manualshive.com logo in svg

Cisco Catalyst 3550, Software Configuration Manual

The Cisco Catalyst 3550 is a powerful network switch that provides high-performance networking capabilities. Ensure a smooth installation with the comprehensive Installation Manual, available for free download from manualshive.com. This manual offers step-by-step instructions and valuable insights to maximize the potential of your Catalyst 3550, delivering exceptional networking performance.

Share
Download
background image

 

19-5

Catalyst 3550 Multilayer Switch Software Configuration Guide

78-11194-03

Chapter 19      Configuring Network Security with ACLs

Configuring Router ACLs

Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet 
is fragmented, the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 
information is present. The remaining fragments in the packet do not match the second ACE because 
they are missing Layer 4 information. Instead, they match the third ACE (a permit).

Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet 
B is effectively denied. However, the later fragments that are permitted will consume bandwidth on 
the network and resources of host 10.1.1.2 as it tries to reassemble the packet.

Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet 
is fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match 
the fourth ACE because that ACE does not check any Layer 4 information and because Layer 3 
information in all fragments shows that they are being sent to host 10.1.1.3, and the earlier permit 
ACEs were checking different hosts.

Configuring Router ACLs

Configuring router ACLs on Layer 3 switch-routed VLAN interfaces is the same as configuring ACLs 
on other Cisco routers. The process is briefly described here. For more detailed information on 
configuring router ACLs, refer to the “Configuring IP Services” chapter in the Cisco IP and IP Routing 
Configuration Guide for IOS Release 12.1. For detailed information about the commands, refer to Cisco 
IOS IP and IP Routing Command Reference for IOS Release 12.1. For a list of IOS features not 
supported on the Catalyst 3550 switch, see the 

“Unsupported Features” section on page 19-6

Caution

By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when 
a packet is denied by an access group; these access-group denied packets are not dropped in hardware 
but are bridged to the switch CPU so that it can generate the ICMP-unreachable message. To drop 
access-group denied packets in hardware, you must disable ICMP unreachables by using the no ip 
unreachables interface configuration command. Note that the ip unreachables command is enabled 
by default.

This section includes the following information:

Hardware and Software Handling of Router ACLs, page 19-5

Unsupported Features, page 19-6

Creating Standard and Extended IP ACLs, page 19-6

Applying the ACL to an Interface or Terminal Line, page 19-18

Displaying ACLs and Access Groups, page 19-20

ACL Configuration Examples, page 19-22

Hardware and Software Handling of Router ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to 
the CPU for software processing. The forwarding rate for software-forwarded traffic is substantially less 
than for hardware-forwarded traffic. When traffic flows are both logged and forwarded, forwarding is 
done by hardware, but logging must be done by software. Because of the difference in packet handling 
capacity between hardware and software, if the sum of all flows being logged (both permitted flows and 
denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.

Summary of Contents for Catalyst 3550

Page 1: ...San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 526 4100 Catalyst 3550 Multilayer Switch Software Configuration Guide Cisco IOS Release 12 1 8 EA1 February 2002 Customer Order Number DOC 7811194 Text Part Number 78 11194 03 ...

Page 2: ... TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AccessPath AtmDirector Browse with Me CCIP CCSI CD PAC CiscoLink the Cisco Powered Network logo Cisco Systems Networking Academy the Cisco Systems Networking Academy logo Cisco Unity Fast Step Follow Me Browsing FormShare FrameShare IGX Internet Quotie...

Page 3: ...e Center xxxiii Cisco TAC Web Site xxxiii Cisco TAC Escalation Center xxxiv C H A P T E R 1 Overview 1 1 Features 1 1 Management Options 1 5 Management Interface Options 1 5 Advantages of Using CMS and Clustering Switches 1 6 Network Configuration Examples 1 7 Design Concepts 1 7 Small to Medium Sized Network Using Mixed Switches 1 11 Large Network Using Only Catalyst 3550 Switches 1 13 Multidwell...

Page 4: ... more Commands 2 8 Accessing the CLI 2 9 C H A P T E R 3 Getting Started with CMS 3 1 Features 3 2 Front Panel View 3 4 Cluster Tree 3 5 Front Panel Images 3 6 Redundant Power System LED 3 7 Port Modes and LEDs 3 8 VLAN Membership Modes 3 9 Topology View 3 10 Topology Icons 3 12 Device and Link Labels 3 13 Colors in the Topology View 3 14 Topology Display Options 3 14 Menus and Toolbar 3 15 Menu B...

Page 5: ...nding the Boot Process 4 1 Assigning Switch Information 4 2 Default Switch Information 4 3 Understanding DHCP Based Autoconfiguration 4 3 DHCP Client Request Process 4 4 Configuring the DHCP Server 4 5 Configuring the TFTP Server 4 5 Configuring the DNS 4 6 Configuring the Relay Device 4 6 Obtaining Configuration Files 4 7 Example Configuration 4 8 Manually Assigning IP Information 4 10 Checking a...

Page 6: ...5 7 Discovery through the Same Management VLAN 5 8 Discovery through Different Management VLANs 5 9 Discovery through Routed Ports 5 10 Discovery of Newly Installed Switches 5 11 HSRP and Standby Command Switches 5 12 Virtual IP Addresses 5 13 Automatic Recovery of Cluster Configuration 5 13 Considerations for Cluster Standby Groups 5 14 IP Addresses 5 15 Host Names 5 16 Passwords 5 16 SNMP Commun...

Page 7: ... TACACS 6 13 Default TACACS Configuration 6 13 Identifying the TACACS Server Host and Setting the Authentication Key 6 13 Configuring TACACS Login Authentication 6 14 Configuring TACACS Authorization for Privileged EXEC Access and Network Services 6 16 Starting TACACS Accounting 6 17 Displaying the TACACS Configuration 6 17 Controlling Switch Access with RADIUS 6 17 Understanding RADIUS 6 18 RADIU...

Page 8: ...e Daylight Saving Time 6 44 Configuring a System Name and Prompt 6 46 Default System Name and Prompt Configuration 6 46 Configuring a System Name 6 46 Configuring a System Prompt 6 47 Understanding DNS 6 47 Default DNS Configuration 6 48 Setting Up DNS 6 48 Displaying the DNS Configuration 6 49 Creating a Banner 6 49 Default Banner Configuration 6 49 Configuring a Message of the Day Login Banner 6...

Page 9: ...Switch to Client Retransmission Time 7 12 Setting the Switch to Client Frame Retransmission Number 7 13 Enabling Multiple Hosts 7 13 Resetting the 802 1X Configuration to the Default Values 7 14 Displaying 802 1X Statistics and Status 7 14 C H A P T E R 8 Configuring Interface Characteristics 8 1 Understanding Interface Types 8 1 Port Based VLANs 8 2 Switch Ports 8 2 Access Ports 8 2 Trunk Ports 8...

Page 10: ... 3 The VTP Domain and VTP Modes 9 4 VTP Advertisements 9 5 VTP Version 2 9 6 VTP Pruning 9 6 Configuring VTP 9 8 Default VTP Configuration 9 8 VTP Configuration Guidelines 9 8 Configuring a VTP Server 9 10 Configuring a VTP Client 9 11 Disabling VTP VTP Transparent Mode 9 11 Enabling VTP Version 2 9 12 Enabling VTP Pruning 9 13 Monitoring VTP 9 13 VLANs in the VTP Database 9 15 Token Ring VLANs 9 ...

Page 11: ...34 VMPS Database Configuration File 9 34 VMPS Configuration Guidelines 9 36 Default VMPS Configuration 9 37 Configuring an Interface as a Layer 2 Dynamic Access Port 9 37 Entering the IP Address of the VMPS 9 37 Configuring Dynamic Access Ports on VMPS Clients 9 38 Reconfirming VLAN Memberships 9 39 Changing the Reconfirmation Interval 9 39 Changing the Retry Count 9 39 Administering and Monitorin...

Page 12: ...g BackboneFast 10 18 Understanding Root Guard 10 20 Understanding EtherChannel Guard 10 20 Configuring Basic STP Features 10 21 Default STP Configuration 10 21 Disabling STP 10 22 Configuring the Root Switch 10 22 Configuring a Secondary Root Switch 10 24 Configuring STP Port Priority 10 26 Configuring STP Path Cost 10 27 Configuring the Switch Priority of a VLAN 10 28 Configuring the Hello Time 1...

Page 13: ...g IGMP Snooping Information 11 9 Understanding Multicast VLAN Registration 11 12 Using MVR in a Multicast Television Application 11 12 Configuring MVR 11 14 Configuration Guidelines and Limitations 11 14 Default MVR Configuration 11 15 Configuring MVR Global Parameters 11 15 Configuring MVR Interfaces 11 16 Displaying MVR Information 11 18 Configuring IGMP Filtering 11 20 Default IGMP Filtering Co...

Page 14: ...ng CDP 13 2 Default CDP Configuration 13 2 Configuring the CDP Characteristics 13 2 Disabling and Enabling CDP 13 3 Disabling and Enabling CDP on an Interface 13 4 Monitoring and Maintaining CDP 13 5 C H A P T E R 14 Configuring UDLD 14 1 Understanding UDLD 14 1 Configuring UDLD 14 3 Default UDLD Configuration 14 3 Enabling UDLD Globally 14 3 Enabling UDLD on an Interface 14 4 Resetting an Interfa...

Page 15: ...Displaying RMON Status 16 6 C H A P T E R 17 Configuring System Message Logging 17 1 Understanding System Message Logging 17 1 Configuring System Message Logging 17 2 System Log Message Format 17 2 Default System Message Logging Configuration 17 3 Disabling and Enabling Message Logging 17 4 Setting the Message Display Destination Device 17 4 Synchronizing Log Messages 17 6 Enabling and Disabling T...

Page 16: ...Displaying SNMP Status 18 10 C H A P T E R 19 Configuring Network Security with ACLs 19 1 Understanding ACLs 19 1 Supported ACLs 19 2 Router ACLs 19 2 VLAN Maps 19 3 Handling Fragmented and Unfragmented Traffic 19 4 Configuring Router ACLs 19 5 Hardware and Software Handling of Router ACLs 19 5 Unsupported Features 19 6 Creating Standard and Extended IP ACLs 19 6 Access List Numbers 19 7 Creating ...

Page 17: ... the ACL Configuration Fits in Hardware 19 37 Examples of Router ACLs and VLAN Maps Applied to VLANs 19 39 ACLs and Switched Packets 19 39 ACLs and Bridged Packets 19 40 ACLs and Routed Packets 19 41 ACLs and Multicast Packets 19 42 C H A P T E R 20 Configuring QoS 20 1 Understanding QoS 20 1 Basic QoS Model 20 3 Classification 20 4 Classification Based on QoS ACLs 20 7 Classification Based on Cla...

Page 18: ...0 44 Mapping CoS Values to Select Egress Queues 20 45 Configuring the Egress Queue Size Ratios 20 46 Configuring Tail Drop Threshold Percentages 20 47 Configuring WRED Drop Thresholds Percentages 20 48 Configuring the Egress Expedite Queue 20 50 Allocating Bandwidth among Egress Queues 20 50 Configuring Egress Queues on 10 100 Ethernet Ports 20 51 Mapping CoS Values to Select Egress Queues 20 52 C...

Page 19: ... for Configuring Routing 22 3 Configuring IP Addressing 22 4 Default Addressing Configuration 22 4 Assigning IP Addresses to Network Interfaces 22 5 Use of Subnet Zero 22 8 Classless Routing 22 8 Configuring Address Resolution Methods 22 10 Define a Static ARP Cache 22 11 Set ARP Encapsulation 22 12 Enable Proxy ARP 22 13 Routing Assistance When IP Routing is Disabled 22 14 Proxy ARP 22 14 Default...

Page 20: ... Express Forwarding 22 53 Configuring the Number of Equal Cost Routing Paths 22 54 Configuring Static Routes 22 55 Specifying Default Routes 22 56 Specifying a Default Network 22 56 Redistributing Routing Information 22 57 Filtering Routing Information 22 61 Setting Passive Interfaces 22 61 Controlling Advertising and Processing in Routing Updates 22 62 Filtering Sources of Routing Information 22 ...

Page 21: ...ring IP Multicast Routing 24 13 Default Multicast Routing Configuration 24 13 Multicast Routing Configuration Guidelines 24 14 PIMv1 and PIMv2 Interoperability 24 14 Auto RP and BSR Configuration Guidelines 24 15 Configuring Basic Multicast Routing 24 15 Configuring a Rendezvous Point 24 17 Manually Assigning an RP to Multicast Groups 24 17 Configuring Auto RP 24 18 Configuring PIMv2 BSR 24 22 Usi...

Page 22: ...ty Features 24 43 Configuring DVMRP Interoperability 24 44 Controlling Unicast Route Advertisements 24 44 Configuring a DVMRP Tunnel 24 46 Advertising Network 0 0 0 0 to DVMRP Neighbors 24 48 Responding to mrinfo Requests 24 49 Configuring Advanced DVMRP Interoperability Features 24 50 Enabling DVMRP Unicast Routing 24 50 Rejecting a DVMRP Nonpruning Neighbor 24 51 Controlling Route Exchanges 24 5...

Page 23: ...the RP Address 25 18 Monitoring and Maintaining MSDP 25 19 C H A P T E R 26 Configuring Fallback Bridging 26 1 Understanding Fallback Bridging 26 1 Configuring Fallback Bridging 26 3 Default Fallback Bridging Configuration 26 3 Creating a Bridge Group 26 4 Preventing the Forwarding of Dynamically Learned Stations 26 5 Configuring the Bridge Table Aging Time 26 6 Filtering Frames by a Specific MAC ...

Page 24: ...e show forward Command 27 15 Using the crashinfo File 27 17 A P P E N D I X A Supported MIBs A 1 MIB List A 1 Using FTP to Access the MIB Files A 2 A P P E N D I X B Working with the IOS File System Configuration Files and Software Images B 1 Working with the Flash File System B 1 Displaying Available File Systems B 2 Setting the Default File System B 3 Displaying Information about Files on a File...

