manualshive.com logo in svg

Cisco Catalyst 3550 Series, Software Configuration Manual, Page: 557 / 992

Share
Download
Cisco Catalyst 3550 Series Software Configuration Manual Download Page 557

 

28-19

Catalyst 3550 Multilayer Switch Software Configuration Guide

78-11194-09

Chapter 28      Configuring Network Security with ACLs

Configuring IP ACLs

Including Comments in ACLs

You can use the remark keyword to include comments (remarks) about entries in any IP standard or 
extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is 
limited to 100 characters. 

The remark can go before or after a permit or deny statement. You should be consistent about where you 
put the remark so that it is clear which remark describes which permit or deny statement. For example, 
it would be confusing to have some remarks before the associated permit or deny statements and some 
remarks after the associated statements. 

For IP numbered standard or extended ACLs, use the access-list access-list number remark remark 
global configuration command to include a comment about an access list. To remove the remark, use the 
no form of this command. 

In this example, the workstation belonging to Jones is allowed access, and the workstation belonging to 
Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through

Switch(config)# access-list 1 permit 171.69.2.88

Switch(config)# access-list 1 remark Do not allow Smith workstation through

Switch(config)# access-list 1 deny 171.69.3.13

For an entry in a named IP ACL, use the remark access-list configuration command. To remove the 
remark, use the no form of this command. 

In this example, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting

Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out

Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet

Applying an IP ACL to an Interface or Terminal Line

After you create an IP ACL, you can apply it to one or more interfaces or terminal lines. ACLs can be 
applied on either outbound or inbound Layer 3 interfaces, but only to inbound Layer 2 interfaces. This 
section describes how to accomplish this task for both terminal lines and network interfaces. Note these 
guidelines:

When controlling access to a line, you must use a number. Only numbered ACLs can be applied to 
lines.

When controlling access to an interface, you can use a name or number. 

Set identical restrictions on all the virtual terminal lines because a user can attempt to connect to 
any of them.

If you apply an ACL to a Layer 3 interface and routing is not enabled on your switch, the ACL only 
filters packets that are intended for the CPU, such as SNMP, Telnet, or Web traffic. You do not have 
to enable routing to apply ACLs to Layer 2 interfaces.

Port ACLs are not supported on the same switch with input router ACLs and VLAN maps.

If you try to apply an ACL to a Layer 2 interface on a switch that has an input Layer 3 ACL or 
a VLAN map applied to it, a conflict error message is generated. You can apply an ACL to a 
Layer 2 interface if the switch has output Layer 3 ACLs applied.

If you try to apply an ACL to an input Layer 3 interface on a switch that has a Layer 2 ACL 
applied to it, a conflict error message is generated. You can apply an ACL to an output Layer 3 
interface if the switch has Layer 2 ACLs applied.

Summary of Contents for Catalyst 3550 Series

Page 1: ...San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 3550 Multilayer Switch Software Configuration Guide Cisco IOS Release 12 1 19 EA1 October 2003 Customer Order Number DOC 7811194 Text Part Number 78 11194 09 ...

Page 2: ...OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCIP CCSP the Cisco Arrow logo the Cisco Powered Network mark Cisco Unity Follow Me Browsing FormShare and StackWise are trademarks of Cisco Systems Inc Changing the Way W...

Page 3: ...onal Publications and Information xxxix C H A P T E R 1 Overview 1 1 Features 1 1 Management Options 1 7 Management Interface Options 1 7 Advantages of Using CMS and Clustering Switches 1 8 Network Configuration Examples 1 9 Design Concepts for Using the Switch 1 9 Small to Medium Sized Network Using Mixed Switches 1 13 Large Network Using Only Catalyst 3550 Switches 1 15 Multidwelling Network Usi...

Page 4: ... Accessing the CLI 2 9 Accessing the CLI from a Browser 2 10 C H A P T E R 3 Getting Started with CMS 3 1 Understanding CMS 3 1 Front Panel View 3 2 Topology View 3 2 CMS Menu Bar Toolbar and Feature Bar 3 2 Online Help 3 4 Configuration Modes 3 5 Guide Mode 3 5 Expert Mode 3 6 Wizards 3 6 Privilege Levels 3 6 Access to Older Switches In a Cluster 3 7 Configuring CMS 3 7 CMS Requirements 3 7 Minim...

Page 5: ...ample Configuration 4 8 Manually Assigning IP Information 4 10 Checking and Saving the Running Configuration 4 10 Modifying the Startup Configuration 4 12 Default Boot Configuration 4 12 Automatically Downloading a Configuration File 4 12 Specifying the Filename to Read and Write the System Configuration 4 13 Booting Manually 4 13 Booting a Specific Software Image 4 14 Controlling Environment Vari...

Page 6: ...ommand Switch Characteristics 6 3 Standby Command Switch Characteristics 6 3 Candidate Switch and Member Switch Characteristics 6 4 Planning a Switch Cluster 6 5 Automatic Discovery of Cluster Candidates and Members 6 5 Discovery through CDP Hops 6 6 Discovery through Non CDP Capable and Noncluster Capable Devices 6 6 Discovery through Different VLANs 6 7 Discovery through the Same Management VLAN...

Page 7: ...tocol 7 2 Configuring NTP 7 3 Default NTP Configuration 7 4 Configuring NTP Authentication 7 4 Configuring NTP Associations 7 5 Configuring NTP Broadcast Service 7 6 Configuring NTP Access Restrictions 7 7 Configuring the Source IP Address for NTP Packets 7 9 Displaying the NTP Configuration 7 10 Configuring Time and Date Manually 7 10 Setting the System Clock 7 11 Displaying the Time and Date Con...

Page 8: ...1 Protecting Access to Privileged EXEC Commands 8 2 Default Password and Privilege Level Configuration 8 2 Setting or Changing a Static Enable Password 8 3 Protecting Enable and Enable Secret Passwords with Encryption 8 4 Disabling Password Recovery 8 5 Setting a Telnet Password for a Terminal Line 8 6 Configuring Username and Password Pairs 8 7 Configuring Multiple Privilege Levels 8 8 Setting th...

Page 9: ...ntrolling Switch Access with Kerberos 8 32 Understanding Kerberos 8 32 Kerberos Operation 8 34 Authenticating to a Boundary Switch 8 35 Obtaining a TGT from a KDC 8 35 Authenticating to Network Services 8 35 Configuring Kerberos 8 35 Configuring the Switch for Local Authentication and Authorization 8 36 Configuring the Switch for Secure Shell 8 37 Understanding SSH 8 38 SSH Servers Integrated Clie...

Page 10: ...me 9 15 Setting the Switch to Client Frame Retransmission Number 9 16 Configuring the Host Mode 9 17 Configuring a Guest VLAN 9 17 Resetting the 802 1X Configuration to the Default Values 9 18 Displaying 802 1X Statistics and Status 9 19 C H A P T E R 10 Configuring Interface Characteristics 10 1 Understanding Interface Types 10 1 Port Based VLANs 10 2 Switch Ports 10 2 Access Ports 10 3 Trunk Por...

Page 11: ...1 2 SmartPort Macro Configuration Guidelines 11 2 Creating and Applying SmartPort Macros 11 3 Displaying SmartPort Macros 11 4 C H A P T E R 12 Configuring VLANs 12 1 Understanding VLANs 12 1 Supported VLANs 12 2 VLAN Port Membership Modes 12 3 Configuring Normal Range VLANs 12 4 Token Ring VLANs 12 5 Normal Range VLAN Configuration Guidelines 12 5 VLAN Configuration Mode Options 12 6 VLAN Configu...

Page 12: ...23 Load Sharing Using STP Port Priorities 12 24 Load Sharing Using STP Path Cost 12 25 Configuring VMPS 12 27 Understanding VMPS 12 27 Dynamic Port VLAN Membership 12 28 VMPS Database Configuration File 12 28 Default VMPS Configuration 12 30 VMPS Configuration Guidelines 12 30 Configuring the VMPS Client 12 31 Entering the IP Address of the VMPS 12 31 Configuring Dynamic Access Ports on VMPS Clien...

Page 13: ...14 1 Understanding Voice VLAN 14 1 Configuring Voice VLAN 14 2 Default Voice VLAN Configuration 14 2 Voice VLAN Configuration Guidelines 14 3 Configuring a Port to Connect to a Cisco 7960 IP Phone 14 3 Configuring Ports to Carry Voice Traffic in 802 1Q Frames 14 4 Configuring Ports to Carry Voice Traffic in 802 1P Priority Tagged Frames 14 4 Overriding the CoS Priority of Incoming Data Frames 14 5...

Page 14: ... ID 16 3 Spanning Tree Interface States 16 4 Blocking State 16 5 Listening State 16 6 Learning State 16 6 Forwarding State 16 6 Disabled State 16 6 How a Switch or Port Becomes the Root Switch or Root Port 16 7 Spanning Tree and Redundant Connectivity 16 7 Spanning Tree Address Management 16 8 Accelerated Aging to Retain Connectivity 16 8 Spanning Tree Modes and Protocols 16 9 Supported Spanning T...

Page 15: ...rts 17 5 Interoperability with 802 1D STP 17 5 Understanding RSTP 17 6 Port Roles and the Active Topology 17 6 Rapid Convergence 17 7 Synchronization of Port Roles 17 8 Bridge Protocol Data Unit Format and Processing 17 9 Processing Superior BPDU Information 17 10 Processing Inferior BPDU Information 17 10 Topology Changes 17 10 Configuring MSTP Features 17 11 Default MSTP Configuration 17 12 MSTP...

Page 16: ... Ports 18 8 Understanding BackboneFast 18 10 Understanding EtherChannel Guard 18 12 Understanding Root Guard 18 12 Understanding Loop Guard 18 13 Configuring Optional Spanning Tree Features 18 14 Default Optional Spanning Tree Configuration 18 14 Optional Spanning Tree Configuration Guidelines 18 14 Enabling Port Fast 18 14 Enabling BPDU Guard 18 15 Enabling BPDU Filtering 18 16 Enabling UplinkFas...

Page 17: ...iate Leave Processing 20 5 IGMP Report Suppression 20 5 Source Only Networks 20 5 Configuring IGMP Snooping 20 6 Default IGMP Snooping Configuration 20 6 Enabling or Disabling IGMP Snooping 20 7 Setting the Snooping Method 20 8 Configuring a Multicast Router Port 20 9 Configuring a Host Statically to Join a Group 20 9 Enabling IGMP Immediate Leave Processing 20 10 Disabling IGMP Report Suppression...

Page 18: ...king 21 6 Blocking Flooded Traffic on an Interface 21 6 Resuming Normal Forwarding on a Port 21 7 Configuring Port Security 21 8 Understanding Port Security 21 8 Secure MAC Addresses 21 8 Security Violations 21 9 Default Port Security Configuration 21 10 Port Security Configuration Guidelines 21 10 Enabling and Configuring Port Security 21 11 Enabling and Configuring Port Security Aging 21 14 Disp...

Page 19: ...ased SPAN 24 6 SPAN Traffic 24 6 SPAN and RSPAN Interaction with Other Features 24 7 SPAN and RSPAN Session Limits 24 8 Default SPAN and RSPAN Configuration 24 8 Configuring SPAN 24 8 SPAN Configuration Guidelines 24 9 Creating a SPAN Session and Specifying Ports to Monitor 24 10 Creating a SPAN Session and Enabling Ingress Traffic 24 11 Removing Ports from a SPAN Session 24 13 Specifying VLANs to...

Page 20: ...ice 26 4 Synchronizing Log Messages 26 6 Enabling and Disabling Timestamps on Log Messages 26 7 Enabling and Disabling Sequence Numbers in Log Messages 26 8 Defining the Message Severity Level 26 8 Limiting Syslog Messages Sent to the History Table and to SNMP 26 10 Configuring UNIX Syslog Servers 26 10 Logging Messages to a UNIX Syslog Daemon 26 11 Configuring the UNIX System Logging Facility 26 ...

Page 21: ...dware and Software Handling of Router ACLs 28 6 Unsupported Features 28 7 Creating Standard and Extended IP ACLs 28 8 Access List Numbers 28 8 Creating a Numbered Standard ACL 28 9 Creating a Numbered Extended ACL 28 11 Creating Named Standard and Extended IP ACLs 28 15 Using Time Ranges with ACLs 28 17 Including Comments in ACLs 28 19 Applying an IP ACL to an Interface or Terminal Line 28 19 IP A...

Page 22: ... Problems 28 43 Configuration Conflicts 28 44 ACL Configuration Fitting in Hardware 28 45 TCAM Usage 28 47 C H A P T E R 29 Configuring QoS 29 1 Understanding QoS 29 2 Basic QoS Model 29 4 Classification 29 5 Classification Based on QoS ACLs 29 7 Classification Based on Class Maps and Policy Maps 29 7 Policing and Marking 29 8 Mapping Tables 29 10 Queueing and Scheduling 29 11 Queueing and Schedul...

Page 23: ...ring DSCP Maps 29 51 Configuring the CoS to DSCP Map 29 52 Configuring the IP Precedence to DSCP Map 29 52 Configuring the Policed DSCP Map 29 53 Configuring the DSCP to CoS Map 29 54 Configuring the DSCP to DSCP Mutation Map 29 55 Configuring Egress Queues on Gigabit Capable Ethernet Ports 29 57 Mapping CoS Values to Select Egress Queues 29 57 Configuring the Egress Queue Size Ratios 29 58 Config...

Page 24: ...al Interfaces 30 11 Configuring the Physical Interfaces 30 12 Configuring EtherChannel Load Balancing 30 14 Configuring the PAgP Learn Method and Priority 30 15 Configuring the LACP Port Priority 30 16 Configuring Hot Standby Ports 30 16 Configuring the LACP System Priority 30 17 Displaying EtherChannel PAgP and LACP Status 30 18 C H A P T E R 31 Configuring IP Unicast Routing 31 1 Understanding I...

Page 25: ...Traffic Distribution Control 31 25 Configuring Basic IGRP Parameters 31 26 Configuring Split Horizon 31 28 Configuring OSPF 31 29 Default OSPF Configuration 31 30 Configuring Basic OSPF Parameters 31 31 Configuring OSPF Interfaces 31 32 Configuring OSPF Area Parameters 31 33 Configuring Other OSPF Parameters 31 34 Changing LSA Group Pacing 31 36 Configuring a Loopback Interface 31 36 Monitoring OS...

Page 26: ...onfiguration Example 31 71 Displaying Multi VRF CE Status 31 75 Configuring Protocol Independent Features 31 75 Configuring Cisco Express Forwarding 31 75 Configuring the Number of Equal Cost Routing Paths 31 76 Configuring Static Unicast Routes 31 77 Specifying Default Routes and Networks 31 78 Using Route Maps to Redistribute Routing Information 31 79 Configuring Policy Based Routing 31 82 PBR C...

Page 27: ...P Configuration 33 5 WCCP Configuration Guidelines 33 5 Enabling the Web Cache Service Setting the Password and Redirecting Traffic Received From a Client 33 6 Monitoring and Maintaining WCCP 33 9 C H A P T E R 34 Configuring IP Multicast Routing 34 1 Cisco Implementation of IP Multicast Routing 34 2 Understanding IGMP 34 3 IGMP Version 1 34 3 IGMP Version 2 34 4 Understanding PIM 34 5 PIM Version...

Page 28: ...val 34 30 Configuring Optional IGMP Features 34 31 Default IGMP Configuration 34 31 Changing the IGMP Version 34 32 Changing the IGMP Query Timeout for IGMPv2 34 32 Changing the Maximum Query Response Time for IGMPv2 34 33 Configuring the Multilayer Switch as a Member of a Group 34 34 Controlling Access to IP Multicast Groups 34 35 Modifying the IGMP Host Query Message Interval 34 36 Configuring t...

Page 29: ...35 1 MSDP Operation 35 2 MSDP Benefits 35 3 Configuring MSDP 35 4 Default MSDP Configuration 35 4 Configuring a Default MSDP Peer 35 4 Caching Source Active State 35 6 Requesting Source Information from an MSDP Peer 35 8 Controlling Source Information that Your Switch Originates 35 8 Redistributing Sources 35 9 Filtering Source Active Request Messages 35 11 Controlling Source Information that Your...

Page 30: ...res 37 1 Recovering from Corrupted Software 37 2 Recovering from a Lost or Forgotten Password 37 2 Password Recovery with Password Recovery Enabled 37 3 Procedure with Password Recovery Disabled 37 5 Recovering from a Command Switch Failure 37 6 Replacing a Failed Command Switch with a Cluster Member 37 7 Replacing a Failed Command Switch with Another Switch 37 8 Recovering from Lost Member Connec...

Page 31: ...B 4 Deleting Files B 5 Creating Displaying and Extracting tar Files B 5 Creating a tar File B 5 Displaying the Contents of a tar File B 6 Extracting a tar File B 7 Displaying the Contents of a File B 7 Working with Configuration Files B 8 Guidelines for Creating and Using Configuration Files B 8 Configuration File Types and Location B 9 Creating a Configuration File By Using a Text Editor B 9 Copy...

Page 32: ... Using FTP B 25 Uploading an Image File By Using FTP B 26 Copying Image Files By Using RCP B 27 Preparing to Download or Upload an Image File By Using RCP B 28 Downloading an Image File By Using RCP B 29 Uploading an Image File By Using RCP B 31 A P P E N D I X C Unsupported CLI Commands in Cisco IOS Release 12 1 19 EA1 C 1 Access Control Lists C 1 Unsupported Privileged EXEC Commands C 1 ARP Comm...

Page 33: ...mands C 7 Unsupported Route Map Commands C 7 MSDP C 7 Unsupported Privileged EXEC Commands C 7 Unsupported Global Configuration Commands C 8 Network Address Translation NAT commands C 8 Unsupported User EXEC Commands C 8 Unsupported Global Configuration Commands C 8 Unsupported Interface Configuration Commands C 8 RADIUS C 8 Unsupported Global Configuration Commands C 8 SNMP C 9 Unsupported Global...

Page 34: ...Contents xxxiv Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 ...

Page 35: ...I This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 3550 switch It does not provide detailed information about these commands For detailed information about these commands refer to the Catalyst 3550 Multilayer Switch Command Reference for this release For information about the standard Cisco IOS Release 12 1 commands refer to the Cisc...

Page 36: ...tions or references to materials not contained in this manual Caution Means reader be careful In this situation you might do something that could result equipment damage or loss of data Timesaver Means the following will help you solve a problem The tips information might not be troubleshooting or even an action but could be useful information Related Publications These documents provide complete ...

Page 37: ... can access the most current Cisco documentation on the World Wide Web at this URL http www cisco com univercd home home htm You can access the Cisco website at this URL http www cisco com International Cisco websites can be accessed from this URL http www cisco com public countries_languages shtml Documentation CD ROM Cisco documentation and additional literature are available in a Cisco Document...

Page 38: ...Obtaining Technical Assistance For all customers partners resellers and distributors who hold valid Cisco service contracts the Cisco Technical Assistance Center TAC provides 24 hour award winning technical support services online and over the phone Cisco com features the Cisco TAC website as an online starting point for technical assistance Cisco TAC Website The Cisco TAC website http www cisco c...

Page 39: ...ou and Cisco will commit resources during normal business hours to restore service to satisfactory levels Priority 4 P4 You require information or assistance with Cisco product capabilities installation or configuration There is little or no effect on your business operations Obtaining Additional Publications and Information Information about Cisco products technologies and network solutions is av...

Page 40: ...o com go iqmagazine Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing developing and operating public and private internets and intranets You can access the Internet Protocol Journal at this URL http www cisco com en US about ac123 ac147 about_cisco_the_internet_protocol_journal html Training Cisco offers world class net...

Page 41: ...rd multilayer software image SMI or EMI installed The SMI software image provides Layer 2 features and basic Layer 3 routing You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI Ease of Use and Ease of Deployment Express Setup for quickly configuring a switch for the first time with basic IP information contact inf...

Page 42: ...ng overall network traffic For IGMP devices IGMP snooping for limiting flooding of multicast traffic IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices supported only for IGMPv1 or IGMPv2 queries Multicast VLAN registration MVR to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for b...

Page 43: ...ess through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem Note For additional descriptions of the management interfaces see the Management Options section on page 1 7 Redundancy Hot Standby Router Protocol HSRP for command switch and Layer 3 router redundancy UniDirectional Link Detection UDLD and aggressive UDLD on all Ether...

Page 44: ...cing network traffic by restricting flooded traffic to links destined for stations receiving the traffic Voice VLAN for creating subnets for voice traffic from Cisco IP Phones VLAN 1 minimization to reduce the risk of spanning tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link With this feature enabled no user traffic is sent or received The switch CPU continu...

Page 45: ...nd flexible administrative control over authentication and authorization processes 802 1Q tunneling to allow customers with users at remote sites across a service provider network to keep VLANs segregated from other customers and Layer 2 protocol tunneling to ensure that the customer s network has complete STP CDP and VTP information about all users Quality of Service QoS and Class of Service CoS ...

Page 46: ...formation Protocol RIP versions 1 and 2 Open Shortest Path First OSPF Interior Gateway Routing Protocol IGRP and Enhanced IGRP EIGRP Border Gateway Protocol BGP Version 4 IP routing between VLANs inter VLAN routing for full Layer 3 routing between two or more VLANs allowing each VLAN to maintain its own autonomous data link domain Multiple VPN routing forwarding multi VRF instances in customer edg...

Page 47: ...nt Options The Catalyst 3550 switch is designed for plug and play operation you need to configure only basic IP information for the switch and connect it to the other devices in your network If you have specific network needs you can configure and monitor the switch on an individual basis or as part of a switch cluster through its various management interfaces Management Interface Options You can ...

Page 48: ...you have a limited number of them CMS is the easiest interface to use and makes switch and switch cluster management accessible to authorized users from any PC on your network By using switch clusters and CMS you can Manage and monitor interconnected Catalyst switches refer to the release notes for a list of supported switches regardless of their geographic proximity and interconnection media incl...

Page 49: ...users compete for network bandwidth it takes longer to send and receive data When you configure your network consider the bandwidth required by your network users and the relative priority of the network applications they use Table 1 1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users Table 1 1 I...

Page 50: ...ted Design Methods Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications Use IGMP snooping to efficiently forward multimedia and multicast traffic Use other QoS mechanisms such as packet classification marking scheduling and congestion avoidance to classify traffic with the appropriate priority level thereby providing maximum flexibility and suppo...

Page 51: ...1 Gbps connection is shared among the switches in the stack Using these Gigabit GBIC modules also provides flexibility in media and distance options 1000BASE T GBIC copper connections of up to 328 feet 100 m 1000BASE SX GBIC fiber optic connections of up to 1804 feet 550 m 1000BASE LX LH GBIC fiber optic connections of up to 32 808 feet 6 miles or 10 km 1000BASE ZX GBIC fiber optic connections of ...

Page 52: ... 1 1 Example Configurations Si Si Si Si Catalyst 3550 GigaStack cluster 1 Gbps HSRP 50830 Catalyst 3550 12T or Catalyst 3550 12G switch Gigabit server Catalyst 3550 switch Cost Effective Wiring Closet High Performance Workgroup Redundant Gigabit Backbone Catalyst 3550 cluster Catalyst 3550 switch Catalyst 3550 switch Catalyst switches ...

Page 53: ...tandard straight through twisted pair cable with RJ 45 connectors to the 10 100 inline power ports on the Catalyst 3550 24PWR switches and to the 10 100 ports on the Catalyst 3550 switches These multiservice switch ports automatically detect any IP phones that are connected Cisco CallManager controls call processing routing and IP phone features and configuration Users with workstations running Ci...

Page 54: ... Collapsed Backbone Configuration IP Gigabit servers Call Manager Cisco Access point Cisco Access point 86390 Cisco IP Phones Cisco IP Phones Workstations running Cisco SoftPhone software Catalyst GigaStack cluster Catalyst GigaStack cluster Catalyst 3550 24PWR Catalyst 3550 24PWR Cisco 2600 or 3600 routers Catalyst 3550 multilayer switches Internet IP IP IP Si Si M ...

Page 55: ... limit bandwidth on a per port or per user basis The switch ports are configured as either trusted or untrusted You can configure a trusted port to trust the CoS value the DSCP value or the IP precedence If you configure the port as untrusted you can use an ACL to mark the frame in accordance with the network policy Within each wiring closet is a Catalyst 3550 multilayer switch for inter VLAN rout...

Page 56: ...alyst 3550 Switches in Wiring Closets in a Backbone Configuration IP Gigabit servers 86391 Cisco IP Phones Cisco IP Phones Catalyst 3550 cluster Catalyst 3550 cluster Cisco 7500 routers Catalyst 6000 multilayer switches WAN IP IP IP IP IP Si Si Si Si Call Manager Cisco Access point Catalyst 3550 24PWR Catalyst 3550 24PWR M Cisco Access point ...

Page 57: ...existing phone lines The Catalyst LRE switches can then connect to another residential switch or to an aggregation switch All ports on the residential Catalyst 3550 switches and Catalyst LRE switches if they are included are configured as 802 1Q trunks with protected port and STP root guard features enabled The protected port feature provides security and isolation between ports on the switch ensu...

Page 58: ...amples Figure 1 4 Catalyst 3550 Switches in a MAN Configuration 50833 Service Provider POP Mini POP Gigabit MAN Residential location Catalyst 3550 multilayer switches Catalyst switches Catalyst 6500 switches Cisco 12000 Gigabit switch routers Si Si Si Si Si Si Si Si Residential gateway hub Set top box TV PC Set top box TV ...

Page 59: ...wing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separate or demultiplex the different wavelengths Using CWDM technology with the switches translates to farther data transmission and an increased bandwidth capacity up to 8 Gbps on a single fiber optic cable For more information about the CWDM GBIC modules and CWDM OADM modules refer to the...

Page 60: ...1 20 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 1 Overview Where to Go Next ...

Page 61: ...lable for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are ...

Page 62: ... Use a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configura...

Page 63: ...arameters see the Configuring a Range of Interfaces section on page 10 8 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter exit To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure parameters for the terminal line Table 2 1 Command Mode Summar...

Page 64: ...e This example shows how to enter the show configuration privileged EXEC command Switch show conf Using no and default Forms of Commands Almost every configuration command also has a no form In general use the no form to disable a feature or function or reverse the action of a command For example the no shutdown interface configuration command reverses the shutdown of an interface Use the command ...

Page 65: ...n Switch terminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show ...

Page 66: ...abling and Disabling Editing Features page 2 7 Editing Commands through Keystrokes page 2 7 Editing Command Lines that Wrap page 2 8 Table 2 4 Recalling Commands Action1 1 The arrow keys function only on ANSI compatible terminals such as VT100s Result Press Ctrl P or the up arrow key Recall commands in the history buffer beginning with the most recent command Repeat the key sequence to recall succ...

Page 67: ...Commands through Keystrokes Capability Keystroke1 Purpose Move around the command line to make changes or corrections Press Ctrl B or press the left arrow key Move the cursor back one character Press Ctrl F or press the right arrow key Move the cursor forward one character Press Ctrl A Move the cursor to the beginning of the command line Press Ctrl E Move the cursor to the end of the command line ...

Page 68: ...rl X Delete all characters from the cursor to the beginning of the command line Press Ctrl W Delete the word to the left of the cursor Press Esc D Delete from the cursor to the end of the word Capitalize or lowercase words or capitalize a set of letters Press Esc C Capitalize at the cursor Press Esc L Change the word at the cursor to lowercase Press Esc U Capitalize letters from the cursor to the ...

Page 69: ...ntries see the Editing Commands through Keystrokes section on page 2 7 Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see To use this functionality enter a show or more command followed by the pipe ch...

Page 70: ...imultaneous secure SSH sessions After you connect through the console port through a Telnet session or through an SSH session the user EXEC prompt appears on the management station Accessing the CLI from a Browser This procedure assumes that you have met the software requirements including browser and Java plug in configurations and have assigned IP information and a Telnet password to the switch ...

Page 71: ...s can be command switches or member switches refer to the release notes for this switch Understanding CMS CMS provides these features for managing switch clusters and individual switches from web browsers such as Netscape Communicator or Microsoft Internet Explorer Front panel and topology views of your network as shown in Figure 3 7 on page 3 13 and Figure 3 8 on page 3 14 that can be displayed a...

Page 72: ...10 CMS Menu Bar Toolbar and Feature Bar The configuration and monitoring options for configuring switches and switch clusters are available from the menu bar the toolbar and the feature bar The menu bar shown in Figure 3 1 provides these options for managing a single switch and switch clusters CMS Install CMS on your PC or workstation choose printing options select interaction modes display CMS pr...

Page 73: ...such as polling intervals the views to open at CMS startup and the color of administratively shutdown ports Save Configuration2 2 Some options from this menu option are not available in read only mode Save the configuration of the cluster or a switch to Flash memory Software Upgrade2 Upgrade the software for the cluster or a switch Port Settings1 Display and configure port parameters on a switch V...

Page 74: ...atures from CMS Some CMS features are not available in read only mode For more information about how access modes affect CMS see the Privilege Levels section on page 3 6 Online Help CMS provides comprehensive online help to assist you in understanding and performing configuration and monitoring tasks from the CMS windows Online help is available for features that are supported by devices in your c...

Page 75: ...also available for some configuration options These are similar to guide mode configuration windows except that fewer options are available Guide Mode Guide mode is for users who want a step by step approach for completing a specific configuration task This mode is not available for all features A person icon appears next to features that have guide mode available as shown in Figure 3 3 When you c...

Page 76: ...he name the wizard launches for that feature as shown in Figure 3 3 on page 3 5 Wizards are not available for all features or for read only access levels For more information about the read only access mode see the Privilege Levels section on page 3 6 Privilege Levels CMS provides two levels of access to the configuration options read write access and read only access If you know your privilege le...

Page 77: ...hes with 4 MB CPU DRAM In read only mode these switches appear as unavailable devices and cannot be configured from CMS Configuring CMS This section contains these topics that describe the requirements and configuration information for CMS CMS Requirements section on page 3 7 Cross Platform Considerations section on page 3 9 Launching CMS section on page 3 10 CMS Requirements This section describe...

Page 78: ...n the release notes Note If you need to both upgrade your web browser and install the CMS plug in you must upgrade your browser first If you install the CMS plug in and then upgrade your browser the plug in is not registered with the new browser Table 3 2 Minimum Hardware Configuration OS Processor Speed DRAM Number of Colors Resolution Font Size Windows NT 4 01 1 Service Pack 3 or higher is requi...

Page 79: ...6 EA1 or earlier the CMS versions in those software releases might appear similar but are not the same as this release For example the Topology view in this release is not the same as the Topology view or the Cluster View in those earlier software releases CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager Cluster management options are not available on these swit...

Page 80: ...ion on page 3 13 Topology View section on page 3 14 Launching CMS To display the switch access page follow these steps Step 1 Enter the switch IP address in the browser and press Return Step 2 Enter your username and password when prompted If no username is configured on your switch the default enter only the enable password if an enable password is configured in the password field The switch home...

Page 81: ...h CMS Displaying CMS Figure 3 4 Switch Home Page The Switch Home Page has these tabs Express Setup Opens the Express Setup page Note You can use Express Setup to assign an IP address to an unconfigured switch For more information refer to the hardware installation guide Cluster Management Suite Launches CMS ...

Page 82: ...rowser CMS plug in or Java plug in or if the plug in is not enabled the CMS Startup Report page appears as shown in Figure 3 5 Figure 3 5 CMS Startup Report The CMS Startup Report has links that instruct you how to correctly configure your PC or workstation If the CMS Startup Report appears click the links and follow the instructions to configure your PC or workstation Note If you are running Wind...

Page 83: ...iew displays the front panel image of the command switch and other selected switches as shown in Figure 3 7 and you can select more switches to be displayed You can choose and configure the switches that appear in Front Panel view You can drag the switches that appear and re arrange them You can right click on a switch port to configure that port Figure 3 7 Front Panel View and Port Popup Menu Not...