Page 25: ...ion Information B 19 Clearing the Startup Configuration File B 19 Deleting a Stored Configuration File B 19 Working with Software Images B 19 Image Location on the Switch B 20 tar File Format of Images on a Server or Cisco com B 20 Copying Image Files By Using TFTP B 21 Preparing to Download or Upload an Image File By Using TFTP B 22 Downloading an Image File By Using TFTP B 22 Uploading an Image ...

Page 26: ...outing C 4 Unsupported Privileged EXEC Commands C 4 Unsupported Global Configuration Commands C 4 Unsupported Interface Configuration Commands C 5 IP Unicast Routing C 5 Unsupported Privileged EXEC or User EXEC Commands C 5 Unsupported Global Configuration Commands C 5 Unsupported Interface Configuration Commands C 6 Unsupported VPN Configuration Commands C 6 Unsupported VRF Configuration Commands...

Page 27: ... Ethernet switches from running the SMI to the EMI This guide provides procedures for using the commands that have been created or changed for use with the Catalyst 3550 switch It does not provide detailed information about these commands For detailed information about these commands refer to the Catalyst 3550 Multilayer Switch Command Reference for this release For information about the standard ...

Page 28: ...h It describes how to prevent unauthorized access to your switch through the use of passwords privilege levels the Terminal Access Controller Access Control System Plus TACACS and the Remote Authentication Dial In User Service RADIUS It also describes how to set the system date and time system name and prompt create a login banner how to manage the MAC address table and how to optimize system reso...

Page 29: ...w to configure quality of service QoS on your switch With this feature you can provide preferential treatment to certain types traffic Chapter 21 Configuring EtherChannel describes how to bundle a set of individual ports into a single logical link on Layer 2 and Layer 3 interfaces Chapter 22 Configuring IP Unicast Routing describes how to configuring IP unicast routing on your switch including con...

Page 30: ...ns Commands and keywords are in boldface text Arguments for which you supply values are in italic Square brackets mean optional elements Braces group required choices and vertical bars separate the alternative elements Braces and vertical bars within square brackets mean a required choice within an optional element Interactive examples use these conventions Terminal sessions and system displays ar...

Page 31: ... Command Reference order number DOC 7811195 Catalyst 3550 Multilayer Switch System Message Guide order number DOC 7811196 Cluster Management Suite CMS online help available only from the switch CMS software Catalyst 3550 Multilayer Switch Hardware Installation Guide order number DOC 7811358 1000BASE T Gigabit Interface Converter Installation Note not orderable but is available on Cisco com Catalys...

Page 32: ...World Wide Web you can send us your comments by completing the online survey When you display the document listing for this platform click Give Us Your Feedback After you display the survey select the manual that you wish to comment on Click Submit to send your comments to the Cisco documentation group You can e mail your comments to bug doc cisco com To submit your comments by mail use the respon...

Page 33: ...ing to the urgency of the issue Priority level 4 P4 You need information or assistance concerning Cisco product capabilities product installation or basic product configuration Priority level 3 P3 Your network performance is degraded Network functionality is noticeably impaired but most business operations continue Priority level 2 P2 Your production network is severely degraded affecting signific...

Page 34: ...fied as priority level 1 or priority level 2 these classifications are assigned when severe network degradation significantly impacts business operations When you contact the TAC Escalation Center with a P1 or P2 problem a Cisco TAC engineer will automatically open a case To obtain a directory of toll free Cisco TAC telephone numbers for your country go to the following URL http www cisco com warp...

Page 35: ...ade Catalyst 3550 Fast Ethernet switches from running the SMI to the EMI Table 1 1 Features Ease of Use and Ease of Deployment Cluster Management Suite CMS software for simplifying switch and switch cluster management through a web browser such as Netscape Communicator or Microsoft Internet Explorer from anywhere in your intranet Switch clustering technology used with CMS for Unified configuration...

Page 36: ... maximize support for user selected features Manageability Dynamic Host Configuration Protocol DHCP for automating configuration of switch information such as IP address default gateway host name and Domain Name System DNS and Trivial File Transfer Protocol TFTP server names Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding host name an...

Page 37: ...nd changes management and control of broadcast and multicast traffic and network security by establishing VLAN groups for high security users and network resources Dynamic Trunking Protocol DTP for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation 802 1Q or ISL to be used VLAN Trunking Protocol VTP and VTP pruning for reducing network traffic...

Page 38: ... eight policers on ingress 10 100 ports Up to eight policers per egress port aggregate policers only Out of Profile Out of profile markdown for packets that exceed bandwidth utilization limits Egress Policing and Scheduling of Egress Queues Four egress queues on all switch ports These queues can either be configured with the Weighted Round Robin WRR scheduling algorithm or configured with one queu...

Page 39: ...access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station For more information about the CLI see Chapter 2 Using the Command Line Interface Internet Control Message Protocol ICMP and ICMP Router Discovery Protocol IRDP for using router advertisement and router solicitation messages to discover the addresses o...

Page 40: ...ia including Ethernet Fast Ethernet Fast EtherChannel Cisco GigaStack Gigabit Interface Converter GBIC Gigabit Ethernet and Gigabit EtherChannel connections Accomplish multiple configuration tasks from a single CMS window without needing to remember CLI commands to accomplish specific tasks Apply actions from CMS to multiple ports and multiple switches at the same time Here are some examples of co...

Page 41: ...easing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place the network resources in the same logical network as the users who access those resources most Use full duplex operation betwe...

Page 42: ...st streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons High demand on network redundancy to provide always on mission critical applications Use HSRP for router redundancy Use VLAN trunks cross stack UplinkFast and BackboneFast for traffic load balancing on the uplink ports so that the uplink port with a lower relative port cost is selecte...

Page 43: ...rformance workgroup For high speed access to network resources you can use Catalyst 3550 switches in the access layer to provide Gigabit Ethernet to the desktop To prevent congestion use QoS DSCP marking priorities on these switches For high speed IP forwarding at the distribution layer connect the Catalyst 3550 switches in the access layer to a Gigabit multilayer switch such as the Catalyst 3550 ...

Page 44: ... 1 1 Example Configurations Si Si Si Si Catalyst 3550 GigaStack cluster 1 Gbps HSRP 50830 Catalyst 3550 12T or Catalyst 3550 12G switch Gigabit server Catalyst 3550 switch Cost Effective Wiring Closet High Performance Workgroup Redundant Gigabit Backbone Catalyst 3550 cluster Catalyst 3550 switch Catalyst 3550 switch Catalyst switches ...

Page 45: ...ry command switches regardless of the geographic location of the cluster members This network uses VLANs to segment the network logically into well defined broadcast groups and for security management Data and multimedia traffic are configured on the same VLAN When an end station in one VLAN needs to communicate with an end station in another VLAN a router or multilayer switch routes the traffic t...

Page 46: ...Figure 1 2 Catalyst 3550 Switches in a Collapsed Backbone Configuration IP Gigabit servers 50831 Cisco IP Phones Cisco IP Phones Workstations running Cisco SoftPhone software Catalyst GigaStack cluster Catalyst GigaStack cluster Cisco 2600 or 3600 routers Catalyst 3550 multilayer switches AC power source Internet IP IP IP Si Si ...

Page 47: ... VLAN maps provide intra VLAN security and prevent unauthorized users from accessing critical pieces of the network QoS features can limit bandwidth on a per port or per user basis The switch ports are configured as either trusted or untrusted You can configure a trusted port to trust the CoS value the DSCP value or the IP precedence If you configure the port as untrusted you can use an ACL to mar...

Page 48: ...RE XL Layer 2 only switches also can be used as residential switches for customers requiring connectivity through existing phone lines The Catalyst 2912 LRE or 2924 LRE XL switches can then connect to another residential switch or to an aggregation switch For more information about the LRE switches refer to the Catalyst 2900 Series XL Hardware Installation Guide All ports on the residential Cataly...

Page 49: ...rity and bandwidth management The aggregating switches and routers provide services such as those described in the previous examples Small to Medium Sized Network Using Mixed Switches and Large Network Using Only Catalyst 3550 Switches Figure 1 4 Catalyst 3550 Switches in a MAN Configuration 50833 Service Provider POP Mini POP Gigabit MAN Residential location Catalyst 3550 multilayer switches Cata...

Page 50: ...1 16 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 1 Overview Network Configuration Examples ...

Page 51: ...user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to all commands you must enter privileged EXEC mode No...

Page 52: ...rameters Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Interface configuration While in global configuration mode enter the interface command with a specific interface Switch config if To exit to global configuration ...

Page 53: ... privileged EXEC command Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command entry Tab Complete a partial command name For example Switch sh conf tab Switch show ...

Page 54: ...ult command enables the command and sets variables to their default values Understanding CLI Messages Table 2 3 lists some error messages that you might encounter while using the CLI to configure your switch Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recognize the command Re enter the c...

Page 55: ...is command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in Table 2 4 Disabling the Command History Feature The command history feature is automatically enabled Table 2 4 Recall...

Page 56: ...command in privileged EXEC mode Switch terminal editing To reconfigure a specific line to have enhanced editing mode enter this command in line configuration mode Switch config line editing To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Editing Commands through Keystrokes Table 2 5 shows the keystrokes that you need to edit com...

Page 57: ...d to the left of the cursor Press Esc D Delete from the cursor to the end of the word Capitalize or lowercase words or capitalize a set of letters Press Esc C Capitalize at the cursor Press Esc L Change the word at the cursor to lowercase Press Esc U Capitalize letters from the cursor to the end of the word Designate a particular keystroke as an executable command perhaps as a shortcut Press Ctrl ...

Page 58: ... entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 The software assumes you have a terminal screen that is 80 columns wide If you have a width other than that use the term...

Page 59: ...ware installation guide that shipped with your switch Then to understand the boot process and the options available for assigning IP information see Chapter 4 Assigning the Switch IP Address and Default Gateway If your switch is already configured you can access the CLI through a local console connection or through a remote Telnet session but your switch must first be configured for this type of a...

Page 60: ...2 10 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 2 Using the Command Line Interface Accessing the CLI ...

Page 61: ...7 CMS Window Components page 3 28 Accessing CMS page 3 30 Verifying Your Changes page 3 32 Saving Your Changes page 3 32 Using Different Versions of CMS page 3 33 Where to Go Next page 3 33 Note For system requirements and for browser and Java plug in configuration procedures refer to the release notes For procedures for using CMS refer to the online help Note This chapter describes the CMS interf...

Page 62: ...clusters cluster members cluster candidates neighboring devices that are not eligible to join a cluster and link types From this view you can select multiple switches and configure them to run with the same settings You can also display link information in the form of link reports and link graphs This view is available only when CMS is launched from a command switch Menus and toolbar to access con...

Page 63: ...Consistent set of GUI components such as tabs buttons drop down lists tables and so on for a consistent approach to setting configuration parameters Figure 3 1 CMS Features Menu bar Toolbar Move the cursor over the icon to display the tool tip For example the button displays the legend of icons and color codes Click Guide or Expert interaction mode to change how some configuration options will be ...

Page 64: ... Panel View from a Command Switch Right click a port to display the port pop up menu and select an option to view or change port related settings Press Ctrl and then left click ports to select multiple ports The color of the port LED reflects port or link status LEDs display the current port mode and the status of the switch and connected RPS Left click the Mode button to change the meaning of the...

Page 65: ...ster tree icon or the corresponding front panel image The front panel image is then highlighted with a yellow outline To select multiple front panel images press the Ctrl key and left click the cluster tree icons or the front panel images To deselect an icon or image press the Ctrl key and left click the icon or image If the cluster has many switches you might need to scroll down the window to dis...

Page 66: ...odes in CMS section on page 3 31 Figure 3 5 shows the port icons as they appear in the front panel images To select a port click the port on the front panel image The port is then highlighted with a yellow outline To select multiple ports you can Press the left mouse button drag the pointer over the group of ports that you want to select and then release the mouse button Press the Ctrl key and cli...

Page 67: ...es Refer to the appropriate switch hardware documentation for RPS descriptions specific for the switch Table 3 2 RPS LED Color RPS Status Black off RPS is off or is not installed Green RPS is connected and operational Blinking green RPS is providing power to another switch in the stack Amber RPS is connected but not functioning The RPS could be in standby mode To put the RPS in Active mode press t...

Page 68: ... Duplex setting on the ports SPEED Speed setting on the ports Table 3 4 Port LEDs Port Mode Port LED Color Description STAT Cyan off No link Green Link present Amber Link fault Error frames can affect connectivity and errors such as excessive collisions CRC errors and alignment and jabber errors are monitored for a link fault indication Port is not forwarding Port was disabled by management by an ...

Page 69: ...AN VLAN Configure VLANs The colors show the VLAN membership mode of each port The VLAN membership mode determines the kind of traffic the port carries and the number of VLANs it can belong to For more information about these modes see the VLAN Port Membership Modes section on page 9 3 Note This feature is not supported on the Catalyst 1900 and Catalyst 2820 switches Table 3 5 VLAN Membership Modes...

Page 70: ...k a command switch icon and select Collapse Cluster the cluster is collapsed and represented by a single icon The view shows how the cluster is connected to other clusters candidate switches and devices that are not eligible to join the cluster such as routers access points IP phones and so on Figure 3 7 Note The Topology view displays only the switch cluster and network neighborhood of the specif...

Page 71: ...r View Figure 3 7 Collapse Cluster View Right click a link icon to display a link popup menu Cluster members of cluster1 and other devices connected to cluster1 65722 Right click a device icon to display a device popup menu Devices connected to cluster1 that are not eligible to join the cluster Neighboring cluster connected to cluster1 65723 cluster1 ...

Page 72: ...ified as unknown devices such as some Cisco devices and third party devices Note Candidate switches are distinguished by the color of their device label Device labels and their colors are described in the Colors in the Topology View section on page 3 14 To select a device click the icon The icon is then highlighted To select multiple devices you can either Press the left mouse button drag the poin...

Page 73: ...ed and IDs of the interfaces on both ends of the link When using these labels keep these considerations in mind The IP address displays only in the labels for the command switch and member switches The label of a neighboring cluster icon only displays the IP address of the command switch IP address The displayed link speeds are the actual link speeds except on the LRE links which display the admin...

Page 74: ...th the device and link icons Table 3 6 Device Icon Colors Icon Color Color Meaning Green The device is operating Yellow1 1 Available only on the cluster members The internal fan of the switch is not operating or the switch is receiving power from an RPS Red1 The device is not operating Table 3 7 Single Link Icon Colors Link Color Color Meaning Green Active link Red Down or blocked link Table 3 8 M...

Page 75: ...r displays the features of all Layer 2 switches in the cluster The menu bar does not display Layer 3 features even if the cluster has Catalyst 3550 Layer 3 member switches Note We strongly recommend that the highest end command capable switch in the cluster be the command switch so that all of the features supported in the cluster are displayed from the menu bar If you have a switch cluster with a...

Page 76: ...nting from CMS Print Preview View the way the CMS window or help file will appear when printed Print Print a CMS window or help file Guide Mode Expert Mode1 Select which interaction mode to use when you select a configuration option Preferences2 Set CMS display properties such as polling intervals the default views to open at startup and the color of administratively shutdown ports Administration ...

Page 77: ...cessing on the switch Join or leave multicast groups and configure multicast routers ACL2 guide mode available1 Create and maintain access control lists ACLs and attach ACLs to specific ports Security Wizard1 Filter certain traffic such as HTTP traffic to certain users or devices QoS2 guide mode available on some options1 Display submenu options to enable and disable quality of service QoS and to ...

Page 78: ... port parameters on a switch Port Search Search for a port through its description Port Security1 Enable port security on a port EtherChannels2 Group ports into logical units for high speed links between switches SPAN2 Enable Switch Port Analyzer SPAN port monitoring Protected Port2 Configure a port to prevent it from receiving bridged traffic from another port on the same switch Flooding Control2...

Page 79: ...System Messages Display the most recent system messages IOS messages and switch specific messages sent by the switch software This option is available on the Catalyst 2950 or Catalyst 3550 switches It is not available from the Catalyst 2900 XL and Catalyst 3500 XL switches You can display the system messages of the Catalyst 2900 XL and Catalyst 3500 XL switches when they are in a cluster where the...

Page 80: ... describes the icons labels and links About Display the CMS version number 1 Not available in read only mode For more information about the read only and read write access modes see the Access Modes in CMS section on page 3 31 2 Some options from this menu option are not available in read only mode 3 Available only from a Device Manager session on a cluster member 4 Available only from a Device Ma...

Page 81: ... write access modes see the Access Modes in CMS section on page 3 31 Ctrl S Save the configuration for the cluster or switch to Flash memory Software Upgrade2 Ctrl U Upgrade the software for the cluster or a switch Port Settings1 Display and configure port parameters on a switch VLAN1 Display VLAN membership assign ports to VLANs and configure ISL and 802 1Q trunks Inventory Display the device typ...

Page 82: ...ble only from the command switch 3 Available only from a cluster management session 4 Not available in read only mode For more information about the read only and read write access modes see the Access Modes in CMS section on page 3 31 Delete a cluster Remove from Cluster3 4 Remove a member from the cluster Bandwidth Graphs Display graphs that plot the total bandwidth in use Host Name4 Change the ...

Page 83: ...s Devices that are not eligible to join the cluster If multiple links are configured between two devices when you click the link icon and right click the Multilink Content window appears Figure 3 10 Click the link icon in this window and right click to display the link popup menu specific for that link Figure 3 10 Multilink Decomposer Window Table 3 14 Link Popup Menu Popup Menu Option Task Link R...

Page 84: ...ific topology view Properties Display information about the device and port on either end of the link and the state of the link Table 3 16 Device Popup Menu of a Command Switch Icon Popup Menu Option Task Collapse cluster View the neighborhood outside a specific cluster Host Name1 1 Not available in read only mode For more information about the read only and read write access modes see the Access ...

Page 85: ...andidate Switch Does Not Have an IP Address Popup Menu Option Task Add to Cluster1 1 Not available in read only mode For more information about the read only and read write access modes see the Access Modes in CMS section on page 3 31 Add a candidate to a cluster Properties Display information about the device and port on either end of the link and the state of the link Table 3 20 Device Popup Men...

Page 86: ... Clicking Cancel at any time closes and ends the configuration task without applying any changes If Expert Mode is selected and you want to use guide mode you must click Guide Mode before selecting an option from the menu bar tool bar or popup menu If you change the interaction mode after selecting a configuration option the mode change does not take effect until you select another configuration o...

Page 87: ...ndows Figure 3 11 Feature help available from the menu bar by selecting Help Contents provides background information and concepts on the features Dialog specific help available from Help on the CMS windows provides procedures for performing tasks Index of help topics Glossary of terms used in the online help You can send us feedback about the information provided in the online help Click Feedback...

Page 88: ...ndow does not include Catalyst 1900 and Catalyst 2820 switches even though they are part of the cluster Similarly the Host Name list on the LRE Profiles window only lists the LRE switches in the cluster Click a tab to display more information Click a row to select it Press Shift and left click another row to select contiguous multiple rows Press Ctrl and left click rows to select non contiguous ro...

Page 89: ...cons Used in Windows Some window have icons for sorting information in tables for showing which cells in a table are editable and for displaying further information from Cisco com Figure 3 13 Figure 3 13 Window Icons Buttons These are the most common buttons that you use to change the information in a CMS window OK Save any changes and close the window If you made no changes the window closes If C...

Page 90: ...cess to the command line interface from a cached copy of the Cisco Systems Access page To prevent unauthorized access to CMS and the CLI exit your browser to end the browser session To access CMS follow these steps Step 1 Enter the switch IP address and your privilege level in the browser Location field Netscape Communicator or Address field Microsoft Internet Explorer For example http 10 1 126 45...

Page 91: ...ose switches display incomplete information Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 2950 member switches running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 3550 member switches running Cisco IOS Release 12 1 6 EA1 or earlier For more information about this limitation refer to the Catalyst 3550 release notes These switches ...

Page 92: ... error Saving Your Changes Note The Save Configuration option is not available if your switch access level is read only For more information about the read only access mode see the Access Modes in CMS section on page 3 31 Tip As you make cluster configuration changes except for changes to the Topology view and in the Preferences window make sure that you periodically save the configuration from th...

Page 93: ...or earlier or Cisco IOS Release 12 1 6 EA1 or earlier the CMS versions in those software releases might appear similar but are not the same as this release For example the Topology view in this release is not the same as the Topology view or Cluster View in those earlier software releases CMS on the Catalyst 1900 and Catalyst 2820 switches is referred to as Switch Manager Cluster management option...

Page 94: ...3 34 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 3 Getting Started with CMS Where to Go Next ...

Page 95: ...tion page 4 10 Modifying the Startup Configuration page 4 12 Scheduling a Reload of the Software Image page 4 17 Understanding the Boot Process Before you can assign switch information IP address subnet mask default gateway secret and Telnet passwords and so forth you need to install and power on the switch as described in the hardware installation guide that shipped with your switch The normal bo...

Page 96: ...al to the console port and configured the PC or terminal emulation software baud rate and character format to match those of the switch console port For more information refer to the hardware installation guide that shipped with your switch Assigning Switch Information You can assign IP information through the switch setup program through a Dynamic Host Configuration Protocol DHCP server or manual...

Page 97: ...our switch However you need to configure the DHCP server for various lease options associated with IP addresses If you are using DHCP to relay the configuration file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server can be on the same LAN or on a different LAN than the switch If the DHCP server ...

Page 98: ...s message the client and server are bound and the client uses configuration information received from the server The amount of information the switch receives depends on how you configure the DHCP server For more information see the Configuring the DHCP Server section on page 4 5 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid a configuration error e...

Page 99: ...uter IP address or TFTP server name are not found the switch might send broadcast instead of unicast TFTP requests Unavailability of other lease options does not affect autoconfiguration The DHCP server can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay For more information see the Configuring the Relay De...

Page 100: ...server name to an IP address You must configure the TFTP server name to IP address map on the DNS server The TFTP server contains the configuration files for the switch You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them You can enter up to two DNS server IP addresses in the lease database The DNS server can ...

Page 101: ...is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the network confg or cisconet cfg default configuration file If the network confg file cannot be read the switch rea...

Page 102: ...ses on the DHCP server Switch 1 00e0 9f1e 2001 Cisco router 49066 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server maritsu 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 4 2 DHCP Server Configuration Switch 1 Switch 2 Switch 3 Switch 4 Binding key hardware address 00e0 9f1e 2001 00e0 9f1e 2002 00e0 9f1e 2003 00e0 9f1e 2004 IP address 10 0 0 21 ...

Page 103: ... confg switch2 confg switch3 confg switch4 confg prompt cat network confg ip host switch1 10 0 0 21 ip host switch2 10 0 0 22 ip host switch3 10 0 0 23 ip host switch4 10 0 0 24 DHCP Client Configuration No configuration file is present on Switch 1 through Switch 4 Configuration Explanation In Figure 4 3 Switch 1 reads its configuration file as follows It obtains its IP address 10 0 0 21 from the ...

Page 104: ...onfiguration 1363 bytes version 12 1 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Switch enable secret 5 1 ej9 DMUvAUnZOAmvmgqBEzIxE0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assig...

Page 105: ...fault gateway 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in Flash memory enter this privileged EXEC command Switch copy running config startup config Destination filename startup...

Page 106: ...ch by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 4 3 Table 4 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and...

Page 107: ...gure it to manually boot Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot cycle For file url specify the path directory and the configuration filename File...

Page 108: ...ng of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot the system use the boot filesystem file url boot loader command For filesystem use flash for the system board Flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step ...

Page 109: ... it is not listed in this file it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the IOS configuration file For example the name of a boo...

Page 110: ... attempts to load and execute the first executable image it can find by using a recursive depth first search through the Flash file system If the BOOT variable is set but the specified images cannot be loaded the system attempts to boot the first bootable file that it can find in the Flash file system boot system filesystem file url Specifies the IOS image to load during the next boot cycle This c...

Page 111: ...rrent day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedule ...

Page 112: ...Thu Jun 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to determine if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information includi...

Page 113: ...dditional information about switch clusters and the clustering options For complete procedures on using CMS to configure switch clusters refer to the online help For the CLI cluster commands refer to the switch command reference Refer to the release notes for the list of Catalyst switches eligible for switch clustering including which ones can be command switches and which ones can only be member ...

Page 114: ... software configuration guide for that specific switch Command switch redundancy if a command switch fails One or more switches can be designated as standby command switches to avoid loss of contact with cluster members A cluster standby group is a group of standby command switches Management of a variety of Catalyst switches through a single IP address This conserves on IP addresses especially if...

Page 115: ...an be these switches also running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 2900 XL Catalyst 2950 and Catalyst 3500 XL switches Candidate and Member Switches Characteristics Candidate switches are cluster capable switches that have not yet been added to a cluster Member switches are switches that have actually been added to a switch cluster Although not required a candidate or member switch...

Page 116: ...nes can only be member switches and for the required software versions and browser and Java plug in configurations Automatic Discovery of Cluster Candidates and Members The command switch uses Cisco Discovery Protocol CDP to discover member switches candidate switches neighboring switch clusters and edge devices across multiple VLANs and in star or cascaded topologies Note Do not disable CDP on th...

Page 117: ...d member switches by selecting Cluster Hop Count When new candidate switches are added to the network the command switch discovers them and adds them to the list of candidate switches Figure 5 1 shows a switch cluster with candidate switches The command switch has ports assigned to VLANs 16 and 62 The CDP hop count is three The command switch discovers switches 11 12 13 and 14 because they are wit...

Page 118: ...a noncluster capable Cisco device it cannot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 5 2 shows that the command switch discovers the Catalyst 3500 XL switch which is connected to a third party hub However the command switch does not discover the Catalyst 3550 switch that is connected to a Catalyst 5000 switch Figure 5 2 Discovery through Non CDP...

Page 119: ...iscovers the switches in those VLANs It does not discover the switch in VLAN 50 It also does not discover the switch in VLAN 16 in the first column because the command switch has no VLAN connectivity to it For more information about VLANs see Chapter 9 Creating and Maintaining VLANs For information about discovery through management VLANs see the Discovery through the Same Management VLAN section ...

Page 120: ... they belong to different management VLANs see the Discovery through Different Management VLANs section on page 5 9 The command switch in Figure 5 4 has ports assigned to management VLAN 9 It discovers all but these switches Switches 7 and 10 because their management VLAN VLAN 4 is different from the command switch management VLAN VLAN 9 Switch 9 because automatic discovery does not extend beyond ...

Page 121: ...8 For information about management VLANs on these switches refer to the software configuration guide for that specific switch The command switch in Figure 5 5 has ports assigned to VLANs 9 16 and 62 It discovers all the switches in the different management VLANs except these Switches 7 and 10 because their management VLAN VLAN 4 is different from the command switch management VLAN VLAN 9 Switch 9 ...

Page 122: ...ormation about routed ports see the Routed Ports section on page 8 4 The command switch in Figure 5 6 can discover the switches in VLANs 9 and 62 but not the switch in VLAN 4 If the routed port path between the command switch and member switch 7 is lost connectivity with member switch 7 is maintained because of the redundant path through VLAN 9 Figure 5 6 Discovery through Routed Ports Si Si Si RP...

Page 123: ...pstream neighbor An access port AP carries the traffic of and belongs to only one VLAN For more information about access ports see the Access Ports section on page 8 2 For example the command switch in Figure 5 7 belongs to VLAN 9 and VLAN 16 A new Catalyst 3550 switch automatically configures the access port to belong to the immediately upstream VLAN VLAN 9 A new Catalyst 2950 switch configures t...

Page 124: ...ling HSRP disables the cluster standby group The switches in the cluster standby group are ranked according to HSRP priorities The switch with the highest priority in the group is the active command switch AC The switch with the next highest priority is the standby command switch SC The other switches in the cluster standby group are the passive command switches PC If the active command switch and...