Page 84: ...S is launched from a command switch When you click the topology button on the tool bar the Topology view displays the command switch indicated by the CMD label and the devices that are connected to it as shown in Figure 3 8 You can right click on a switch or link icon to display a menu for that icon Figure 3 8 Topology View and Device Popup Menus Note Figure 3 8 shows multiple popup menus Only one...

Page 85: ...e to join the cluster such as routers access points IP phones and so on Note The Topology view displays only the switch cluster and network neighborhood of the specific command or member switch that you access To display a different switch cluster you need to access the command switch or member switch of that cluster CMS Icons For a complete list of device and link icons available in CMS select He...

Page 86: ...3 16 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 3 Getting Started with CMS Where to Go Next ...

Page 87: ...g the Startup Configuration page 4 12 Scheduling a Reload of the Software Image page 4 17 Understanding the Boot Process Before you can assign switch information IP address subnet mask default gateway secret and Telnet passwords and so forth you need to install and power on the switch as described in the hardware installation guide that shipped with your Catalyst 3550 switch The normal boot proces...

Page 88: ... refer to the hardware guide that shipped with your switch Before you can use the Express Setup program to assign switch information on a switch running Cisco IOS Release 12 1 14 EA1 or later make sure that you have connected a PC to a 10 100 switch port Assigning Switch Information You can assign IP information through the switch setup program through a Dynamic Host Configuration Protocol DHCP se...

Page 89: ...on file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server or the DHCP server feature running on your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay A relay device forwards broadcast traffic be...

Page 90: ...e the client and server are bound and the client uses configuration information received from the server The amount of information the switch receives depends on how you configure the DHCP server For more information see the Configuring the DHCP Server section on page 4 5 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid a configuration error exists th...

Page 91: ... these lease options IP address of the client required Subnet mask of the client required DNS server IP address optional Router IP address default gateway address to be used by the switch required If you want the switch to receive the configuration file from a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filename the name of the configurati...

Page 92: ...If you specify the TFTP server name in the DHCP server lease database you must also configure the TFTP server name to IP address mapping in the DNS server database If the TFTP server to be used is on a different LAN from the switch or if it is to be accessed by the switch through the broadcast address which occurs if the DHCP server response does not contain all the required information described ...

Page 93: ...me is reserved for the switch and provided in the DHCP reply one file read method The switch receives its IP address subnet mask TFTP server address and the configuration filename from the DHCP server or the DHCP server feature running on your switch The switch sends a unicast message to the TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt...

Page 94: ...as read earlier from the TFTP server If the cisconet cfg file is read the filename of the host is truncated to eight characters If the switch cannot read the network confg cisconet cfg or the hostname file it reads the router confg file If the switch cannot read the router confg file it reads the ciscortr cfg file Note The switch broadcasts TFTP server requests if the TFTP server is not obtained f...

Page 95: ...n file is present on Switch 1 through Switch 4 Configuration Explanation In Figure 4 3 Switch 1 reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch 1 reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host tabl...

Page 96: ...ent configuration 1363 bytes version 12 1 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Switch enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is ...

Page 97: ... 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes that you have made to your startup configuration in Flash memory enter this privileged EXEC command Switch copy running config startup config Destination filename startup config ...

Page 98: ...by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 4 3 Table 4 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and ex...

Page 99: ...nfigure it to manually boot Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot cycle For file url specify the path directory and the configuration filename F...

Page 100: ...ng of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot the system use the boot filesystem file url boot loader command For filesystem use flash for the system board Flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step ...

Page 101: ...f it is not listed in this file it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name o...

Page 102: ...load and execute the first executable image it can find by using a recursive depth first search through the Flash file system If the BOOT variable is set but the specified images cannot be loaded the system attempts to boot the first bootable file that it can find in the Flash file system boot system filesystem file url Specifies the software image to load during the next boot cycle This command c...

Page 103: ...rrent day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedule ...

Page 104: ...Thu Jun 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to determine if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information includi...

Page 105: ...istrar is a network management device that acts as a configuration service for automating the deployment and management of network devices and services see Figure 5 1 Each Configuration Registrar manages a group of Cisco IOS devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Configuration Registrar automates initial config...

Page 106: ... Configuration Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static con...

Page 107: ...en given a unique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About ConfigID DeviceID and Host Name The Configuration Registrar assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event servi...

Page 108: ...is fixed at the time of the connection to the event gateway and does not change even when the switch host name is reconfigured When changing the switch host name on the switch the only way to refresh the deviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the con...

Page 109: ...ludes the Trivial File Transfer Protocol TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server...

Page 110: ... not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring CNS Embedded Agents The CNS agents embedded in the switch Cisco IOS software allow the switch to be connec...

Page 111: ...efault gateway IP address TFTP server Create a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the IE2100 Configuration Registrar Configure the switch to use either the switch MAC address or the serial number instead of the default host name to generate the configID and eventID Configure the CNS event agent to push the configurat...

Page 112: ...e port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For init retry retry count enter the number of initial retries before switching to backup The default is 3 Optional For keepalive seconds enter how often the switch sends keepalive messages For retry count enter the numbe...

Page 113: ...iguration command enables the configuration agent and initiates a partial configuration on the switch You can then remotely send incremental configurations to the switch from the Configuration Registrar Enabling an Initial Configuration Beginning in privileged EXEC mode follow these steps to enable the CNS configuration agent and initiate an initial configuration on the switch Command Purpose Step...

Page 114: ...Establish a static route to the Configuration Registrar whose IP address is network number Step 7 cns id interface num dns reverse ipaddress mac address event or cns id hardware serial hostname string string event Set the unique eventID or configID used by the Configuration Registrar For interface num enter the type of interface for example Ethernet Group Async Loopback or Virtual Template This se...

Page 115: ...er event no persist page page source ip address syntax check Enable the configuration agent and initiate an initial configuration For ip address hostname enter the IP address or the host name of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages...

Page 116: ...tion mode Step 2 cns config partial ip address hostname port number source ip address Enable the configuration agent and initiate a partial configuration For ip address hostname enter the IP address or the host name of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enter source ip address to use for the sou...

Page 117: ...g connections Displays the status of the CNS configuration agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the CNS configuration agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Displa...

Page 118: ...5 14 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 5 Configuring IE2100 CNS Agents Displaying CNS Configuration ...

Page 119: ...ional information about switch clusters and the clustering options For complete procedures about using CMS to configure switch clusters refer to the online help For the CLI cluster commands refer to the switch command reference Refer to the release notes for the list of Catalyst switches eligible for switch clustering including which ones can be command switches and which ones can only be member s...

Page 120: ...r Candidates and Members section on page 6 5 This section includes management VLAN considerations for the Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2940 Catalyst 2950 and Catalyst 3500 XL switches For complete information about these switches in a switch cluster environment refer to the software configuration guide for that specific switch Command switch redundancy if a command switch ...

Page 121: ...tandby Command Switch Characteristics A Catalyst 3550 standby command switch must meet these requirements It is running Cisco IOS Release 12 1 4 EA1 or later It has an IP address It has CDP version 2 enabled It is connected to other standby switches through its management VLAN and to all member switches through a common VLAN It is redundantly connected to the cluster so that connectivity to member...

Page 122: ...cluster Member switches are switches that have actually been added to a switch cluster Although not required a candidate or member switch can have its own IP address and password for related considerations see the IP Addresses section on page 6 16 and Passwords section on page 6 16 To join a cluster a candidate switch must meet these requirements It is running cluster capable software It has CDP v...

Page 123: ...h ones can only be member switches for the required software versions and for the browser and Java plug in configurations Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol CDP to discover member switches candidate switches neighboring switch clusters and edge devices across multiple VLANs and in star or cascaded topologies Note Do not disable CD...

Page 124: ...use they are within three hops from the edge of the cluster It does not discover switch 15 because it is four hops from the edge of the cluster Figure 6 1 Discovery through CDP Hops Discovery through Non CDP Capable and Noncluster Capable Devices If a command switch is connected to a non CDP capable third party hub such as a non Cisco hub it can discover cluster enabled devices connected to that t...

Page 125: ... first column because the command switch has no VLAN connectivity to it Catalyst 2900 XL member switches Catalyst 2950 member switches running a release earlier than Cisco IOS Release 12 1 9 EA1 and Catalyst 3500 XL member switches must be connected to the command switch through their management VLAN For information about discovery through management VLANs see the Discovery through the Same Manage...

Page 126: ...s even if they belong to different management VLANs See the Discovery through Different Management VLANs section on page 6 9 The command switch in Figure 6 4 has ports assigned to management VLAN 9 It discovers all but these switches Switches 7 and 10 because their management VLAN VLAN 4 is different from the command switch management VLAN VLAN 9 Switch 9 because automatic discovery does not exten...

Page 127: ...s VLAN 1 For information about discovery through the same management VLAN on these switches see the Discovery through the Same Management VLAN section on page 6 8 The non LRE Catalyst 2950 command switch running Cisco IOS Release 12 1 9 EA1 or later in Figure 6 5 and the Catalyst 3550 command switch in Figure 6 6 have ports assigned to VLANs 9 16 and 62 The management VLAN on the Catalyst 2950 com...

Page 128: ...over the switches in VLANs 9 and 62 but not the switch in VLAN 4 If the routed port path between the command switch and member switch 7 is lost connectivity with member switch 7 is maintained because of the redundant path through VLAN 9 Si Si Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2950 Catalyst 2955 and Catalyst 3500 XL switches VLAN 62 VLAN trunk 4 62 VLAN 62 VLAN 16 VLAN 9 VLAN 16...

Page 129: ...ports are assigned to VLAN 1 When the new switch joins a cluster its default VLAN changes to the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The command switch in Figure 6 8 belongs to VLANs 9 and 16 When the new Catalyst 3550 and non LRE switches join the cluster The Catalyst 3550 switch and it...

Page 130: ...ches When the command switch is a Catalyst 2955 switch all standby command switches must be Catalyst 2955 switches When the command switch is a Catalyst 2950 LRE switch all standby command switches must be Catalyst 2950 LRE switches When the command switch is a non LRE Catalyst 2950 switch running Cisco IOS Release 12 1 9 EA1 or later all standby command switches must be non LRE Catalyst 2950 swit...

Page 131: ...about standby command switches Virtual IP Addresses page 6 13 Other Considerations for Cluster Standby Groups page 6 13 Automatic Recovery of Cluster Configuration page 6 15 Virtual IP Addresses You need to assign a unique virtual IP address and group number and name to the cluster standby group This information must be configured on a specific VLAN or routed port on the active command switch The ...

Page 132: ...lyst 2950 switches If you have a Catalyst 2900 XL or Catalyst 3500 XL command switch the standby command switches should be Catalyst 2900 XL and Catalyst 3500 XL switches Only one cluster standby group can be assigned to a cluster You can have more than one router redundancy standby group An HSRP group can be both a cluster standby group and a router redundancy group However if a router redundancy...

Page 133: ...ion to the standby command switch You must therefore rebuild the cluster This limitation applies to all clusters If the active command switch fails and there are more than two switches in the cluster standby group the new command switch does not discover any Catalyst 1900 Catalyst 2820 and Catalyst 2916M XL member switches You must re add these member switches to the cluster This limitation applie...

Page 134: ...escribed in the HTTP Access to CMS section on page 3 9 For more information about IP addresses see Chapter 4 Assigning the Switch IP Address and Default Gateway Host Names You do not need to assign a host name to either a command switch or an eligible cluster member However a host name assigned to the command switch can help to identify the switch cluster The default host name for the switch is Sw...

Page 135: ...port an unlimited number of community strings and string lengths For more information about SNMP and community strings see Chapter 27 Configuring SNMP For SNMP considerations specific to the Catalyst 1900 and Catalyst 2820 switches refer to the installation and configuration guides specific to those switches TACACS and RADIUS Inconsistent authentication configurations in switch clusters cause CMS ...

Page 136: ...ode these switches appear as unavailable devices and cannot be configured from CMS LRE Profiles In Cisco IOS Release 12 1 14 EA1 or later the Catalyst 2950 LRE switches do not support public profiles In software releases earlier than Cisco IOS Release 12 1 14 EA1 a configuration conflict occurs if a switch cluster has LRE switches that use both private and public profiles If one LRE switch in a cl...

Page 137: ... the Planning a Switch Cluster section on page 6 5 and the release notes We strongly recommend that the highest end command capable switch in the cluster be the command switch If your switch cluster has a Catalyst 3550 switch that switch should be the command switch If your switch cluster has Catalyst 2900 XL Catalyst 2940 Catalyst 2950 Catalyst 2950 LRE Catalyst 2955 and Catalyst 3500 XL switches...

Page 138: ...opology view candidate switches are cyan and member switches are green To add more than one candidate switch press Ctrl and left click the candidates that you want to add Instead of using CMS to add members to the cluster you can use the cluster member global configuration command from the command switch Use the password option in this command if the candidate switch has a password You can select ...

Page 139: ...ional authentication considerations in switch clusters see the TACACS and RADIUS section on page 6 17 Figure 6 11 Add to Cluster Window Enter the password of the candidate switch If no password exists for the switch leave this field blank Select a switch and click Add Press Ctrl and left click to select more than one switch 2900 LRE 24 1 65724 ...

Page 140: ...me and the standby priority interface configuration commands and the cluster standby group global configuration command When the command switch is a Catalyst 3550 switch all standby command switches must be Catalyst 3550 switches When the command switch is a Catalyst 2955 switch all standby command switches must be Catalyst 2955 switches When the command switch is a Catalyst 2950 LRE switch all st...

Page 141: ...didate switch that can be added to the cluster standby group CC Command switch when HSRP is disabled You must enter a virtual IP address for the cluster standby group This address must be in the same subnet as the IP addresses of the switch The group number must be unique within the IP subnet It can be from 0 to 255 and the default is 0 The group name can have up to 31 characters The Standby Comma...

Page 142: ...ons links and colors see the Topology View section on page 3 14 Step 4 Select Reports Inventory to display an inventory of the switches in the cluster Figure 6 14 The summary includes information such as switch model numbers serial numbers software versions IP information and location You can also display port and switch statistics from Reports Port Statistics and Port Port Settings Runtime Status...

Page 143: ...I This example shows how to log into member switch 3 from the command switch CLI switch rcommand 3 If you do not know the member switch number enter the show cluster members privileged EXEC command on the command switch For more information about the rcommand command and all other cluster commands refer to the switch command reference The Telnet session accesses the member switch CLI at the same p...

Page 144: ... by default When you create a cluster the command switch manages the exchange of messages between member switches and an SNMP application The cluster software on the command switch appends the member switch number esN where N is the switch number to the first configured read write and read only community strings on the command switch and propagates them to the member switch The command switch uses...

Page 145: ...e Configuration Guide 78 11194 09 Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Figure 6 15 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 146: ...6 28 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters ...

Page 147: ...r switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 This section contains this configuration information Understanding the System Clock page 7 1 Understanding Netw...

Page 148: ...umber with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others even if...

Page 149: ...p update calendar and the ntp master global configuration commands are not available This section contains this configuration information Default NTP Configuration page 7 4 Configuring NTP Authentication page 7 4 Configuring NTP Associations page 7 5 Configuring NTP Broadcast Service page 7 6 Configuring NTP Access Restrictions page 7 7 Configuring the Source IP Address for NTP Packets page 7 9 Di...

Page 150: ...ckets NTP access restrictions No access control is specified NTP packet source IP address The source address is determined by the outgoing interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp authenticate Enable the NTP authentication feature which is disabled by default Step 3 ntp authentication key number md5 value Define the authentication keys By defau...

Page 151: ...our entries Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a pe...

Page 152: ...or receive NTP broadcast packets on an interface by interface basis if there is an NTP broadcast server such as a router broadcasting time information on the network The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it The switch can also receive NTP broadcast packets to synchronize its own clock This section has procedures for both sending and receiving NTP b...

Page 153: ...estrictions You can control NTP access on two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 7 8 Disabling NTP Services on a Specific Interface page 7 9 Step 6 copy running config startup config Optional Save your entries in the configuration file Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next...

Page 154: ...rve peer access list number Create an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the switch to synchronize to the remote device peer Allows time requests and NTP control queries and allows the switch to synchronize...

Page 155: ... are enabled on all interfaces by default Beginning in privileged EXEC mode follow these steps to disable NTP packets from being received on an interface To re enable receipt of NTP packets on an interface use the no ntp disable interface configuration command Configuring the Source IP Address for NTP Packets When the switch sends an NTP packet the source IP address is normally set to the address ...

Page 156: ...IOS Release 12 1 Configuring Time and Date Manually If no other source of time is available you can manually configure the time and date after the system is restarted The time remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source to which the switch can synchronize you do not need to manually set the system...

Page 157: ...n set by a timing source such as NTP the flag is set If the time is not authoritative it is used only for display purposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show clock display has this meaning Time is not authoritative blank Time is authoritative Time...

Page 158: ...is clock timezone AST 3 30 To set the time to UTC use the no clock timezone global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock timezone zone hours offset minutes offset Set the time zone The switch keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is manually set...

Page 159: ...fig clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring w...

Page 160: ...pril 26 2001 at 02 00 Switch config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configure summer time to start on the first date and en...

Page 161: ... Prompt Configuration page 7 15 Configuring a System Name page 7 15 Configuring a System Prompt page 7 16 Understanding DNS page 7 16 Default System Name and Prompt Configuration The default switch system name and prompt is Switch Configuring a System Name Beginning in privileged EXEC mode follow these steps to manually configure a system name When you set the system name it is also used as the sy...

Page 162: ...ecific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the...

Page 163: ...separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify ...

Page 164: ...guration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected terminals It appears after the MOTD b...

Page 165: ...ple shows the banner displayed from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of ...

Page 166: ...ncludes these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast or multicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address Note For complete syntax an...

Page 167: ...new dynamic addresses and aging out those that are not in use The aging interval is configured on a per switch basis However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwards...

Page 168: ... new addresses from being learned Beginning in privileged EXEC mode follow these steps to configure the dynamic address table aging time To return to the default value use the no mac address table aging time global configuration command Table 7 3 Default MAC Address Table Configuration Feature Default Setting Aging time 300 seconds Dynamic addresses Automatically learned Static addresses None conf...

Page 169: ...res the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and secure MAC addresses events are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address notification traps to an NMS host Command Purpose Step...

Page 170: ...g interface fastethernet0 4 Switch config if snmp trap mac notification added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional For interval valu...

Page 171: ...face specified with the interface id option Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the address table use the no mac address table static mac addr vlan vlan id interface interface id global configuration command This example shows how to add the static address c2f3 220a 12f4 to the MAC address table When a packet is received in VLA...

Page 172: ...static mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as a source or destination If you enter the mac address table static mac addr vlan vlan id drop global configuration command followed by the mac address table static mac addr vlan vlan id interface interface id command the switch adds the MAC address as a static address You enable unicast MAC address ...

Page 173: ...es of features QoS and security ACEs The access template might typically be used in an access switch at the network edge where the route table sizes might not be substantial Filtering and QoS might be more important because an access switch is the entry to the whole network Routing The routing template maximizes system resources for unicast routing typically required for a router or aggregator in ...

Page 174: ...ubnet VLANs routed ports and SVIs are not limited by software and can be set to a number higher than indicated in the tables If the number of subnet VLANs configured is lower or equal to the number in the tables the number of entries in each category unicast addresses IGMP groups and so on for each template will be as shown As the number of subnet VLANs increases CPU utilization typically increase...

Page 175: ... global configuration command on a switch does not enable routing but it would prevent other features from using the memory allocated to unicast and multicast routing in the routing template which could be up to 30 K in Gigabit Ethernet switches and 17 K in Fast Ethernet switches You must use the extended match keyword to support 144 bit Layer 3 TCAM when WCCP or multi VRF CE is enabled on the swi...

Page 176: ...routing Switch config end Switch reload Proceed with reload confirm Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 sdm prefer access extended match extended match routing extended match vlan Specify the SDM template to be used on the switch The keywords have these meanings access Maximizes the use of QoS classification ACEs and security ACEs on the switch routing ...

Page 177: ... into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port or line they must enter the password specified for the port or line before they can access the switch For more information see the Protecti...

Page 178: ...is configuration information Default Password and Privilege Level Configuration page 8 2 Setting or Changing a Static Enable Password page 8 3 Protecting Enable and Enable Secret Passwords with Encryption page 8 4 Disabling Password Recovery page 8 5 Setting a Telnet Password for a Terminal Line page 8 6 Configuring Username and Password Pairs page 8 7 Configuring Multiple Privilege Levels page 8 ...

Page 179: ...sword password Define a new password or change an existing password for access to privileged EXEC mode By default no password is defined For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces It can contain the question mark character if you precede the question mark with the key combin...

Page 180: ...pted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is normal user EXEC mode privileges The default level is 15 privileged EXEC mode privileg...

Page 181: ...ecovery By default any end user with physical access to the Catalyst 3550 switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password The password recovery disable feature protects access to the switch password by disabling part of this functionality When this feature is enabled the end user can interrupt the boot pro...

Page 182: ...erminal Enter global configuration mode Step 2 no service password recovery Disable password recovery This setting is saved in an area of the Flash memory that is accessible by the boot loader and the Cisco IOS image but it is not part of the file system and is not accessible by any user Step 3 end Return to privileged EXEC mode Step 4 show version Verify the configuration by checking the last few...

Page 183: ...e configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after gainin...

Page 184: ...ation information Setting the Privilege Level for a Command page 8 8 Changing the Default Privilege Level for Lines page 8 9 Logging into and Exiting a Privilege Level page 8 10 Setting the Privilege Level for a Command Beginning in privileged EXEC mode follow these steps to set the privilege level for a command mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ...

Page 185: ...hey can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console line to restrict line usage To return to the default line privilege level use the no privilege level line configuration command Step 5 show running con...

Page 186: ...TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular auth...

Page 187: ...tion or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting records include u...

Page 188: ...lternative method for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon i...

Page 189: ...n group servers to select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list and contains the list of IP addresses of the selected server hosts Beginning in privileged EXEC mode follow these steps to identify the IP host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 c...

Page 190: ...A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authenticati...

Page 191: ... TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 8 13 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration comma...

Page 192: ...rict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI even i...

Page 193: ...these steps to enable TACACS accounting for each Cisco IOS privilege level and for network services To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode S...

Page 194: ...US server documentation Use RADIUS in these network environments that require access security Networks with multiple vendor access servers each supporting RADIUS For example access servers from several vendors use a single RADIUS server based security database In an IP based network with multiple vendors access servers dial in users are authenticated through a RADIUS server that has been customize...

Page 195: ...e events occur 1 The user is prompted to enter a username and password 2 The username and encrypted password are sent over the network to the RADIUS server 3 The user receives one of these responses from the RADIUS server a ACCEPT The user is authenticated b REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge...

Page 196: ... list is exhausted You should have access to and should configure a RADIUS server before configuring RADIUS features on your switch This section contains this configuration information Default RADIUS Configuration page 8 20 Identifying the RADIUS Server Host page 8 20 required Configuring RADIUS Login Authentication page 8 23 required Defining AAA Server Groups page 8 25 optional Configuring RADIU...

Page 197: ...h use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS servers on a per server basis or in some combination of...

Page 198: ...r timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication ...

Page 199: ...st be applied to a specific interface before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authe...

Page 200: ...the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 8 20 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the use...

Page 201: ...ed server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts...

Page 202: ...nsmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as ...

Page 203: ...group server radius group2 Switch config sg radius server 172 20 0 1 auth port 2000 acct port 2001 Switch config sg radius exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database o...

Page 204: ... aaa accounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization to determine if the user has ...

Page 205: ...e Cisco TACACS specification and sep is for mandatory attributes and is for optional attributes The full set of features available for TACACS authorization can then be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is a text st...

Page 206: ...avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs refer to RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more inf...

Page 207: ... global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpos...

Page 208: ...urity Command Reference Release 12 1 at this URL http www cisco com univercd cc td doc product software ios121 121cgcr secur_r srprt2 srdkerb htm Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 1 the trusted third party can be a Catalyst 3550 switch that supports Kerberos that is configured as a network security server and that can authenticat...

Page 209: ...e credentials Kerberos credentials verify the identity of a user or service If a network service decides to trust the Kerberos server that issued a ticket it can be used in place of re entering a username and password Credentials have a default lifespan of eight hours Instance An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smith...

Page 210: ...er Network services query the Kerberos server to authenticate to other network services KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later Kerberos versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KEYTAB is referred to as SRVTAB4 Principal Also known as a Kerb...

Page 211: ...l authentication until the user logs on to the switch Obtaining a TGT from a KDC This section describes the second layer of security through which a remote user must pass The user must now authenticate to a KDC and obtain a TGT from the KDC to access network services For instructions about how to authenticate to a KDC refer to the Obtaining a TGT from a KDC section in the Security Server Protocols...

Page 212: ...e Cisco IOS Security Configuration Guide Release 12 1 at this URL http www cisco com univercd cc td doc product software ios121 121cgcr secur_c scprt2 scdkerb htm xtocid154007 Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode The switch then handles authentication and authorizatio...

Page 213: ...uct software ios122 122cgcr fsecur_c fothersf scfssh htm Note For complete syntax and usage information for the commands used in this section refer to the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr index htm Step 6 username name privilege level password encryption type pas...

Page 214: ...o works with the SSH server supported in this release and with non Cisco SSH servers The switch supports an SSHv1 or an SSHv2 server The switch supports an SSHv1 client SSH supports the Data Encryption Standard DES encryption algorithm the Triple DES 3DES encryption algorithm and password based user authentication SSH also supports these user authentication methods TACACS for more information see ...

Page 215: ... appear If it does you must configure an IP domain name by using the ip domain name global configuration command When configuring the local authentication and authorization authentication method make sure that AAA is disabled on the console Setting Up the Switch to Run SSH Follow these steps to set up your switch to run SSH 1 Download the cryptographic software image from Cisco com This step is re...

Page 216: ... Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip ssh version 1 2 Optional Configure the switch to run SSH version 1 or SSH version 2 1 Configure the switch to run SSH version 1 2 Configure the switch to run SSH version 2 If you do not enter this command or do not specify a keyword the SSH server selects the latest SSH version supported by the SSH client For exam...

Page 217: ...ommands section in the Other Security Features chapter of the Cisco IOS Security Command Reference Cisco IOS Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fsecur_r fothercr srfssh htm Step 5 show ip ssh or show ssh Display the version and configuration information for your SSH server Display the status of the SSH server connections on the switch Ste...

Page 218: ...8 42 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 8 Configuring Switch Based Authentication Configuring the Switch for Secure Shell ...

Page 219: ...col that restricts unauthorized clients from connecting to a LAN through publicly accessible ports The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN Until the client is authenticated 802 1X access control allows only Extensible Authentication Protocol over LAN EAPOL Cisco Discovery Protocol CDP and S...

Page 220: ...ure Access Control Server version 3 0 or later RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client an...

Page 221: ...s from the client are dropped If the client does not receive an EAP request identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page 9 4 When...

Page 222: ...es normal traffic without 802 1X based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the interface auto enables 802 1X authentication and causes the port to begin in the unauthorized state allow...

Page 223: ...nable port security and 802 1X on a port 802 1X authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limit the number or group of clients that can access the network through an 802 1X port These are some examples of the interaction between 802 1X and port security on the switch When a client is authenticated and the port se...

Page 224: ...ntication succeeds on the primary VLAN A voice VLAN port becomes active when there is link and the device MAC address appears after the first CDP message from the IP phone Cisco IP phones do not relay CDP messages from other devices As a result if several Cisco IP phones are connected in series the switch recognizes only the one directly connected to it When 802 1X is enabled on a voice VLAN port ...

Page 225: ...e VLAN 65 Tunnel Medium Type 802 81 Tunnel Private Group ID VLAN name or VLAN ID Attribute 64 must contain the value VLAN type 13 Attribute 65 must contain the value 802 type 6 Attribute 81 specifies the VLAN name or VLAN ID assigned to the 802 1X authenticated user For examples of tunnel attributes see the Configuring the Switch to Use Vendor Specific RADIUS Attributes section on page 8 29 Using ...

Page 226: ...e switch during the authentication process The VSAs used for per user ACLs are inacl n for ingress direction and outacl n for egress direction MAC ACLs are only supported in the ingress direction Use only extended ACL syntax style to define the per user configuration stored on the RADIUS server When the definitions are passed from the RADIUS server they are created by using the extended naming con...

Page 227: ... 9 15 optional Setting the Switch to Client Frame Retransmission Number page 9 16 optional Configuring the Host Mode page 9 17 optional Configuring a Guest VLAN page 9 17 optional Resetting the 802 1X Configuration to the Default Values page 9 18 optional Default 802 1X Configuration Table 9 1 shows the default 802 1X configuration Table 9 1 Default 802 1X Configuration Feature Default Setting Aut...

Page 228: ...abling 802 1X on the port you must first remove it from the EtherChannel If you try to enable 802 1X on an EtherChannel or on an active port in an EtherChannel an error message appears and 802 1X is not enabled If you enable 802 1X on a not yet active port of an EtherChannel the port does not join the EtherChannel Switched Port Analyzer SPAN and Remote SPAN RSPAN destination ports You can enable 8...

Page 229: ... by using the dot1x system auth control global configuration command If 802 1X was running in multiple hosts mode on an interface in the previous release make sure to reconfigure it by using the dot1x host mode multi host interface configuration command Enabling 802 1X Authentication To enable 802 1X port based authentication you must enable AAA and specify the authentication method list A method ...

Page 230: ...e used in default situations The default method list is automatically applied to all interfaces Enter at least one of these keywords group radius Use the list of all RADIUS servers for authentication none Use no authentication The client is automatically authenticated by the switch without using the information supplied by the client Step 4 dot1x system auth control Enable 802 1X authentication gl...

Page 231: ...ransmission and encryption key values for all RADIUS servers by using the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Configuring Settings for All RADIUS Servers section on page 8 29 Command Purp...

Page 232: ...f seconds between re authentication attempts to 4000 Switch config if dot1x reauthentication Switch config if dot1x timeout reauth period 4000 Manually Re Authenticating a Client Connected to a Port You can manually re authenticate the client connected to a specific port at any time by entering the dot1x re authenticate interface interface id privileged EXEC command This step is optional If you wa...

Page 233: ...h does not receive this response it waits a set period of time known as the retransmission time and then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to change the amount ...

Page 234: ...is optional To return to the default retransmission number use the no dot1x max req interface configuration command This example shows how to set 5 as the number of times that the switch sends an EAP request identity request before restarting the authentication process Switch config if dot1x max req 5 Step 3 dot1x timeout tx period seconds Set the number of seconds that the switch waits for a resp...

Page 235: ...d set to auto This procedure is optional To disable multiple hosts on the port use the no dot1x host mode multi host interface configuration command This example shows how to enable Fast Ethernet interface 0 1 to allow multiple hosts Switch config interface fastethernet0 1 Switch config if dot1x port control auto Switch config if dot1x host mode multi host Configuring a Guest VLAN When you configu...

Page 236: ...e interface to be configured For the supported interface types see the 802 1X Configuration Guidelines section on page 9 10 Step 3 dot1x guest vlan vlan id Specify an active VLAN as an 802 1X guest VLAN The range is 1 to 4094 Any VLAN can be configured as an 802 1X guest VLAN except internal routed port VLANs RSPAN VLANs or voice VLANs Step 4 end Return to privileged EXEC mode Step 5 show dot1x in...

Page 237: ...mand To display 802 1X statistics for a specific interface use the show dot1x statistics interface interface id privileged EXEC command To display the 802 1X administrative and operational status for the switch use the show dot1x all privileged EXEC command To display the 802 1X administrative and operational status for a specific interface use the show dot1x interface interface id privileged EXEC...

Page 238: ...9 20 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 9 Configuring 802 1X Port Based Authentication Displaying 802 1X Statistics and Status ...

Page 239: ... and usage information for the commands used in this chapter refer to the switch command reference for this release and the online Cisco IOS Interface Command Reference for Release 12 1 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface ty...

Page 240: ... When VTP mode is transparent the VTP and VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desired ...