Page 125: ...formation but not device configuration information to the standby command switch This ensures that the standby command switch can take over the cluster immediately after the active command switch fails Automatic discovery has these limitations This limitation applies only to clusters that have Catalyst 2950 and Catalyst 3550 command and standby command switches If the active command switch and sta...

Page 126: ...to a cluster You can have more than one router redundancy standby group An HSRP group can be both a cluster standby group and a router redundancy group However if a router redundancy group becomes a cluster standby group router redundancy becomes disabled on that group You can reenable it by using the CLI For more information about HSRP and router redundancy see Chapter 23 Configuring HSRP All sta...

Page 127: ...sses available on the new active command switch You can assign an IP address to a cluster capable switch but it is not necessary A member switch is managed and communicates with other member switches through the command switch IP address If the member switch leaves the cluster and it does not have its own IP address you then must assign IP information to it to manage it as a standalone switch Note...

Page 128: ...ins it when it leaves the cluster If no command switch password is configured the member switch inherits a null password Member switches only inherit the command switch password If you change the member switch password to be different from the command switch password and save the change the switch is not manageable by the command switch until you change the member switch password to match the comm...

Page 129: ...ess to these member switches some configuration windows for those switches display incomplete information Catalyst 2900 XL or Catalyst 3500 XL member switches running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 2950 member switches running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 3550 member switches running Cisco IOS Release 12 1 6 EA1 or earlier For more information about this limit...

Page 130: ...ate a cluster is easier than using the CLI commands This section provides this information Enabling a Command Switch section on page 5 19 Adding Member Switches section on page 5 20 Creating a Cluster Standby Group section on page 5 22 Verifying a Switch Cluster section on page 5 24 This section assumes you have already cabled the switches as described in the switch hardware installation guide and...

Page 131: ... command switch If your switch cluster has Catalyst 1900 Catalyst 2820 Catalyst 2900 XL and Catalyst 3500 XL switches either the Catalyst 2900 XL or Catalyst 3500 XL should be the command switch You can enable a command switch name the cluster and assign an IP address and a password to the command switch when you run the setup program during initial switch setup For information about using the set...

Page 132: ...didate switches are cyan and member switches are green To add more than one candidate switch press Ctrl and left click the candidates that you want to add Instead of using CMS to add members to the cluster you can use the cluster setup privileged EXEC command or cluster member global configuration command from the command switch You can select one or more switches as long as the total number of sw...

Page 133: ...to Add Member Switches Enter the password of the candidate switch If no password exists for the switch leave this field blank Select a switch and click Add Press Ctrl and left click to select more than one switch 2900 LRE 24 1 65724 Thin line means a connection to a candidate switch Right click a candidate switch to display the pop up menu and select Add to Cluster to add the switch to the cluster...

Page 134: ...running Cisco IOS Release 12 0 5 WC2 or earlier Catalyst 2900 XL Catalyst 2950 and Catalyst 3500 XL switches These abbreviations are appended to the switch host names in the Standby Command Group list to show their eligibility or status in the cluster standby group AC Active command switch SC Standby command switch PC Member of the cluster standby group but not the standby command switch HC Candid...

Page 135: ...h Cluster Figure 5 12 Standby Command Configuration Window 2950C cisco WS C2950 C 24 HC NMS 3550 12T 149 cisco WS C3550 1 3550 150 cisco WS C3550 12T SC Active command switch Standby command switch Must be a valid IP address in the same subnet as the active command switch Once entered this information cannot be changed 65726 ...

Page 136: ...entory to display an inventory of the switches in the cluster Figure 5 13 The summary includes information such as switch model numbers serial numbers software versions IP information and location You can also display port and switch statistics from Reports Port Statistics and Port Port Settings Runtime Status Instead of using CMS to verify the cluster you can use the show cluster members user EXE...

Page 137: ...me privilege level as on the command switch The IOS commands then operate as usual For instructions on configuring the switch for a Telnet session see the Setting a Telnet Password for a Terminal Line section on page 6 6 Catalyst 1900 and Catalyst 2820 CLI Considerations If your switch cluster has Catalyst 1900 and Catalyst 2820 switches running standard edition software the Telnet session accesse...

Page 138: ...tch The command switch uses this community string to control the forwarding of gets sets and get next messages between the SNMP management station and the member switches Note When a cluster standby group is configured the command switch can change without your knowledge Use the first read write and read only community strings to communicate with the command switch if there is a cluster standby gr...

Page 139: ...d Authorization page 6 31 Managing the System Time and Date page 6 32 Configuring a System Name and Prompt page 6 46 Creating a Banner page 6 49 Managing the MAC Address Table page 6 51 Optimizing System Resources for User Selected Features page 6 57 Preventing Unauthorized Access to Your Switch You can prevent unauthorized users from reconfiguring your switch and viewing configuration information...

Page 140: ... want to use username and password pairs but you want to store them centrally on a server instead of locally you can store them in a database on a security server Multiple networking devices can then use the same database to obtain user authentication and if necessary authorization information For more information see the Controlling Switch Access with TACACS section on page 6 10 Protecting Access...

Page 141: ... before it is written to the configuration file Line password No password is defined Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new password or change an existing password for access to privileged EXEC mode By default no password is defined For password specify a string from 1 to 25 alphanumeric characters The string cannot st...

Page 142: ...taneously Beginning in privileged EXEC mode follow these steps to configure encryption for enable and enable secret passwords Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing pass...

Page 143: ... new password The password recovery disable feature for Catalyst 3550 Fast Ethernet switches allows the system administrator to protect access to the switch password by disabling part of this functionality and allowing the user to interrupt the boot process only by agreeing to set the system back to the default configuration With password recovery disabled you can still interrupt the boot process ...

Page 144: ... configure terminal Enter global configuration mode Step 2 no service password recovery Disable password recovery This setting is saved in an area of the Flash memory that is accessible by the boot loader and the IOS image but it is not part of the file system and is not accessible by any user Step 3 end Return to privileged EXEC mode Step 4 show version Verify the configuration by checking the la...

Page 145: ...n the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after ga...

Page 146: ...information Setting the Privilege Level for a Command page 6 8 Changing the Default Privilege Level for Lines page 6 9 Logging into and Exiting a Privilege Level page 6 10 Setting the Privilege Level for a Command Beginning in privileged EXEC mode follow these steps to set the privilege level for a command mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 privil...

Page 147: ...ower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console line to restrict line usage To return to the default line privilege level use the no privilege level line configuration command Step 5 show running config or sh...

Page 148: ...nformation Understanding TACACS page 6 10 TACACS Operation page 6 12 Configuring TACACS page 6 13 Displaying the TACACS Configuration page 6 17 Understanding TACACS TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstati...

Page 149: ...he company s password aging policy Authorization Provides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used fo...

Page 150: ...he user is authenticated and service can begin If the switch is configured to require authorization authorization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication with the daemon or in the network connection between the daemon an...

Page 151: ...austed This section contains this configuration information Default TACACS Configuration page 6 13 Identifying the TACACS Server Host and Setting the Authentication Key page 6 13 Configuring TACACS Login Authentication page 6 14 Configuring TACACS Authorization for Privileged EXEC Access and Network Services page 6 16 Starting TACACS Accounting page 6 17 Default TACACS Configuration TACACS and AAA...

Page 152: ...mand Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a list of preferred hosts The software searches for hosts in the order in which you specify them For hostname specify the name or IP address of the host...

Page 153: ...ntication command use the default keyword followed by the methods that are to be used in default situations The default method list is automatically applied to all interfaces For list name specify a character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method...

Page 154: ...user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI even if autho...

Page 155: ...th RADIUS This section describes how to enable and configure the Remote Authentication Dial In User Service RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in thi...

Page 156: ... been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server Network in which the user must only access a single service Using RADIUS you can control user access to a single host to a sin...

Page 157: ...sed for privileged EXEC or network authorization Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled The additional data included with the ACCEPT or REJECT packets includes these items Telnet rlogin or privileged EXEC services Connection parameters including the host or client IP address access list and user timeouts Configuring R...

Page 158: ...Settings for All RADIUS Servers page 6 28 optional Configuring the Switch to Use Vendor Specific RADIUS Attributes page 6 28 optional Configuring the Switch for Vendor Proprietary RADIUS Server Communication page 6 29 optional Default RADIUS Configuration RADIUS and AAA are disabled by default To prevent a lapse in security you cannot configure RADIUS through a network management application When ...

Page 159: ...an be configured globally for all RADIUS servers on a per server basis or in some combination of global and per server settings To apply these settings globally to all RADIUS servers communicating with the switch use the three unique global configuration commands radius server timeout radius server retransmit and radius server key To apply these values on a specific RADIUS server use the radius se...

Page 160: ...e radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command...

Page 161: ...od list which by coincidence is named default The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authenticat...

Page 162: ...character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods line Use the line password for authentication You must define a line password before you can use this authentication method Use the passw...

Page 163: ...the UDP destination port for accounting requests Optional For timeout seconds specify the time interval that the switch waits for the RADIUS server to reply before retransmitting The range is 1 to 1000 This setting overrides the radius server timeout global configuration command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is use...

Page 164: ...services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the radiu...

Page 165: ...ounting network exec start stop method1 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network related service requests Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization to determine if the user has privileg...

Page 166: ...ACS specification and sep is for mandatory attributes and for optional attributes This allows the full set of features available for TACACS authorization to also be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is a text strin...

Page 167: ...hod for communicating vendor proprietary information between the switch and the RADIUS server some vendors have extended the RADIUS attribute set in a unique way Cisco IOS software supports a subset of vendor proprietary RADIUS attributes As mentioned earlier to configure RADIUS whether vendor proprietary or IETF draft compliant you must specify the host running the RADIUS server daemon and the se...

Page 168: ...nning config privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address non standard Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor proprietary implementation of RADIUS Step 3 radius server key string Specify the shared secret text string used between th...

Page 169: ...uthorization exec local Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privilege level password encryption type password Enter the local database and establish a username based authentication ...

Page 170: ...dinated UTC also known as Greenwich Mean Time GMT You can configure information about the local time zone and summer time daylight saving time so that the time is correctly displayed for the local time zone The system clock keeps track of whether the time is authoritative or not that is whether it has been set by a time source considered to be authoritative If it is not authoritative the time is a...

Page 171: ...can simply be configured to send or receive broadcast messages However in that case information flow is one way only The time kept on a device is a critical resource you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time Two mechanisms are available an access list based restriction scheme and an encrypted authentication mechanism Cisco s imple...

Page 172: ...ble This section contains this configuration information Default NTP Configuration page 6 35 Configuring NTP Authentication page 6 35 Configuring NTP Associations page 6 36 Configuring NTP Broadcast Service page 6 37 Configuring NTP Access Restrictions page 6 38 Configuring the Source IP Address for NTP Packets page 6 40 Displaying the NTP Configuration page 6 41 Catalyst 3550 switch Catalyst 3550...

Page 173: ...ckets NTP access restrictions No access control is specified NTP packet source IP address The source address is determined by the outgoing interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp authenticate Enable the NTP authentication feature which is disabled by default Step 3 ntp authentication key number md5 value Define the authentication keys By defau...

Page 174: ...our entries Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a pe...

Page 175: ... receive NTP broadcast packets on an interface by interface basis if there is an NTP broadcast server such as a router broadcasting time information on the network The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it The switch can also receive NTP broadcast packets to synchronize its own clock This section provides procedures for both sending and receiving NT...

Page 176: ...estrictions You can control NTP access on two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 6 39 Disabling NTP Services on a Specific Interface page 6 40 Step 6 copy running config startup config Optional Save your entries in the configuration file Step 7 Configure the connected peers to receive NTP broadcast packets as described in the ne...

Page 177: ...rve peer access list number Create an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the switch to synchronize to the remote device peer Allows time requests and NTP control queries and allows the switch to synchronize...

Page 178: ...n interface use the no ntp disable interface configuration command Configuring the Source IP Address for NTP Packets When the switch sends an NTP packet the source IP address is normally set to the address of the interface through which the NTP packet is sent Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets The address is taken...

Page 179: ...nfiguration Fundamentals Command Reference for Release 12 1 Configuring Time and Date Manually If no other source of time is available you can manually configure the current time and date after the system is restarted The time remains accurate until the next system restart We recommend that you use manual configuration only as a last resort If you have an outside source to which the switch can syn...

Page 180: ...t by a timing source such as NTP the flag is set If the time is not authoritative it is used only for display purposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show clock display has this meaning Time is not authoritative blank Time is authoritative Time is ...

Page 181: ...is clock timezone AST 3 30 To set the time to UTC use the no clock timezone global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock timezone zone hours offset minutes offset Set the time zone The switch keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is manually set...

Page 182: ...fig clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring w...

Page 183: ...pril 26 2001 at 02 00 Switch config clock summer time pdt date 12 October 2000 2 00 26 April 2001 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configure summer time to start on the first date and en...

Page 184: ...on page 6 46 Configuring a System Name page 6 46 Configuring a System Prompt page 6 47 Understanding DNS page 6 47 Default System Name and Prompt Configuration The default switch system name and prompt is Switch Configuring a System Name Beginning in privileged EXEC mode follow these steps to manually configure a system name When you set the system name it is also used as the system prompt You can...

Page 185: ...ecific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the host names specify the name server that is present on your network and enable the...

Page 186: ...separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specify ...

Page 187: ...onfiguration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected terminals It is displayed after t...

Page 188: ...le shows the banner displayed from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message of t...

Page 189: ...ypes of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast or multicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address Note For complete syntax and usage informa...

Page 190: ... out those that are currently not in use The aging interval is configured on a per switch basis However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC address table the switch forwards the packet only to t...

Page 191: ...earned Flooding results which can impact switch performance Beginning in privileged EXEC mode follow these steps to configure the dynamic address table aging time To return to the default value use the no mac address table aging time global configuration command Table 6 4 Default MAC Address Table Configuration Feature Default Setting Aging time 300 seconds Dynamic addresses Automatically learned ...

Page 192: ...traffic The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and secure MAC addresses events are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address notifica...

Page 193: ...ify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Step 3 snmp server enable traps mac notification Enable the switch to send MAC address traps to the NMS Step 4 mac address table notification Enable the MAC address notification feature Step 5 mac address table notification interval value hist...

Page 194: ...d with the interface id option Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the address table use the no mac address table static mac addr vlan vlan id interface interface id global configuration command This example shows how to add the static address c2f3 220a 12f4 to the MAC address table When a packet is received in VLAN 4 with this...

Page 195: ...d typically be selected for a Catalyst 3550 used as a Layer 2 switch Default The default template gives balance to all functionalities QoS ACLs unicast routing multicast routing VLANs and MAC addresses Table 6 6 lists the approximate number of each resource supported in each of the four templates for Catalyst 3550 Gigabit Ethernet switches Table 6 7 compares the four templates for a Catalyst 3550 ...

Page 196: ...t routes will be in the range of 1K 5K entries for the access template Table 6 6 Approximate Resources Allowed in Each Template for Gigabit Ethernet Switches Resource Default Template Access Template Routing Template VLAN Template Unicast MAC addresses 6 K 2 K 6 K 12 K IGMP groups managed by Layer 2 multicast features such as MVR or IGMP snooping 6 K 8 K 6 K 6 K QoS classification ACEs 2 K 2 K 1 K...

Page 197: ...ing the approximately 17 K of memory allocated to unicast and multicast routing in the routing template This procedure shows how to change the SDM template from the default The switch must reload before the configuration takes effect If you use the show sdm prefer privileged EXEC command before the switch reloads the previous configuration in this case the default is displayed Beginning in privile...

Page 198: ...sdm prefer routing Switch config end Switch copy running config startup config Switch reload Proceed with reload confirm Switch show sdm prefer The current template is routing template The selected template optimizes the resources in the switch to support this level of features for 16 routed interfaces and 1K VLANs number of unicast mac addresses 6K number of igmp groups 6K number of qos aces 1K n...

Page 199: ...aying 802 1X Statistics and Status page 7 14 Understanding 802 1X Port Based Authentication The IEEE 802 1X standard defines a client server based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports The authentication server authenticates each client connected to a switch port before making available any services...

Page 200: ...in Cisco Secure Access Control Server version 3 0 RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client...

Page 201: ...rames from the client are dropped If the client does not receive an EAP request identity frame after three attempts to start authentication the client transmits frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page ...

Page 202: ...es normal traffic without 802 1X based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the interface auto enables 802 1X authentication and causes the port to begin in the unauthorized state allow...

Page 203: ...ess to the network to all of the attached clients In this topology the wireless access point is responsible for authenticating the clients attached to it and the wireless access point acts as a client to the switch Figure 7 3 Wireless LAN Example Configuring 802 1X Authentication The section describes how to configure 802 1X port based authentication on your switch It contains this configuration i...

Page 204: ...seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before retransmitting the request Maximum retransmission number 2 times number of times that the switch will send an EAP request id...

Page 205: ...t mode is not changed Dynamic access ports If you try to enable 802 1X on a dynamic access VLAN Query Protocol VQP port an error message appears and 802 1X is not enabled If you try to change an 802 1X enabled port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed EtherChannel port Before enabling 802 1X on the port you must first remove it from the Ethe...

Page 206: ...1x port control interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 aaa new model Enable AAA Step 3 aaa authentication dot1x default method1 method2 Create an 802 1X authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the met...

Page 207: ...ver parameters on the switch This procedure is required To delete the specified RADIUS server use the no radius server host hostname ip address global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server parameters on the switch For hostname ip addre...

Page 208: ...hentication attempts is 3600 Automatic 802 1X client re authentication is a global setting and cannot be set for clients connected to individual ports To manually re authenticate the client connected to a specific port see the Manually Re Authenticating a Client Connected to a Port section on page 7 11 Beginning in privileged EXEC mode follow these steps to enable periodic re authentication of the...

Page 209: ... and then tries again The idle time is determined by the quiet period value A failed authentication of the client might occur because the client provided an invalid password You can provide a faster response time to the user by entering a smaller number than the default Beginning in privileged EXEC mode follow these steps to change the quiet period To return to the default quiet time use the no do...

Page 210: ...llow these steps to change the amount of time that the switch waits for client notification To return to the default retransmission time use the no dot1x timeout tx period global configuration command This example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP request identity frame from the client before retransmitting the request Switch config dot1x t...

Page 211: ...shown in Figure 7 3 on page 7 5 In this mode only one of the attached hosts must be successfully authorized for all hosts to be granted network access If the port becomes unauthorized re authentication fails or an EAPOL logoff message is received all attached clients are denied access to the network Beginning in privileged EXEC mode follow these steps to allow multiple hosts clients on an 802 1X a...

Page 212: ...c interface use the show dot1x statistics interface interface id privileged EXEC command To display the 802 1X administrative and operational status for the switch use the show dot1x privileged EXEC command To display the 802 1X administrative and operational status for a specific interface use the show dot1x interface interface id privileged EXEC command For detailed information about the fields ...

Page 213: ...nformation for the commands used in this chapter refer to the Catalyst 3550 Multilayer Switch Command Reference for this release and the online Cisco IOS Interface Command Reference for Release 12 1 Understanding Interface Types This section describe the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these ...

Page 214: ...be either an access port or a trunk port You can configure a port as an access port or trunk port or let the Dynamic Trunking Protocol DTP operate on a per port basis to determine if a switch port should be an access port or a trunk port by negotiating with the port on the other end of the link Switch ports are used for managing the physical interface and associated Layer 2 protocols and do not ha...

Page 215: ...om the trunk port for that VLAN If VTP learns of a new enabled VLAN that is not in the allowed list for a trunk port the port does not become a member of the VLAN and no traffic for the VLAN is forwarded to or from the port Note VLAN 1 cannot be excluded from the allowed list For more information about trunk ports see Chapter 9 Creating and Maintaining VLANs EtherChannel Port Groups EtherChannel p...

Page 216: ...it an IP address For more information see the Configuring IP Addressing section on page 22 4 SVIs support routing protocol and bridging configurations For more information about configuring IP routing see Chapter 22 Configuring IP Unicast Routing Chapter 24 Configuring IP Multicast Routing and Chapter 26 Configuring Fallback Bridging Routed Ports A routed port is a physical port that acts like a p...

Page 217: ...e or interface With a standard Layer 2 switch ports in different VLANs have to exchange information through a router In the configuration shown in Figure 8 1 when Host A in VLAN 20 sends data to Host B in VLAN 30 it must go from Host A to the switch to the router back to the switch and then to Host B Figure 8 1 Connecting VLANs with Layer 2 Switches By using the Catalyst 3550 with the enhanced mul...

Page 218: ...n see Chapter 22 Configuring IP Unicast Routing Chapter 24 Configuring IP Multicast Routing and Chapter 25 Configuring MSDP Fallback bridging forwards traffic that the switch with the enhanced multilayer software image does not route or traffic belonging to a nonroutable protocol such as DECnet Fallback bridging connects multiple VLANs into one bridge domain by bridging between two or more SVIs or...

Page 219: ...pply to all interface configuration processes Step 1 Enter the configure terminal command at the privileged EXEC prompt Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config Step 2 Enter the interface global configuration command Identify the interface type and the number of the connector In this example Gigabit Ethernet interface 0 1 is selected Switch ...

Page 220: ...001 bia 0000 00 MTU 1500 bytes BW 100000 Kbit DLY 100 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 sec Auto duplex Auto speed input flow control is off output flow control is off ARP type ARPA ARP Timeout 04 00 00 Last input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output qu...

Page 221: ...note these guidelines Valid entries for port range vlan vlan ID vlan ID fastethernet slot first port last port where slot is 0 gigabitethernet slot first port last port where slot is 0 port channel port channel number port channel number where port channel number is from 1 to 64 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface range port range macro macro_...

Page 222: ...otocol on Interface GigabitEthernet0 05 changed state to up Oct 6 08 24 36 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet0 3 changed state to up Oct 6 08 24 36 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet0 4 changed state to up This example shows how to use a comma to add different interface type strings to the range to enable all Gigabit Ethernet interfaces in the ...

Page 223: ...a valid range The VLAN interfaces SVIs must have been configured with the interface vlan command The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces in a range must be the same type that is all Fast Ethernet ports all Gigabit Ethernet ports all Ethe...

Page 224: ...itch config if range This example shows how to delete the interface range macro enet_list and to verify that it has been deleted Switch configure terminal Switch config no define interface range enet_list Switch show run include define Switch Configuring Layer 2 Interfaces These sections describe the default interface configuration and the optional features that you can configure on most physical ...

Page 225: ...nstalled You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI Allowed VLAN range VLANs 1 1005 Default VLAN for access ports VLAN 1 Native VLAN for 802 1Q trunks VLAN 1 VLAN trunking Switchport mode dynamic desirable supports DTP Port enable state All ports are enabled Port description None defined Speed Autonegotia...

Page 226: ...d re enable the interface during the reconfiguration Setting the Interface Speed and Duplex Parameters You can configure interface speed on Fast Ethernet 10 100 Mbps and Gigabit Ethernet 10 100 1000 Mbps interfaces you cannot configure speed on Gigabit Interface Converter GBIC interfaces You can configure duplex mode on any Fast Ethernet or Gigabit Ethernet interfaces that are not set to autonegot...

Page 227: ...out 04 00 00 Last input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 40 0 drops input queue 0 75 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0...

Page 228: ...r Gigabit Ethernet ports is receive off and send desired The default state for Fast Ethernet ports is receive off and send off Note On Catalyst 3550 switches Gigabit Ethernet ports are capable of receiving and sending pause frames Fast Ethernet ports can only receive pause frames Therefore for Fast Ethernet ports only the conditions described with send off are applicable These rules apply to flow ...

Page 229: ...ted Adding a Description for an Interface You can add a description about an interface to help you remember its function The description appears in the output of these commands show configuration show running config and show interfaces Beginning in privileged EXEC mode follow these steps to add a description for an interface Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 230: ...ileged EXEC prompt display information about the interface including the version of the software and the hardware the controller status and statistics about the interfaces Table 8 2 lists some of these interface monitoring commands You can display the full list of show commands by using the show command at the privileged EXEC prompt These commands are fully described in the Cisco IOS Interface Com...

Page 231: ... frame 0 overrun 0 ignored 0 input packets with dribble condition detected 60387 packets output 5984015 bytes 0 underruns 0 output errors 0 collisions 16 interface resets 0 babbles 0 late collision 0 deferred 0 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out This example shows how to display the status of all interfaces Switch show interfaces status Port Name Status...

Page 232: ...n negotiate Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Protected True Unknown unicast blocked disabled Unknown multicast blocked disabled output truncated Clearing and Resetting Interfaces and Counters Table 8 3 lists the privileged EXEC mode clear commands that you can use to clear counters and ...

Page 233: ... the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the inter...

Page 234: ...ating and Maintaining VLANs Layer 3 EtherChannel ports EtherChannel interfaces made up of routed ports EtherChannel port interfaces are described in Chapter 21 Configuring EtherChannel Routed ports Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command Note A Layer 3 switch can have an IP address assigned to each routed port and ...

Page 235: ...ARP Timeout 04 00 00 Last input 00 00 02 output 00 00 08 output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 40 0 drops input queue 0 75 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 89604 packets input 8480109 bytes 0 no buffer Received 81848 broadcasts 0 runts 0 giants 0 throttles 0 input erro...

Page 236: ...es are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP CEF Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route cache flags are Fast CEF Router Discovery is disabled IP output packet accounting is disabled IP access viol...

Page 237: ...ithout regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded only to end stations in the VLAN Each VLAN is considered a logical network and packets destined f...

Page 238: ... using switch virtual interfaces SVIs An SVI must be explicitly configured and assigned an IP address to route traffic between VLANs For more information see the Switch Virtual Interfaces section on page 8 4 and the Configuring Layer 3 Interfaces section on page 8 22 Number of Supported VLANs The Catalyst 3550 switch supports 1005 VLANs in VTP client server and transparent modes VLANs are identifi...

Page 239: ...her switches in the network Without VTP you cannot send information about VLANs to other switches Table 9 1 Port Membership Modes Membership Mode VLAN Membership Characteristics Static access A static access port can belong to one VLAN and is manually assigned by using the switchport mode access interface configuration command For more information see the Assigning Static Access Ports to a VLAN se...

Page 240: ...nter Switch Link ISL and IEEE 802 1Q VTP maps VLANs dynamically across multiple LAN types with unique names and internal index associates Mapping eliminates excessive device administration required from network administrators If you configure a switch for VTP transparent mode you can create and modify VLANs but the changes are not sent to other switches in the domain and they affect only the indiv...

Page 241: ...unk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch Otherwise the switch cannot receive any VTP advertisements For more information on trunk ports see the Understanding VLAN Trunks section on page 9 22 VTP advertisements distribute this global domain information VTP domain name VTP configuration revision number Update identity and update ...

Page 242: ...e performed only when you enter new information through the CLI the Cluster Management Software CMS or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the MD5 digest on a received VTP message is correct its information is accepted VTP Pruning VTP pruning increases network available bandwidth by restricting floo...

Page 243: ...g VTP Pruning section on page 9 13 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 is always pruning ineligible traffic from VLAN 1 cannot be pruned VTP pruning is not designed to function in VTP transparent mode If one or more switches in the network are in VTP transparent mode you should do one of these...

Page 244: ...e 9 10 Configuring a VTP Client page 9 11 Disabling VTP VTP Transparent Mode page 9 11 Enabling VTP Version 2 page 9 12 Enabling VTP Pruning page 9 13 Monitoring VTP page 9 13 Default VTP Configuration Table 9 3 shows the default VTP configuration VTP Configuration Guidelines These sections describe guidelines you should follow when implementing VTP in your network Domain Names When configuring VT...

Page 245: ...rsion 1 if version 2 is disabled on the version 2 capable switch version 2 is disabled by default Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable When you enable version 2 on a switch all of the version 2 capable switches in the domain enable version 2 If there is a version 1 only switch it does not exchange VTP information with switc...