Page 241: ...Voice VLAN Trunk Ports A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database Two types of trunk ports are supported In an ISL trunk port all received packets are expected to be encapsulated with an ISL header and all transmitted packets are sent with an ISL header Native non tagged frames received from an ISL trunk port are dropped An IEEE ...

Page 242: ... or to provide IP host connectivity to the switch By default an SVI is created for the default VLAN VLAN 1 to permit remote switch administration Additional SVIs must be explicitly configured In Layer 2 mode SVIs provide IP host connectivity only to the system in Layer 3 mode you can configure routing across SVIs SVIs are created the first time that you enter the vlan interface configuration comma...

Page 243: ...An EtherChannel balances the traffic load across the links in the channel If a link within the EtherChannel fails traffic previously carried over the failed link changes to the remaining links You can group multiple trunk ports into one logical trunk port group multiple access ports into one logical access port group multiple tunnel ports into one logical tunnel port or group multiple routed ports...

Page 244: ...idging the standard software image supports only basic routing static routing and RIP Whenever possible to maintain high performance forwarding is done by switch hardware However only IP version 4 packets with Ethernet II encapsulation can be routed in hardware All other types of traffic can be fallback bridged by hardware The routing function can be enabled on all SVIs and routed ports The Cataly...

Page 245: ...ernet fastethernet or fa for 10 100 Ethernet or Gigabit Ethernet gigabitethernet or gi Slot The slot number on the switch always 0 on this switch Port number The interface number on the switch The port numbers always begin at 1 starting at the left when facing the front of the switch for example fastethernet 0 1 fastethernet 0 2 If there is more than one media type for example 10 100 ports and Gig...

Page 246: ...or for the specified interface Configuring a Range of Interfaces You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters When you enter the interface range configuration mode all command parameters that you enter are attributed to all interfaces within that range until you exit this mode Beginning in privileged EXEC mode ...

Page 247: ...e Oct 6 08 24 35 LINK 3 UPDOWN Interface FastEthernet0 1 changed state to up Oct 6 08 24 35 LINK 3 UPDOWN Interface FastEthernet0 2 changed state to up Oct 6 08 24 35 LINK 3 UPDOWN Interface FastEthernet0 3 changed state to up Oct 6 08 24 35 LINK 3 UPDOWN Interface FastEthernet0 4 changed state to up Oct 6 08 24 35 LINK 3 UPDOWN Interface FastEthernet0 5 changed state to up Oct 6 08 24 36 LINEPROT...

Page 248: ...delines Valid entries for interface range vlan vlan ID vlan ID where VLAN ID is from 1 to 4094 fastethernet slot first port last port where slot is 0 gigabitethernet slot first port last port where slot is 0 port channel port channel number port channel number where port channel number is from 1 to 64 You must add a space between the interface numbers and the hyphen when entering an interface rang...

Page 249: ...rnet0 1 2 fastethernet0 5 7 Switch config end Switch This example shows how to enter interface range configuration mode for the interface range macro enet_list Switch configure terminal Switch config interface range macro enet_list Switch config if range This example shows how to delete the interface range macro enet_list and to verify that it has been deleted Switch configure terminal Switch conf...

Page 250: ...or 802 1Q trunks VLAN 1 VLAN trunking Switchport mode dynamic desirable supports DTP Port enable state All ports are enabled Port description None defined Speed Autonegotiate Duplex mode Autonegotiate Flow control Flow control is set to off for receive and desired for send for Gigabit Ethernet ports For 10 100 Mb s ports send is always off EtherChannel PAgP Disabled on all Ethernet ports See Chapt...

Page 251: ... GBIC interfaces Note You cannot configure speed or duplex mode on Gigabit Interface Converter GBIC ports but for certain types of GBICs you can configure speed to not negotiate nonegotiate if connected to a device that does not support autonegotiation These sections describe how to configure the interface speed and duplex mode Configuration Guidelines page 10 13 Setting the Interface Speed and Du...

Page 252: ...r supply power to these devices and to disable the inline power detection For certain IEEE Power Devices that require multiple reloads during initialization you can set a delay shutdown time to configure the switch to continue providing power during initialization For more information about configuring a delay shutdown time refer to the command reference for this release Note This feature is only ...

Page 253: ... Before configuring flowcontrol on an interface use the no mls qos global configuration command to disable QoS on the switch Flow control can be implemented in two forms symmetric and asymmetric The symmetric implementation is suitable for point to point links and asymmetric is suitable for hub to end node connections where it is desirable for the hub to pause the end system but not vice versa You...

Page 254: ... the resulting flow control resolution on local and remote ports refer to the flowcontrol interface configuration command in the command reference for this release Beginning in privileged EXEC mode follow these steps to configure flow control on an interface To disable flow control use the flowcontrol receive off and flowcontrol send off interface configuration commands This example shows how to t...

Page 255: ...erify the description Switch config terminal Enter configuration commands one per line End with CNTL Z Switch config interface fastethernet0 4 Switch config if description Connects to Marketing Switch config if end Switch show interfaces fastethernet0 4 description Interface Status Protocol Description Fa0 4 up down Connects to Marketing Command Purpose Step 1 configure terminal Enter global confi...

Page 256: ...nship between this number and the number of other features being configured might have an impact on CPU utilization because of hardware limitations For more information about feature combinations see the Optimizing System Resources for User Selected Features section on page 7 27 All Layer 3 interfaces require an IP address to route traffic The following procedure shows how to configure an interfac...

Page 257: ...1500 bytes Helper address is not set Directed broadcast forwarding is disabled output truncated Monitoring and Maintaining the Interfaces You can perform the tasks in these sections to monitor and maintain interfaces Monitoring Interface and Controller Status page 10 19 Clearing and Resetting Interfaces and Counters page 10 21 Shutting Down and Restarting the Interface page 10 22 Monitoring Interf...

Page 258: ...ion dot1q Negotiation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Protected false Unknown unicast blocked disabled Unknown multicast blocked disabled Table 10 2 show Commands for Interfaces Command Purpose show interfaces interface id Display the status and configuration of all interfaces or a specific inter...

Page 259: ...n by the show interfaces privileged EXEC command use the clear counters privileged EXEC command The clear counters command clears all current interface counters from the interface unless optional arguments are specified to clear only a specific interface type from a specific interface number Note The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network M...

Page 260: ... no shutdown interface configuration command to restart the interface This example shows how to shut down Fast Ethernet interface 0 5 Switch configure terminal Switch config interface fastethernet0 5 Switch config if shutdown Switch config if Sep 30 08 33 47 LINK 5 CHANGED Interface FastEthernet0 5 changed state to a administratively down This example shows how to re enable Fast Ethernet interface...

Page 261: ...artPort Macros SmartPort macros provide a convenient way to save and share common configurations You can use SmartPort macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network Each SmartPort macro is a set of CLI commands that you define SmartPort macros do not contain new CLI commands they are simply a group ...

Page 262: ...in interface types The macro will fail the syntax check or the configuration check and the switch will return an error message if it is applied to an interface that does not accept the configuration When a macro is applied to an interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration to an interface If you modify a macro definiti...

Page 263: ...ktop switchport port security maximum 1 Put all data traffic in vlan 1 switchport access vlan 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 macro name macro name Create a macro definition and enter a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the chara...

Page 264: ...e sent into the network spanning tree bpduguard enable Restrict the port to one address that of desktop switchport port security maximum 1 Put all data traffic in vlan 1 switchport access vlan 1 Switch show parser macro description Interface Macro Description Fa0 9 desktop config Displaying SmartPort Macros To display the SmartPort macros use one or more of the privileged EXEC commands in Table 11...

Page 265: ...ed by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in the VLAN Each VLAN is conside...

Page 266: ...faces section on page 10 4 and the Configuring Layer 3 Interfaces section on page 10 18 Supported VLANs The Catalyst 3550 switch supports 1005 VLANs in VTP client server and transparent modes VLANs are identified with a number from 1 to 4094 VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs VTP only learns normal range VLANs with VLAN IDs 1 to 1005 VLAN IDs greater than 1005 ar...

Page 267: ...network wide basis VTP exchanges VLAN configuration messages with other switches over trunk links Dynamic access A dynamic access port can belong to one normal range VLAN VLAN ID 1 to 1005 and is dynamically assigned by a VMPS The VMPS can be a Catalyst 5000 or Catalyst 6000 series switch for example but never a Catalyst 3550 switch You can have dynamic access ports and trunk ports on the same swi...

Page 268: ...ering the show vlan privileged EXEC command The vlan dat file is stored in Flash memory Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan dat file If you want to modify the VLAN configuration use the commands described in these sections and in the command reference for this release To change the VTP configuration see Chapter 13 Configuring VTP You ...

Page 269: ... Ring TrCRF VLANs For more information on configuring Token Ring VLANs refer to the Catalyst 5000 Series Software Configuration Guide Normal Range VLAN Configuration Guidelines Follow these guidelines when creating and modifying normal range VLANs in your network The switch supports 1005 VLANs in VTP client server and transparent modes Normal range VLANs are identified with a number between 1 and ...

Page 270: ...ommand VLAN Configuration in VLAN Configuration Mode page 12 6 You access VLAN database configuration mode by entering the vlan database privileged EXEC command VLAN Configuration in config vlan Mode To access config vlan mode enter the vlan global configuration command with a VLAN ID Enter a new VLAN ID to create a VLAN or with an existing VLAN ID to modify the VLAN You can use the default VLAN c...

Page 271: ... database If the VTP mode or domain name in the startup configuration does not match the VLAN database the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information If VTP mode is server the domain name and VLAN configuration for the first 1005 VLANs use the VLAN database information If the switch is running Cisco IOS Release 12 1 9 EA1 or later and you ...

Page 272: ...llow these steps to use config vlan mode to create or modify an Ethernet VLAN Table 12 2 Ethernet VLAN Defaults and Ranges Parameter Default Range VLAN ID 1 1 to 4094 Note Extended range VLANs VLAN IDs 1006 to 4094 are not saved in the VLAN database VLAN name VLANxxxx where xxxx represents four numeric digits including leading zeros equal to the VLAN ID number No range 802 10 SAID 100001 100000 pl...

Page 273: ...eged EXEC mode Step 7 show vlan name vlan name id vlan id Verify your entries Step 8 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration is saved in the running configuration file as well as in the VLAN database This saves the configuration in the switch startup configuration file Command Purpose Command Purpose Step 1 vlan database Enter VLA...

Page 274: ...e the default VLANs for the different media types Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005 Caution When you delete a VLAN any ports assigned to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Beginning in privileged EXEC mode follow these steps to delete a VLAN on the switch by using global configuration mode To ...

Page 275: ...command This example shows how to configure Fast Ethernet interface 0 1 as an access port in VLAN 2 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface fastethernet0 1 Switch config if switchport mode access Switch config if switchport access vlan 2 Switch config if end Switch Command Purpose Step 1 configure terminal Enter global configurati...

Page 276: ...guration page 12 12 Extended Range VLAN Configuration Guidelines page 12 12 Creating an Extended Range VLAN page 12 13 Creating an Extended Range VLAN with an Internal VLAN ID page 12 14 Default VLAN Configuration See Table 12 2 on page 12 8 for the default configuration for Ethernet VLANs You can change only the MTU size on extended range VLANs all other characteristics must remain at the default...

Page 277: ...he internal VLAN which frees up the internal VLAN and then create the extended range VLAN and re enable the port which then uses another VLAN as its internal VLAN See the Creating an Extended Range VLAN with an Internal VLAN ID section on page 12 14 Creating an Extended Range VLAN You create an extended range VLAN in global configuration mode by entering the vlan global configuration command with ...

Page 278: ...ig vlan mode The range is 1006 to 4094 Step 4 mtu mtu size Optional Modify the VLAN by changing the MTU size Note Although all commands appear in the CLI help in config vlan mode only the mtu mtu size command is supported for extended range VLANs Step 5 end Return to privileged EXEC mode Step 6 show vlan id vlan id Verify that the VLAN has been created Step 7 copy running config startup config Sav...

Page 279: ...port that you shut down in Step 4 Step 10 no shutdown Re enable the routed port It will be assigned a new internal VLAN ID Step 11 end Return to privileged EXEC mode Step 12 copy running config startup config Save your entries in the switch startup configuration file To save an extended range VLAN configuration you need to save the VTP transparent mode configuration and the extended range VLAN con...

Page 280: ...unking encapsulation 802 1Q 802 1Q is industry standard trunking encapsulation Figure 12 2 shows a network of switches that are connected by ISL trunks Figure 12 2 Switches in an ISL Trunking Environment You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about EtherChannel see Chapter 30 Configuring EtherChannels Ethernet trunk interfaces sup...

Page 281: ... Modes Mode Function switchport mode access Puts the interface access port into permanent nontrunking mode The interface becomes a nontrunk interface even if the neighboring interface is a trunk interface switchport mode dynamic desirable Makes the interface actively attempt to convert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk des...

Page 282: ...tree instance of the non Cisco 802 1Q switch However spanning tree information for each VLAN is maintained by Cisco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches Make sure the native VLAN for an 802 1Q trunk is the same on both ends of the trunk link If the native VLAN on on...

Page 283: ...ow trunking the link is a Layer 2 trunk or if the interface is in Layer 3 mode it becomes a Layer 2 trunk when you enter the switchport interface configuration command By default trunks negotiate encapsulation If the neighboring interface supports ISL and 802 1Q encapsulation and both interfaces are set to negotiate the encapsulation type the trunk uses ISL encapsulation Interaction with Other Fea...

Page 284: ...igure the port to support ISL or 802 1Q encapsulation or to negotiate the default with the neighboring interface for encapsulation type You must configure each end of the link with the same encapsulation type Step 4 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk required only if the interface is a Layer 2 access port or tunnel port or to specify the trunkin...

Page 285: ...on any individual VLAN trunk port by removing VLAN 1 from the allowed list This is known as VLAN 1 minimization VLAN 1 minimization disables VLAN 1 the default VLAN on all Cisco switch trunk ports on an individual VLAN trunk link As a result no user traffic including spanning tree advertisements is sent or received on VLAN 1 When you remove VLAN 1 from a trunk port the interface continues to send ...

Page 286: ...4094 or a range of VLANs described by two VLAN numbers the lower one first separated by a hyphen Do not enter any spaces between comma separated VLAN parameters or in hyphen specified ranges All VLANs are allowed by default Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id switchport Verify your entries in the Trunking VLANs Enabled field of the display Step 7 copy runn...

Page 287: ...packet is sent untagged otherwise the switch sends the packet with a tag Load Sharing Using STP Load sharing divides the bandwidth supplied by parallel trunks connecting switches To avoid loops STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to which VLAN the traffic belongs Step 5 show interfaces interface id swi...

Page 288: ... this example the switches are configured as follows VLANs 8 through 10 are assigned a port priority of 10 on Trunk 1 VLANs 3 through 6 retain the default port priority of 128 on Trunk 1 VLANs 3 through 6 are assigned a port priority of 10 on Trunk 2 VLANs 8 through 10 retain the default port priority of 128 on Trunk 2 In this way Trunk 1 carries traffic for VLANs 8 through 10 and Trunk 2 carries ...

Page 289: ...tep 14 Repeat Steps 7 through 11 on Switch 2 to configure the trunk ports on Fast Ethernet ports 0 1 and 0 2 Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch 2 Verify that Switch 2 has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch 1 Step 17 interface fastethernet0 1 Enter interface configuration m...

Page 290: ...tch 1 Step 2 interface fastethernet 0 1 Enter interface configuration mode and define Fast Ethernet port 0 1 as the interface to be configured as a trunk Step 3 switchport trunk encapsulation isl dot1q negotiate Configure the port to support ISL or 802 1Q encapsulation You must configure each end of the link with the same encapsulation type Step 4 switchport mode trunk Configure the port as a trun...

Page 291: ...the port access to the VLAN In response to a request the VMPS takes one of these actions If the assigned VLAN is restricted to a group of ports the VMPS verifies the requesting port against this group and responds as follows If the VLAN is allowed on the port the VMPS sends the VLAN name to the client in response If the VLAN is not allowed on the port and the VMPS is not in secure mode the VMPS se...

Page 292: ...es that the domain name in the packet matches its own domain name before accepting the request and responds to the client with the assigned VLAN number for the client If there is no match the VMPS either denies the request or shuts down the port depending on the VMPS secure mode setting Multiple hosts MAC addresses can be active on a dynamic port if they are all in the same VLAN however the VMPS s...

Page 293: ...he VMPS domain must be defined vmps mode open secure The default mode is open vmps fallback vlan name vmps no domain req allow deny The default value is allow vmps domain DSBU vmps mode open vmps fallback default vmps no domain req deny MAC Addresses vmps mac addrs address addr vlan name vlan_name address 0012 2233 4455 vlan name hardware address 0000 6509 a080 vlan name hardware address aabb ccdd...

Page 294: ...tandard port names For the cluster based port naming conventions see the VMPS Database Configuration File section on page 12 28 When you configure a port as a dynamic access port the spanning tree Port Fast feature is automatically enabled for that port The Port Fast mode accelerates the process of bringing the port into the forwarding state 802 1X ports cannot be configured as dynamic access port...

Page 295: ... the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client Note If the VMPS is being defined for a cluster of switches enter the address on the command switch Beginning in privileged EXEC mode follow these steps to enter the IP address of the VMPS Note The switch port that is connected to the VMPS server cannot be a dynamic access port It can ...

Page 296: ...port access vlan dynamic interface configuration command the port might allow unauthorized users to access network resources if the interface changes from access mode to trunk mode through the DTP negotiation The workaround is to configure the port as a static access port Reconfirming VLAN Memberships Beginning in privileged EXEC mode follow these steps to confirm the dynamic port VLAN membership ...

Page 297: ...times that the switch attempts to contact the VMPS before querying the next server To return the switch to its default setting use the no vmps retry global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps reconfirm minutes Enter the number of minutes between reconfirmations of the dynamic VLAN membership Enter a number from 1 to 120 The de...

Page 298: ...connecting to the network More than 20 active hosts reside on a dynamic port To re enable a disabled dynamic port enter the no shutdown interface configuration command VMPS VQP Version The version of VQP used to communicate with the VMPS The switch queries the VMPS that is using VQP version 1 Reconfirm Interval The number of minutes the switch waits before reconfirming the VLAN to MAC address assi...

Page 299: ...he database configuration file is stored on the TFTP server with the IP address 172 20 22 7 Figure 12 5 Dynamic Port VLAN Membership Configuration Primary VMPS Server 1 Catalyst 6000 series Secondary VMPS Server 2 Catalyst 6000 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6000 series 172 20 26 152 Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 2...

Page 300: ...12 36 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 12 Configuring VLANs Configuring VMPS ...

Page 301: ...nfigurations and configuration inconsistencies that can cause several problems such as duplicate VLAN names incorrect VLAN type specifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in ...

Page 302: ... configuration revision number is lower than the configuration revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number If you add a switch that has a revision number higher than the revision number in the VTP domain it can erase all VLAN information from the VTP server and VT...

Page 303: ...version for the entire VTP domain VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links In VTP server mode VLAN configurations are saved in nonvolatile RAM NVRAM VTP server is the default mode VTP client A VTP client behaves like a VTP server but you ca...

Page 304: ...on and domain name Consistency Checks In VTP version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through the CLI the Cluster Management Software CMS or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the MD5 digest on a received VTP message is correc...

Page 305: ...domain Making VLANs pruning eligible or pruning ineligible affects pruning eligibility for those VLANs on that device only not on all switches in the VTP domain See the Enabling VTP Pruning section on page 13 13 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 and VLANs 1002 to 1005 are always pruning inel...

Page 306: ...AN pruning eligibility whether or not VTP pruning is enabled for the VTP domain whether or not any given VLAN exists and whether or not the interface is currently trunking Configuring VTP This section includes guidelines and procedures for configuring VTP These sections are included Default VTP Configuration page 13 6 VTP Configuration Options page 13 7 VTP Configuration Guidelines page 13 8 Confi...

Page 307: ...onfiguration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or domain name in the startup configuration do not match the VLAN database the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database informat...

Page 308: ... a password or with the wrong password reject VTP advertisements If you configure a VTP password for a domain a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password After the configuration the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement If you are adding a...

Page 309: ...configured on the switch you cannot change VTP mode to server You receive an error message and the configuration is not allowed Beginning in privileged EXEC mode follow these steps to configure the switch as a VTP server When you configure a domain name it cannot be removed you can only reassign a switch to a different domain To return the switch to a no password state use the no vtp password glob...

Page 310: ...ch vlan vtp domain eng_group Switch vlan vtp password mypassword Switch vlan exit APPLY completed Exiting Configuring a VTP Client When a switch is in VTP client mode you cannot change its VLAN configuration The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly Command Purpose Step 1 vlan database Enter VLAN configuration mode St...

Page 311: ... 13 9 Use the no vtp client VLAN configuration command to return the switch to VTP server mode or the no vtp password VLAN configuration command to return the switch to a no password state When you configure a domain name it cannot be removed you can only reassign a switch to a different domain Disabling VTP VTP Transparent Mode When you configure the switch for VTP transparent mode you disable VT...

Page 312: ...rver section on page 13 9 Use the no vtp transparent VLAN configuration command to return the switch to VTP server mode If extended range VLANs are configured on the switch you cannot change VTP mode to server You receive an error message and the configuration is not allowed Enabling VTP Version 2 VTP version 2 is disabled by default on VTP version 2 capable switches When you enable VTP version 2 ...

Page 313: ...evices You can only enable VTP pruning on a switch in VTP server mode Beginning in privileged EXEC mode follow these steps to enable VTP pruning in the VTP domain To disable VTP pruning use the no vtp pruning global configuration command Note You can also enable VTP pruning by using the vlan database privileged EXEC command to enter VLAN configuration mode and entering the vtp pruning VLAN configu...

Page 314: ... domain name by entering the vlan database privileged EXEC command to enter VLAN configuration mode and by entering the vtp domain domain name command In this mode you must enter the exit command to update VLAN information and return to privileged EXEC mode After resetting the configuration revision number add the switch to the VTP domain Command Purpose Step 1 show vtp status Check the VTP config...

Page 315: ... 69 VTP Operating Mode Server VTP Domain Name test VTP Pruning Mode Disabled VTP V2 Mode Disabled VTP Traps Generation Disabled MD5 digest 0x59 0xBA 0x92 0xA4 0x74 0xD5 0x42 0x29 Configuration last modified by 0 0 0 0 at 3 1 93 00 18 42 Local updater ID is 10 1 1 59 on interface Vl1 lowest numbered VLAN interface found This is an example of output from the show vtp counters privileged EXEC command...

Page 316: ...13 16 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 13 Configuring VTP Monitoring VTP ...

Page 317: ...0 IP Phone and carry IP voice traffic Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1P class of service CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable manner For more information on QoS see Chapter 29 Configuring QoS The Cisco 7960 IP Phone ...

Page 318: ...ng Voice VLAN This section describes how to configure voice VLAN on access ports It contains this configuration information Default Voice VLAN Configuration page 14 2 Voice VLAN Configuration Guidelines page 14 3 Configuring a Port to Connect to a Cisco 7960 IP Phone page 14 3 Default Voice VLAN Configuration The voice VLAN feature is disabled by default When the voice VLAN feature is enabled all ...

Page 319: ...gure static secure or sticky secure MAC addresses on a voice VLAN Voice VLAN ports can also be these port types Dynamic access port See the Configuring Dynamic Access Ports on VMPS Clients section on page 12 32 for more information Secure port See the Configuring Port Security section on page 21 8 for more information 802 1X authenticated port See the Using 802 1X with Voice VLAN Ports section on ...

Page 320: ...or untagged packets use the port default CoS value Step 5 switchport voice vlan vlan id Instruct the Cisco IP Phone to forward all voice traffic through the specified VLAN By default the Cisco IP Phone forwards the voice traffic with an 802 1Q priority of 5 Valid VLAN IDs are from 1 to 4094 Step 6 end Return to privileged EXEC mode Step 7 show interfaces interface id switchport or show running con...

Page 321: ...tend cos 0 interface configuration command to return the port to its default setting Step 7 show interfaces interface id switchport or show running config interface interface id Verify your voice VLAN entries Verify your QoS and voice VLAN entries Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal...

Page 322: ...chport priority extend cos 0 interface configuration command to return the port to its default setting Displaying Voice VLAN To display voice VLAN for an interface use the show interfaces interface id switchport privileged EXEC command For detailed information about the fields in the display refer to the command reference for this release Command Purpose Step 1 configure terminal Enter global conf...

Page 323: ...neling page 15 7 Configuring Layer 2 Protocol Tunneling page 15 9 Monitoring and Maintaining Tunneling Status page 15 17 Understanding 802 1Q Tunneling Business customers of SPs often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same SP network might overlap and traffic of customers through the infrastructure...

Page 324: ...trunk port into the SP network they are encapsulated with another layer of an 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the SP network are double tagged with the metro tag containing the customer s access VLAN ID and the inner VLAN ID being that of the ...

Page 325: ... trunk port The priority field on the metro tag is set to the interface class of service CoS priority configured on the tunnel port The default is zero if none is configured In Figure 15 1 Customer A was assigned VLAN 30 and Customer B was assigned VLAN 40 Packets entering the edge switch tunnel ports with 802 1Q tags are double tagged when they enter the SP network with the metro tag containing V...

Page 326: ...unking links When 802 1Q trunks are used in these core switches the native VLANs of the 802 1Q trunks must not match any native VLAN of the nontrunking tunneling port on the same switch because traffic on the native VLAN would not be tagged on the 802 1Q sending trunk port See Figure 15 3 VLAN 40 is configured as the native VLAN for the 802 1Q trunk port from Customer A at the ingress edge switch ...

Page 327: ...thernet switches is 1546 bytes 802 1Q Tunneling and Other Features Although 802 1Q tunneling works well for Layer 2 packet switching there are incompatibilities between some Layer 2 features and Layer 3 switching A tunnel port cannot be a routed port IP routing is not supported on a VLAN that includes 802 1Q ports Packets received from a tunnel port are forwarded based only on Layer 2 information ...

Page 328: ...cally disabled on the interface Configuring an 802 1Q Tunneling Port Beginning in privileged EXEC mode follow these steps to configure a port as an 802 1Q tunnel port Use the no switchport mode dot1q tunnel interface configuration command to return the port to the default state of dynamic desirable Use the no vlan dot1q tag native global configuration command to disable tagging of native VLAN pack...

Page 329: ...ge switches on the inbound side of the SP network encapsulate Layer 2 protocol packets with a special MAC address and send them across the SP network Core switches in the network do not process these packets but forward them as normal packets Layer 2 protocol data units PDUs for CDP STP or VTP cross the SP network and are delivered to customer switches on the outbound side of the SP network Identi...

Page 330: ... s Site 1 will build a spanning tree on the switches at that site without considering convergence parameters based on Customer A s switch in Site 2 This could result in the topology shown in Figure 15 5 Figure 15 4 Layer 2 Protocol Tunneling Figure 15 5 Layer 2 Network Topology without Proper Convergence Customer A Site 2 VLANs 1 to 100 Customer B Site 2 VLANs 1 to 200 Customer B Site 1 VLANs 1 to...

Page 331: ...2 1Q trunk ports Edge switch access ports are connected to customer access ports The Catalyst 3550 switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunnele...

Page 332: ...ring Layer 2 protocol tunneling Default Layer 2 Protocol Tunneling Configuration page 15 10 Layer 2 Protocol Tunneling Configuration Guidelines page 15 10 Configuring Layer 2 Tunneling page 15 11 Configuring Layer 2 Tunneling for EtherChannels page 15 13 Default Layer 2 Protocol Tunneling Configuration Table 15 1 shows the default configuration for Layer 2 protocol tunneling Layer 2 Protocol Tunne...

Page 333: ...nabled on an interface you can set a per protocol per port shutdown threshold for the PDUs generated by the customer network If the limit is exceeded the port shuts down You can also limit the BPDU rate by using QoS ACLs and policy maps on a tunnel port When protocol tunneling is enabled on an interface you can set a per protocol per port drop threshold for the PDUs generated by the customer netwo...

Page 334: ... default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If n...

Page 335: ...ode and enter the interface to be configured as a tunnel port This should be the edge port in the SP network that connects to the customer switch Valid interfaces are physical interfaces Step 3 switchport mode dot1q tunnel Configure the interface as an 802 1Q tunnel port Step 4 l2protocol tunnel point to point pagp lacp udld Optional Enable point to point protocol tunneling for the desired protoco...

Page 336: ... interface the drop threshold value must be less than or equal to the shutdown threshold value Step 7 no cdp enable Disable CDP on the interface Step 8 spanning tree bpdufilter enable Enable BPDU filtering on the interface Step 9 exit Return to global configuration mode Step 10 errdisable recovery cause l2ptguard Optional Configure the recovery mechanism from a Layer 2 maximum rate error so that t...

Page 337: ...ig if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface fastethernet0 3 Switch config if switchport trunk encapsulation isl Switch config if switchport mode trunk SP edge switch 2 configurat...

Page 338: ...to activate the EtherChannel configuration Switch config interface fastethernet0 1 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if udld enable Switch config if channel group 1 mode desirable Switch config if exit Switch config interface fastethernet0 2 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mod...

Page 339: ...lear l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a Layer 2 prot...

Page 340: ...15 18 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 15 Configuring 802 1Q and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status ...

Page 341: ... Chapter 18 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features page 16 1 Configuring Spanning Tree Features page 16 11 Displaying the Spanning Tree Status page 16 24 Understanding Spanning Tree Fea...

Page 342: ...ed for every switched LAN segment Alternate A blocked port providing an alternate path to the root port in the spanning tree Backup A blocked port in a loopback configuration Switches that have ports with these assigned roles are called root or designated switches Spanning tree forces redundant data paths into a standby blocked state If a network segment in the spanning tree fails and a redundant ...

Page 343: ...spanning tree topology in a switched network For each VLAN the switch with the highest switch priority the lowest numerical priority value is elected as the root switch If all switches are configured with the default priority 32768 the switch with the lowest MAC address in the VLAN becomes the root switch The switch priority value occupies the most significant bits of the bridge ID as shown in Tab...

Page 344: ...guring the Switch Priority of a VLAN section on page 16 20 Spanning Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface transitions directly from nonparticipation in the spanning tree topology to the forwarding state i...

Page 345: ... moves the interface to the learning state and resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A...

Page 346: ...e for forwarding Does not learn addresses Receives BPDUs Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding The interface enters the learning state from the listening state An interface in the learning state performs as follows Discards frames received on the port Discards frames switched from another interface for forwarding Learns addresses Recei...

Page 347: ...ulated based on default parameters the path between source and destination end stations in a switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another...

Page 348: ...nectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable for 5 minutes or more during a reconfiguration the address aging time is accelerated so that station addresses can be dropped...

Page 349: ...g time for dynamically learned MAC address entries The rapid PVST uses the same configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode ea...

Page 350: ...tch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco 802 1Q switch However all PVST or rapid PVST information is maintained by Cisco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802...

Page 351: ...guring the Root Switch page 16 14 optional Configuring a Secondary Root Switch page 16 16 optional Configuring the Port Priority page 16 17 optional Configuring the Path Cost page 16 18 optional Configuring the Switch Priority of a VLAN page 16 20 optional Configuring Spanning Tree Timers page 16 20 optional Default Spanning Tree Configuration Table 16 3 shows the default spanning tree configurati...

Page 352: ...witches in the VLAN however if you are running spanning tree only on a minimal set of switches an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm Note If you have already used all available spanning tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch ...

Page 353: ...st to enable MSTP and RSTP For more configuration steps see Chapter 17 Configuring MSTP Select rapid pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Enter interface configuration mode and specify an interface to configure Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 64 Step...

Page 354: ...omes the root switch for that VLAN To configure a switch to become the root for the specified VLAN use the spanning tree vlan vlan id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value When you enter this command the switch checks the switch priority of the root switches for each VLAN Because of the extended system ID support...

Page 355: ... the spanning tree vlan 100 root primary command on the switch sets the switch priority for VLAN 100 to 8192 which causes this switch to become the root switch for VLAN 100 Note If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases th...

Page 356: ...hes Use the same network diameter and hello time values as you used when you configured the primary root switch with the spanning tree vlan vlan id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root primary diameter net diameter hello time seconds Configure a switch to become the root for the sp...

Page 357: ...tion mode Step 2 spanning tree vlan vlan id root secondary diameter net diameter hello time seconds Configure a switch to become the secondary root for the specified VLAN For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 Optional For diameter net diameter specify the maximum...

Page 358: ...have the same cost value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 The default is 128 The lower the number the higher the priority Valid priority values are 0 16 32 48 64 80 96...

Page 359: ...sical interfaces and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost represents higher speed transmission For cost the range is 1 to 200000000 the default value is derived from the medi...

Page 360: ...tion mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the sw...

Page 361: ...AN This procedure is optional To return the switch to its default setting use the no spanning tree vlan vlan id hello time global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id hello time seconds Configure the hello time of a VLAN The hello time is the interval between the generation of configuration messages by the...

Page 362: ...nd listening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config st...

Page 363: ... default spanning tree settings and those that are acceptable for these configurations Figure 16 4 Gigabit Ethernet Stack Table 16 5 Default and Acceptable Spanning Tree Parameter Settings in seconds STP Parameter STP Default Acceptable for Option 1 Acceptable for Option 2 Acceptable for Option 3 Hello Time 2 1 1 1 Max Age 20 6 10 6 Forwarding Delay 15 4 7 4 Catalyst 2950 2955 or 3550 switches 746...

Page 364: ...r information about other keywords for the show spanning tree privileged EXEC command refer to the command reference for this release Table 16 6 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information on active interfaces only show spanning tree detail Displays a detailed summary of interface information show spanning tree interface...

Page 365: ...tocol RSTP which is based on IEEE 802 1W is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based...

Page 366: ...n by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST configuration command specify the region name by using the name MST configuration command and set the revision number by using the revision MST configuration command A region can have one m...

Page 367: ...ster When an MSTP switch initializes it sends BPDUs claiming itself as the root of the CST and the IST master with both of the path costs to the CST root and to the IST master set to zero The switch also initializes all of its MST instances and claims to be the root for all of them If the switch receives superior MST root information lower bridge ID lower path cost and so forth than currently stor...

Page 368: ...red on both the CST instance and the MST instance MSTP switches use version 3 RSTP BPDUs or 802 1D STP BPDUs to communicate with legacy 802 1D switches MSTP switches use MSTP BPDUs to communicate with MSTP switches Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost...

Page 369: ... to the forwarding state because of an agreement received from its peer port the MST ports also immediately transition to the forwarding state If a boundary port transitions to the forwarding state in an IST instance it is forwarding in all MST instances and a topology change is triggered If a boundary port with the IST root or designated port role receives a topology change notice external to the...

Page 370: ...ts to the root switch Designated port Connects to the designated switch which incurs the lowest path cost when forwarding packets from that LAN to the root switch The port through which the designated switch is attached to the LAN is called the designated port Alternate port Offers an alternate path toward the root switch to that provided by the current root port Backup port Acts as a backup for t...

Page 371: ...tch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU with the agreement flag set through its new ...

Page 372: ...rt is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring all of the ports are synchronized the switch se...

Page 373: ...sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Design...

Page 374: ...imer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher bridge ID higher path cost and so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the 802 1...

Page 375: ...ation delay timer has expired it assumes that it is connected to an 802 1D switch and starts using only 802 1D BPDUs However if the RSTP switch is using 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections describe how to configure basic MSTP features Default MSTP Configu...

Page 376: ...one version can be active at any time For example all VLANs run PVST all VLANs run rapid PVST or all VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 16 10 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 12 19 VTP propagation of the MST configuration is not suppo...

Page 377: ...r of MST regions in a network but each region can support up to 16 spanning tree instances You can assign a VLAN to only one spanning tree instance at a time Beginning in privileged EXEC mode follow these steps to specify the MST region configuration and enable MSTP This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst configu...

Page 378: ...onfig Configuring the Root Switch The switch maintains a spanning tree instance for the group of VLANs mapped to it A bridge ID consisting of the switch priority and the switch MAC address is associated with each instance The switch with the lowest bridge ID becomes the root switch for the group of VLANs To configure a switch to become the root use the spanning tree mst instance id root global con...

Page 379: ...any two end stations in the Layer 2 network When you specify the network diameter the switch automatically sets an optimal hello time forward delay time and maximum age time for a network of that diameter which can significantly reduce the convergence time You can use the hello keyword to override the automatically calculated hello time Note After configuring the switch as the root switch we recom...

Page 380: ...ot switch This procedure is optional To return the switch to its default setting use the no spanning tree mst instance id root global configuration command Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst instance id Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 config...

Page 381: ...confirm the configuration To return the interface to its default setting use the no spanning tree mst instance id port priority interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify an interface to configure Valid interfaces include physical ports and port channels Valid...

Page 382: ...m the configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify an interface to configure Valid interfaces include physical ports and port channels Valid port channel n...

Page 383: ... hello time Note Exercise care when using this command For most situations we recommend that you use the spanning tree mst instance id root primary and the spanning tree mst instance id root secondary global configuration commands to modify the hello time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure the s...

Page 384: ...ds Configure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optional Save your ent...

Page 385: ...on mode Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries...

Page 386: ...PDU with the protocol version set to 0 it sends only 802 1D BPDUs on that port An MSTP switch can also detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU version 3 associated with a different region or an RST BPDU version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives 802 1D BPDUs because it cannot determine wh...

Page 387: ...panning tree privileged EXEC command refer to the command reference for this release Table 17 4 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst instance id Displays MST information for the specified instance show spanning tree mst interface interface id Displays MST information for the specified in...

Page 388: ...17 24 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 17 Configuring MSTP Displaying the MST Configuration and Status ...

Page 389: ...o map multiple VLANs to the same spanning tree instance see Chapter 17 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter refer to the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 18 1 Configuring Optional Spanning Tree Features page 18 14 Displaying the Spanning Tree...

Page 390: ...rotocol data units BPDUs A port with Port Fast enabled goes through the normal cycle of spanning tree status changes when the switch is restarted Note Because the purpose of Port Fast is to minimize the time ports must wait for spanning tree to converge it is effective only when used on ports connected to end stations If you enable Port Fast on a port connecting to another switch you risk creating...

Page 391: ... prevent an access port from participating in the spanning tree If your switch is running PVST rapid PVST or MSTP you can enable the BPDU guard feature for the entire switch or for an interface Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface but the feature operates with some differences At the global level you can enabl...

Page 392: ...se these protocols use fast convergence and take precedence over UplinkFast When the spanning tree reconfigures the new root port other interfaces flood the network with multicast packets one for each address that was learned on the interface You can limit these bursts of multicast traffic by reducing the max update rate parameter the default for this parameter is 150 packets per second However if...

Page 393: ...provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a stack of switches that use the GigaStack GBICs connected in a shared cascaded configuration multidrop backbone During the fast transition an alternate redundant link on the stack of switches is placed in the forwarding state without causing temporary spanning tree loops or loss ...

Page 394: ...oot link is in the spanning tree forwarding state Links B and C are alternate redundant links that are in the spanning tree blocking state If Switch A fails if its stack root port fails or if Link A fails CSUF selects either the Switch B or Switch C alternate stack root port and puts it into the forwarding state in less than 1 second Figure 18 5 Cross Stack UplinkFast Topology CSUF uses the Stack ...

Page 395: ...ts normal rate 2 forward delay time max age time The Fast Uplink Transition Protocol is implemented on a per VLAN basis and affects only one spanning tree instance at a time Events that Cause Fast Convergence Depending on the network event or failure the CSUF fast convergence might or might not occur Fast convergence less than 1 second under normal network conditions occurs under these circumstanc...

Page 396: ...ts of a mixture of Catalyst 3550 Catalyst 3500 XL Catalyst 2950 and Catalyst 2900 XL switches up to 64 VLANs with spanning tree enabled are supported If the stack consists of only Catalyst 3550 switches up to 128 VLANs with spanning tree enabled are supported Connecting the Stack Ports A fast transition occurs across the stack of switches if the multidrop backbone connections are a continuous link...

Page 397: ... 14 15 16 17 18 19 20 21 22 23 24 2 1 1 2 1 2 Catalyst 2950G 12 1 1X 2X 11X 12X 2 3 4 5 6 7 8 9 10 11 12 2 1 1 2 Catalyst 2950G 24 Catalyst 2950G 48 SPEED DUPLX UTIL STATUS RPS SYSTEM Catalyst 2950 MODE Catalyst 2950G 48 1 1X 2X 11X 12X 13X 14X 15X 16X 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 65276 RPS SYST STAT UTIL DUPLXSPEED Catalyst 2950 MODE RPS SYST STAT UTIL DUPLXSPEED C...

Page 398: ...nd The switch tries to determine if it has an alternate path to the root switch If the inferior BPDU arrives on a blocked port the root port and other blocked ports on the switch become alternate paths to the root switch Self looped ports are not considered alternate paths to the root switch If the inferior BPDU arrives on the root port all blocked ports become alternate paths to the root switch I...

Page 399: ...Fast then transitions the Layer 2 interface on Switch C to the forwarding state providing a path from Switch B to Switch A This switchover takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 18 8 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 18 8 BackboneFast Example After Indirect...

Page 400: ...n err disable state If your switch is running PVST rapid PVST or MSTP you can enable this feature by using the spanning tree etherchannel guard misconfig global configuration command Understanding Root Guard The Layer 2 network of a service provider SP can include many connections to switches that are not owned by the SP In such a topology the spanning tree can reconfigure itself and select a cust...

Page 401: ...ng Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard prevents alternate and root ports from becoming designated ports and spanning tree does not send BPDUs on root or alternate ports If your switch ...

Page 402: ... 18 20 optional Enabling Root Guard page 18 21 optional Enabling Loop Guard page 18 21 optional Default Optional Spanning Tree Configuration Table 18 1 shows the default optional spanning tree configuration Optional Spanning Tree Configuration Guidelines The UplinkFast BackboneFast and cross stack UplinkFast features are not supported with the rapid PVST or the MSTP Enabling Port Fast A port with ...

Page 403: ...onfiguration command Enabling BPDU Guard When you globally enable BPDU guard on ports that are Port Fast enabled the ports are in a Port Fast operational state spanning tree shuts down Port Fast enabled ports that receive BPDUs In a valid configuration Port Fast enabled ports do not receive BPDUs Receiving a BPDU on a Port Fast enabled port signals an invalid configuration such as the connection o...

Page 404: ...guration command Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled ports it prevents ports that are in a Port Fast operational state from sending or receiving BPDUs The ports still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these ports do not receiv...

Page 405: ...nd Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured for switch priority To enable UplinkFast on a VLAN with switch priority configured first restore the switch priority on the VLAN to the default value by using the no spanning tree vlan vlan id priority global configuration command Note When you enable UplinkFast it affects all VLANs ...

Page 406: ...the chance that the switch will become the root switch When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults To return the update packet rate to the default setting use the no spanning tree uplinkfast max update rate global configuration command To disable UplinkFast use the no spanni...

Page 407: ...de Step 2 spanning tree uplinkfast max update rate pkts per second Enable UplinkFast on the switch Optional For max update rate pkts per second specify the number of packets per second at which update packets are sent The range is 0 to 65535 the default is 150 packets per second Step 1 interface interface id Enter interface configuration mode and specify the GBIC interface on which to enable CSUF ...

Page 408: ... Guard You can enable EtherChannel guard to detect an EtherChannel misconfiguration that causes a loop You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable EtherChannel guard This procedure is optional To disable the EtherChannel guard feature use the no spanning tree etherchannel guard misconfig global configu...

Page 409: ...tate Note You cannot enable both root guard and loop guard at the same time You can enable this feature if your switch is running PVST rapid PVST or MSTP Beginning in privileged EXEC mode follow these steps to enable root guard on an interface This procedure is optional To disable root guard use the no spanning tree guard interface configuration command Enabling Loop Guard You can use loop guard t...

Page 410: ... refer to the command reference for this release Command Purpose Step 1 show spanning tree active or show spanning tree mst Determine which ports are alternate or root ports Step 2 configure terminal Enter global configuration mode Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify y...

Page 411: ...need to be permanently assigned to hosts only those hosts that are connected to the network consume IP addresses DHCP Snooping DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table An untrusted message is a message that is received from outside the network or firewall that can cause...

Page 412: ...es between the clients and the server Figure 19 1 DHCP Relay Agent in a Metropolitan Ethernet Network When you enable the DHCP information option 82 on the switch this sequence of events occurs The host DHCP client generates a DHCP request and broadcasts it on the network When the switch receives the DHCP request it adds the option 82 information in the packet The option 82 information contains th...

Page 413: ...ge 19 3 DHCP Snooping Configuration Guidelines page 19 3 Upgrading from a Previous Software Release page 19 4 Enabling DHCP Snooping and Option 82 page 19 4 Enabling the DHCP Relay Agent and Option 82 page 19 6 Validating the Relay Agent Information Option 82 page 19 6 Configuring the Reforwarding Policy page 19 7 Specifying the Packet Forwarding Address page 19 7 Default DHCP Configuration Table ...

Page 414: ...us Software Release In Cisco IOS Release 12 1 19 EA1 the implementation for the Option 82 Subscriber Identification changed from the previous release The new option 82 format uses a different circuit ID and remote ID suboption vlan mod port The previous version uses the snmp ifindex circuit ID and remote ID suboption If you have option 82 configured on the switch and you upgrade to Cisco IOS Relea...

Page 415: ...ault is enabled Step 5 ip dhcp snooping information option format snmp ifindex Optional Specify ip dhcp snooping information option format snmp ifindex to select an alternate format for the circuit ID and remote ID suboption of the option 82 feature See the Upgrading from a Previous Software Release section on page 19 4 for more information The default setting is no ip dhcp snooping information op...

Page 416: ... option 82 field for validity but still removes the option from the packet and forwards it This feature is not available when DHCP snooping is enabled on the switch Note If the switch receives a packet that contains the option 82 field from a DHCP client and the information checking feature is enabled the switch drops the packet because it is invalid However in some instances you might configure a...

Page 417: ...nct from the normal forwarding of an IP router where IP datagrams are transparently switched between networks By contrast relay agents receive DHCP messages and then generate a new DHCP message to send on another interface If the DHCP server and the DHCP clients are on different networks or subnets you must configure the switch with the ip helper address address interface configuration command The...

Page 418: ...Switch config if switchport access vlan 10 Switch config if exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and create a switch virtual interface Step 3 ip address ip address subnet mask Configure the interface with an IP address and an IP subnet Step 4 ip helper address address Specify the DHCP packet ...

Page 419: ...ows how to display the DHCP snooping binding entries for a switch Switch show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLAN Interface 00 30 94 C2 EF 35 41 0 0 51 286 dynamic 41 FastEthernet0 3 00 D0 B7 1B 35 DE 41 0 0 52 237 dynamic 41 FastEthernet0 3 00 00 00 00 00 01 40 0 0 46 286 dynamic 40 FastEthernet0 9 00 00 00 00 00 03 42 0 0 33 286 dynamic 42 FastEthernet0 9 00 00 00 0...

Page 420: ... DHCP snooping configuration for a switch Switch show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is configured on following VLANs 40 42 Insertion of option 82 is enabled Interface Trusted Rate limit pps FastEthernet0 5 yes unlimited FastEthernet0 7 yes unlimited FastEthernet0 3 no 5000 FastEthernet0 5 yes unlimited FastEthernet0 7 yes unlimited FastEthernet0 5 yes unlimited Fas...

Page 421: ...lticast VLAN Registration page 20 13 Configuring MVR page 20 16 Displaying MVR Information page 20 20 Configuring IGMP Filtering and Throttling page 20 21 Displaying IGMP Filtering and Throttling Configuration page 20 27 Note For MAC addresses that map to IP multicast groups you can either manage them through features such as IGMP snooping and MVR or you can use static MAC addresses However you ca...

Page 422: ...ation by IGMP snooping Multicast group membership lists can consist of both user defined and IGMP snooping learned settings If a port spanning tree a port group or a VLAN ID change occurs the IGMP snooping learned multicast groups from this port on the VLAN are deleted These sections describe characteristics of IGMP snooping on the switch IGMP Versions page 20 2 Joining a Multicast Group page 20 3...

Page 423: ... switch The switch CPU creates a multicast forwarding table entry for the group if it is not already present The CPU also adds the interface where the join message was received to the forwarding table entry The host associated with that interface receives multicast traffic for that multicast group See Figure 20 1 Figure 20 1 Initial IGMP Join Message Router A sends a general query to the switch wh...

Page 424: ...of Host 4 to the forwarding table as shown in Table 20 2 Note that because the forwarding table directs IGMP messages to only the CPU the message is not flooded to other ports on the switch Any known multicast traffic is forwarded to the group and not to the CPU Figure 20 2 Second Host Joining a Multicast Group Leaving a Multicast Group The router sends periodic multicast general queries and the s...

Page 425: ...re more than one host is connected to a port some hosts might inadvertently be dropped IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast device...

Page 426: ...ng re enable aging of the forwarding table entries The switch can now age out the multicast addresses that were learned by the source only learning method and are not in use Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content To enable IGMP snooping on the switch to discover external multicast routers the Layer 3 inte...

Page 427: ...erfaces use the no ip igmp snooping global configuration command Beginning in privileged EXEC mode follow these steps to enable IGMP snooping on a VLAN interface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number Aging forward table entries for traffic that aliases with reserved destination multicast IP a...

Page 428: ...lan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamically access the router For more information see Chapter 34 Configuring IP Multicast Routing Beginning in privileged EXEC mode follow these steps to alter the method in whi...

Page 429: ... the VLAN use the no ip igmp snooping vlan vlan id mrouter interface interface id global configuration command This example shows how to enable a static connection to a multicast router and verify the configuration Switch configure terminal Switch config ip igmp snooping vlan 200 mrouter interface gigabitethernet0 2 Switch config end Switch show ip igmp snooping mrouter vlan 200 vlan ports 200 Gi0...

Page 430: ... When you enable IGMP Immediate Leave processing the switch immediately removes a port when it detects an IGMP version 2 leave message on that port You should use the Immediate Leave feature only when there is a single receiver present on every port in the VLAN Immediate Leave is supported with only IGMP version 2 hosts Command Purpose Step 1 configure terminal Enter global configuration mode Step...

Page 431: ... has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports Beginning in privileged EXEC mode follow these steps to disable IGMP report suppression To re enable IGMP report suppression use the ip igmp snooping report suppression global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan...

Page 432: ...ning age timer time Set the aging time The range is from 0 to 2880 seconds The default is 600 seconds 10 minutes Step 3 end Return to privileged EXEC mode Step 4 show running config include source only learning Verify the aging time Step 5 copy running config startup config Optional Save your entries in the configuration file Table 20 4 Commands for Displaying IGMP Snooping Information Command Pur...

Page 433: ...enabled MVR reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping The switch CPU identifies the MVR IP multicast streams and their associated MAC addresses in the switch forwarding table intercepts the IGMP messages and modifies the forwarding table to include or remove the subscriber a...

Page 434: ...e set top box or PC sends an IGMP report to the S1 switch to join the appropriate multicast If the IGMP report matches one of the configured multicast MAC addresses the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN Uplink ports that send and receive mult...

Page 435: ...e access layer switch S1 switch modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN selectively allowing traffic to cross between two VLANs IGMP reports are sent to the same MAC addresses as the multicast data The S1 CPU must capture all IGMP join and leave messages from receiver ports and forward them to the mult...

Page 436: ...256 Each channel is one multicast stream destined for a unique IP multicast address These IP addresses cannot alias between themselves or with the reserved IP multicast addresses in the range 224 0 0 xxx Multicast routing and MVR cannot coexist on a switch If you enable multicast routing and a multicast routing protocol while MVR is enabled MVR is disabled and you receive a warning message If you ...

Page 437: ... address Each multicast address would correspond to one television channel Note Each IP address translates to a multicast 48 bit MAC address If an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses the command fails Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP report memberships on a recei...

Page 438: ...mber of the Layer 2 port to configure for example enter gi0 1 or gigabitethernet 0 1 for Gigabit Ethernet port 1 Step 4 mvr type source receiver Configure an MVR port as one of these source Configure uplink ports that receive and send multicast data as source ports Subscribers cannot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Con...

Page 439: ...Type RECEIVER Status ACTIVE Immediate Leave ENABLED This is an example of output from the show mvr interface privileged EXEC command when the member keyword is included Switch show mvr interface gigabitethernet0 6 members 239 255 0 0 DYNAMIC ACTIVE 239 255 0 1 DYNAMIC ACTIVE 239 255 0 2 DYNAMIC ACTIVE 239 255 0 3 DYNAMIC ACTIVE 239 255 0 4 DYNAMIC ACTIVE 239 255 0 5 DYNAMIC ACTIVE 239 255 0 6 DYNA...

Page 440: ...leged EXEC command for a specified interface Switch show mvr interface fastethernet0 2 224 0 1 1 DYNAMIC ACTIVE Table 20 6 Commands for Displaying MVR Information show mvr Displays MVR status and values for the switch whether MVR is enabled or disabled the multicast VLAN the maximum 256 and current 0 through 256 number of multicast groups the query response time and the MVR mode show mvr interface...

Page 441: ...rvices such as IP TV based on some type of subscription or service plan You might also want to limit the number of multicast groups to which a user on a switch port can belong With the IGMP filtering feature you can filter multicast joins on a per port basis by configuring IP multicast profiles and associating them with individual switch ports An IGMP profile can contain one or more multicast grou...

Page 442: ...ult IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Action section on page 20 25 Configuring IGMP Profiles To configure an IGMP profile use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode From this mode you can specify the parameters o...

Page 443: ...rofile to the appropriate interfaces You can apply IGMP profiles to Layer 2 ports only you cannot apply IGMP profiles to routed ports or SVIs You cannot apply profiles to ports that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can only have one profile applied to it Command Purpose Step 1 configure terminal Enter global configuration mode S...

Page 444: ...2 interface can join by using the ip igmp max groups interface configuration command Use the no form of this command to set the maximum back to the default which is no limit This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You also can use this command on a logical EtherChannel interface but cannot use it on ports that bel...

Page 445: ...oup to it by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the IGMP throttling action This restriction can be applied to Layer 2 ports only you can use this command on a logical EtherChannel interface but cannot use it on ports that b...

Page 446: ...configure the throttling action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command This example shows how to configure an interface to remove a randomly selected multicast entry in the forwarding table and to add an IGMP group to the forwarding table when the maxim...

Page 447: ...ation for all interfaces on the switch or for a specified interface Use the privileged EXEC commands in Table 20 8 to display IGMP filtering and throttling configuration Table 20 8 Commands for Displaying IGMP Filtering and Throttling Configuration show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running configuration inter...

Page 448: ...20 28 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 20 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 449: ...21 6 Configuring Port Security page 21 8 Displaying Port Based Traffic Control Settings page 21 16 Configuring Storm Control These sections include storm control configuration information and procedures Understanding Storm Control page 21 1 Default Storm Control Configuration page 21 3 Enabling Storm Control page 21 3 Disabling Storm Control page 21 4 Understanding Storm Control Storm control prev...

Page 450: ...ecified as a percentage of total available bandwidth that can be used by broadcast multicast or unicast traffic The graph in Figure 21 1 shows broadcast traffic patterns on an interface over a given period of time The example can also be applied to multicast and unicast traffic In this example the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 ...

Page 451: ...c the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported only on physical interfaces it is not supported on EtherChannel port channels even though the command is available in the CLI Beginning in privileged EXEC mode follow these steps to enable a particular type of storm control Command Purpose Step 1 configure terminal En...

Page 452: ...nal fraction of a level can be from 0 to 99 A threshold value of 100 percent means that no limit is placed on broadcast traffic A value of 0 0 means that all unicast traffic on that port is blocked Step 6 end Return to privileged EXEC mode Step 7 show storm control interface id broadcast multicast unicast Verify the storm control suppression levels set on the interface for the specified traffic ty...

Page 453: ...ng is enabled it is possible for packets to be forwarded from one protected port on a switch to another protected port on the same switch if the ports are in different VLANs Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch Use the switchport block uni...

Page 454: ... traffic from being forwarded from one port to another you can configure a port protected or nonprotected to block unknown unicast or multicast packets Note Blocking unicast or multicast traffic is not automatically enabled on protected ports you must explicitly configure it Blocking Flooded Traffic on an Interface Note The interface can be a physical interface for example Gigabit Ethernet 0 1 or ...

Page 455: ...nabled Unknown multicast blocked enabled Resuming Normal Forwarding on a Port Beginning in privileged EXEC mode follow these steps to resume normal forwarding on a port Step 6 show interfaces interface id switchport Verify your entries Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter globa...

Page 456: ... learned or manually configured stored in the address table and added to the running configuration If these addresses are saved in the configuration file the interface does not need to dynamically relearn them when the switch restarts Although sticky secure addresses can be manually configured we do not recommend it You can configure an interface to convert the dynamic MAC addresses to sticky secu...

Page 457: ...wn source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred Specifically an SNMP trap is sent a syslog message is logged and the violation counter increments shutdown In this mode a port security violation causes the interface to immediately be...

Page 458: ...n interface that is also configured with a voice VLAN you must set the maximum allowed secure addresses on the port to at least two If any type of port security is enabled on the access VLAN dynamic port security is automatically enabled on the voice VLAN When a voice VLAN is configured on a secure port that is also configured as a sticky secure port all addresses seen on the voice VLAN are learne...

Page 459: ...nk Set the interface mode as access or trunk an interface in the default mode dynamic desirable cannot be configured as a secure port Step 4 switchport port security Enable port security on the interface Step 5 switchport port security maximum value vlan vlan list Optional Set the maximum number of secure MAC addresses for the interface The maximum number of available addresses is determined by th...

Page 460: ...rt security violation causes the interface to immediately become error disabled and turns off the port LED It also sends an SNMP trap logs a syslog message and increments the violation counter Note When a secure port is in the error disabled state you can bring it out of this state by entering the errdisable recovery cause psecure violation global configuration command or you can manually re enabl...

Page 461: ... a VLAN use the clear port security dynamic interface interface id privileged EXEC command To delete a sticky secure MAC addresses from the address table use the clear port security sticky address mac address privileged EXEC command To delete all the sticky addresses on an interface or a VLAN use the clear port security sticky interface interface id privileged EXEC command This example shows how t...

Page 462: ...ow to configure a maximum of eight secure MAC addresses on VLAN 5 on Fast Ethernet port 12 and verify the configuration Switch config if switchport port security maximum 8 vlan 5 Switch config if end Switch show port security interface fastethernet0 12 vlan Default maximum not set using 6176 VLAN Maximum Current 1 default 0 5 8 0 Enabling and Configuring Port Security Aging You can use port securi...

Page 463: ...d Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port on which you want to enable port security aging and enter interface configuration mode Note The switch does not support port security aging of sticky secure addresses Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static aging...

Page 464: ...traffic type or for broadcast traffic if no traffic type is entered show interfaces interface id counters broadcast Displays the storm control broadcast suppression discard counter with the number of packets discarded for all interfaces or the specified interface show interfaces interface id counters multicast Displays the storm control multicast suppression discard counter with the number of pack...

Page 465: ...d the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each oth...

Page 466: ...er holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 22 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter glob...

Page 467: ...e Creating and maintaining switch clusters is based on the regular exchange of CDP messages Disabling CDP can interrupt cluster discovery For more information see Chapter 6 Clustering Switches Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled Step 6 show cd...

Page 468: ...erminal Switch config interface gigabitethernet0 5 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the interface on which you are disabling CDP Step 3 no cdp enable Disable CDP on an interface Step 4 end Return to privileged EXEC mode Step 5 copy run...

Page 469: ...specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface type number Display information about interfaces where CDP is enab...

Page 470: ...22 6 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 22 Configuring CDP Monitoring and Maintaining CDP ...

Page 471: ... link it administratively shuts down the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected interfaces on fiber optic connections In aggressive mode UDLD can also detec...

Page 472: ... the interfaces is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD shuts down the affected interface In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bid...

Page 473: ... interface is shut down If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up seq...

Page 474: ...on Configuration Guidelines These are the UDLD configuration guidelines UDLD is not supported on ATM interfaces A UDLD capable interface also cannot detect a unidirectional link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Table 23 1 Default UDLD Configuration Featur...

Page 475: ... on all fiber optic interfaces enable Enables UDLD in normal mode on all fiber optic interfaces on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 23 1 message time message timer interval Configures the ...

Page 476: ...ble interface configuration command followed by the udld port aggressive interface configuration command re enables UDLD on the specified interface The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from ...

Page 477: ...iguring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified interface or for all interfaces use the show udld interface id privileged EXEC command For detailed information about the fields in the display refer to the command reference for this release ...

Page 478: ...23 8 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 23 Configuring UDLD Displaying UDLD Status ...

Page 479: ... Displaying SPAN and RSPAN Status page 24 23 Understanding SPAN and RSPAN You can analyze network traffic passing through ports or VLANs by using SPAN to send a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device or other Remote Monitoring RMON probe or security device SPAN mirrors received or transmitted or both traffic on a source port and received t...

Page 480: ...g switches The SPAN traffic from the sources is copied onto the RSPAN VLAN through a reflector port and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN as shown in Figure 24 2 Figure 24 2 Example of RSPAN Configuration SPAN and RSPAN do not affect the switching of network traffic on source ports or source VLANs a copy of ...

Page 481: ...ps port monitoring a 100 Mbps port results in dropped or lost packets You can configure SPAN sessions on disabled ports however a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session The show monitor session session_number privileged EXEC command displays the operational status of a SPAN session A SPAN session remains inac...

Page 482: ...he packet the SPAN destination would also drop the packet In the case of egress QoS policing if the SPAN source drops the packet the SPAN destination might not drop it If the source port is oversubscribed the destination ports will have different dropping behavior Both In a SPAN session you can monitor a single port for both received and sent packets Source Port A source port also called a monitor...

Page 483: ... it is a destination port it does not participate in any of the Layer 2 protocols STP VTP CDP DTP PagP or LACP A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored No address learning occurs on the destination port Reflector Port The reflector port is the mechanism that copies packets onto an RSPAN VLAN The reflector port forwar...

Page 484: ...between VLANs For example if a VLAN is being Rx monitored and the multilayer switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and is not received on the SPAN destination port You cannot use filter VLANs in the same session with VLAN sources You can monitor only Ethernet VLANs SPAN Traffic You can use local SPAN to monitor all network traffic including mul...

Page 485: ...group is monitored If a port is added to a monitored EtherChannel group the new port is added to the SPAN source port list If a port is removed from a monitored EtherChannel group it is automatically removed from the source port list If the port is the only port in the EtherChannel group the EtherChannel group is removed from SPAN If a physical port that belongs to an EtherChannel group is configu...

Page 486: ... destination sessions You can configure multiple source ports or source VLANs for each session Default SPAN and RSPAN Configuration Table 24 1 shows the default SPAN and RSPAN configuration Configuring SPAN This section describes how to configure SPAN on your switch It contains this configuration information SPAN Configuration Guidelines page 24 9 Creating a SPAN Session and Specifying Ports to Mo...

Page 487: ...ed encapsulation headers either Inter Switch Link ISL or IEEE 802 1Q If no encapsulation type is defined the packets are sent in native form You can configure a disabled port to be a source or destination port but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled For received traffic you can mix multiple source port and source VLANs...

Page 488: ...l logical interfaces port channel port channel number Optional Specify a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional Specify the direction of traffic to monitor If you do not specify a traffic direction the source interface sends both sent and received traffic Only received rx traffic can be monitored on additional sourc...

Page 489: ...tep 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local remote Clear any existing SPAN configuration for the session For session_number specify 1 or 2 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id both rx t...