Page 246: ...g_group VTP Pruning Mode Disabled VTP V2 Mode Disabled VTP Traps Generation Disabled MD5 digest 0x31 0xB3 0xCD 0xEF 0x34 0xD2 0x44 0xAD Configuration last modified by 172 20 135 204 at 3 1 93 00 05 51 Local updater ID is 172 20 135 202 on interface Vl1 lowest numbered VLAN interface found Command Purpose Step 1 vlan database Enter VLAN configuration mode Step 2 vtp server Configure the switch for ...

Page 247: ...s on all of its trunk links Beginning in privileged EXEC mode follow these steps to configure the switch for VTP transparent mode Command Purpose Step 1 vlan database Enter VLAN configuration mode Step 2 vtp client Configure the switch for VTP client mode The default setting is VTP server Step 3 vtp domain domain name Configure a VTP administrative domain name The name can be from 1 to 32 characte...

Page 248: ...switching to function properly For Token Ring and Token Ring Net media VTP version 2 must be disabled For more information on VTP version configuration guidelines see the VTP Version section on page 9 9 Beginning in privileged EXEC mode follow these steps to enable VTP version 2 To disable VTP version 2 use the no vtp v2 mode VLAN configuration command Step 3 exit Update the VLAN database propagat...

Page 249: ...n page 9 28 To disable VTP pruning use the no vtp pruning VLAN configuration command Monitoring VTP You monitor VTP by displaying VTP configuration information the domain name the current VTP revision and the number of VLANs You can also display statistics about the advertisements sent and received by the switch Beginning in privileged EXEC mode follow these steps to monitor VTP activity Command P...

Page 250: ...xA4 0x74 0xD5 0x42 0x29 Configuration last modified by 0 0 0 0 at 3 1 93 00 18 42 Local updater ID is 10 1 1 59 on interface Vl1 lowest numbered VLAN interface found This is an example of output from the show vtp counters privileged EXEC command Switch show vtp counters VTP statistics Summary advertisements received 0 Subset advertisements received 0 Request advertisements received 0 Summary adver...

Page 251: ...om one VLAN type to another The Default VLAN Configuration section on page 9 15 lists the default values and possible ranges for each VLAN media type Token Ring VLANs Although the Catalyst 3550 switches do not support Token Ring connections a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches Switches running VTP vers...

Page 252: ...TP domain creates a VLAN on that switch that is not running spanning tree If you have the default allowed list on the trunk ports of that switch which is to allow all VLANs the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that would not be broken particularly if there are several adjacent switches that all have run out of ...

Page 253: ...the file by entering the show running config privileged EXEC command Note VLANs can be configured to support a number of parameters that are not discussed in detail in this section For complete information on the commands and parameters that control VLAN configuration refer to the Catalyst 3550 Multilayer Switch Command Reference for this release Adding an Ethernet VLAN Each Ethernet VLAN has a un...

Page 254: ... to verify a VLAN configuration Switch show vlan id 20 VLAN Name Status Ports show vlan 20 VLAN0020 active VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 20 enet 100020 1500 0 0 Deleting a VLAN from the Database When you delete a VLAN from a switch that is in VTP server mode the VLAN is removed from all switches in the VTP domain When you delete a VLAN from a switch that is i...

Page 255: ...s to a VLAN You can assign a static access port to a VLAN without having VTP globally propagate VLAN configuration information VTP is disabled Note If you assign an interface to a VLAN that does not exist the new VLAN is created See the Adding an Ethernet VLAN section on page 9 17 Beginning in privileged EXEC mode follow these steps to assign a port to a VLAN in the VTP database Command Purpose St...

Page 256: ...e GigabitEthernet0 1 no ip address snmp trap link status end Switch show interfaces gigabitethernet0 1 switchport Name Gi0 1 Switchport Enabled Administrative Mode dynamic desirable Operational Mode static access Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunkin...

Page 257: ...ns2 1 enet 100001 1500 1002 1003 20 enet 100020 1500 0 0 21 enet 100021 1500 0 0 VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 22 enet 100022 1500 0 0 27 enet 100027 1500 0 0 31 enet 100031 1500 0 0 1002 fddi 101002 1500 1 1003 1003 trcrf 101003 4472 1005 3276 srb 1 1002 1004 fdnet 101004 1500 1 ibm 0 0 1005 trbrf 101005 4472 15 ibm 0 0 VLAN AREHops STEHops Backup CRF 1003 7...

Page 258: ...SL ISL is Cisco proprietary trunking encapsulation 802 1Q 802 1Q is industry standard trunking encapsulation Figure 9 4 shows a network of switches that are connected by ISL trunks Figure 9 4 Switches in an ISL Trunking Environment You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about EtherChannel see Chapter 21 Configuring EtherChannel Et...

Page 259: ...ecomes a nontrunk interface even if the neighboring interface is not a trunk interface switchport mode dynamic desirable Makes the interface actively attempt to convert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode The default switch port mode for all Ethernet interfaces is dynamic desirable switchport mode dyna...

Page 260: ... switches is treated as a single trunk link between the switches Make sure the native VLAN for an 802 1Q trunk is the same on both ends of the trunk link If the native VLAN on one end of the trunk is different from the native VLAN on the other end spanning tree loops might result Disabling STP on the native VLAN of an 802 1Q trunk without disabling STP on every VLAN in the network can potentially ...

Page 261: ...ate the encapsulation type the trunk uses ISL encapsulation Configuring a Trunk Port Beginning in privileged EXEC mode follow these steps to configure a port as an ISL or 802 1Q trunk port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the interface configuration mode and the port to be configured for trunking Step 3 switchport trunk e...

Page 262: ...se examples show how to verify the configuration Switch show running config interface gigabitethernet0 4 Building configuration Current configuration 112 bytes interface GigabitEthernet0 4 switchport trunk encapsulation dot1q no ip address snmp trap link status end Switch show interfaces gigabitethernet0 4 switchport Name Gi0 4 Switchport Enabled Administrative Mode dynamic desirable Operational M...

Page 263: ...d list for a trunk port the trunk port automatically becomes a member of the enabled VLAN When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port the trunk port does not become a member of the new VLAN Beginning in privileged EXEC mode follow these steps to modify the allowed list of an ISL or 802 1Q trunk Command Purpose Step 1 configure terminal Enter global configur...

Page 264: ...ppression Level 100 Changing the Pruning Eligible List The pruning eligible list applies only to trunk ports Each trunk port has its own eligibility list VTP pruning must be enabled for this procedure to take effect The Enabling VTP Pruning section on page 9 13 describes how to enable VTP pruning Beginning in privileged EXEC mode follow these steps to remove VLANs from the pruning eligible list on...

Page 265: ...oid loops STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to which VLAN the traffic belongs You configure load sharing on trunk ports by using STP port priorities or STP path costs For load sharing using STP port priorities both load sharing links must be connected to the same switch For load sharing using STP pat...

Page 266: ... Trunk 2 VLANs 8 through 10 retain the default port priority of 128 on Trunk 2 In this way Trunk 1 carries traffic for VLANs 8 through 10 and Trunk 2 carries traffic for VLANs 3 through 6 If the active trunk fails the trunk with the lower priority takes over and carries the traffic for all of the VLANs No duplication of traffic occurs over any trunk port Figure 9 5 Load Sharing by Using STP Port P...

Page 267: ...he VTP and VLAN information to Switch 2 Verify that Switch 2 has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch 1 Step 17 interface gigabitethernet0 1 Enter interface configuration mode and define the interface to set the STP port priority Step 18 spanning tree vlan 8 port priority 10 Assign the port priority of 10 for VLAN 8 Step 19 spanning tr...

Page 268: ...on Trunk port 2 of 19 Figure 9 6 Load Sharing Trunks with Traffic Distributed by Path Cost Configuring STP Path Costs and Load Sharing Beginning in privileged EXEC mode follow these steps to configure the network shown in Figure 9 6 16591 Switch 1 Switch 2 Trunk port 1 VLANs 2 4 path cost 30 VLANs 8 10 path cost 19 Trunk port 2 VLANs 8 10 path cost 30 VLANs 2 4 path cost 19 Command Purpose Step 1 ...

Page 269: ...and active hosts exist on the port the VMPS sends an access denied or a port shutdown response depending on the secure mode of the VMPS Step 8 show running config Verify your entries In the display make sure that interfaces Fast Ethernet 0 1 and Fast Ethernet 0 2 are configured as trunk ports Step 9 show vlan When the trunk links come up Switch 1 receives the VTP information from the other switche...

Page 270: ...t with the assigned VLAN number for the client If there is no match the VMPS either denies the request or shuts down the port depending on the VMPS secure mode setting Multiple hosts MAC addresses can be active on a dynamic port if they are all in the same VLAN however the VMPS shuts down a dynamic port if more than 20 hosts are active on the port If the link goes down on a dynamic port the port r...

Page 271: ... name The VMPS domain must be defined vmps mode open secure The default mode is open vmps fallback vlan name vmps no domain req allow deny The default value is allow vmps domain DSBU vmps mode open vmps fallback default vmps no domain req deny MAC Addresses vmps mac addrs address addr vlan name vlan_name address 0012 2233 4455 vlan name hardware address 0000 6509 a080 vlan name hardware address aa...

Page 272: ...ventions see the VMPS Database Configuration File section on page 9 34 When you configure a port as dynamic the spanning tree Port Fast feature is automatically enabled for that port The Port Fast mode accelerates the process of bringing the port into the forwarding state You can disable Port Fast mode on a dynamic port If you try to enable 802 1X on a dynamic access VQP port an error message appe...

Page 273: ...n the command switch Beginning in privileged EXEC mode follow these steps to enter the IP address of the VMPS Table 9 9 Default VMPS Client and Dynamic Port Configuration Feature Default Setting VMPS domain server None VMPS reconfirm interval 60 minutes VMPS server retry count 3 Dynamic ports None configured Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps serv...

Page 274: ...ileged EXEC mode follow these steps to configure a dynamic access port on a VMPS client switch To return an interface to its default configuration use the default interface interface id interface configuration command To return an interface to its default switchport mode dynamic desirable use the no switchport mode interface configuration command To reset the access mode to the default VLAN for th...

Page 275: ...tch attempts to contact the VMPS before querying the next server To return the switch to its default setting use the no vmps retry global configuration command Command Purpose Step 1 vmps reconfirm Reconfirm dynamic port VLAN membership Step 2 show vmps Verify the dynamic VLAN reconfirmation status Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vmps reconfirm minu...

Page 276: ... switches The Catalyst 6000 series Switch 1 is the primary VMPS server The Catalyst 6000 series Switch 3 and Switch 10 are secondary VMPS servers End stations are connected to the Catalyst 3550 clients Switch 2 and Switch 9 The database configuration file is stored on the TFTP server with the IP address 172 20 22 7 VMPS VQP Version The version of VQP used to communicate with the VMPS The switch qu...

Page 277: ...172 20 26 150 172 20 26 151 Catalyst 6000 series 172 20 26 152 Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 client client Catalyst 3550 switch Catalyst 3550 switch End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch 10 Switch 9 Switch 8 Switch 7 Switch 6 Switch 5 Switch 3 Switch 2 Sw...

Page 278: ...9 42 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 9 Creating and Maintaining VLANs Understanding VMPS ...

Page 279: ...age 10 21 Configuring Advanced STP Features page 10 32 Understanding Basic STP Features This section describes how basic STP features work It includes this information Supported STP Instances page 10 2 STP Overview page 10 2 Bridge ID Switch Priority and Extended System ID page 10 3 Election of the Root Switch page 10 3 Bridge Protocol Data Units page 10 4 STP Timers page 10 5 Creating the STP Top...

Page 280: ...ng another VLAN anywhere in the VTP domain creates a VLAN that is not running STP on that switch If you have the default allowed list on the trunk ports of that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that will not be broken particularly if there are several adjacent switches that have all run out of spanni...

Page 281: ...n Release 12 1 8 EA1 and later Catalyst 3550 switches support the 802 1T spanning tree extensions and some of the bits previously used for the switch priority are now used as the VLAN identifier The result is that fewer MAC addresses are reserved for the switch and a larger range of VLAN IDs can be supported all while maintaining the uniqueness of the bridge ID As shown in Table 10 1 the two bytes...

Page 282: ...d network is determined by these elements The unique bridge ID switch priority and MAC address associated with each VLAN on each switch The STP path cost to the root switch The port identifier port priority and MAC address associated with each Layer 2 interface The BPDUs are sent in one direction from the root switch and each switch sends configuration BPDUs to communicate and to compute the STP t...

Page 283: ...stations in a switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the current root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might ...

Page 284: ... the blocking state when STP determines that the Layer 2 interface should participate in frame forwarding Learning The Layer 2 interface prepares to participate in frame forwarding Forwarding The Layer 2 interface forwards frames Disabled The Layer 2 interface is not participating in STP because of a shutdown port no link on the port or no spanning tree instance running on the port A Layer 2 inter...

Page 285: ...es BPDUs with other switches This exchange establishes which switch in the network is the root or root switch If there is only one switch in the network no exchange occurs the forward delay timer expires and the interfaces move to the listening state An interface always enters the blocking state after switch initialization A Layer 2 interface in the blocking state performs as follows Discards fram...

Page 286: ...ging from 0x00180C2000000 to 0x0180C2000010 to be used by different bridge protocols These addresses are static addresses that cannot be removed Regardless of the STP state the switch receives but does not forward packets destined for addresses between 0x0180c2000000 and 0x1080C200000F If STP is enabled the switch CPU receives packets destined for 0x0180C2000000 and 0x0180C2000010 If STP is disabl...

Page 287: ...nning trees to prevent loops from forming if there are multiple connections among VLANs It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree To support VLAN bridge STP some of the spanning tree timers are increased For more information see Chapter 26 Configuring Fallback Bridging STP and Redundant Connectivity You can create a redu...

Page 288: ...k It includes this information Understanding Port Fast page 10 10 Understanding BPDU Guard page 10 11 Understanding UplinkFast page 10 12 Understanding Cross Stack UplinkFast page 10 13 Understanding BackboneFast page 10 18 Understanding Root Guard page 10 20 Understanding EtherChannel Guard page 10 20 For configuration information see the Configuring Advanced STP Features section on page 10 32 Un...