Page 490: ...destination port monitoring port the packet encapsulation and the ingress VLAN For session_number specify 1 or 2 For interface id specify the destination port Valid interfaces include physical interfaces Optional Specify the encapsulation of the packets transmitted on the SPAN destination port If no encapsulation is specified all transmitted packets will be sent in native format untagged Enter enc...

Page 491: ...ig no monitor session 1 source interface fastEthernet0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number source interface interface id both rx tx Specify the characteristics of the source port monitored port and SPA...

Page 492: ...mode Step 2 no monitor session session_number all local remote Clear any existing SPAN configuration for the session For session_number specify 1 or 2 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source vlan vlan id rx Specify the SPAN session and the source VLANs monitored VLANs You ca...

Page 493: ...l to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id rx Specify the characteristics of the source port monitored port and SPAN session For session_number specify 1 or 2 For interface id specify the source port to monitor The interface specified must already be configured as ...

Page 494: ...SPAN source switches RSPAN sessions can coexist with SPAN sessions within the limits described in the SPAN and RSPAN Session Limits section on page 24 8 For RSPAN configuration you can distribute the source ports and the destination ports across multiple switches in your network A port cannot serve as an RSPAN source port or RSPAN destination port while designated as an RSPAN reflector port When y...

Page 495: ...t flow of RSPAN traffic or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic After creating the RSPAN VLAN begin in privileged EXEC mode and follow these steps to start an RSPAN source session and to specify the source monitored ports and the destination RSPAN VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor s...

Page 496: ...LAN and the reflector port For session_number enter 1 or 2 For vlan id specify the RSPAN VLAN to carry the monitored traffic to the destination port See the Creating or Modifying an Ethernet VLAN section on page 12 8 for more information about creating an RSPAN VLAN For interface specify the interface that will flood the RSPAN traffic onto the RSPAN VLAN Step 5 end Return to privileged EXEC mode S...

Page 497: ... source RSPAN VLAN For session_number specify 1 or 2 For vlan id specify the source RSPAN VLAN to monitor Step 3 monitor session session_number destination interface interface id encapsulation dot1q ingress vlan vlan id ISL ingress ingress vlan vlan id Specify the RSPAN session the destination port the packet encapsulation and the ingress VLAN For session_number specify 1 or 2 For interface id spe...

Page 498: ...ceived on port 1 is disabled but traffic sent from this port continues to be monitored Step 5 show monitor session session_number Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number source interface interfa...

Page 499: ...on mode Step 2 no monitor session session_number all local remote Clear any existing SPAN configuration for the session For session_number specify 1 or 2 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source vlan vlan id rx Specify the RSPAN session and the source VLANs monitored VLANs Yo...

Page 500: ...l SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id rx Specify the characteristics of the source port monitored port and RSPAN session For session_number specify 1 or 2 For interface id specify the source port to monitor The interface specified must already be configured as a trunk port ...

Page 501: ...he show monitor privileged EXEC command This is an example of output for the show monitor privileged EXEC command for SPAN source session 1 Switch show monitor session 1 Session 1 Type Local Session Source Ports RX Only None TX Only None Both Fa0 4 Source VLANs RX Only None TX Only None Both None Source RSPAN VLAN None Destination Ports Fa0 5 Encapsulation DOT1Q Ingress Enabled default VLAN 5 Refl...

Page 502: ...24 24 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 24 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 503: ...ation Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 This chapter consists of these sections Understanding RMON page 25 1 Configuring RMON page 25 2 Displaying RMON Status page 25 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitorin...

Page 504: ...nts the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Determines the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this Cisco IOS release use hardware counters for RMON data processing the monitoring is more efficient and little processing power is required Co...

Page 505: ...events Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in second...

Page 506: ...et and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this c...

Page 507: ...ange is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 buckets Optional For interval seconds specify the number of seconds in each polling cycle Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privil...

Page 508: ...hese displays refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 Step 6 show rmon statistics Display the contents of the switch statistics table Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 25 1 Commands for Displaying RMON Status Command Purpose show rmon Displays general RMON stati...

Page 509: ...g on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages appear on the console after the process that generated the...

Page 510: ...cription The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime global configuration command Table 26 1 describes the elements of syslog messages Table 26 1 System Log Message Elements Element Description seq no Stamps log ...

Page 511: ... 195 36 Mar 1 18 48 50 483 UTC SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Default System Message Logging Configuration Table 26 2 shows the default system message logging configuration MNEMONIC Text string that uniquely describes the message description Text string containing detailed information about the event being reported Table 26 1 System Log Message Elements continued Eleme...

Page 512: ...ee the Synchronizing Log Messages section on page 26 6 To re enable message logging after it has been disabled use the logging on global configuration command Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the lo...

Page 513: ...rver configuration steps see the Configuring UNIX Syslog Servers section on page 26 10 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in Flash memory For filename enter the log message filename Optional For max file size specify the maximum logging file size The range is 4096 to 2147483647 The default is 4069 bytes Optional Fo...

Page 514: ...erminal Enter global configuration mode Step 2 line console vty line number ending line number Specify the line to be configured for synchronous logging of messages Use the console keyword for configurations that occur through the switch console port Use the line vty line number command to specify which vty lines are to have synchronous logging enabled You use a vty connection for configurations t...

Page 515: ...36 This example shows part of a logging display with the service timestamps log uptime global configuration command enabled 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to up Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter glo...

Page 516: ...3 Beginning in privileged EXEC mode follow these steps to define the message severity level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service sequence numbers Enable sequence numbers Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration...

Page 517: ... how to recover from these malfunctions refer to the system message guide for this release Output from the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not affected...

Page 518: ...w the new message entry to be stored To return the logging of syslog messages to the default level use the no logging history global configuration command To return the number of messages in the history table to the default value use the no logging history size global configuration command Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and...

Page 519: ...essages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid For more i...

Page 520: ...mmand For information about the fields in this display refer to the Cisco IOS Configuration Fundamentals Command Reference for Cisco IOS Release 12 1 Step 4 logging facility facility type Configure the syslog facility See Table 26 4 on page 26 12 for facility type keywords The default is local7 Step 5 end Return to privileged EXEC mode Step 6 show running config Verify your entries Step 7 copy run...

Page 521: ... can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB th...

Page 522: ...ce Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security The community of managers able to access the agent s MIB is defined by an IP address access c...

Page 523: ...NoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 27 2 SNMP Operations Operation Description get request Retrieves...

Page 524: ...read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Read write all Gives read and write access to authorized management stations to all objects in the MIB including the community strings Note When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application Th...

Page 525: ...ore reliable than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore...

Page 526: ...sco IOS Configuration Fundamentals Command Reference for Release 12 1 for information about when you should configure notify views To configure a remote user specify the IP address or port number for the remote SNMP agent of the device where the user resides Before you configure remote users for a particular agent configure the SNMP engine ID using the snmp server engineID global configuration wit...

Page 527: ...rsion 2C and version 3 on the device No specific Cisco IOS command exists to enable SNMP The first snmp server global configuration command that you enter enables all versions of SNMP Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent The community string acts like a password to permit access to the agent on the switch ...

Page 528: ... want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then crea...

Page 529: ...eged EXEC mode follow these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with the name of the copy of SNMP You need not...

Page 530: ...acket authentication noauth The noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can only ...

Page 531: ...he username is the name of the user on the host that connects to the agent The groupname is the name of the group to which the user is associated Optional Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you have these a...

Page 532: ...rter RTR snmp Generates a trap for SNMP type notifications stpx Generates SNMP STP Extended MIB traps syslog Generates SNMP syslog traps tty Sends Cisco enterprise specific notifications when a Transmission Control Protocol TCP connection closes udp port Sends notification of the User Datagram Protocol UDP port number of the host vlan membership Generates a trap for SNMP VLAN membership changes vl...

Page 533: ...eyword is available only when the cryptographic software image is installed For community string enter the password like community string sent with the notification operation Optional For udp port port enter the UDP port on the remote device Optional For notification type use the keywords listed in Table 27 4 on page 27 11 If no type is specified all notifications are sent Step 6 snmp server enabl...

Page 534: ... The highest marker values 7 for IP precedence and 63 for DSCP are generally reserved for network control traffic Choose a marker value that corresponds to the importance of SNMP notifications in your network For example set the IP precedence to 6 to assign a very high priority to outgoing SNMP notifications DSCP is partially backward compatible with IP precedence To choose DSCP values that work l...

Page 535: ...ep 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter a...

Page 536: ...s to members of access list 4 that use the comaccess community string No other SNMP managers have access to any objects SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public T...

Page 537: ...able 27 5 to display SNMP information For information about the fields in the output displays refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 Table 27 5 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have...

Page 538: ...27 18 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 27 Configuring SNMP Displaying SNMP Status ...

Page 539: ...e number of security access control entries ACEs allowed on the switch you can use the sdm prefer access global configuration command to set the Switch Database Management sdm feature to the access template For more information on the SDM templates see the Optimizing System Resources for User Selected Features section on page 7 27 For information about determining resource usage for your configura...

Page 540: ...CLs filter IP traffic including TCP User Datagram Protocol UDP Internet Group Management Protocol IGMP and Internet Control Message Protocol ICMP Ethernet or MAC ACLs filter non IP traffic Supported ACLs The switch supports three applications of ACLs to filter traffic Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces You can apply one router ACL in each ...

Page 541: ...e feature can use multiple ACLs When a single router ACL is used by multiple features it is examined multiple times Standard IP access lists use source addresses for matching operations Extended IP access lists use source and destination addresses and optional protocol type information for matching operations The switch examines ACLs associated with features configured on a given interface and a d...

Page 542: ...filters traffic on both data and voice VLANs With port ACLs you can filter IP traffic by using IP access lists and non IP traffic by using MAC addresses You can filter both IP and non IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface Note You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface If ...

Page 543: ...onfig access list 102 permit tcp any host 10 1 1 1 eq smtp Switch config access list 102 deny tcp any host 10 1 1 2 eq telnet Switch config access list 102 permit tcp any host 10 1 1 2 Switch config access list 102 deny tcp any any Note In the first and second ACEs in the examples the eq keyword after the destination address means to test for the TCP destination port well known numbers equaling Si...

Page 544: ... section on page 28 7 Caution By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group these access group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message To drop access group denied packets in hardware you must disable ICMP unreachables by usin...

Page 545: ... are handled as follows The hardware controls permit and deny actions of standard and extended ACLs input and output for security access control If log has not been specified the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled The flows matching a permit statement are switched in hardware Logging is not supported for port ACLs Adding t...

Page 546: ...es for matching operations Extended IP access lists use source and destination addresses for matching operations and optional protocol type information for finer granularity of control These sections describe access lists and the steps for using them Access List Numbers page 28 8 Creating a Numbered Standard ACL page 28 9 Creating a Numbered Extended ACL page 28 11 Creating Named Standard and Exte...

Page 547: ...ist expanded range Yes Table 28 1 Access List Numbers continued Access List Number Type Supported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IP access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter d...

Page 548: ... order in which they were entered The switch software can provide logging messages about packets permitted or denied by a standard IP access list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Beca...

Page 549: ...on Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encapsulation gre Internet Control Message Protocol icmp Internet Group Management Protocol igmp Interior Gateway Routing Protocol igrp any Interior Protocol ip IP in IP tunneling ipinip KA9Q NOS compatible IP over IP tunneling nos Open Shortest Path First routing ospf Payload...

Page 550: ...ee steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be specified as The 32 bit quantity in ...

Page 551: ...sion Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a por...

Page 552: ...ation wildcard icmp type icmp type icmp code icmp message precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and...

Page 553: ...accept a name A standard ACL and an extended ACL cannot have the same name Numbered ACLs are also available as described in the Creating Standard and Extended IP ACLs section on page 28 8 You can apply standard and extended ACLs named or numbered to VLAN maps Beginning in privileged EXEC mode follow these steps to create a standard ACL using names To remove a named standard ACL use the no ip acces...

Page 554: ...d of numbered ACLs After creating an ACL you must apply it to a line or interface as described in the Applying an IP ACL to an Interface or Terminal Line section on page 28 19 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IP access list using a name and enter access list configuration mode Note The name can be a num...

Page 555: ...range relies on the switch system clock therefore you need a reliable clock source We recommend that you use Network Time Protocol NTP to synchronize the switch clock For more information see the Managing the System Time and Date section on page 7 1 Beginning in privileged EXEC mode follow these steps to configure a time range parameter for an ACL To remove a configured time range limitation use t...

Page 556: ...xtended ACL that can implement time ranges This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday time ranges and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2000 Switch config access list 188 deny tcp any any time range thanskgivi...

Page 557: ...et is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp host 171 69 2 88 any eq telnet Applying an IP ACL to an Interface or Terminal Line After you create an IP ACL you can apply it to one or more interfaces or terminal lines ACLs can be applied on either outboun...

Page 558: ... the console terminal line The console port is DCE vty Enter to specify a virtual terminal for remote console access The line number is the first line number in a contiguous group that you want to configure when the line type is specified The range is from 0 to 16 Step 3 access class access list number in out Restrict incoming or outgoing connections between a virtual terminal line into a device b...

Page 559: ...witch discards the packet If the input interface is configured to send ICMP Unreachable messages these messages are sent whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normally limited to no more than one every one half second per input interface but this can b...

Page 560: ...m the specified source address This example uses an extended ACL to filter traffic coming from Server B into port 0 3 permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 Switch config access list 106 permit ip any 172 20 128 64 0 0 0 31 Switch config end Switch show access lists Extended IP access list 106 per...

Page 561: ...o the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port numbers are used throughout the...

Page 562: ...ing_group in Time Range Applied to an IP ACL This example denies Hypertext Transfer Protocol HTTP traffic on IP on Monday through Friday between the hours of 8 00 a m and 6 00 p m The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic week...

Page 563: ...ccess list standard stan1 Switch config std nacl deny 10 1 1 0 0 0 0 255 log Switch config std nacl permit any log Switch config std nacl exit Switch config interface gigabitethernet0 1 Switch config if ip access group stan1 in Switch config if end Switch show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Console logging level debugging 37 messages logged Monitor logging l...

Page 564: ...e input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 10 1 1 61 0 0 1 packet Configuring Named MAC Extended ACLs You can filter non IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs The procedure is similar to that of configuring other extended named ACLs You can use a number to name the access li...

Page 565: ...dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address with a mask or a specific host source MAC address and any destination MAC address destination MAC address with a mask or a specific destination MAC address Optional You can also enter these options type mask An arb...

Page 566: ...ce 0 3 to filter packets entering the interface Switch config interface gigabitethernet0 3 Router config if mac access group mac1 in Note The mac access group interface configuration command is only valid when applied to a physical Layer 2 interface For inbound ACLs after receiving a packet the switch checks it against the ACL If the ACL permits the packet the switch continues to process the packe...

Page 567: ...Ls that you want to apply to the VLAN See the Creating Standard and Extended IP ACLs section on page 28 8 and the Configuring Named MAC Extended ACLs section on page 28 26 Step 2 Enter the vlan access map global configuration command to create a VLAN ACL map entry Step 3 In access map configuration mode optionally enter an action forward the default or drop and enter the match command to specify a...

Page 568: ...nterface you can create VLAN maps but you cannot apply a VLAN map to any of the switch VLANs An error message is generated if you attempt to do so Creating a VLAN Map Each VLAN map consists of an ordered series of entries Beginning in privileged EXEC mode follow these steps to create add to or delete a VLAN map entry Use the no vlan access map name global configuration command to delete a map Comm...

Page 569: ...mit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop This example shows how to create a VLAN map to permit a packet ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch...

Page 570: ... host 000 0c00 0111 any Switch config ext macl permit host 000 0c00 0211 any Switch config ext nacl exit Switch config mac access list extended good protocols Switch config ext macl permit any any decnet ip Switch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config ...

Page 571: ...AN page 28 35 Wiring Closet Configuration In a wiring closet configuration routing might not be enabled on the Catalyst 3550 switch In this configuration the switch can still support a VLAN map and a QoS classification ACL In Figure 28 4 assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed ...

Page 572: ... 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config ext nacl permit...

Page 573: ...ERVER1 to VLAN 10 Step 1 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host 10 1 1 100 Switch config ext nacl exit Step 2 Define a VLAN map using this ACL that will...

Page 574: ... VLAN map entry This section includes this information about using VLAN maps with router ACLs Guidelines for Using Router ACLs and VLAN Maps page 28 36 Examples of Router ACLs and VLAN Maps Applied to VLANs page 28 37 Guidelines for Using Router ACLs and VLAN Maps These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same VLAN These guidelines do not ap...

Page 575: ...hile the hardware is being updated To change this behavior you can use the mls aclmerge delay and the access list hardware program nonblocking global configuration commands Refer to the command reference for this release for descriptions of these commands Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched ...

Page 576: ...ridged Packets Figure 28 7 shows how an ACL is applied on fallback bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 28 7 Applying ACLs on Bridged Packets Frame Fallback bridge VLAN 10 Host A VLAN 10 Packet 86309 Catalyst 3550 switch VLAN 20 Host B VLAN 20 VLAN 10 map VLAN 20 map ...

Page 577: ...8 shows how ACLs are applied on routed packets For routed packets the ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 28 8 Applying ACLs on Routed Packets Frame Routing function VLAN 10 Host A VLAN 10 Packet 86308 Catalyst 3550 switch VLAN 20 Host B VLAN 20 VLAN 10 map Input router ACL Output router ACL VLAN 20 map ...

Page 578: ...acket has been routed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map VLAN 10 map in Fig...

Page 579: ... permit 172 20 10 10 Standard IP access list 10 permit 12 12 12 12 Standard IP access list 12 deny 1 3 3 2 Standard IP access list 32 permit 172 20 20 20 Standard IP access list 34 permit 10 24 35 56 permit 23 45 56 34 Extended IP access list 120 permit eigrp host 12 3 6 5 host 25 36 1 24 Extended MAC access list mac1 Table 28 2 Commands for Displaying Access Lists and Access Groups Command Purpos...

Page 580: ...C access list macl e1 applied Switch show mac access group Interface GigabitEthernet0 1 Inbound access list is not set Interface GigabitEthernet0 2 Inbound access list is macl_e1 Interface GigabitEthernet0 3 Inbound access list is not set Interface GigabitEthernet0 4 Inbound access list is not set Interface GigabitEthernet0 5 Inbound access list is not set output truncated You can also display inf...

Page 581: ...elease for more detailed information about these commands This section describes how to display this information about these ACL issues Configuration Conflicts page 28 44 ACL Configuration Fitting in Hardware page 28 45 TCAM Usage page 28 47 Table 28 4 Commands for Displaying VLAN Map Information Command Purpose show fm vlan vlan id or show fm interface interface id Display feature manager informa...

Page 582: ...ace gigabitethernet0 1 Conflicts exist with layer 3 access groups Input Port Label 2 Switch show fm port label 2 Conflicts exist with layer 3 access groups Needed in CAM s 1 Loaded into CAM s 1 Sent to CPU by CAM s Interfaces Gi0 1 IP Access Group ip3 0 VMRs DHCP Broadcast Suppression Disabled MAC Access Group None 0 VMRs This example shows the result of trying to apply ACL 121 to an SVI VLAN 1 wh...

Page 583: ... problem in fitting the configuration into hardware is logged You can use the show fm privileged EXEC commands to determine if any interface configuration or VLAN configuration did not fit into hardware Port ACL Examples This is an example of a port access list that is too big for the available TCAM space Switch config if interface gigabitethernet0 3 Switch config if ip access group 100 in Switch ...

Page 584: ...ess available space than CAM 3 The output shows that the label is loaded into CAM 3 and that CAM 1 sends packets on this label to the CPU because the entries for the port ACLs on port label 4 have been unloaded from CAM 1 VLAN or Router ACL Examples This example shows how to display the feature manager information for VLAN 1 Switch show fm vlan 1 Input VLAN Label 1 Output VLAN Label 0 default Prio...

Page 585: ...utAccessGroup Input Features Interfaces or VLANs Vl1 Priority normal Vlan Map none Access Group bigone 11 VMRs Multicast Boundary none 0 VMRs Output Features Interfaces or VLANs Vl2 Priority normal Bridge Group Member no Vlan Map none Access Group bigtwo 11 VMRs Note When configuring ACLs on the switch to allocate maximum hardware resources for ACLs you can use the sdm prefer access global configu...

Page 586: ...tch show fm vlan 1 Input VLAN Label 1 Output VLAN Label 0 default Priority normal Switch show tcam inacl 1 vlan labels 1 Label Value 8193 vlan label 1 Number of entries 779 Entry List Mask Index 4 F7 00 00 00 00 00 00 00 00 80 FF C0 00 C0 FF FF 00 00 Entry Index 32 Timestamp 1 96 00 00 00 00 00 00 00 00 80 01 40 00 80 00 01 00 00 As Data hex 00260086 Mask Index 5 F7 00 00 00 00 00 00 00 00 80 FF C...

Page 587: ...ed in this chapter refer to the command reference for this release This chapter consists of these sections Understanding QoS page 29 2 Configuring Auto QoS page 29 17 Displaying Auto QoS Information page 29 22 Auto QoS Configuration Example page 29 23 Configuring Standard QoS page 29 25 Displaying Standard QoS Information page 29 69 Standard QoS Configuration Examples page 29 69 Note When you are ...

Page 588: ...field to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or in the Layer 3 packet are described here and shown in Figure 29 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1P class of service CoS value in the three least si...

Page 589: ...r traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path have a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the traffic types and pa...

Page 590: ...s which of the four egress queues in which to place the packet The DSCP value is mapped to a CoS value which selects one of the queues For more information see the Mapping Tables section on page 29 10 Scheduling services the four egress queues based on their configured weighted round robin WRR weights and thresholds One of the queues can be the expedite queue which is serviced until empty before t...

Page 591: ... the classification based on the configured Layer 2 MAC access control list ACL which can examine the MAC source address the MAC destination address and the Ethertype field If no ACL is configured the packet is assigned the default DSCP of 0 which means best effort traffic otherwise the policy map specifies the DSCP to assign to the incoming frame For IP traffic these are the classification option...

Page 592: ...P identical to DSCP in packet Check if packet came with CoS label tag Generate DSCP from CoS to DSCP map Yes Read next ACL Is there a match with a permit action Assign the DSCP as specified by ACL action Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Check if packet came with CoS label tag Use Cos from frame Start Trust CoS IP and non IP traffic IP and non IP t...

Page 593: ...iguration command you implement Layer 2 MAC ACLs to classify non IP traffic by using the mac access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 29 35 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name and to isolate a specific traffic flow or class from all other traffic Th...

Page 594: ...that exceed the limits are out of profile or nonconforming Each policer specifies the action to take for packets that are in or out of profile These actions carried out by the marker include passing through the packet without modification dropping the packet or marking down the packet with a new DSCP value that is obtained from the configurable policed DSCP map For information on the policed DSCP ...

Page 595: ... a per port per VLAN basis specifies the bandwidth limits for the traffic on a per VLAN basis for a given port Per port per VLAN policing is not supported on routed ports or on virtual logical interfaces It is supported only on an ingress port configured as a trunk or as a static access port Only one policer can be applied to a packet per direction Only the average rate and committed burst paramet...

Page 596: ...e configurable DSCP to DSCP mutation map to the interface that is on the boundary between the two QoS domains During policing QoS can assign another DSCP value to an IP or non IP packet if the packet is out of profile and the policer specifies a marked down DSCP value This configurable map is called the policed DSCP map Before the traffic reaches the scheduling stage QoS uses the configurable DSCP...

Page 597: ...ap is the only map you apply to a specific Gigabit capable Ethernet port or to a group of 10 100 Ethernet ports All other maps apply to the entire switch For configuration information see the Configuring DSCP Maps section on page 29 51 Queueing and Scheduling After a packet is policed and marked the queueing and scheduling process begins as described in these sections Queueing and Scheduling on Gi...

Page 598: ... expedite queue You can configure the buffer space allocated to each queue as a ratio of weights by using the wrr queue queue limit interface configuration command where the relative size differences in the numbers show the relative differences in the queue sizes To display the absolute value of the queue size use the show mls qos interface interface id statistics privileged EXEC command and exami...

Page 599: ... wrr queue cos map interface configuration command All four queues participate in the WRR unless the expedite queue is enabled in which case the fourth bandwidth weight is ignored and is not used in the ratio calculation The expedite queue is a priority queue and it is serviced until empty before the other queues are serviced You enable the expedite queue by using the priority queue out interface ...

Page 600: ...kets at once Thus WRED allows the transmission line to be fully used at all times WRED also drops more packets from large users than small Therefore sources that generate the most traffic are more likely to be slowed down versus sources that generate little traffic You can enable WRED and configure the two threshold percentages assigned to the four egress queues on a Gigabit capable Ethernet port ...

Page 601: ...s 100 packets of buffer space by default for queueing packets When the buffer specified for the minimum reserve level is full packets are dropped until space is available Figure 29 7 is an example of the 10 100 Ethernet port queue assignments minimum reserve levels and buffer sizes The figure shows four egress queues per port with each queue assigned to a minimum reserve level For example for Fast...

Page 602: ...ortance of the queue For example if one queue has a weight of 3 and another has a weight of 4 three packets are sent from the first queue for every four that are sent from the second queue By using this scheduling low priority queues can send packets even though the high priority queues are not empty Queues are selected by the CoS value that is mapped to an egress queue CoS to egress queue map thr...

Page 603: ...3550 switches During policing IP and non IP packets can have another DSCP assigned to them if they are out of profile and the policer specifies a markdown DSCP For IP packets the packet modification occurs at a later stage for non IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions Configuring Auto QoS You can use the auto QoS feature to simplify the deployment o...

Page 604: ...bled It uses the Cisco Discovery Protocol CDP to detect the presence or absence of a Cisco IP phone When a Cisco IP phone is detected the ingress classification on the interface is set to trust the QoS label received in the packet When a Cisco IP phone is absent the ingress classification is set to not trust the QoS label in the packet The egress queues on the interface are also reconfigured see T...

Page 605: ... hold 26 packets Switch config mls qos min reserve 5 170 Switch config mls qos min reserve 6 10 Switch config mls qos min reserve 7 65 Switch config mls qos min reserve 8 26 The switch automatically sets the ingress classification on the interface to trust the CoS value received in the packet Switch config if mls qos trust cos If you entered the auto qos voip cisco phone command the switch automat...

Page 606: ...is enabled on all interfaces For auto QoS to function properly do not disable the CDP Policing is not enabled with auto QoS You can manually enable policing as described in the Configuring a QoS Policy section on page 29 35 On Gigabit capable Ethernet ports only the switch automatically configures the ratio of the sizes of the WRR egress queues Queue 1 is 80 percent Queue 3 is 20 percent Queue 4 i...

Page 607: ...one Switch config interface fastethernet0 1 Switch config if auto qos voip cisco phone This example shows how to enable auto QoS and to trust the QoS labels in incoming packets when the switch or router connected to Gigabit Ethernet interface 0 1 is a trusted device Switch config interface gigabitethernet0 1 Switch config if auto qos voip trust Command Purpose Step 1 configure terminal Enter globa...

Page 608: ... user changes to that configuration use the show running config privileged EXEC command You can compare the show auto qos and the show running config command output to identify the user defined QoS settings To display information about the QoS configuration that might be affected by auto QoS use one of these commands show mls qos show mls qos map cos dscp show mls qos interface interface id buffer...

Page 609: ...any standard QoS commands before entering the auto QoS commands You can fine tune the QoS configuration but we recommend that you do so only after the auto QoS configuration is completed Cisco router Intelligent wiring closet Catalyst 3550 switches Catalyst 3550 24 EMI switch Catalyst 3550 switch at the edge of the QoS domain Catalyst 3550 switch at the edge of the QoS domain Catalyst 3550 24 EMI ...

Page 610: ...net0 5 Enter interface configuration mode Step 7 auto qos voip cisco phone Enable auto QoS on the interface and specify that the interface is connected to a Cisco IP phone Step 8 interface fastethernet0 7 Enter interface configuration mode Step 9 auto qos voip cisco phone Enable auto QoS on the interface and specify that the interface is connected to a Cisco IP phone Step 10 interface gigabitether...

Page 611: ...29 51 Configuring Egress Queues on Gigabit Capable Ethernet Ports page 29 57 Configuring Egress Queues on 10 100 Ethernet Ports page 29 64 Default Standard QoS Configuration Table 29 4 shows the default standard QoS configuration when QoS is disabled When QoS is disabled there is no concept of trusted or untrusted ports because the packets are not modified the CoS DSCP and IP precedence values in ...

Page 612: ...ing QoS on the switch To disable it use the flowcontrol receive off and flowcontrol send off interface configuration commands If you have EtherChannel ports configured on your switch you must configure QoS classification policing mapping and queueing on the individual physical ports that comprise the EtherChannel You must decide whether the QoS configuration should match on all ports in the EtherC...

Page 613: ... can configure a per port per VLAN policer only on an ingress port specifies the bandwidth limits for the traffic on a per VLAN basis for a given port You cannot police at the switch virtual interface level You cannot configure per port per VLAN policing on routed ports or on virtual logical interfaces It is supported only on an ingress port configured as a trunk or as a static access port The swi...

Page 614: ...size All CoS values map to egress queue 1 with both tail drop thresholds set to 100 percent of the total queue size for Gigabit capable Ethernet ports On 10 100 Ethernet ports all CoS values map to egress queue 1 which uses minimum reserve level 1 and can hold up to 100 packets When the buffer is full packets are dropped Beginning in privileged EXEC mode follow these steps to enable QoS After QoS ...

Page 615: ...ge 29 33 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 29 34 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the pack...

Page 616: ...s the port default CoS value is used The default port CoS value is 0 dscp Classifies ingress packets with packet DSCP values For non IP packets the packet CoS value is used if the packet is tagged for untagged packets the default port CoS is used Internally the switch maps the CoS value to a DSCP value by using the CoS to DSCP map ip precedence Classifies ingress packets with the packet IP precede...

Page 617: ... value for the port For default cos specify a default CoS value to be assigned to a port If the port is CoS trusted and packets are untagged the default CoS value becomes the CoS value for the packet The CoS range is 0 to 7 The default is 0 Use the override keyword to override the previously configured trust state of the incoming packets and to apply the default port CoS value to all incoming pack...

Page 618: ...y the PC are trusted by the switch because of the trusted CoS setting and can allow misuse of high priority queues The trusted boundary feature solves this problem by using the CDP to detect the presence of a Cisco IP phone such as the Cisco IP Phone 7910 7935 7940 and 7960 on a switch port If the telephone is not detected the trusted boundary feature disables the trusted setting on the switch por...

Page 619: ...low these steps to enable pass through mode on an interface To disable pass through mode use the no mls qos trust cos pass through dscp or the no mls qos trust dscp pass through cos interface configuration command If you configure the mls qos trust cos pass through dscp dscp pass through cos interface configuration command and then configure the mls qos trust cos dscp interface configuration comma...

Page 620: ...ing strategy across both QoS domains you must perform this procedure on the ports in both domains 46982 Catalyst 3550 12T switch Catalyst 3550 12T switch QoS Domain 1 QoS Domain 2 Set interface to the DSCP trusted state Configure the DSCP to DSCP mutation map IP traffic Gigabit Ethernet 0 3 Gigabit Ethernet 0 3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qo...

Page 621: ...he Classification section on page 29 5 and the Policing and Marking section on page 29 8 These sections how to configure a QoS policy Classifying Traffic by Using ACLs page 29 36 Classifying Traffic on a Physical Port Basis by Using Class Maps page 29 39 Classifying Traffic on a Per Port Per VLAN Basis by Using Class Maps page 29 41 Classifying Policing and Marking Traffic by Using Policy Maps pag...

Page 622: ...gure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions...

Page 623: ...of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent You specify this by using dotted decimal notation by using the any keyword as an a...

Page 624: ...t from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard 255 255 255 or by using the host keyword for source 0 0 0 For mask enter the wildcard bits by placing ones in the bit positions that you want to ignore For dst MAC addr enter the MAC address of the host to which the packet is bein...

Page 625: ...ement entered within the class map configuration mode You cannot configure both port based classification and VLAN based classification at the same time Note You can also create class maps during policy map creation by using the class policy map configuration command For more information see the Classifying Policing and Marking Traffic by Using Policy Maps section on page 29 43 Beginning in privil...

Page 626: ... map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same Step 5 match access group acl index or name ip dscp dscp list ip precedence ip precedence list De...

Page 627: ...guration command The class map specified in the match class map class map name command must be predefined and cannot contain the match vlan vlan list and the match class map class map name commands You cannot configure both port based classification and VLAN based classification at the same time When you configure the match vlan vlan list command the class map becomes per port per VLAN based If yo...

Page 628: ...By default no match criterion is defined For access group acl index or name specify the number or name of the ACL For ip dscp dscp list enter a list of up to eight IP DSCP values to match against incoming packets Separate each value with a space The range is 0 to 63 For ip precedence ip precedence list enter a list of up to eight IP precedence values to match against incoming packets Separate each...

Page 629: ...ting the CoS DSCP or IP precedence values in the traffic class setting a specific CoS DSCP or IP precedence value in the traffic class and specifying the traffic bandwidth limitations for each matched traffic class policer and the action to take marking when the traffic is out of profile A policy map also has these characteristics A policy map can contain multiple class statements each with differ...

Page 630: ...fy traffic as necessary For more information see the Classifying Traffic on a Physical Port Basis by Using Class Maps section on page 29 39 and the Classifying Traffic on a Per Port Per VLAN Basis by Using Class Maps section on page 29 41 Step 5 mls qos cos policy map Optional Define the CoS value of a port in a policy map When you enter this command you must also enter the trust dscp policy map c...

Page 631: ...om the CoS to DSCP map Note If you use the mls qos cos policy map global configuration command you must use the dscp keyword ip precedence QoS derives the internal DSCP value by using the IP precedence value from the ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the internal DSCP value by using the received CoS value for non IP packets that are unt...

Page 632: ...see the Configuring the Policed DSCP Map section on page 29 53 Step 11 exit Return to policy map configuration mode Step 12 exit Return to global configuration mode Step 13 interface interface id Enter interface configuration mode and specify the interface to attach to the policy map Valid interfaces include physical interfaces Step 14 service policy input policy map name output policy map name Ap...

Page 633: ...0 bps and a normal burst size of 8000 bytes its DSCP is marked down based on the policed DSCP map and sent Switch config access list 1 permit 10 1 0 0 0 0 255 255 Switch config class map ipclass1 Switch config cmap match access group 1 Switch config cmap exit Switch config policy map flow1t Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police 48000 8000 exc...

Page 634: ...Switch config pmap c set ip dscp 45 Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet0 1 Switch config if mls qos trust cos Switch config if service policy input macpolicy1 This example shows how to create a policy map that contains per port per VLAN classification and attach it to an ingress interface A class map called vlan_class matches traffic received o...

Page 635: ...on ingress Gigabit capable Ethernet ports up to 8 policers on ingress 10 100 Ethernet ports and up to 8 policers on egress ports For aggregate policer name specify the name of the aggregate policer For rate bps specify average traffic rate in bits per second bps The range is 8000 to 2000000000 For burst byte specify the normal burst size in bytes The range is 8000 to 512000000 Note Although the co...

Page 636: ...terfaces Step 10 service policy input policy map name output policy map name Apply a policy map to the input or output of a particular interface Only one policy map per interface per direction is supported Use input policy map name to apply the specified policy map to the input of an interface Use output policy map name to apply the specified policy map to the output of an interface You cannot use...

Page 637: ...onfig mls qos aggregate police transmit1 48000 8000 exceed action policed dscp transmit Switch config class map ipclass1 Switch config cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap...

Page 638: ...cp 10 15 20 25 30 35 40 45 Configuring the IP Precedence to DSCP Map You use the IP precedence to DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 29 7 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Table 29 6 Default CoS to DSCP ...

Page 639: ... return to the default map use the no mls qos map policed dscp global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The range is 0 to 63 Ste...

Page 640: ...e of 53 corresponds to a marked down DSCP value of 0 Configuring the DSCP to CoS Map You use the DSCP to CoS map to generate a CoS value which is used to select one of the four egress queues Table 29 8 shows the default DSCP to CoS map If these values are not appropriate for your network you need to modify them Beginning in privileged EXEC mode follow these steps to modify the DSCP to CoS map To r...

Page 641: ...utation Map You apply the DSCP to DSCP mutation map to a port at the boundary of a QoS administrative domain If the two domains have different DSCP definitions between them use the DSCP to DSCP mutation map to translate a set of DSCP values to match the definition of the other domain The default DSCP to DSCP mutation map is a null map which maps an incoming DSCP value to the same DSCP value Beginn...

Page 642: ... 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Note In this DSCP to DSCP mutation map the mutated values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values gives the mutated value For example a DSCP value of ...

Page 643: ...olds apply to each queue and which DSCP values map to each threshold Is one of the queues the expedite high priority egress queue How much of the available bandwidth is allotted to each queue These sections contain this configuration information Mapping CoS Values to Select Egress Queues page 29 57 Configuring the Egress Queue Size Ratios page 29 58 Configuring Tail Drop Threshold Percentages page...

Page 644: ...ect one of the egress queues The default map has these values CoS value 0 1 selects queue 1 CoS value 2 3 selects queue 2 CoS value 4 5 selects queue 3 CoS value 6 7 selects queue 4 For queue id specify the ID of the egress queue The range is 1 to 4 where 4 can be configured as the expedite queue For more information see the Configuring the Egress Expedite Queue section on page 29 62 For cos1 cos8...

Page 645: ...wrr queue dscp map interface configuration command By default all DSCPs are mapped to threshold 1 and when this threshold is exceeded all the packets are dropped If you use tail drop thresholds you cannot use WRED and vice versa Beginning in privileged EXEC mode follow these steps to configure the tail drop threshold percentage values on Gigabit capable Ethernet ports Step 4 wrr queue queue limit ...

Page 646: ...ig if wrr queue dscp map 1 0 8 16 24 32 40 48 56 Switch config if wrr queue dscp map 2 10 20 30 40 50 60 Step 4 wrr queue threshold queue id threshold percentage1 threshold percentage2 Configure tail drop threshold percentages on each egress queue The default threshold is 100 percent for thresholds 1 and 2 For queue id specify the ID of the egress queue The range is 1 to 4 For threshold percentage...

Page 647: ...figure the WRED drop threshold percentage values on Gigabit capable Ethernet ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 wrr queue random detect max threshold queue id threshold percentage1 thre...

Page 648: ...tch config interface gigabitethernet0 2 Switch config if mls qos trust dscp Switch config if wrr queue dscp map 1 0 8 16 24 32 40 48 56 Switch config if wrr queue dscp map 2 10 20 30 40 50 60 As a result of this configuration when the queues 1 and 3 are filled above 50 percent packets with DSCPs 0 8 16 24 32 40 48 and 56 are randomly dropped The same packets are randomly dropped when queues 2 and ...

Page 649: ...he configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 wrr queue bandwidth weight1 weight2 weight3 weight4 Assign WRR weights to the egress queues By default all the weights...

Page 650: ... of your network and your QoS solution you might need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by CoS value to each queue How much of the available buffer space is allotted to each queue Is one of the queues the expedite high priority egress queue How much of the available bandwidth is allotted to each q...

Page 651: ...ed EXEC mode follow these steps to configure the egress queue sizes Step 4 wrr queue cos map queue id cos1 cos8 Map assigned CoS values to select one of the egress queues Theses are the default map values CoS value 0 1 selects queue 1 CoS value 2 3 selects queue 2 CoS value 4 5 selects queue 3 CoS value 6 7 selects queue 4 For queue id specify the ID of the egress queue The range is 1 to 4 where 4...

Page 652: ...ult the buffer size for all eight minimum reserve levels is 100 packets For min reserve level specify the minimum reserve level number The range is 1 to 8 For min reserve buffersize specify the buffer size The range is 10 to 170 packets When you enter this command the queue is temporarily shutdown during the hardware reconfiguration and the switch drops newly arrived packets to this queue Step 4 i...

Page 653: ...ets from each queue Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress 10 100 Ethernet interface Step 4 priority queue out Enable the egress expedite queue which is disabled by default When you configure this command the WRR weight is affected becau...

Page 654: ...fy the egress 10 100 Ethernet interface Step 4 wrr queue bandwidth weight1 weight2 weight3 weight4 Assign WRR weights to the egress queues By default all the weights are set to 25 1 4 of the bandwidth is allocated to each queue For weight1 weight2 weight3 weight4 enter the ratio which determines the ratio of the frequency in which the WRR scheduler dequeues packets Separate each value with a space...

Page 655: ...match criteria to classify traffic show mls qos aggregate policer aggregate policer name Display the aggregate policer configuration show mls qos interface interface id buffers policers queueing statistics Display QoS information at the interface level including the configuration of the egress queues and the CoS to egress queue map which interfaces have configured policers and ingress and egress s...

Page 656: ...t priority default default priority id interface configuration command for each port For ISL or IEEE 802 1Q frames with tag information the priority value from the header frame is used On the Catalyst 3524 PWR XL and 3548 XL switches you can override this priority with the default value by using the switchport priority default override interface configuration command For Catalyst 3500 XL 2950 othe...

Page 657: ...e video packets over all other traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list 1 permit 172 20 10 16 Define an IP standard ACL and permit traffic from the video server at 172 20 10 16 Step 3 class map videoclass Create a class map called videoclass and enter class map configuration mode Step 4 match access group 1 Define the match criterion by m...

Page 658: ...S to egress queue map is sufficient however you need to configure the DSCP to CoS map so that DSCP values 57 to 63 map to CoS 5 For the egress interface Gigabit Ethernet interface 0 5 WRR weights need to be configured by using the wrr queue bandwidth interface configuration command WRED needs to be enabled and the threshold percentages configured for each queue The bandwidth allocated to each queu...

Page 659: ...CP values separated by spaces in the DSCP to CoS map For example to map DSCP values 57 to 63 to CoS 5 enter mls qos map dscp cos 57 58 59 60 61 62 63 to 5 Step 13 interface gigabitethernet0 5 Enter interface configuration mode and specify the egress interface to configure Step 14 priority queue out Enable the expedite queue Step 15 wrr queue bandwidth weight1 weight2 weight3 weight4 Configure WRR ...

Page 660: ...ter 29 Configuring QoS Standard QoS Configuration Examples Step 17 end Return to privileged EXEC mode Step 18 show mls qos interface and show interfaces Verify your entries Step 19 copy running config startup config Optional Save your entries in the configuration file Command Purpose ...

Page 661: ... load across the remaining links If a link fails EtherChannel redirects traffic from the failed link to the remaining links in the channel without intervention This chapter consists of these sections Understanding EtherChannels page 30 1 Configuring EtherChannels page 30 7 Displaying EtherChannel PAgP and LACP Status page 30 18 Note For complete syntax and usage information for the commands used i...

Page 662: ... the switch the EtherChannel and the failed link Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Understanding Port Channel Interfaces You create an EtherChannel for Layer 2 interfaces differently from Layer 3 interfaces Both configurations involve logical interfaces With Layer 3 interfaces you manually create ...

Page 663: ...exchanging packets between Ethernet interfaces PAgP is a Cisco proprietary protocol that can be run only on Cisco switches and on those switches licensed by licensed vendors to support PAgP LACP is defined in IEEE 802 3AD and allows Cisco switches to manage Ethernet channels between switches that conform to the 802 3AD protocol By using one of these protocols a switch learns the identity of partne...

Page 664: ...is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent operation by using the non silent keyword If you do not specify non silent with the auto or desirable mode silent mode is assumed The silent mode is used when the switch is connected to a device that is not PAgP capable and seldom if ever sends packets An example of a silent partner is a file server...

Page 665: ...cs If the group is misconfigured packet loss or spanning tree loops might occur Physical Learners and Aggregate Port Learners Network devices are classified as PAgP physical learners or aggregate port learners A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge A device is an aggregate port learner if it learns addresses by aggr...

Page 666: ...rwarding is used load distribution based on the source and destination IP address is also enabled for routed IP traffic All routed IP traffic chooses a port based on the source and destination IP address Packets between two IP hosts always use the same port in the channel and traffic between any other pair of hosts can use a different port in the channel With destination MAC address forwarding whe...

Page 667: ... 30 11 Configuring EtherChannel Load Balancing page 30 14 Configuring the PAgP Learn Method and Priority page 30 15 Note Make sure that the interfaces are correctly configured see the EtherChannel Configuration Guidelines section on page 30 8 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical interfaces assigned to the por...

Page 668: ...n a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path cost for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting An EtherChannel interface that is configured as...

Page 669: ...herwise compatibly configured Setting different spanning tree path costs does not by itself make interfaces incompatible for the formation of an EtherChannel For Layer 3 EtherChannels assign the Layer 3 address to the port channel logical interface not to the physical interfaces in the channel Configuring Layer 2 EtherChannels You configure Layer 2 EtherChannels by configuring the Ethernet interfa...

Page 670: ...the interface starts negotiations with other interfaces by sending PAgP packets on Forces the interface to channel without PAgP With the on mode a usable EtherChannel exists only when an interface group in the on mode is connected to another interface group in the on mode non silent If your switch is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent o...

Page 671: ...cal interface to an EtherChannel you must delete the IP address from the physical interface before configuring it on the port channel interface Beginning in privileged EXEC mode follow these steps to create a port channel interface for a Layer 3 EtherChannel To remove the port channel use the no interface port channel port channel number global configuration command This example shows how to creat...

Page 672: ...de follow these steps to assign an Ethernet interface to a Layer 3 EtherChannel Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify a physical interface to configure Valid interfaces include physical interfaces Up to eight interfaces of the same type and speed can be configured for the same group Ste...

Page 673: ... enables PAgP It places an interface into an active negotiating state in which the interface starts negotiations with other interfaces by sending PAgP packets non silent If your switch is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent operation You can configure an interface with the non silent keyword for use with the auto or desirable mode If you...

Page 674: ...mode Step 2 port channel load balance dst mac src mac Configure an EtherChannel load balancing method The default is src mac Select one of these keywords to determine the load distribution method dst mac Load distribution is based on the destination host MAC address of the incoming packet Packets to the same destination are sent on the same port but packets to different destinations are sent on di...

Page 675: ...face configuration command and to set the load distribution method based on the source MAC address by using the port channel load balance src mac global configuration command Use the pagp learn method command only in this situation Beginning in privileged EXEC mode follow these steps to configure your switch as a PAgP physical port learner and to adjust the priority so that the same port in the bu...

Page 676: ...e active links becomes inactive a link that is in hot standby mode becomes active in its place If more than eight links are configured for an EtherChannel group the software determines which of the hot standby ports to make active based on LACP port priority Port ID Step 6 show running config or show pagp channel group number internal Verify your entries Step 7 copy running config startup config O...

Page 677: ... for all of the EtherChannels that are configured for LACP by using the lacp system priority privileged EXEC command The range is from 1 to 65535 Note The lacp system priority command is global You cannot set a system priority for each LACP configured channel separately We recommend using this command only when there are a combination of LACP configured EtherChannels that are in both active and st...

Page 678: ...Displays EtherChannel information in a detailed and one line summary form Also displays the load balance or frame distribution scheme port and port channel information show pagp channel group number counters internal neighbor 1 1 You can clear PAgP channel group information and traffic filters by using the clear pagp channel group number counters counters privileged EXEC command Displays PAgP info...

Page 679: ...yntax and usage information for the commands used in this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding IP Routing page 31 2 Steps for Configuring Routing page 31 3 Configuring IP Addressing on Layer 3 Interfaces page 31 4 Enabling IP Unicast Routing page 31 18 Configuring RIP page 31 19 Configuring IGRP pa...

Page 680: ...st routing in three different ways By using default routing By using preprogrammed static routes for the traffic By dynamically calculating routes by using a routing protocol Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination Static unicast routing forwards packets from predetermined ports through a single path into and out of a ne...

Page 681: ...I a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface An EtherChannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Lay...

Page 682: ...e 31 11 Configuring Broadcast Packet Handling page 31 13 Monitoring and Maintaining IP Addressing page 31 17 Default Addressing Configuration Table 31 1 shows the default addressing configuration Table 31 1 Default Addressing Configuration Feature Default Setting IP address None defined ARP No permanent entries in the Address Resolution Protocol ARP cache Encapsulation Standard Ethernet style ARP ...

Page 683: ...se the mask to subnet a network the mask is referred to as a subnet mask To receive an assigned network number contact your Internet service provider IRDP Disabled Defaults when enabled Broadcast IRDP advertisements Maximum interval between advertisements 600 seconds Minimum interval between advertisements 0 75 times max interval Preference 0 IP proxy ARP Enabled IP routing Disabled IP subnet zero...

Page 684: ...couraged you can enable the use of subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter...

Page 685: ...ss space In Figure 31 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 31 2 IP Classless Routing In Figure 31 3 the router in ...

Page 686: ...sociate IP address with MAC addresses Taking an IP address as input ARP determines the associated MAC address and then stores the IP address MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by...

Page 687: ...dress type global configuration command To remove all nonstatic entries from the ARP cache use the clear arp cache privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsula...

Page 688: ...nfiguration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 4 end Return to privileged EXEC mode Step 5 show interfaces inter...

Page 689: ...d see the Enable Proxy ARP section on page 31 10 Proxy ARP works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or sends an IP Control Message Protocol ICMP redirect message back defining which local router the host should use ...

Page 690: ...ommand Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip irdp Enable IRDP processing on the interface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibilit...

Page 691: ...dges including intelligent bridges because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including the one in the Catalyst ...

Page 692: ...work Disk ND protocol which is used by older diskless Sun workstations and the network security protocol SDNS By default both UDP and ND forwarding are enabled if a helper address has been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12 1 lists the ports that are forwarded by de...

Page 693: ... no ip broadcast address interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 4 exit Retur...

Page 694: ...oded UDP datagram is given the destination address specified with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address Thus the destination address might change as the datagram propagates through the network The source address is never changed The TTL value is decremented When a flooded UDP datagram is sent out an interf...

Page 695: ... Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 31 3 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the host name and the address c...

Page 696: ...uter end You can now set up parameters for the selected routing protocols as described in these sections Configuring RIP page 31 19 Configuring IGRP page 31 24 Configuring OSPF page 31 29 Configuring EIGRP page 31 38 Configuring BGP page 31 44 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing Step 3 router ip_routing_protocol Specify an I...

Page 697: ...nreachable This small range 0 to 15 makes RIP unsuitable for large networks If the router has a default network path RIP advertises a route that links the router to the pseudonetwork 0 0 0 0 The 0 0 0 0 network does not exist it is treated by RIP as a network to implement the default routing feature The switch advertises the default network if a default was learned by RIP or if the router has a ga...

Page 698: ...re Default Setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing required only if IP routing is disabled Step 3 router rip Enable a RIP routing process and enter router configuration mode Step 4 network network number Associate a network with a RIP routing process You can specify multiple network commands RIP routing updates are sent ...

Page 699: ...use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable automatic summarization By default the switch summarizes subprefixes when crossing classful network boundaries Disable summarization RIP version 2 only to advertise subnet and host routing information to classful network bo...

Page 700: ...rmally use the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated This feature usually optimizes communication among multiple routers especially when links are broken Note In general disabling split horizon is not recommended unless you are certain...

Page 701: ...with the ip summary address rip router configuration command are advertised Switch config router rip Switch config router interface gi0 2 Switch config if ip address 10 1 5 1 255 255 255 0 Switch config if ip summary address rip 10 2 0 0 255 255 0 0 Switch config if no ip split horizon Switch config if exit Switch config router rip Switch config router network 10 0 0 0 Switch config router neighbo...

Page 702: ... do not include subnet information Exterior routes are routes to networks outside the AS that are considered when identifying a gateway of last resort The router chooses a gateway of last resort from the list of exterior routes that IGRP provides if it does not have a better route for a packet and the destination is not a connected network If the AS has more than one connection to an external netw...

Page 703: ... the primary and alternate paths determines the feasibility of a potential route An alternate route is feasible if the next router in the path is closer to the destination has a lower metric value than the router being used and if the metric for the entire alternate path is within the variance Only feasible paths are used for load balancing and are included in the routing table These conditions li...

Page 704: ... routing process is required other steps are optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing required only if IP routing is disabled Step 3 router igrp autonomous system Enable an IGRP routing process and enter router configuration mode The AS number identifies the routes to other IGRP routers and tags routing information Step ...

Page 705: ...eing used for a certain period of time and prevents routing loops caused by slow convergence This command disables holddown which increases the network s ability to quickly respond to topology changes Use the metric holddown command only if other routers or access servers within the IGRP AS are not configured with the no metric holddown command If all routers are not configured the same way you in...

Page 706: ...bling split horizon unless you are certain that your application requires it to properly advertise routes Beginning in privileged EXEC mode follow these steps to disable split horizon on the interface To enable the split horizon mechanism use the ip split horizon interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id ...

Page 707: ...protocol can be redistributed into another IP routing protocol At the intradomain level this means that OSPF can import routes learned through IGRP and RIP OSPF routes can also be exported into IGRP and RIP Plain text and MD5 authentication among neighboring routers within an area is supported Configurable routing interface parameters include interface output cost retransmission interval interface...

Page 708: ...area defined NSSA No NSSA area defined Auto cost 100 Mbps Default information originate Disabled When enabled the default metric setting is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from...

Page 709: ...rval 5 seconds Transmit delay 1 second Dead interval 40 seconds Authentication key no key predefined Message digest key MD5 no key predefined Table 31 7 Default OSPF Configuration continued Feature Default Setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing required only if IP routing is disabled Step 3 router ospf process id Enable...

Page 710: ... link state update packet The range is 1 to 65535 seconds The default is 1 second Step 6 ip ospf priority number Optional Set priority to help determine the OSPF designated router for a network The range is from 0 to 255 The default is 1 Step 7 ip ospf hello interval seconds Optional Set the number of seconds between hello packets sent on an OSPF interface The value must be the same for all nodes ...

Page 711: ...ged EXEC mode follow these steps to configure area parameters Step 13 show ip ospf interface interface name Display OSPF related interface information Step 14 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Enable OSPF routing and enter rou...

Page 712: ...y router ID or neighbor ID Default Metrics OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface The metric is calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is determined by the bandwidth interface configuration command For multiple links with high bandwidth you can specify a larger number to differentiate the cost on t...

Page 713: ...ep 5 default information originate always metric metric value metric type type value route map map name Optional Force the ASBR to generate a default route into the OSPF routing domain Parameters are all optional Step 6 ip ospf name lookup Optional Configure DNS name lookup The default is disabled Step 7 ip auto cost reference bandwidth ref bw Optional Specify an address range for which a single r...

Page 714: ...its routing information out its interfaces If a loopback interface is configured with an IP address OSPF uses this IP address as its router ID even if other interfaces have higher IP addresses Because loopback interfaces never fail this provides greater stability OSPF automatically prefers a loopback interface over other interfaces and it chooses the highest IP address among all loopback interface...

Page 715: ...ocesses show ip ospf process id database router link state id show ip ospf process id database router self originate show ip ospf process id database router adv router ip address show ip ospf process id database network link state id show ip ospf process id database summary link state id show ip ospf process id database asbr summary link state id show ip ospf process id database external link stat...

Page 716: ...arization EIGRP scales to large networks Enhanced IGRP has these four basic components Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks Routers must also discover when their neighbors become unreachable or inoperative Neighbor discovery and recovery is achieved with low overhead by periodically sending small h...

Page 717: ... describes how to configure EIGRP It includes this information Default EIGRP Configuration page 31 39 Configuring Basic EIGRP Parameters page 31 40 Configuring EIGRP Interfaces page 31 41 Configuring EIGRP Route Authentication page 31 42 Monitoring and Maintaining EIGRP page 31 43 Default EIGRP Configuration Table 31 9 shows the default EIGRP configuration Table 31 9 Default EIGRP Configuration Fe...

Page 718: ...ello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all other networks 5 seconds IP hold time For low speed NBMA networks 180 seconds all other networks 15 seconds IP split horizon Enabled IP summary address No summary aggregate addresses are predefined Metric weights tos 0 k1 and k3 1 k2 k4 and k5 0 Network None specified Offset list Disabled Router EIGRP Disabled Set me...

Page 719: ...t the offset list with an access list or an interface Step 8 no auto summary Optional Disable automatic summarization of subnet routes into network level routes Step 9 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate Step 10 end Return to privileged EXEC mode Step 11 show ip protocols Verify your entries Step 12 copy running config startup confi...

Page 720: ...l Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated Step 8 end Return to privileged EXEC mode Step 9 show ip eigrp interface Display which interfaces EIGRP is active on and information about EIGRP relating to those interfaces Step 10 copy running config startup config Optional Save your entries in the configuratio...

Page 721: ...is infinite Step 10 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step...

Page 722: ...BGP updates run internal BGP IBGP and routers that belong to different autonomous systems and that exchange BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between autonomous systems EBGP or within an AS IBGP Figure 31 5 shows a network that is running both EBGP and IBGP Figure ...

Page 723: ...ormation about the list of AS paths with other BGP systems This information can be used to determine AS connectivity to prune routing loops and to enforce AS level policy decisions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from an IGP unless IGP synchronization is disabled Whe...

Page 724: ...peers Compare router ID Disabled BGP community list Number None defined When you permit a value for the community number the list defaults to an implicit deny for everything else that has not been permitted Format Cisco default format 32 bit number BGP confederation identifier peers Identifier None configured Peers None identified BGP Fast external fallover Enabled BGP local preference 100 The ran...

Page 725: ...e neighbor Description None Distribute list None defined External BGP multihop Only directly connected neighbors are allowed Filter list None used Maximum number of prefixes received No limit Next hop router as next hop for BGP neighbor Disabled Password Disabled Neighbor Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defin...

Page 726: ...zed with the IGP Synchronization is enabled by default If your AS does not pass traffic from one AS to another AS or if all routers in your autonomous systems are running BGP you can disable synchronization which allows your network to carry fewer routes in the IGP and allows BGP to converge more quickly Beginning in privileged EXEC mode follow these steps to enable BGP routing establish a BGP rou...

Page 727: ...eighbor 192 208 10 2 remote as 200 To verify that BGP peers are running use the show ip bgp neighbors privileged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors BGP neighbor is 129 213 1 1 remote AS 200 external link BGP version 4 remote router ID 175 220 212 1 BGP state established table version 3 up for 0 10 59 Last read 0 00 29 hold time is 180 keepalive...

Page 728: ...upport a soft reset without any prior configuration To use a soft reset without preconfiguration both BGP peers must support the soft route refresh capability which is advertised in the OPEN message sent when the peers establish a TCP session A soft reset allows the dynamic exchange of route refresh requests and routing information between BGP routers and the subsequent re advertisement of the res...

Page 729: ...are is the IP address of the next hop that is going to be used to reach a destination For EBGP this is usually the IP address of the neighbor specified by the neighbor remote as router configuration command You can disable next hop processing by using route maps or the neighbor next hop self router configuration command 2 Prefer the path with the largest weight a Cisco proprietary parameter The we...

Page 730: ...ns are all true insert the route for this path into the IP routing table Both the best route and this route are external Both the best route and this route are from the same neighboring autonomous system maximum paths is enabled 11 If multipath is not enabled prefer the route with the lowest IP address value for the BGP router ID The router ID is usually the highest IP address on the router or the...

Page 731: ...ong paths in the same AS Step 9 bgp bestpath med confed Optional Configure the switch to consider the MED in choosing a path from among those advertised by different subautonomous systems within a confederation Step 10 bgp deterministic med Optional Configure the switch to consider the MED variable when choosing among routes advertised by different peers in the same AS Step 11 bgp default local pr...

Page 732: ...atching requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Step 3 set ip next hop ip address ip address peer address Optional Set a route map to disable next hop processing In an inbound route map set the next hop of matching routes to be the neighbor peering address overriding third party next hops In an ...

Page 733: ...g access lists When there is a match the route is used Whether a prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny is assumed if a given prefix does not match any entries in a prefix list When multiple entries of a prefix list match a given prefix the sequence number of a prefix list entry identifies the entry with the lowest sequenc...

Page 734: ...nistrators can define to which communities a destination belongs By default all destinations belong to the general Internet community The community is identified by the COMMUNITIES attribute an optional transitive global attribute in the numerical range from 1 to 4294967200 These are some predefined well known communities internet Advertise this route to the Internet community All routers belong t...

Page 735: ...se steps to create and to apply a community list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip community list community list number permit deny community number Create a community list and assign it a number The community list number is an integer from 1 to 99 that identifies one or more permit or deny groups of communities The community number is the number c...

Page 736: ...EXEC mode use these commands to configure BGP peers Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 neighbor peer group name peer group Create a BGP peer group Step 4 neighbor ip address peer group peer group name Make a BGP neighbor a member of the peer group Step 5 neighbor ip address peer gr...

Page 737: ...Optional Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which keepalive messages are sent to peers The range is 1 to 4294967295 seconds the default is 60 The holdtime is the interval after which a peer ...

Page 738: ...p MED and local preference information is preserved You can then use a single IGP for all of the autonomous systems Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from ...

Page 739: ...ster do not communicate with IBGP speakers outside their cluster When the route reflector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the...

Page 740: ...eighbor ip address peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route reflect...

Page 741: ...istics to make it less likely that a route will be dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 31 13 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection clea...

Page 742: ...ress Display detailed information on the BGP and TCP connections to individual neighbors show ip bgp neighbors address advertised routes dampened routes flap statistics paths regular expression received routes routes Display routes learned from a particular BGP neighbor show ip bgp paths Display all BGP paths in the database show ip bgp peer group tag summary Display information about BGP peer gro...

Page 743: ... Sessions page 31 70 Multi VRF CE Configuration Example page 31 71 Displaying Multi VRF CE Status page 31 75 Understanding Multi VRF CE Multi VRF CE is a feature that allows a service provider to support two or more VPNs where IP addresses can be overlapped among the VPNs Multi VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual packet forwarding tables by assoc...

Page 744: ...ture each interface in a VRF must be a Layer 3 interface Figure 31 6 Catalyst 3550 Switches Acting as Multiple Virtual CEs When the CE switch receives a command to add a Layer 3 interface to a VRF it sets up the appropriate mapping between the VLAN ID and the policy label PL in multi VRF CE related data structures and adds the VLAN ID and PL to the VLAN database When multi VRF CE is configured the...

Page 745: ...thin the VPN To configure VRF you create a VRF table and specify the Layer 3 interface associated with the VRF Then configure the routing protocols in the VPN and between the CE and the PE BGP is the preferred routing protocol used to distribute VPN routing information across the provider s backbone The multi VRF CE network has three major components VPN route target communities lists of all other...

Page 746: ...o a specific routing table ID that is used to identify the appropriate routing tables stored on the switch To support multi VRF CE multiple routing tables are entered into the Layer 3 TCAM table Because an extra field is needed in the routing table to identify the table to which a route belongs you must modify the SDM template to enable the switch to support 144 bit Layer 3 TCAM Use the sdm prefer...

Page 747: ...Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing Step 3 ip vrf vrf name Name the VRF and enter VRF configuration mode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and abitrary number A B C D y Step 5 route target export import both route targ...

Page 748: ... subnets Set the switch to redistribute information from the BGP network to the OSPF network Step 5 network network number area area id Define a network address and mask on which OSPF runs and the area ID for that network address Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional S...

Page 749: ...RF configuration for Switches S20 and S11 and the PE router commands related to traffic with Switch S8 Commands for configuring the other switches are not included but would be similar Figure 31 7 Multi VRF CE Configuration Example Step 9 end Return to privileged EXEC mode Step 10 show ip bgp ipv4 neighbors Verify BGP configuration Step 11 copy running config startup config Optional Save your entr...

Page 750: ... interface loopback2 Switch config if ip vrf forwarding v12 Switch config if ip address 8 8 2 8 255 255 255 0 Switch config if exit Switch config interface FastEthernet0 5 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Switch config interface FastEthernet0 8 Switch config if switchport access vlan 20...