Page 289: ...rt Fast enabled interface means an invalid configuration such as the connection of an unauthorized device and the BPDU guard feature places the interface into the ErrDisable state The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service For more information see the Configuring BPDU Guard section on page 10 33 Note When ...

Page 290: ...e rate parameter the default for this parameter is 150 packets per second However if you enter zero station learning frames are not generated so the STP topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types o...

Page 291: ... transition fast convergence in less than 1 second under normal network conditions across a stack of switches that use the GigaStack GBICs connected in a shared cascaded configuration multidrop backbone During the fast transition an alternate redundant link on the stack of switches is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbo...

Page 292: ...nate redundant links that are in the STP blocking state If Switch A fails if its stack root port fails or if Link A fails CSUF selects either the Switch B or Switch C alternate stack root port and puts it into the forwarding state in less than 1 second Figure 10 8 Cross Stack UplinkFast Topology CSUF implements the Stack Membership Discovery Protocol and the Fast Uplink Transition Protocol Using t...

Page 293: ...normal rate 2 forward delay time max age time The Fast Uplink Transition Protocol is implemented on a per VLAN basis and affects only one spanning tree instance at a time Events that Cause Fast Convergence Depending on the network event or failure the CSUF fast convergence might or might not occur Fast convergence less than 1 second under normal network conditions occurs under these circumstances ...

Page 294: ... 3550 Catalyst 3500 XL and Catalyst 2900 XL switches up to 64 VLANs with STP enabled are supported If the stack consists of Catalyst 3550 switches up to 128 VLANs with STP enabled are supported Connecting the Stack Ports A fast transition occurs across the stack of switches if the multidrop backbone connections are a continuous link from one GigaStack GBIC to another as shown in the top half of Fi...

Page 295: ...L DUPLX Catalyst 3500 XL 7 8 3 5 6 4 2 1 SPEED SYSTEM RPS STATUS MODE UTIL DUPLX 2 Catalyst 3500 XL 1 MODE 1x 2x 3x 4x 5x 6x 7x 8x 9x 10x 11x 12x 13x 14x 15x 16x 17x 18x 19x 20x 21x 22x 23x 24x Catalyst 2900 2 1 2 1 2 Catalyst 3508G XL Catalyst 2924M XL Catalyst 3512 XL MODE 1x 2x 3x 4x 5x 6x 7x 8x 9x 10x 11x 12x 13x 14x 15x 16x 17x 18x 19x 20x 21x 22x 23x 24x Catalyst 2900 1 2 SPEED SYSTEM RPS ST...

Page 296: ...alternate paths to the root switch If the switch determines that it still has an alternate path to the root it causes the maximum aging time on the ports on which it received the inferior BPDU to expire If all the alternate paths to the root switch indicate that the switch has lost connectivity to the root switch the switch causes the maximum aging times on the ports on which it received an inferi...

Page 297: ... 10 12 BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated bridge Switch B The new switch begins sending inferior BPDUs that say it is the root switch However the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated bridge to Switch A the root switch For more information see the Configuring BackboneFas...

Page 298: ...ot switch The customer s switch does not become the root switch and is not in the path to the root For more information see the Configuring Root Guard section on page 10 36 Caution Misuse of the root guard feature can cause a loss of connectivity Figure 10 13 STP in a Service Provider Network Understanding EtherChannel Guard EtherChannel guard detects a misconfigured EtherChannel when Catalyst 355...

Page 299: ...TP Status page 10 31 For advanced configuration information see the Configuring Advanced STP Features section on page 10 32 Default STP Configuration Table 10 3 shows the default STP configuration Table 10 3 Default STP Configuration Feature Default Setting Enable state Enabled on VLAN 1 Up to 128 spanning tree instances can be enabled Switch priority 32768 Spanning tree port priority configurable...

Page 300: ...ctive VLAN configured on it A bridge ID consisting of the switch priority and the switch MAC address is associated with each instance For each VLAN the switch with the lowest bridge ID becomes the root switch for that VLAN Forward delay time 15 seconds Maximum aging time 20 seconds Port Fast Disabled on all interfaces BPDU guard Disabled on the switch UplinkFast Disabled on the switch BackboneFast...

Page 301: ...th and without the extended system ID support For Catalyst 3550 switch with the extended system ID Release 12 1 8 EA1 and later if all network devices in VLAN 20 have the default priority of 32768 entering the spanning tree vlan 20 root primary command on the switch sets the switch priority to 24576 which causes this switch to become the switch bridge for VLAN 20 For Catalyst 3550 switches without...

Page 302: ... system ID support software before Release 12 1 8 EA1 the switch priority is changed to 16384 You can execute this command on more than one switch to configure multiple backup root switches Use the same network diameter and hello time values as you used when configuring the primary root switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan ...

Page 303: ...econds Configure a switch as the secondary root switch For vlan id the range is 1 to 1005 Do not enter leading zeros Optional For diameter net diameter specify the maximum number of switches between any two end stations The range is 2 to 7 Optional For hello time seconds specify the interval in seconds between the generation of configuration messages by the root switch The range is 1 to 10 seconds...

Page 304: ... EXEC command to confirm the configuration To return the interface to its default setting use the no spanning tree vlan vlan id port priority interface configuration command For information on how to configure load sharing on trunk ports by using STP port priorities see the Load Sharing Using STP section on page 9 29 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ...

Page 305: ...command For information on how to configure load sharing on trunk ports using STP path costs see the Load Sharing Using STP section on page 9 29 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify an interface to configure Valid interfaces include physical interfaces and port channel logical interfac...

Page 306: ...witch to its default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id the range is 1 to 1005 Do not enter leading zeros For priority the range is 0 to 61440 in increments of 4096 the defa...

Page 307: ... tree vlan vlan id hello time seconds Configure the hello time of a VLAN The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For vlan id the range is 1 to 1005 Do not enter leading zeros For seconds the range is 1 to 10 seconds the default is 2 seconds Step 3 end Return to privileged EXEC mode Step 4 show s...

Page 308: ... shows switches in three cascaded stacks that use the GigaStack GBIC Table 10 4 shows the default STP settings and those that are acceptable for these configurations Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id max age seconds Configure the maximum aging time of a VLAN The maximum aging time is the number of seconds a switch waits with...

Page 309: ...0 series or 6000 series backbone Option 1 standalone cascaded stack Option 2 cascaded stack connected to a Layer 2 backbone Option 3 cascaded stack connected to a Layer 3 backbone Catalyst 5000 series switch Catalyst 6000 switch Layer 3 backbone Cisco 7000 router Catalyst 3550 switches Cisco 7000 router Table 10 5 Commands for Displaying STP Status Command Purpose show spanning tree active Display...

Page 310: ...e connected to a switch or hub could prevent STP from detecting and disabling loops in your network which could cause broadcast storms and address learning problems Beginning in privileged EXEC mode follow these steps to enable Port Fast on a Layer 2 access port To disable the Port Fast feature use the no spanning tree portfast interface configuration command Command Purpose Step 1 configure termi...

Page 311: ...abled interfaces do not receive BPDUs Receiving a BPDU on a Port Fast enabled interface means an invalid configuration such as the connection of an unauthorized device If a BPDU is received on Port Fast enabled interface the BPDU guard feature places the interface into the ErrDisable state The BPDU guard feature provides a secure response to invalid configurations because you must manually put the...

Page 312: ... UplinkFast is enabled the switch priority of all VLANs is set to 49152 and the path cost of all interfaces and VLAN trunks is increased by 3000 if you did not modify the path cost from its default setting This change reduces the chance that the switch will become the root port When UplinkFast is disabled the switch priorities of all VLANs and path costs of all interfaces are set to default values...

Page 313: ...h Optional For max update rate pkts per second specify the number of packets per second at which update packets are sent The range is 0 to 65535 the default is 150 packets per second Step 1 interface interface id Enter interface configuration mode and specify the GBIC interface on which to enable CSUF Step 2 spanning tree stack port Enable CSUF on only one stack port GBIC interface The stack port ...

Page 314: ...plinkFast feature are placed in the root inconsistent state blocked and are prevented from reaching the forwarding state Beginning in privileged EXEC mode follow these steps to enable root guard on an interface To disable the root guard feature use the no spanning tree guard or the spanning tree guard none interface configuration command Command Purpose Step 1 configure terminal Enter global confi...

Page 315: ... the misconfiguration and in the err disabled state enter the show interfaces status err disabled privileged EXEC command To check the EtherChannel configuration on the remote device enter the show etherchannel summary privileged EXEC command on the remote device After you correct the configuration enter the shutdown and the no shutdown interface configuration commands on the associated port chann...

Page 316: ...10 38 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 10 Configuring STP Configuring Advanced STP Features ...

Page 317: ...egistration page 11 12 Configuring MVR page 11 14 Displaying MVR Information page 11 18 Configuring IGMP Filtering page 11 20 Displaying IGMP Filtering Configuration page 11 24 Note For MAC addresses that map to IP multicast groups you can either manage them through features such as IGMP snooping and MVR or you can use static MAC addresses However you cannot use both methods simultaneously Therefo...

Page 318: ...ly configure MAC multicast groups by using the ip igmp snooping vlan static global configuration command If you specify group membership for a multicast group address statically your setting supersedes any automatic manipulation by IGMP snooping Multicast group membership lists can consist of both user defined and IGMP snooping learned settings Note If a spanning tree VLAN topology change occurs t...

Page 319: ...t group The first entry in the table tells the switching engine to send IGMP packets to only the switch CPU This prevents the CPU from becoming overloaded with multicast frames The second entry tells the switching engine to send frames addressed to the 0x0100 5E01 0203 multicast MAC address that are not IGMP packets IGMP to the router and to the host that has joined the group If another host for e...

Page 320: ...hat interface are interested in traffic for the specific multicast group The switch then updates the forwarding table for that MAC group so that only those hosts interested in receiving multicast traffic for the group are listed in the forwarding table If the router receives no reports from a VLAN it removes the group for the VLAN from its IGMP cache Immediate Leave Processing The switch uses IGMP...

Page 321: ...he Snooping Method page 11 6 Configuring a Multicast Router Port page 11 7 Configuring a Host Statically to Join a Group page 11 8 Enabling IGMP Immediate Leave Processing page 11 9 Default IGMP Snooping Configuration Table 11 3 shows the default IGMP snooping configuration Enabling or Disabling IGMP Snooping By default IGMP snooping is globally enabled on the switch When globally enabled or disab...

Page 322: ...s or to listen to CGMP self join or proxy join packets By default the switch snoops on PIM DVMRP packets on all VLANs To learn of multicast router ports through only CGMP packets use the ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command When this command is issued the router listens to only CGMP self join and CGMP proxy join packets and no other CGMP packets To learn of...

Page 323: ... connection to a multicast router use the ip igmp snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Beginning in privileged EXEC mode follow these steps to enable a static connection to a multicast router Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vl...

Page 324: ...mand This example shows how to statically configure a host on an interface and verify the configuration Switch configure terminal Switch config ip igmp snooping vlan 1 static 0100 5e00 0203 interface gigabitethernet0 11 Switch config end Switch show mac address table multicast vlan 1 Vlan Mac Address Type Ports 1 0100 5e00 0203 USER Gi0 11 Step 4 show ip igmp snooping mrouter vlan vlan id Verify t...

Page 325: ...ping vlan 130 immediate leave Switch config end Switch show ip igmp snooping vlan 130 vlan 130 IGMP snooping is globally enabled IGMP snooping is enabled on this Vlan IGMP snooping immediate leave is enabled on this Vlan IGMP snooping mrouter learn mode is pim dvmrp on this Vlan IGMP snooping is running in IGMP_ONLY mode on this Vlan Displaying IGMP Snooping Information You can display IGMP snoopi...

Page 326: ...p on this Vlan IGMP snooping is running in IGMP_ONLY mode on this Vlan Table 11 4 Commands for Displaying IGMP Snooping Information Command Purpose show ip igmp snooping vlan vlan id Display the snooping configuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to display information for a single VLAN show ip igmp snooping mrouter vlan vlan id Displa...

Page 327: ... display the Layer 2 multicast entries for VLAN 1 Switch show mac address table multicast vlan 1 vlan mac address type ports 1 0100 5e02 0203 user Gi0 1 Gi0 2 1 0100 5e00 0127 igmp Gi0 1 Gi0 2 1 0100 5e00 0128 user Gi0 1 Gi0 2 1 0100 5e00 0001 igmp Gi0 1 Gi0 2 This is an example of output from the show mac address table multicast count privileged EXEC command for the switch Switch show mac address...

Page 328: ...550 switch has these modes of MVR operation dynamic and compatible When operating in MVR dynamic mode the switch performs standard IGMP snooping IGMP information packets are sent to the switch CPU but multicast data packets are not sent to the CPU Dynamic mode allows the multicast router to run normally because the switch sends the IGMP join messages to the router and the router forwards multicast...

Page 329: ...a subscriber on a receiver port it sends out an IGMP query on that port and waits for IGMP group membership reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is...

Page 330: ... Configuration Guidelines and Limitations page 11 14 Default MVR Configuration page 11 15 Configuring MVR Global Parameters page 11 15 Configuring MVR Interfaces page 11 16 Configuration Guidelines and Limitations Follow these guidelines when configuring MVR Receiver ports cannot be trunk ports Receiver ports on a switch can be in different VLANs but should not belong to the multicast VLAN The max...

Page 331: ...tch Step 3 mvr group ip address count Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast ad...

Page 332: ...e the show mvr members privileged EXEC command to verify the MVR multicast group addresses on the switch Configuring MVR Interfaces Beginning in privileged EXEC mode follow these steps to configure MVR interfaces Step 6 mvr mode dynamic compatible Optional Specify the MVR mode of operation dynamic Allows dynamic MVR membership on source ports compatible Is compatible with Catalyst 3500 XL and Cata...

Page 333: ...a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN The default configuration is as a non MVR port If you attempt to configure a non MVR port with MVR characteristics the operation fails Step 5 mvr vlan vlan id...