Page 751: ...router af neighbor 83 0 0 3 remote as 100 Switch config router af neighbor 83 0 0 3 activate Switch config router af network 8 8 2 0 mask 255 255 255 0 Switch config router af exit Switch config router address family ipv4 vrf vl1 Switch config router af redistribute ospf 1 match internal Switch config router af neighbor 38 0 0 3 remote as 100 Switch config router af neighbor 38 0 0 3 activate Swit...

Page 752: ...nfig interface Loopback1 Router config if ip vrf forwarding v1 Router config if ip address 3 3 1 3 255 255 255 0 Router config if exit Router config interface Loopback2 Router config if ip vrf forwarding v2 Router config if ip address 3 3 2 3 255 255 255 0 Router config if exit Router config interface Fast Ethernet3 0 10 Router config if encapsulation dot1q 10 Router config if ip vrf forwarding v1...

Page 753: ...tatic Unicast Routes page 31 77 Specifying Default Routes and Networks page 31 78 Using Route Maps to Redistribute Routing Information page 31 79 Configuring Policy Based Routing page 31 82 Filtering Routing Information page 31 85 Managing Authentication Keys page 31 88 Configuring Cisco Express Forwarding Cisco Express Forwarding CEF is a Layer 3 IP switching technology used to optimize network p...

Page 754: ... interfaces You can disable CEF on an interface by using the no ip route cache cef interface configuration command You can enable CEF on an interface by using the ip route cache cef interface configuration command Beginning in privileged EXEC mode follow these steps to enable CEF on an interface after it has been disabled To disable CEF on an interface use the no ip route cache cef interface confi...

Page 755: ...tocol has a default administrative distance as listed in Table 31 16 If you want a static route to be overridden by information from a dynamic routing protocol set the administrative distance of the static route higher than that of the dynamic protocol Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip ospf igrp eigrp Enter router configuration mode Ste...

Page 756: ...se some routers as smart routers and give the remaining routers default routes to the smart router Smart routers have routing table information for the entire internetwork These default routes can be dynamically learned or can be configured in the individual routers Most dynamic interior routing protocols include a mechanism for causing a smart router to generate dynamic default information that i...

Page 757: ...he switch to readvertise IGRP derived routes by using RIP or to readvertise static routes by using IGRP Redistributing information from one routing protocol to another applies to all supported IP based routing protocols You can conditionally control the redistribution of routes between routing domains by defining route maps between the two domains The match and set route map configuration commands...

Page 758: ...ccess list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 Step 6 match metric metric value Match the specified route metric The metric value can be an IGRP 5 part metric with a value from 0 to 4294967295 Step 7 match ip next hop access list number access list name access list number access list name Match a next hop router a...

Page 759: ...e to give the redistributed routes for IGRP or EIGRP only bandwidth Metric value or IGRP bandwidth in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 no reliability and 255 100 percent reliability loading Effective bandwidth of the route e...

Page 760: ...g PBR you can have more control over routing by reducing the reliance on routes derived from routing protocols PBR can determine and implement routing policies that allow or deny paths based on Identity of a particular end system Application Protocol You can use PBR to provide equal access and source sensitive routing routing based on interactive versus batch traffic or routing based on dedicated ...

Page 761: ...Channel port channel in Layer 3 mode You can define a maximum of 247 IP policy route maps on the switch VRF and PBR are mutually exclusive on a switch interface You cannot enable VRF when PBR is enabled on an interface In contrast you cannot enable PBR when VRF is enabled on an interface WCCP and PBR are mutually exclusive on a switch interface You cannot enable WCCP when PBR is enabled on an inte...

Page 762: ...Number that shows the position of a new route map in the list of route maps already configured with the same name Step 3 match ip address access list number access list name access list number access list name Match the source and destination IP address that is permitted by one or more standard or extended access lists If you do not specify a match command the route map applies to all packets Step...

Page 763: ...bout routes you can use the passive interface router configuration command to keep routing update messages from being sent through a router interface When you use this command in the OSPF protocol the interface address you specify as passive appears as a stub network in the OSPF domain OSPF routing information is neither sent nor received through the specified router interface In networks with man...

Page 764: ... interface name You can also use a distribute list router configuration command to avoid processing certain routes listed in incoming updates This feature does not apply to OSPF Beginning in privileged EXEC mode follow these steps to control the advertising or processing of routing updates Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip ospf igrp eig...

Page 765: ...ces Because each network has its own requirements there are no general guidelines for assigning administrative distances Beginning in privileged EXEC mode follow these steps to filter sources of routing information To remove a distance definition use the no distance router configuration command Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Optional Save your e...

Page 766: ...privileged EXEC mode follow these steps to manage authentication keys To remove the key chain use the no key chain name of chain global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 key chain name of chain Identify a key chain and enter key chain configuration mode Step 3 key number Identify the key number The range is 0 to 2147483647 Step 4...

Page 767: ...to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route address mask longer prefixes protocol process id Display the current state of the routing table show ip route summary Display the current state of the routing...

Page 768: ...31 90 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 31 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 769: ...ying HSRP Configurations page 32 11 Understanding HSRP HSRP is Cisco s standard method of providing high network availability by providing first hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address HSRP routes IP traffic without relying on the availability of any single router It enables a set of router interfaces to work together to present the appearance of...

Page 770: ...HSRP interfaces is 256 However the relationship between the number of HSRP interfaces and the number of active IP routing protocols and other configured features might have an impact on CPU utilization Because of other switch feature configurations we recommend that you do not assign more than 64 HSRP interfaces The switch returns an error message after a period of up to 1 minute if you exceed the...

Page 771: ...them to the MAC address of the virtual router If for any reason Router A stops transferring packets Router B responds to the virtual IP address and virtual MAC address and becomes the active router assuming the active router duties Host C continues to use the IP address of the virtual router to address packets destined for Host B which Router B now receives and sends to Host B Until Router A resum...

Page 772: ...itchport interface configuration command SVI a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface Etherchannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For ...

Page 773: ...figure bridge groups Enabling HSRP The standby ip interface configuration command activates HSRP on the configured interface If an IP address is specified that address is used as the designated address for the Hot Standby group If no IP address is specified the address is learned through the standby function You must configure at least one routing port on the cable with the designated address Conf...

Page 774: ... Assigning priority helps select the active and standby routers If preemption is enabled the router with the highest priority becomes the designated active router If priorities are equal the primary IP addresses are compared and the higher IP address has priority Step 3 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional gro...

Page 775: ...riority values have been configured the configured priority decrements are cumulative If tracked interfaces that were not configured with priority values fail the default decrement is 10 and it is noncumulative When routing is first enabled for the interface it does not have a complete routing table If it is configured to preempt it becomes the active router even though it is unable to provide ade...

Page 776: ...outer Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active role for the number of seconds shown The range is 0 to 36000 1 hour the default is 0 no delay before taking over Use the no form of the command t...

Page 777: ...ation string interface configuration command to delete an authentication string Use the no standby group number timers hellotime holdtime interface configuration command to restore timers to their default values Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to...

Page 778: ...roups and Clustering When a device is participating in an HSRP standby routing and clustering is enabled you can use the same standby group for command switch redundancy and HSRP redundancy Use the cluster standby group HSRP group name routing redundancy global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy If you create a cluster w...

Page 779: ...dby command without qualifiers can result in an unwieldy display This is a an example of output from the show standby privileged EXEC command displaying HSRP information for two standby groups group 1 and group 100 Switch show standby VLAN1 Group 1 Local state is Standby priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 182 Hot standby IP address is 10 0 0 1 configured A...

Page 780: ...32 12 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 32 Configuring HSRP Displaying HSRP Configurations ...

Page 781: ... web servers Cache engines accelerate content delivery and ensure maximum scalability and availability of content In a service provider network you can deploy the WCCP and cache engine solution at the points of presence POPs In an enterprise network you can deploy the WCCP and cache engine solution at the regional site and the small branch office To use this feature you must have the enhanced mult...

Page 782: ...d server When a cache engine receives a request it attempts to service it from its own local cache If the requested information is not present the cache engine sends a separate request to the end server to retrieve the requested information After receiving the requested information the cache engine forwards it to the requesting client and also caches it to fulfill future requests This software rel...

Page 783: ...ch packets are distributed among the cache engines in the cluster The switch uses some of the least significant bits of the destination IP address to determine which cache engine receives the redirected packet The number of bits used is based on the number of cache engines If the number of cache engines is equal to a power of 2 for example 1 2 4 and so forth the switch evenly distributes load bala...

Page 784: ...ted to the client Packets returned or rejected by the cache engine These packets are sent to the web server Unsupported WCCPv2 Features These WCCPv2 features are not supported in this software release WCCP service numbers which are configured by using the ip wccp service number global and interface configuration commands These commands are not supported This software release supports caching only ...

Page 785: ...rect Layer 2 connection Connect up to 32 cache engines to a single Catalyst 3550 switch Connect only one Catalyst 3550 switch to multiple cache engines Do not connect multiple Catalyst 3550 switches to multiple cache engines Configure the switch interfaces that are connected to the web clients the cache engines and the web server as Layer 3 interfaces routed ports and switch virtual interfaces SVI...

Page 786: ...nd Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip wccp web cache password encryption number password Enable the web cache service on your switch By default this feature is disabled Optional For password encryption number password specify an encryption number The range is 0 to 7 Use 0 for not encrypted and use 7 for proprietary Specify a password name up to seven charac...

Page 787: ...if ip address 172 20 10 30 255 255 255 0 Switch config if no shutdown Switch config if exit Switch config interface gigabitethernet0 1 Switch config if no switchport Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if no shutdown Switch config if exit Switch config interface fastethernet0 2 Switch config if no switchport Switch config if ip address 175 20 30 20 255 255 255 0 Sw...

Page 788: ...the clients are configured as access ports in VLAN 301 The switch redirects HTTP packets received from the client interfaces to the cache engine Switch configure terminal Switch config ip wccp web cache Switch config vlan 299 Switch config vlan exit Switch config interface vlan 299 Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if exit Switch config interface gigabitethernet0...

Page 789: ...nd Maintaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all cache engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interface for example...

Page 790: ...33 10 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 33 Configuring Web Cache Services By Using WCCP Monitoring and Maintaining WCCP ...

Page 791: ... to the all multicast routers group on a subnet Any host regardless of whether it is a member of a group can send to a group However only the members of a group receive the message Membership in a multicast group is dynamic hosts can join and leave at any time There is no restriction on the location or number of members in a multicast group A host can be a member of more than one multicast group a...

Page 792: ... section on page 7 27 Cisco Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing Internet Group Management Protocol IGMP is used among hosts on a LAN and the routers and multilayer switches on that LAN to track the multicast groups of which hosts are members Protocol Independent Multicast PIM protocol is used among routers and mul...

Page 793: ...cast group on the local subnet In this model the router or switch acting as the IGMP querier periodically every 60 seconds multicasts an IGMPv1 membership query to the all hosts multicast group 224 0 0 1 on the local subnet All hosts enabled for multicasting listen for this address and receive the query A host responds with an IGMPv1 membership report to receive multicast traffic for a specific gr...

Page 794: ... maximum query response time and controls the burstiness of the response process This feature can be important when large numbers of groups are active on a subnet and you want to spread the responses over a longer period of time However increasing the maximum response timer value also increases the leave latency the query router must now wait longer to make sure there are no more hosts for the gro...

Page 795: ...uter section on page 34 8 All systems using Cisco IOS Release 11 3 2 T or later start in PIMv2 mode by default PIMv2 includes these improvements over PIMv1 A single active RP exists per multicast group with multiple backup RPs This single RP compares to multiple active RPs for the same group in PIMv1 A BSR provides a fault tolerant automated RP discovery and distribution mechanism that enables rou...

Page 796: ...224 1 1 1 PIM DM employs only SPTs to deliver S G multicast traffic by using a flood and prune method It assumes that every subnet in the network has at least one receiver of the S G multicast traffic and therefore the traffic is flooded to all points in the network To avoid unnecessary consumption of network resources PIM DM devices send prune messages up the source distribution tree to stop unwa...

Page 797: ...end along the branch When using a shared tree sources must send their traffic to the RP so that the traffic reaches all receivers The special notation G pronounced star comma G is used to represent the tree where means all sources and G represents the multicast group Figure 34 5 shows a shared tree for group 224 2 2 2 with the RP located at Router 3 Multicast group traffic from source Hosts A and ...

Page 798: ...s of their Group to RP mapping cache in RP discovery messages every 60 seconds default to the Cisco RP discovery multicast group 224 0 1 40 which all Cisco PIM routers and multilayer switches join to receive Group to RP mapping information Thus all routers and switches automatically discover which RP to use for the groups they support The discovery messages also contain a holdtime which defines ho...

Page 799: ...nterface to the next hop toward the destination With multicasting the source is sending traffic to an arbitrary group of hosts represented by a multicast group address in the destination address field of the IP packet To determine whether to forward or drop an incoming multicast packet the router or multilayer switch uses a reverse path forwarding RPF check on the packet as follows and shown in Fi...

Page 800: ...M neighbor adjacencies To establish adjacencies a PIM router or multilayer switch sends PIM hello messages to the all PIM routers multicast group 224 0 0 13 on each of its multicast enabled interfaces The hello message contains a holdtime which tells the receiver when the neighbor adjacency associated with the sender expires if no more PIM hello messages are received Keeping track of adjacencies i...

Page 801: ... its neighbor list including the address of the first router When the first DVMRP router receives a probe with its own address listed in the neighbor list a two way adjacency is formed between itself and the neighbor that sent the probe DVMRP Route Table DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messages These messages contain...

Page 802: ... 3 as shown in Figure 34 7 Because LAN switches operate at Layer 2 and understand only MAC addresses the source and destination fields of the frame contain 48 bit MAC addresses for Host 3 0080 c7a2 1093 and MAC address equivalent of the multicast group address 0100 5e01 0203 The IGMP membership report is received by the Layer 2 switch and forwarded to the CGMP server for normal IGMP processing The...

Page 803: ...n IGMP leave message to the CGMP server which sends a group specific query to the multicast group to see if there are any remaining members in the group If there is no response the CGMP server updates its multicast routing table and sends a CGMP delete group message to the Layer 2 switch which updates its routing table Configuring IP Multicast Routing These sections describe how to configure IP mu...

Page 804: ...a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration Guidelines section on page 34 15 When PIMv2 devices interoperate with PIMv1 devices Auto RP should have already been deployed A PIMv2 BSR that is also an Auto RP mapping agent automati...

Page 805: ...uter If you have non Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches both Auto RP and a BSR are required We recommend that a Cisco PIMv2 device be both the Auto RP mapping agent and the BSR For more information see the Using Auto RP and a BSR section on page 34 27 Configuring Basic Multicast Routing You must enable IP multicast routing and configure t...

Page 806: ...ion on the interface By default Version 2 is enabled and is the recommended setting Note All IP multicast capable Cisco PIM routers using Cisco IOS Release 11 3 2 T or later start in PIMv2 by default An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded...

Page 807: ...heir existence through register messages received from the source s first hop router designated router and forwarded to the RP Receivers of multicast packets use RPs to join a multicast group by using explicit join messages RPs are not members of the multicast group rather they serve as a meeting place for multicast sources and group members Beginning in privileged EXEC mode follow these steps to ...

Page 808: ...M in sparse mode or sparse dense mode and do not configure Auto RP you must manually configure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 34 17 Note If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups Step 3 access list access list number deny permit so...

Page 809: ...ig Verify that a default RP is already configured on all PIM devices and the RP in the sparse mode network This step is not required for spare dense mode environments The selected RP should have good connectivity and be available across the network Use this RP for the global groups for example 224 x x x and other global groups Do not reconfigure the group address range that this RP serves RPs dyna...

Page 810: ...ther RPs by default use the ip pim accept rp auto rp global configuration command Step 4 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access...

Page 811: ...nnounce messages are accepted by default For rp list access list number configure an access list of candidate RP addresses that if permitted is accepted for the group ranges supplied in the group list access list number variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to e...

Page 812: ...hrough 239 255 255 255 range This range is the administratively scoped address range Configuring PIMv2 BSR BSR automates the distribution of group to RP mappings to all routers and multilayer switches in a PIMv2 network It eliminates the need to manually configure RP information in every device in the network However instead of using IP multicast to distribute group to RP mapping information BSR u...

Page 813: ...ed Step 3 ip pim bsr border Define a PIM bootstrap message boundary for the PIM domain Enter this command on each interface that connects to other bordering PIM domains This command instructs the multilayer switch to neither send or receive PIMv2 BSR messages on this interface as shown in Figure 34 8 Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 co...

Page 814: ...configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which carry Auto RP information Opti...

Page 815: ...m bsr candidate gigabitethernet0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your multilayer switch to be a candidate BSR For interface id enter the interface type and number on this switch from which the BSR address is derived to make it a candidate This interface must be enabled wit...

Page 816: ...ep 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your multilayer switch to be a candidate RP For interface id enter the interface type and number whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list access list...

Page 817: ... a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group prefixes This prevents the PIMv2 DRs from selecting a different RP from those PIMv1 DRs due to the longest match lookup in the RP mapping database Beginning in privileged EXEC mode follow these steps to verify the consistency of group to RP mappings Monitoring...

Page 818: ...red Tree and Source Tree page 34 28 Delaying the Use of PIM Shortest Path Tree page 34 29 Modifying the PIM Router Query Message Interval page 34 30 Understanding PIM Shared Tree and Source Tree By default members of a group receive data from senders to the group across a single data distribution tree rooted at the RP Figure 34 9 shows this type of shared distribution tree Data from senders is del...

Page 819: ...r that is directly connected to a source and are received by the RP for the group Multiple sources sending to groups use the shared tree You can configure the PIM device to stay on the shared tree For more information see the Delaying the Use of PIM Shortest Path Tree section on page 34 29 Delaying the Use of PIM Shortest Path Tree The change from shared to source tree happens when the first data ...

Page 820: ...cess list access list number deny permit source source wildcard Create a standard access list For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group to which the threshold will apply Optional For source wildcard enter the wildcard bits in dotted d...

Page 821: ... 34 35 Modifying the IGMP Host Query Message Interval page 34 36 Configuring the Multilayer Switch as a Statically Connected Member page 34 36 Default IGMP Configuration Table 34 2 shows the default IGMP configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured ...

Page 822: ...interface By default the switch waits twice the query interval controlled by the ip igmp query interval interface configuration command After that time if the switch has received no queries it becomes the querier Access to multicast groups All groups are allowed on an interface IGMP host query message interval 60 seconds on all interfaces Multilayer switch as a statically connected member Disabled...

Page 823: ...se time use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval The range is 6...

Page 824: ...ow these steps to configure the multilayer switch to be a member of a group To cancel membership in a group use the no ip igmp join group group address interface configuration command This example shows how to allow the switch to join multicast group 255 2 2 2 Switch config interface gigabitethernet0 1 Switch config if ip igmp join group 255 2 2 2 Command Purpose Step 1 configure terminal Enter gl...

Page 825: ...r global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip igmp access group access list number Specify the multicast groups that hosts on the subnet serviced by an interface can join By default all groups are allowed on an interface For access list number specify an IP standard access list number The range is 1...

Page 826: ...l interface configuration command Configuring the Multilayer Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP However you might want multicast traffic to go to that network segment These are ways to pull multicast traffic down to a network segment Use the ip igmp join group interface co...

Page 827: ...r 2 connectivity and MBONE multimedia conference session and set up Enabling CGMP Server Support page 34 38 Configuring sdr Listener Support page 34 39 Features that control bandwidth utilization Configuring the TTL Threshold page 34 40 Configuring an IP Multicast Boundary page 34 42 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter inter...

Page 828: ...erface interface id Enter interface configuration mode and specify the interface that is connected to the Layer 2 Catalyst switch Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword the CGMP pr...

Page 829: ...e SAP packet appears in the SDR Session Announcement window Enabling sdr Listener Support By default the multilayer switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps to enable the switch to join the default session directory group 224 2 127 254 on the interface and listen to session directory advertisements To disable sdr support use th...

Page 830: ... the RPF check succeeds and that Gigabit Ethernet interfaces 0 1 0 3 and 0 4 are all in the outgoing interface list the packet would normally be forwarded out these interfaces Because some TTL thresholds have been applied to these interfaces the multilayer switch makes sure that the packet TTL value which is decremented by 1 to 23 is greater than or equal to the interface TTL threshold before forw...

Page 831: ...mand 45153 Company XYZ TTL threshold 40 Engineering TTL threshold 40 TTL threshold 100 Marketing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip multicast ttl threshold ttl value Configure the TTL threshold of packets being forwarded out an interface The d...

Page 832: ...raffic in the range 239 0 0 0 through 239 255 255 255 from entering or leaving the network Similarly the engineering and marketing departments have an administratively scoped boundary of 239 128 0 0 16 around the perimeter of their networks This boundary prevents multicast traffic in the range of 239 128 0 0 through 239 128 255 255 from entering or leaving their respective networks Figure 34 12 Ad...

Page 833: ...more advanced DVMRP features see the Configuring Advanced DVMRP Interoperability Features section on page 34 50 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword d...

Page 834: ...IOS command is configured to enable DVMRP interoperability however you must enable multicast routing For more information see the Configuring Basic Multicast Routing section on page 34 15 Controlling Unicast Route Advertisements You should configure an access list on the PIM routed interface connected to the MBONE to limit the number of unicast routes that are advertised in DVMRP route reports oth...

Page 835: ...ing sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Enter interface configuration mode and specify the interface connected to the MBONE and enabled for mul...

Page 836: ...fig access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The Cisco IOS software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy allows a PIM domain ...

Page 837: ...on ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mode on the...

Page 838: ...im dense mode Switch config if tunnel source gigabitethernet 0 1 Switch config if tunnel destination 192 168 1 10 Switch config if tunnel mode dvmrp Switch config if ip dvmrp accept filter 1 100 Switch config if interface gigabitethernet 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 ...

Page 839: ...isco 11 1 flags PMS 171 69 214 27 171 69 214 26 mm1 r7kb cisco com 1 0 pim querier 171 69 214 27 171 69 214 25 mm1 45a cisco com 1 0 pim querier 171 69 214 33 171 69 214 34 mm1 45c cisco com 1 0 pim 171 69 214 137 0 0 0 0 1 0 pim querier down leaf 171 69 214 203 0 0 0 0 1 0 pim querier down leaf 171 69 214 18 171 69 214 20 mm1 45e cisco com 1 0 pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0...

Page 840: ...each other but they can exchange DVMRP routes The DVMRP routes provide a multicast topology that might differ from the unicast topology This allows PIM to run over the multicast topology thereby allowing sparse mode PIM over the MBONE topology When DVMRP unicast routing is enabled the router or switch caches routes learned in DVMRP report messages in a DVMRP routing table When PIM is running these...

Page 841: ...the multilayer switch from peering communicating with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting To do so configure the multilayer switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 34 14 In this case when the mu...

Page 842: ... To disable this function use the no ip dvmrp reject non pruners interface configuration command Router A Router B Multilayer switch RP Multicast traffic gets to receiver not to leaf DVMRP device 44971 Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Si Command Purpose Step 1 configure terminal Enter global configuration ...

Page 843: ... interface where a DVMRP neighbor has been discovered or an interface configured to run the ip dvmrp unicast routing interface configuration command Beginning in privileged EXEC mode follow these steps to change the DVMRP route limit To configure no route limit use the no ip dvmrp route limit global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Ste...

Page 844: ...es are two routes that are advertisements for the two directly connected networks 176 32 10 0 24 and 176 32 15 0 24 that were taken from the unicast routing table Because the DVMRP tunnel shares the same IP address as Fast Ethernet 0 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router ...

Page 845: ... m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Fast Ethernet 0 1 176 32 10 0 24 Fast Ethernet 0 2 176 32 15 0 24 DVMRP Report 45156 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered fa0 1 interface fastethernet 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface fastethernet 0 2 ip addr 176 32 15 1 255 255 255 0 ip pi...

Page 846: ...these steps to disable DVMRP autosummarization To re enable auto summarization use the ip dvmrp auto summary interface configuration command Adding a Metric Offset to the DVMRP Route By default the multilayer switch increments by 1 the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a rou...

Page 847: ...pecify the interface to be configured Step 3 ip dvmrp metric offset in out increment Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP reports for routes f...

Page 848: ... the Catalyst switches have cached clear ip dvmrp route route Delete routes from the DVMRP routing table clear ip igmp group group name group address interface Delete entries from the IGMP cache clear ip mroute group source Delete entries from the IP multicast routing table clear ip pim auto rp rp address Clear the Auto RP cache clear ip sdr group address session name Delete the Session Directory ...

Page 849: ...ow ip rpf source address name Display how the multilayer switch is doing Reverse Path Forwarding that is from the unicast routing table DVMRP routing table or static mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 34 4 Commands for Displaying System and Network Statistics continued Command Purpose Table 34 5 Commands for Monitoring IP Mult...

Page 850: ...34 60 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 34 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 851: ...or the commands used in this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding MSDP page 35 1 Configuring MSDP page 35 4 Monitoring and Maintaining MSDP page 35 19 Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses i...

Page 852: ...all MSDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer RPF flooding The MSDP device examines the BGP or MBGP routing table to determine which peer is the n...

Page 853: ...d tree never need to leave your domain PIM sparse mode domains can rely only on their own RPs decreasing reliance on RPs in another domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memor...

Page 854: ...efault MSDP peer when the multilayer switch is not BGP or MBGP peering with an MSDP peer If a single MSDP peer is configured the multilayer switch always accepts all SA messages from that peer Figure 35 2 shows a network in which default MSDP peers might be used In Figure 35 2 a customer who owns Multilayer Switch B is connected to the Internet through two Internet service providers ISPs one ownin...

Page 855: ...For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix list key...

Page 856: ...ter a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Optional...

Page 857: ...or list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The...

Page 858: ...ts to receive multicast traffic To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast source information th...

Page 859: ...S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised and to which groups...

Page 860: ...ess if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination e...

Page 861: ...171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that...

Page 862: ...e map Beginning in privileged EXEC mode follow these steps to apply a filter Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified peer pass ...

Page 863: ...necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to b...

Page 864: ... MSDP Reverse Path Forwarding peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on mat...

Page 865: ... that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list numb...

Page 866: ... name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information for the p...

Page 867: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy ...

Page 868: ...y you might want dense mode sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as th...

Page 869: ...s system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts Ta...

Page 870: ...35 20 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Chapter 35 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 871: ...s being bridged to collapse each VLAN has its own spanning tree instance and a separate spanning tree called the VLAN bridge spanning tree which runs on top of the bridge group to prevent loops A VLAN bridge domain is represented with switch virtual interface SVI A set of SVIs and routed ports which do not have any VLANs associated with them can be configured grouped together to form a bridge grou...

Page 872: ...ing tree algorithm by receiving and in some cases sending BPDUs on the LANs to which they are attached A separate spanning tree process runs for each configured bridge group Each bridge group participates in a separate spanning tree instance A bridge group establishes a spanning tree instance based on the BPDUs it receives on only its member interfaces Figure 36 1 shows a fallback bridging network...

Page 873: ...ult fallback bridging configuration Fallback Bridging Configuration Guidelines A maximum of 31 bridge groups can be configured on the switch An interface an SVI or routed port can be a member of only one bridge group Use a bridge group for each separately bridged topologically distinct network connected to the switch Table 36 1 Default Fallback Bridging Configuration Feature Default Setting Bridge...

Page 874: ...gure terminal Enter global configuration mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 31 bridge groups Frames are bridged only among interfaces in the...

Page 875: ...cally Learned Stations By default the switch forwards any frames for stations that it has dynamically learned By disabling this activity the switch only forwards frames whose addresses have been statically configured into the forwarding cache Beginning in privileged EXEC mode follow these steps to prevent the switch from forwarding frames for stations that it has dynamically learned To cause the s...

Page 876: ...me To return to the default aging time interval use the no bridge bridge group aging time global configuration command This example shows how to change the bridge table aging time to 200 seconds for bridge group 10 Switch config bridge 10 aging time 200 Filtering Frames by a Specific MAC Address A switch examines frames and sends them through the internetwork according to the destination address a...

Page 877: ...igning a Path Cost page 36 9 Adjusting BPDU Intervals page 36 10 Disabling the Spanning Tree on an Interface page 36 12 Note Only network administrators with a good understanding of how switches and STP function should make adjustments to spanning tree parameters Poorly planned adjustments can have a negative impact on performance A good source on switching is the IEEE 802 1D specification for mor...

Page 878: ...rity to break the tie The switch with the lowest interface value is elected Beginning in privileged EXEC mode follow these steps to change the interface priority Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group priority number Change the priority of the switch For bridge group specify the bridge group number The range is 1 to 255 For number enter...

Page 879: ... change the path cost on an interface to 20 in bridge group 10 Switch config interface gigabitethernet0 1 Switch config if bridge group 10 path cost 20 Step 5 show running config Verify your entry Step 6 copy running config startup config Optional Save your entry in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface int...

Page 880: ... 10 Switch config bridge 10 hello time 5 Changing the Forward Delay Interval The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for switching and before forwarding actually begins Beginning in privileged EXEC mode follow these steps to change the forward delay interval Command Purpose Step 1 configure terminal Ente...

Page 881: ...e no bridge bridge group max age global configuration command This example shows how to change the maximum idle interval to 30 seconds in bridge group 10 Switch config bridge 10 max age 30 Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Command Purpose Command Purpose...

Page 882: ...g Fallback Bridging To monitor and maintain fallback bridging use one or more of the privileged EXEC commands in Table 36 2 For information about the fields in these displays refer to the Cisco IOS Bridging and IBM Networking Command Reference for Release 12 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode ...

Page 883: ...ions Using Recovery Procedures page 37 1 Preventing Autonegotiation Mismatches page 37 10 GBIC Module Security and Identification page 37 10 Diagnosing Connectivity Problems page 37 11 Using Debug Commands page 37 16 Using the show forward Command page 37 19 Using the crashinfo File page 37 20 Note If after applying ACLs you are experiencing packet performance problems or receiving messages about ...

Page 884: ...ode button a second or two after the LED above port 1X turns off Several lines of information about the software appear along with instructions The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system and finish loading the operating system software flash_init load_helper boot Step 5 Initialize the Flash file system sw...

Page 885: ...ming you if the password recovery procedure has been disabled or not If you see a message that begins with this The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system go to the Password Recovery with Password Recovery Enabled section on page 37 3 and follow the steps If you see a message that begins with this The pas...

Page 886: ...N Step 7 At the switch prompt enter privileged EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename flash config text old flash config text Step 9 Copy the configuration file into memory Switch copy flash config text system running config Source filename config text Destination filename running config Press Return in response to the confirmation prompts T...

Page 887: ...the system back to the default configuration y n Caution Returning the switch to the default configuration results in the loss of all existing configurations We recommend that you contact your system administrator to verify if there are backup switch and VLAN configuration files If you enter n no the normal boot process continues as if the Mode button had not been pressed you cannot access the boo...

Page 888: ...y running config startup config The new password is now in the startup configuration Note This procedure is likely to leave your switch virtual interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the s...

Page 889: ...r To replace a failed command switch with a command capable member in the same cluster follow these steps Step 1 Disconnect the command switch from the member switches and physically remove it from the cluster Step 2 Insert the member switch in place of the failed command switch and duplicate its connections to the cluster members Step 3 Start a CLI session on the new command switch You can access...

Page 890: ... When prompted for the enable secret and enable passwords enter the passwords of the failed command switch again Step 13 When prompted make sure to enable the switch as the cluster command switch and press Return Step 14 When prompted assign a name to the cluster and press Return The cluster name can be 1 to 31 alphanumeric characters dashes or underscores Step 15 After the initial configuration a...

Page 891: ...mpt does not appear enter enable and press Return Enter setup and press Return to start the setup program Step 7 Respond to the questions in the setup program When prompted for the host name recall that on a command switch the host name is limited to 28 characters Do not use n where n is a number as the last characters in a host name for any switch When prompted for the Telnet virtual terminal pas...

Page 892: ...rectly align these settings reducing performance A mismatch occurs under these circumstances A manually set speed or duplex parameter is different from the manually set speed or duplex parameter on the connected port A port is set to autonegotiate and the connected port is set to full duplex with no autonegotiation To maximize switch performance and ensure a link follow one of these guidelines whe...

Page 893: ...pports IP ping which you can use to test connectivity to remote hosts Ping sends an echo request packet to an address and waits for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown host If the host ...

Page 894: ...ible ping character output To terminate a ping session enter the escape sequence Ctrl X by default You enter the default by simultaneously pressing and releasing the Ctrl Shift and 6 keys and then pressing the X key Using IP Traceroute This section consists of this information Understanding IP Traceroute page 37 13 Executing IP Traceroute page 37 13 Command Purpose ping ip host address Ping a remo...

Page 895: ...ack an Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute determines the address of the first hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagram to the next router The second ro...

Page 896: ...ng the Ctrl Shift and 6 keys and then pressing the X key Using Layer 2 Traceroute This section describes this information Understanding Layer 2 Traceroute page 37 14 Usage Guidelines page 37 15 Displaying the Physical Path page 37 16 Understanding Layer 2 Traceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destinat...

Page 897: ...fied source and destination MAC addresses belong to the same VLAN If you specify source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you specify a multicast source or destination MAC address the path is not identified and an error message appears If the source or destination MAC address belongs to multiple VLANs you...

Page 898: ...roblems or during troubleshooting sessions with Cisco technical support staff It is best to use debug commands during periods of lower network traffic and fewer users Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use Note For complete syntax and usage information for specific debug commands refer to the command reference...

Page 899: ...l privileged EXEC command disables all diagnostic output Using the no debug all command is a convenient way to ensure that you have not accidentally left any debug commands enabled Redirecting Debug and Error Message Output By default the network server sends the output from debug commands and system error messages to the console If you use this default you can use a virtual terminal connection to...

Page 900: ...ebug autoqos Enable debugging for auto QoS When debugging is enabled the switch displays the QoS commands that are automatically generated when auto QoS is enabled or disabled Step 2 configure terminal Enter global configuration mode Step 3 interface interface id Enter interface configuration mode and specify the interface that is connected to a Cisco IP Phone You also can specify the uplink inter...

Page 901: ...vlanMask 00000000 00000000 0000FFFF FFFFFE7F portMask 00000000 00000000 00000000 00000080 sourceMask 00000000 00000000 00000000 00000000 globalMap 00000000 00000000 00000000 00000000 globalMask 00000000 00000000 0002FFFF EFFFFC03 forwMap 00000000 00000000 00000000 00000100 frame notifies src u_dat vlan fl q map 2 00 8 00 00000000 00000000 00000000 00000100 Egress q 8 signature 00000007 comparison ...

Page 902: ...o the Cisco technical support representative by using the show tech support privileged EXEC command All crashinfo files are kept in this directory on the Flash file system flash crashinfo crashinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number des...

Page 903: ...ing FTP to Access the MIB Files page A 3 MIB List BRIDGE MIB RFC1493 CISCO BULK FILE MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO_CONFIG_COPY_MIB CISCO CONFIG MAN MIB CISCO ENTITY MIB CISCO_ENVMON_MIB CISCO FLASH MIB CISCO FTP CLIENT MIB CISCO HSRP MIB CISCO HSRP EXT MIB CISCO IGMP FILTER MIB CISCO IPMROUTE MIB CISCO IMAGE MIB CISCO L2L3 INTERFACE MIB CISCO MAC NOTIFICATION MIB CISCO MEMORY POOL MIB ...

Page 904: ...LAN IFTABLE RELATIONSHIP MIB CISCO VLAN MEMBERSHIP MIB CISCO VTP MIB ENTITY MIB IF MIB IGMP MIB IPMROUTE MIB OSPF MIB RFC 1253 OLD CISCO CHASSIS MIB OLD CISCO SYSTEM MIB OLD CISCO TS MIB PIM MIB RFC1213 MIB RMON1 MIB only RMON etherStats etherHistory alarms and events are supported RMON2 MIB SNMPv2 MIB TCP MIB UDP MIB Note You can also check this URL for a list of MIBs supported by the Catalyst 35...

Page 905: ...Files You can obtain each MIB file by using this procedure Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password Step 4 At the ftp prompt change directories to pub mibs v1 and the pub mibs v2 Step 5 Use the get MIB_filename command to obtain a copy of the MIB file ...

Page 906: ...A 4 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Appendix A Supported MIBs Using FTP to Access the MIB Files ...

Page 907: ...onsists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 18 Working with the Flash File System The Flash file system on your switch provides several commands to help you manage software image and configuration files The Flash file system is a single Flash device on which you can store files This Flash device...

Page 908: ... in the file system in bytes Type Type of file system flash The file system is for a Flash memory device nvram The file system is for a nonvolatile RAM NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file system ro read only rw read write wo wr...

Page 909: ...nfiguration file with the same name Similarly before copying a Flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change d...

Page 910: ...rce to a destination use the copy erase source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization You c...

Page 911: ...ctory and all subdirectories and the files contained in it Use the force keyword to suppress the prompting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit t...

Page 912: ...amed saved tar on the TFTP server at 172 20 10 30 Switch archive tar create tftp 172 20 10 30 saved tar flash new configs Displaying the Contents of a tar File To display the contents of a tar file on the screen use this privileged EXEC command archive tar table source url For source url specify the source URL alias for the local or network file system These options are supported For the local Fla...

Page 913: ...P the syntax is tftp location directory tar filename tar The tar filename tar is the tar file from which to extract files For flash file url dir file specify the location on the local Flash file system into which the tar file is extracted Use the dir file option to specify an optional list of files or directories within the tar file to be extracted If none are specified all files and directories a...

Page 914: ...ver The protocol that you use depends on which type of server you are using The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol Internet Protocol TCP IP stack which is connection oriented This section includes this information Guideline...

Page 915: ...by using the copy ftp rcp tftp nvram startup config privileged EXEC command and reload the switch Configuration File Types and Location Startup configuration files are used during system startup to configure the software Running configuration files contain the current configuration of the software The two configuration files can be different For example you might want to change the configuration f...

Page 916: ... 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon refer to the documentation for your workstation Ensure that the switch has a route to the TFTP server The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the TFTP server by using the ping command Ensure that the co...

Page 917: ...tch to a TFTP server for storage follow these steps Step 1 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 10 Step 2 Log into the switch through the console port or a Telnet session Step 3 Upload the switch configuration to the TFTP server Specify the IP address or host name of the TFTP serv...

Page 918: ...rname For more information refer to the documentation for your FTP server This section includes this information Preparing to Download or Upload a Configuration File By Using FTP page B 12 Downloading a Configuration File By Using FTP page B 13 Uploading a Configuration File By Using FTP page B 14 Preparing to Download or Upload a Configuration File By Using FTP Before you begin downloading or upl...

Page 919: ... netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 conf...

Page 920: ...witch config ip ftp password mypass Switch config end Switch copy nvram startup config ftp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on pag...

Page 921: ... the Telnet username as the remote username The switch host name For a successful RCP copy request you must define an account on the network server for the remote username If the server has a directory structure the configuration file is written to or copied from the directory associated with the remote username on the server For example if the configuration file is in the home directory of a user...

Page 922: ...m the netadmin1 directory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by rcp from 172 16 101 1...

Page 923: ...steps to upload a configuration file by using RCP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config rcp netadmin1 172 16 101 101 switch2 confg Write file switch confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101...

Page 924: ...flash filename privileged EXEC command Depending on the setting of the file prompt global configuration command you might be prompted for confirmation before you delete a file By default the switch prompts for confirmation on destructive file operations For more information about the file prompt command refer to the Cisco IOS Command Reference for Release 12 1 Caution You cannot restore a file aft...

Page 925: ...at begins with System image file is It shows the directory name in Flash memory where the image is stored You can also use the dir filesystem privileged EXEC command to see the directory names of other software images you might have stored in Flash memory tar File Format of Images on a Server or Cisco com Software images located on a server or downloaded from Cisco com are provided in a tar file f...

Page 926: ...ne tftp dgram udp wait root usr etc in tftpd in tftpd p s tftpboot Make sure that the etc services file contains this line tftp 69 udp Note You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more...

Page 927: ... create an empty file enter the touch filename command where filename is the name of the file you will use when uploading the image to the server During upload operations if you are overwriting an existing file including an empty file if you had to create one on the server ensure that the permissions on the file are set correctly Permissions on the file should be world write Downloading an Image F...

Page 928: ...e it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board Flash device For file url enter the directory name of the old image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Step 3 archive download sw overwrite reload ...

Page 929: ... upload the image from the switch to an FTP server You download a switch image file from a server to upgrade the switch software You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes You can use this uploaded image for future downloads to the switch or another switch of the same type This secti...

Page 930: ...r all copies Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation If the server has a directory structure the image file is written to or copied from the directory associated with the username on the server For example if the image file resides in the home directory of a user on the server specify tha...

Page 931: ...default remote username or password see Steps 4 5 and 6 Step 4 ip ftp username username Optional Change the default remote username Step 5 ip ftp password password Optional Change the default password Step 6 end Return to privileged EXEC mode Step 7 archive download sw overwrite reload ftp username password location directory image name tar Download the image file from the FTP server to the switch...

Page 932: ...ntering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board Flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You can...

Page 933: ...of the same type Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 12 Step 2 Log into the switch through the console port or a Telnet session Step 3 configure terminal Enter global configuration mode This step is required only if you override the default remote username or...

Page 934: ...e command is entered The remote username associated with the current TTY terminal process For example if the user is connected to the router through Telnet and was authenticated through the username command the switch software sends the Telnet username as the remote username The switch host name For the RCP copy request to execute successfully an account must be defined on the network server for t...

Page 935: ... company com Switch1 For more information refer to the documentation for your RCP server Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image skip Step 6 Command Purpose Step 1 Veri...

Page 936: ...he reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 28 For locati...

Page 937: ...ssociated with the Cluster Management Suite CMS have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an RCP server Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 28 Step 2 Log into the switch through the console...

Page 938: ...Working with Software Images The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image the HTML files and info ver After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names ...

Page 939: ...e limitations This is not a complete list The unsupported commands are listed by software feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination ARP Commands Unsupported G...

Page 940: ...bridge group bitswap_l3_addresses bridge bridge group bridge ip bridge bridge group circuit group circuit group pause milliseconds bridge bridge group circuit group circuit group source based bridge cmf bridge crb bridge bridge group domain domain name bridge irb bridge bridge group mac address table limit number bridge bridge group multicast source bridge bridge group route protocol bridge bridge...

Page 941: ... lsap list access list number bridge group bridge group output pattern list access list number bridge group bridge group output type list access list number bridge group bridge group sse bridge group bridge group subscriber loop control bridge group bridge group subscriber trunk bridge bridge group lat service filtering frame relay map bridge dlci broadcast interface bvi bridge group x25 map bridg...

Page 942: ...ket detail access list number group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number The show ip mcache command displays entries in the cache for those pack...

Page 943: ...ress extended access list number ip multicast rate limit in out video whiteboard group list access list source list access list kbps ip multicast use functional ip pim minimum vc rate pps ip pim multipoint signalling ip pim nbma mode ip pim vc count number ip rtp compression connections number ip rtp header compression passive IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands cl...

Page 944: ...nterval seconds update rate seconds ip flow aggregation ip flow cache ip flow export ip gratituitous arps ip local ip reflexive list router egp router isis router iso igrp router mobile router odr router static Unsupported Interface Configuration Commands ip accounting ip load sharing per packet ip mtu bytes ip route cache ip verify ip unnumbered type number All ip security commands Unsupported BG...

Page 945: ...d reference for this release Unsupported Route Map Commands match length route map map tag deny set automatic tag set dampening half life reuse suppress max suppress time set default interface set interface set ip default next hop set ip destination ip address mask set ip df set ip precedence value set ip qos group set tag tag value set ip tos MSDP Unsupported Privileged EXEC Commands show access ...

Page 946: ... ip msdp peer command instead of this command Network Address Translation NAT commands Unsupported User EXEC Commands clear ip nat translation show ip nat statistics show ip nat translations Unsupported Global Configuration Commands ip nat inside destination ip nat inside source ip nat outside source ip nat pool Unsupported Interface Configuration Commands ip nat RADIUS Unsupported Global Configur...

Page 947: ...A1 SNMP SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server enable traps flash insertion snmp server enable traps flash removal snmp server ifindex persist Spanning Tree Unsupported Global Configuration Commands spanning tree etherchannel guard misconfig VLAN Unsupported User EXEC Commands ifindex private vlan ...

Page 948: ...C 10 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 Appendix C Unsupported CLI Commands in Cisco IOS Release 12 1 19 EA1 VLAN ...

Page 949: ...ol 10 15 A abbreviating commands 2 4 ABRs 31 29 AC command switch 6 13 6 23 access class command 28 20 access control entries See ACEs access denied response VMPS 12 27 access groups IP 28 21 Layer 3 28 21 accessing clusters switch 6 16 command switches 6 13 member switches 6 16 switch clusters 6 16 access lists See ACLs access ports and Layer 2 protocol tunneling 15 10 defined 10 3 in switch clus...

Page 950: ...named 28 15 options and QoS guidelines 29 27 undefined 28 21 violations logging 28 16 virtual terminal lines setting on 28 19 limiting actions 28 37 logging messages 28 10 log keyword 28 16 MAC extended 28 26 29 38 matching 28 8 28 21 28 28 merge failure examples 28 46 monitoring 28 41 named 28 15 not fitting in hardware 28 45 number per QoS class map 29 27 numbers 28 8 policy maps and QoS classif...

Page 951: ...7 21 for STP 16 22 alarms RMON 25 3 allowed VLAN list 12 21 alternate routes IGRP 31 25 area border routers See ABRs ARP configuring 31 9 defined 31 8 encapsulation 31 10 static cache configuration 31 9 support for 1 3 ASBRs 31 29 AS path filters BGP 31 54 asymmetrical links and 802 1Q tunneling 15 4 attributes RADIUS vendor proprietary 8 31 vendor specific 8 29 audience xxxv authentication EIGRP ...

Page 952: ...guring login 7 20 message of the day login 7 19 default configuration 7 18 when displayed 7 18 BGP aggregate addresses 31 60 aggregate routes configuring 31 60 CIDR 31 60 clear commands 31 63 community filtering 31 56 configuring neighbors 31 58 default configuration 31 46 described 31 45 enabling 31 48 monitoring 31 63 multipath support 31 51 neighbors types of 31 48 path selection 31 51 peers co...

Page 953: ...date switch adding 6 20 automatic discovery 6 5 defined 6 4 HC 6 23 passwords 6 20 requirements 6 4 standby group 6 22 See also command switch cluster standby group and member switch caution described xxxvi CC command switch 6 23 CDP and trusted boundary 29 32 automatic discovery in switch clusters 6 5 configuring 22 2 default configuration 22 2 described 22 1 disabling for routing device 22 3 22 ...

Page 954: ...ing command output 2 9 getting help 2 3 history changing the buffer size 2 5 described 2 5 disabling 2 6 recalling commands 2 6 managing clusters 6 25 no and default forms of commands 2 4 client mode VTP 13 3 clock See system clock clusters switch accessing 6 16 adding member switches 6 20 automatic discovery 6 5 automatic recovery 6 12 benefits 1 8 command switch configuration 6 19 compatibility ...

Page 955: ...e PC 6 13 6 23 password privilege levels 6 26 priority 6 13 recovery from command switch failure 6 13 from failure 37 6 from lost member connectivity 37 10 redundant 6 12 6 22 replacing with another switch 37 8 with cluster member 37 7 requirements 6 3 standby SC 6 13 6 23 See also candidate switch cluster standby group member switch and standby command switch community list BGP 31 57 community st...

Page 956: ...on 2 13 4 console port connecting to 2 10 content routing technology See WCCP conventions command xxxvi for examples xxxvi publication xxxvi text xxxvi CoS in Layer 2 frames 29 2 override priority 14 5 trust priority 14 6 CoS to DSCP map for QoS 29 52 CoS to egress queue map 29 57 counters clearing interface 10 21 CPU q in show forward command output 37 20 crashinfo file 37 20 cross stack UplinkFa...

Page 957: ... 3 system name and prompt 7 15 TACACS 8 13 UDLD 23 4 VLAN Layer 2 Ethernet interfaces 12 19 VLANs 12 7 VMPS 12 30 voice VLAN 14 2 VTP 13 6 WCCP 33 5 default gateway 4 10 31 11 default networks 31 78 default routes 31 78 default routing 31 2 deleting VLANs 12 10 description command 10 17 designing your network examples 1 9 destination addresses in ACLs 28 12 detecting indirect link failures STP 18 ...

Page 958: ...ribute list command 31 86 DNS and DHCP based autoconfiguration 4 6 default configuration 7 17 displaying the configuration 7 18 overview 7 16 setting up 7 17 support for 1 2 documentation related xxxvi document conventions xxxvi domain names DNS 7 16 VTP 13 8 Domain Name System See DNS dot1q tunnel switchport mode 12 17 double tagged packets 802 1Q tunneling 15 2 Layer 2 protocol tunneling 15 9 do...

Page 959: ...ilding 34 11 support for 1 6 tunnels configuring 34 46 displaying neighbor information 34 49 dynamic access ports characteristics 12 3 configuring 12 32 defined 10 3 dynamic addresses See addresses dynamic desirable trunking mode 12 17 Dynamic Host Configuration Protocol See DHCP based autoconfiguration dynamic port VLAN membership described 12 28 reconfirming 12 32 12 33 troubleshooting 12 34 typ...

Page 960: ...ate port learners 30 5 compatibility with Catalyst 1900 30 15 displaying status 30 18 interaction with other features 30 6 learn method and priority configuration 30 15 modes 30 4 overview 30 3 silent mode 30 4 support for 1 2 port channel interfaces described 30 2 numbering of 30 3 port groups 10 5 source MAC address forwarding 30 6 support for 1 2 EtherChannel guard described 18 12 enabling 18 2...

Page 961: ...ce 36 12 forward delay interval 36 10 hello BPDU interval 36 10 interface priority 36 8 maximum idle interval 36 11 path cost 36 9 switch priority 36 8 VLAN bridge STP 36 1 36 2 support for 1 6 SVIs and routed ports 36 1 VLAN bridge STP 16 10 fallback VLAN name 12 28 Fast Uplink Transition Protocol 18 6 feature manager ACL 28 43 FIB 31 76 fiber optic detecting unidirectional links 23 1 files copyi...

Page 962: ... uploading B 26 G GBICs 1000BASE LX LH module 1 11 1000BASE SX module 1 11 1000BASE T module 1 11 1000BASE ZX module 1 11 CWDM module 1 19 GigaStack module 1 10 security and identification 37 10 get bulk request operation 27 3 get next request operation 27 3 27 4 get request operation 27 3 27 4 get response operation 27 3 Gigabit GBIC modules See GBICs Gigabit Interface Converters See GBICs GigaSt...

Page 963: ...ing 37 11 overview 37 11 ICMP Router Discovery Protocol See IRDP IDS using with SPAN and RSPAN 24 2 IE2100 CNS embedded agents described 5 5 enabling automated configuration 5 6 enabling configuration agent 5 9 enabling event agent 5 8 Configuration Registrar configID deviceID hostname 5 3 configuration service 5 2 described 5 1 event service 5 3 described 1 8 support for 1 2 IEEE 802 1P 14 1 IFS ...

Page 964: ...abling and disabling 20 7 global configuration 20 7 Immediate Leave 20 5 method 20 8 monitoring 20 12 support for 1 2 VLAN configuration 20 7 IGMP throttling configuring 20 25 default configuration 20 22 described 20 22 displaying action 20 27 IGP 31 29 IGRP advertisements 31 24 alternate routes 31 25 configuring 31 26 default configuration 31 25 described 31 24 exterior routes 31 24 flash updates...

Page 965: ...plicit deny 28 10 28 14 28 16 implicit masks 28 10 logging 28 16 named 28 15 standard creating 28 9 undefined 28 21 virtual terminal lines setting on 28 19 IP addresses candidate or member 6 4 6 16 classes of 31 5 cluster access 6 2 command switch 6 3 6 13 6 16 default configuration 31 4 for IP routing 31 4 MAC address association 31 8 monitoring 31 17 redundant clusters 6 13 standby command switc...

Page 966: ...e 34 59 enabling sdr listener support 34 39 limiting DVMRP routes advertised 34 53 limiting sdr cache entry lifetime 34 39 SAP packets for conference session announcement 34 39 Session Directory sdr tool described 34 39 monitoring packet rate loss 34 59 peering devices 34 59 tracing a path 34 59 multicast forwarding described 34 9 PIMv1 and PIMv2 interoperability 34 14 protocol interaction 34 2 re...

Page 967: ...l Layer 3 interface 31 3 IGP 31 29 inter VLAN 31 2 IP addressing classes 31 5 configuring 31 4 IRDP 31 12 Layer 3 interfaces 31 3 MAC address and IP address 31 8 passive interfaces 31 85 protocols distance vector 31 2 dynamic 31 2 link state 31 2 proxy ARP 31 8 redistribution 31 79 reverse address resolution 31 8 routed ports 31 3 static routing 31 2 steps to configure 31 3 subnet mask 31 5 subnet...

Page 968: ...described 37 14 IP addresses and subnets 37 15 MAC addresses and VLANs 37 15 multicast traffic 37 15 multiple devices on a port 37 15 unicast traffic 37 14 usage guidelines 37 15 Layer 2 trunks 12 16 Layer 3 features 1 6 Layer 3 interfaces assigning IP addresses to 31 6 changing from Layer 2 mode 31 6 types of 31 3 Layer 3 packets classification methods 29 2 LDAP 5 2 leave processing IGMP 20 10 li...

Page 969: ...on example 1 19 manageability features 1 2 management options benefits clustering 1 8 CMS 1 8 CLI 2 1 CNS 5 1 overview 1 7 management VLAN considerations in switch clusters 6 8 6 9 discovery through different management VLANs 6 9 discovery through same management VLAN 6 8 mapping tables for QoS configuring CoS to DSCP 29 52 CoS to egress queue 29 57 DSCP 29 51 DSCP to CoS 29 54 DSCP to DSCP mutati...

Page 970: ...0BASE LX LH 1 11 1000BASE SX 1 11 1000BASE T 1 11 1000BASE ZX 1 11 CWDM 1 19 GigaStack 1 10 monitoring 802 1Q tunneling 15 17 access groups 28 41 ACL configuration 28 41 configuration conflicts 28 44 fit in hardware 28 45 information 28 41 BGP 31 63 cables for unidirectional links 23 1 CDP 22 5 CEF 31 76 EIGRP 31 43 fallback bridging 36 12 features 1 7 HSRP 32 11 IGMP filters 20 27 snooping 20 12 ...

Page 971: ... down 35 16 source active messages caching 35 6 clearing cache entries 35 19 defined 35 2 filtering from a peer 35 11 filtering incoming 35 14 filtering to a peer 35 12 limiting data with TTL 35 14 monitoring 35 19 restricting advertised sources 35 9 MSTP boundary ports configuration guidelines 17 13 described 17 5 BPDU filtering described 18 3 enabling 18 16 BPDU guard described 18 3 enabling 18 ...

Page 972: ...cribed 18 12 enabling 18 21 root switch configuring 17 15 effects of extended system ID 17 14 unexpected behavior 17 15 shutdown Port Fast enabled port 18 3 multicast groups and IGMP snooping 20 6 Immediate Leave 20 5 joining 20 3 leaving 20 4 static joins 20 9 multicast packets ACLs on 28 40 blocking 21 6 multicast router interfaces monitoring 20 12 multicast router ports adding 20 9 Multicast So...

Page 973: ...P no commands 2 4 non IP traffic filtering 28 26 nontrunking mode 12 17 normal range VLANs configuration modes 12 6 defined 12 1 no switchport command 10 5 note described xxxvi not so stubby areas See NSSA NSM 5 3 NSSA OSPF 31 33 NTP associations authenticating 7 4 defined 7 2 enabling broadcast messages 7 6 peer 7 5 server 7 5 default configuration 7 4 displaying the configuration 7 10 overview 7...

Page 974: ...e 8 3 enable secret 8 4 Telnet 8 6 with usernames 8 7 VTP domain 13 8 path cost MSTP 17 18 STP 16 18 PBR defined 31 82 enabling 31 84 fast switched policy based routing 31 84 local policy based routing 31 84 support for 1 6 PC passive command switch 6 13 6 23 peers BGP 31 58 performance network design 1 9 performance features 1 2 per VLAN spanning tree plus See PVST PE to CE routing configuring 31...

Page 975: ...rChannel See PAgP port based authentication authentication server defined 9 2 RADIUS server 9 2 client defined 9 2 configuration guidelines 9 10 configuring 802 1X authentication 9 11 guest VLAN 9 17 host mode 9 17 manual re authentication of a client 9 14 periodic re authentication 9 14 quiet period 9 15 RADIUS server 9 14 RADIUS server parameters on the switch 9 13 switch to client frame retrans...

Page 976: ...ion 21 10 described 21 8 displaying 21 16 sticky learning 21 8 violations 21 9 with other features 21 10 port shutdown response VMPS 12 27 power inline 10 14 preferential treatment of traffic See QoS prefix lists BGP 31 55 preventing unauthorized access 8 1 priority HSRP 32 6 overriding CoS 14 5 trusting CoS 14 6 private VLAN edge ports See protected ports privileged EXEC mode 2 2 privilege levels...

Page 977: ...ibed 29 5 types for IP traffic 29 5 types for non IP traffic 29 5 class maps configuring per physical port 29 39 configuring per port per VLAN 29 41 displaying 29 69 configuration examples distribution layer 29 72 existing wiring closet 29 70 intelligent wiring closet 29 71 configuration guidelines auto QoS 29 20 standard QoS 29 26 configuring aggregate policers 29 49 auto QoS 29 17 default port C...

Page 978: ...ite 29 13 29 62 minimum reserve levels 29 65 serviced by WRR 29 13 29 16 size of 29 12 29 15 size ratios 29 58 tail drop threshold percentages 29 13 29 59 WRED drop percentage thresholds 29 13 29 61 WRR scheduling 29 63 scheduling allocating bandwidth on 10 100 Ethernet ports 29 67 allocating bandwidth on Gigabit capable ports 29 63 defined 29 4 support for 1 5 tail drop configuring drop threshold...

Page 979: ...downloading B 29 preparing the server B 28 uploading B 31 reconfirmation interval VMPS changing 12 33 recovery procedures 37 1 redundancy EtherChannel 30 2 features 1 3 HSRP 32 1 STP backbone 16 7 multidrop backbone 18 5 path cost 12 25 port priority 12 24 redundant clusters See cluster standby group redundant links and UplinkFast 18 17 reliable transport protocol EIGRP 31 38 reloading software 4 ...

Page 980: ...14 route calculation timers OSPF 31 35 route dampening BGP 31 62 routed packets ACLs on 28 39 routed ports configuring 31 3 defined 10 4 in switch clusters 6 10 IP addresses on 10 18 31 3 route map command for policy based routing 31 84 route maps BGP 31 53 route maps policy based routing defined 31 83 router ACLs 28 2 route reflectors BGP 31 61 router ID OSPF 31 36 route selection BGP 31 51 route...

Page 981: ... 7 30 described 7 27 templates number of 7 27 resources used for Fast Ethernet switches 7 28 resources used for Gigabit Ethernet switches 7 28 sdm prefer extended match command 31 68 secure ports configuring 21 8 secure remote connections 8 38 Secure Shell See SSH security port 21 8 security features 1 4 sequence numbers in log messages 26 8 server mode VTP 13 3 service provider network MSTP and R...

Page 982: ...g messages to NMS 26 10 manager functions 1 8 27 3 managing clusters with 6 26 MIBs location of A 3 supported A 1 notifications 27 5 overview 27 1 27 4 status displaying 27 17 system contact and location 27 15 trap manager configuring 27 12 27 14 traps described 27 3 27 5 differences from informs 27 5 enabling 27 11 27 14 enabling MAC address notification 7 23 overview 27 1 27 4 types of 27 11 use...

Page 983: ...so cluster standby group and HSRP standby group cluster See cluster standby group and HSRP standby ip command 32 5 standby router 32 1 standby timers HSRP 32 9 startup configuration booting manually 4 13 specific image 4 14 clearing B 18 configuration file automatically downloading 4 12 specifying the filename 4 13 default boot configuration 4 12 static access ports assigning to VLAN 12 11 defined...

Page 984: ... link failures 18 10 disabling 16 14 displaying status 16 24 EtherChannel guard described 18 12 enabling 18 20 extended system ID affects on root switch 16 14 affects on the secondary root switch 16 16 overview 16 3 unexpected behavior 16 15 features supported 1 3 inferior BPDU 16 3 instances supported 16 9 interface state blocking to forwarding 18 2 interface states blocking 16 5 disabled 16 6 fo...

Page 985: ... See also Device Manager switchport block multicast command 21 6 switchport block unicast command 21 6 switchport command 10 11 switchport mode dot1q tunnel command 15 6 switchport protected command 21 5 switch priority MSTP 17 19 STP 16 20 switch software features 1 1 switch virtual interface See SVI synchronization BGP 31 48 syslog See system message logging system clock configuring daylight sav...

Page 986: ...ervices to the user 8 16 operation of 8 12 overview 8 10 support for 1 5 tracking services accessed by user 8 17 tagged packets 802 1Q 15 3 Layer 2 protocol 15 7 tail drop described 29 13 support for 1 6 tar files creating B 5 displaying the contents of B 6 extracting B 7 image file format B 19 TCAMs ACL regions 28 47 ACLs not loading in 28 45 allocations monitoring 28 48 monitoring usage 28 47 Te...

Page 987: ...ddress notification 7 23 configuring managers 27 11 27 14 defined 27 3 enabling 7 23 27 11 27 14 notification types 27 11 overview 27 1 27 4 troubleshooting connectivity problems 37 11 detecting unidirectional links 23 1 determining packet disposition 37 19 displaying crash information 37 20 GBIC security and identification 37 10 PIMv1 and PIMv2 interoperability problems 34 28 show forward command...

Page 988: ...s 7 26 and CPU packets 7 26 and multicast addresses 7 26 and router MAC addresses 7 26 configuration guidelines 7 26 described 7 26 unicast storm control command 21 4 unicast storms 21 1 unicast traffic blocking 21 6 UniDirectional Link Detection protocol See UDLD UNIX syslog servers daemon configuration 26 11 facilities supported 26 12 message logging configuration 26 11 unrecognized Type Length ...

Page 989: ...ng and permitting packets 28 31 displaying 28 42 examples 28 35 support for 1 5 usage 28 4 VLAN membership confirming 12 32 modes 12 3 VLAN Query Protocol See VQP VLANs adding 12 8 adding to VLAN database 12 8 aging dynamic addresses 16 8 allowed on trunk 12 21 and spanning tree instances 12 2 12 6 12 13 configuration guidelines normal range VLANs 12 5 configuration options 12 6 configuring 12 1 c...

Page 990: ...ta traffic override CoS of incoming frame 14 5 trust CoS priority of incoming frame 14 6 configuring ports for voice traffic in 802 1P priority tagged frames 14 4 802 1Q frames 14 4 connecting to an IP phone 14 3 default configuration 14 2 described 14 1 displaying 14 6 VPN configuring routing in 31 70 forwarding 31 67 in service provider networks 31 65 routes 31 65 VPN routing and forwarding tabl...

Page 991: ...n 1 13 4 version 2 configuration guidelines 13 8 disabling 13 13 enabling 13 12 overview 13 4 W WCCP authentication 33 4 configuration guidelines 33 5 default configuration 33 5 described 33 2 displaying 33 9 enabling 33 6 features unsupported 33 4 forwarding method 33 3 Layer 2 header rewrite 33 3 MD5 security 33 4 message exchange 33 3 monitoring and maintaining 33 9 negotiation 33 3 packet redi...

Page 992: ...Index IN 44 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 09 ...

Reviews:

No comments