Page 334: ...t Groups 256 MVR Current multicast groups 256 MVR Global query response time 5 tenths of sec MVR Mode compatible Table 11 6 Commands for Displaying MVR Information show mvr Displays MVR status and values for the switch whether MVR is enabled or disabled the multicast VLAN the maximum 256 and current 0 through 256 number of multicast groups the query response time and the MVR mode show mvr interfac...

Page 335: ... Immediate Leave DISABLED This is an example of output from the show mvr interface privileged EXEC command when the members keyword is included Switch show mvr interface gigabitethernet0 6 members 239 255 0 0 DYNAMIC ACTIVE 239 255 0 1 DYNAMIC ACTIVE 239 255 0 2 DYNAMIC ACTIVE 239 255 0 3 DYNAMIC ACTIVE 239 255 0 4 DYNAMIC ACTIVE 239 255 0 5 DYNAMIC ACTIVE 239 255 0 6 DYNAMIC ACTIVE 239 255 0 7 DY...

Page 336: ... of IP multicast traffic The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic You can also set the maximum number of IGMP groups that a Layer 2 interface can join Default IGMP Filtering Configuration Table 11 5 shows the default IGMP filtering configuration Configuring IGMP Profiles To configure an IGMP profile use the ip igmp profile globa...

Page 337: ...mp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile number Enter IGMP profile configuration mode and assign a number to the profile you are configuring The range is from 1 to 4294967295 Step 3 permit deny Optional Set the action to permit or deny access ...

Page 338: ...le 4 to an interface and verify the configuration Switch config t Switch config interface fastethernet0 12 Switch config if ip igmp filter 4 Switch config if end Switch show running config interface fastethernet0 12 Building configuration Current configuration 123 bytes interface FastEthernet0 12 no ip address shutdown snmp trap link status ip igmp max groups 25 ip igmp filter 4 end Command Purpos...

Page 339: ... can join to 25 Switch config t Switch config interface fastethernet0 12 Switch config if ip igmp max groups 25 Switch config if end Switch show running config interface fastethernet0 12 Building configuration Current configuration 123 bytes interface FastEthernet0 12 no ip address shutdown snmp trap link status ip igmp max groups 25 ip igmp filter 4 end Command Purpose Step 1 configure terminal E...

Page 340: ...4 permit range 229 9 9 0 229 255 255 255 This is an example of the output from the show running config privileged EXEC command when an interface is specified with IGMP maximum groups configured and IGMP profile 4 has been applied to the interface Switch show running config interface fastethernet0 12 Building configuration Current configuration 123 bytes interface FastEthernet0 12 no ip address shu...

Page 341: ...Default Storm Control Configuration page 12 3 Enabling Storm Control page 12 3 Disabling Storm Control page 12 4 Understanding Storm Control Storm control prevents switchports on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN creating excessive traffic and degrading network performance Errors in t...

Page 342: ...dcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5 When the amount of specified traffic exceeds the threshold all traffic of that kind is dropped for the next time period Therefore broadcast traffic is blocked during the intervals following T2 and T5 At the next time interval for example T3 if broadcast traffic does not exceed the...

Page 343: ... mode follow these steps to enable a particular type of storm control Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the type and number of the physical interface to configure for example gigabitethernet0 1 Step 3 storm control broadcast level level level Specify the broadcast traffic suppression ...

Page 344: ...t0 17 multicast Interface Filter State Level Current Fa0 17 inactive 100 00 N A Step 7 show storm control interface id broadcast multicast unicast Verify the storm control suppression levels set on the interface for the specified traffic type If you do not enter a traffic type broadcast storm control settings are displayed Step 8 copy running config startup config Optional Save your entries in the...

Page 345: ...rts are in different VLANs Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch Use the switchport block unicast and switchport block multicast interface configuration commands to guarantee that no unicast or multicast traffic is flooded to the port in su...

Page 346: ...icast or multicast packets Note Blocking unicast or multicast traffic is not automatically enabled on protected ports you must explicitly configure it Blocking Flooded Traffic on an Interface Note The interface can be a physical interface for example GigabitEthernet 0 1 or an EtherChannel group for example port channel 5 When you block multicast or unicast traffic for a port channel it is blocked ...

Page 347: ...t Name Gi0 1 Switchport Enabled output truncated Protected True Unknown unicast blocked enabled Unknown multicast blocked enabled Resuming Normal Forwarding on a Port Beginning in privileged EXEC mode follow these steps to resume normal forwarding on a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and...

Page 348: ... You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices You can configure a number of addresses and allow the rest to be dynamically configured Note If the port shuts down all dynamically learned addresses are removed Once the maximum number of secure MAC addresses is configured they are stored in an address table Setting a maximum number o...

Page 349: ...Enabling and Configuring Port Security Beginning in privileged EXEC mode follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port Table 12 1 Default IGMP Snooping Configuration Feature Default Setting Port security Disabled on a port Maximum number of secure MAC addresses 128 Violation mode Shutdown The port shuts dow...

Page 350: ...terface fastethernet0 12 Security Enabled Yes Port Status SecureUp Violation Mode Shutdown Max Addrs 5 Current Addrs 0 Configure Addrs 0 Step 6 switchport port security violation protect restrict shutdown Optional Set the violation mode the action to be taken when a security violation is detected as one of these shutdown The interface shuts down immediately and an SNMP trap notification is sent Wh...

Page 351: ...pose show interfaces interface id switchport Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadc...

Page 352: ... output from the show interfaces counters broadcast privileged EXEC command Switch show interfaces counters broadcast Port BcastSuppDiscards Gi0 1 0 Gi0 2 0 Gi0 3 0 Gi0 4 0 This is an example of output from the show switchport port security privileged EXEC command when you do not enter an interface Switch show port security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action Co...

Page 353: ...0 5 inactive 100 00 N A Fa0 6 inactive 100 00 N A Fa0 7 Forwarding 50 00 0 00 Fa0 8 inactive 100 00 N A output truncated This is an example of output from the show storm control command for a specified interface Because no traffic type keyword was entered the broadcast storm control settings are displayed Switch show storm control fastethernet0 17 Interface Filter State Level Current Fa0 17 Forwar...

Page 354: ...12 14 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 12 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 355: ...he Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different network layer protocols can learn about each other ...

Page 356: ...er holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 13 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter glob...

Page 357: ...e Creating and maintaining switch clusters is based on the regular exchange of CDP messages Disabling CDP can interrupt cluster discovery For more information see Chapter 5 Clustering Switches Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled Step 6 show cd...

Page 358: ...erminal Switch config interface gigabitethernet0 5 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the interface on which you are disabling CDP Step 3 no cdp enable Disable CDP on an interface Step 4 end Return to privileged EXEC mode Step 5 copy run...

Page 359: ...ecific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface type number Display information about interfaces where CDP is enable...

Page 360: ...3A00FF0000 VTP Management Domain Duplex full Device ID idf2 1 lab l3 cisco com Entry address es IP address 10 1 1 10 Platform cisco WS C3524 XL Capabilities Trans Bridge Switch Interface GigabitEthernet0 1 Port ID outgoing port FastEthernet0 10 Holdtime 141 sec Version Cisco Internetwork Operating System Software IOS tm C3500XL Software C3500XL C3H2S M Version 12 0 5 1 XP MAINTENANCE IN TERIM SOFT...

Page 361: ...P packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 6 is up line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 7 is up line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds GigabitEthernet0 8 is up line protocol is down Encapsulation ARPA Sending CDP packets every 60 se...

Page 362: ...13 8 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 13 Configuring CDP Monitoring and Maintaining CDP ...

Page 363: ...s including spanning tree topology loops UDLD works with the Layer 1 mechanisms to determine the physical status of a link At Layer 1 autonegotiation takes care of physical signaling and fault detection UDLD performs tasks that autonegotiation cannot perform such as detecting the identities of neighbors and shutting down misconnected interfaces When you enable both autonegotiation and UDLD Layer 1...

Page 364: ...DLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change The message is intended to keep the caches synchronized Event driven detection and echoing UDLD relies on echoing as its detection mechanism Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out of sync neighbor it restarts the dete...

Page 365: ...e 14 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per interface enable state for fiber optic media Disabled on all Ethernet fiber optic interfaces UDLD per interface enable state for twisted pair copper media Disabled on all Ethernet 10 100 and 1000BASE TX interfaces Command Purpose Step 1 configure terminal Enter global configuration mode St...

Page 366: ...o reset all interfaces shut down by UDLD You can also bring up the interface by using these commands The no shutdown interface configuration command restarts the disabled interface The no udld enable global configuration command re enables UDLD globally The udld disable interface configuration command re enables UDLD on the specified interface Command Purpose Step 1 configure terminal Enter global...

Page 367: ...ware Configuration Guide 78 11194 03 Chapter 14 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified interface or for all interfaces use the show udld interface id privileged EXEC command ...

Page 368: ...14 6 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 14 Configuring UDLD Displaying UDLD Status ...

Page 369: ...us page 15 13 Understanding SPAN You can analyze network traffic passing through ports or VLANs by using SPAN to send a copy of the traffic to another port on the switch that has been connected to a SwitchProbe device or other Remote Monitoring RMON probe SPAN mirrors received or sent or both traffic on a source port or received traffic on one or more source ports or source VLANs to a destination ...

Page 370: ...xample a 10 Mbps port monitoring a 100 Mbps port can cause congestion on the switch Destination ports do not receive or forward traffic except that required for the SPAN session SPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN configuration SPAN Session A SPAN session is an association of a destination port with source ports or source VLANs You con...

Page 371: ...g have no effect on SPAN the destination port receives a copy of the packet even if the actual incoming packet is dropped These features include IP standard and extended input access control lists ACLs IP standard and extended output ACLs for unicast VLAN maps ingress QoS policing and policy based routing Switch congestion that causes packets to be dropped also has no effect on SPAN Transmit Tx SP...

Page 372: ... trunk source port You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using trunk VLAN filtering which is the analysis of network traffic on a selected set of VLANs on source trunk ports Only switched traffic in the selected VLANs is sent to the destination port This feature affects only traffic forwarded to the destination SPAN port and does not affect the switching ...

Page 373: ...ng is enabled by default In some SPAN configurations multiple copies of the same source packet are sent to the SPAN destination port For example a bidirectional both Rx and Tx SPAN session is configured for sources a1 and a2 to a destination port d1 If a packet enters the switch through a1 and is switched to a2 both incoming and outgoing packets are sent to destination port d1 Both packets are the...

Page 374: ...s removed from the SPAN session it rejoins the EtherChannel group QoS For ingress monitoring the packets sent to the SPAN destination port might be different from the packets actually received at the SPAN source port because the packets are forwarded after ingress QoS classification and policing The packet DSCP might not be the same as the received packet For egress monitoring the packets sent out...

Page 375: ...ion port is a trunk port outgoing packets through the SPAN port carry the encapsulation headers configured by the user either Inter Switch Link ISL or IEEE 802 1Q If no encapsulation type is defined the packets are sent in native form When you specify a single source port and do not specify a traffic type Tx Rx or both both is used as the default You can configure a disabled port to be a source or...

Page 376: ...N the number of ports being monitored changes when you move a switched port in or out of the monitored VLAN Creating a SPAN Session and Specifying Ports to Monitor Beginning in privileged EXEC mode follow these steps to create a SPAN session and specify the source monitored and destination monitoring ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor ...

Page 377: ...or session 1 Switch config monitor session 1 source interface gigabitethernet0 1 Switch config monitor session 1 destination interface gigabitethernet0 10 encapsulation dot1q Switch config end Switch show monitor session 1 Session 1 Source Ports RX Only None TX Only None Both Gi0 1 Source VLANs RX Only None TX Only None Both None Destination Ports Gi0 10 Encapsulation DOT1Q Filter VLANs None Step ...

Page 378: ...Only None Both None Destination Ports Gi0 6 Encapsulation DOT1Q Filter VLANs None Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number source interface interface id both rx tx Specify the characteristics of the source port monitored port and SPAN session to remove For session specify 1 or 2 For interface id specify the source port to no...

Page 379: ...ession_number Clear any existing SPAN configuration for the session For session_number specify 1 or 2 Step 3 monitor session session_number source vlan vlan id rx Specify the SPAN session and the source VLANs monitored VLANs You can monitor only received rx traffic on VLANs For session_number specify 1 or 2 For vlan id the range is 1 to 1005 Optional Use a comma to specify a series of VLANs or use...

Page 380: ...urce traffic to specific VLANs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number Clear any existing SPAN configuration for the session Step 3 monitor session session_number interface interface id rx Specify the characteristics of the source port monitored port and SPAN session For session_number specify 1 or 2 For interface id specif...

Page 381: ...2 destination interface gigabitethernet0 8 Switch config end Switch show monitor session 2 Session 2 Source Ports RX Only Gi0 4 TX Only None Both None Source VLANs RX Only None TX Only None Both None Destination Ports Gi0 8 Encapsulation Native Filter VLANs 1 5 9 Displaying SPAN Status To display the status of the current SPAN configuration use the show monitor privileged EXEC command This is an e...

Page 382: ...15 14 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 15 Configuring SPAN Displaying SPAN Status ...

Page 383: ... Command Reference for Release 12 1 This chapter consists of these sections Understanding RMON page 16 1 Configuring RMON page 16 2 Displaying RMON Status page 16 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring specification that allows various network agents and console systems to exchange network monitoring data You can use the RMON feature with the Simpl...

Page 384: ...vents the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Determines the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this IOS release use hardware counters for RMON data processing the monitoring is more efficient and little processing power is required Config...

Page 385: ...nd events Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval delta absolute rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in sec...

Page 386: ...et and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this c...

Page 387: ...oup of statistics The range is 1 to 65535 Optional For ownername enter the name of the owner of the RMON group of statistics For bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is 50 buckets For seconds specify the number of seconds in each polling cycle Step 4 end Return to privileged EXEC mode Ste...

Page 388: ...vileged EXEC commands in Table 16 1 Step 6 show rmon statistics Display the contents of the switch statistics table Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 16 1 Commands for Displaying RMON Status Command Purpose show rmon Displays general RMON statistics show rmon alarms Displays the RMON alarm table show rmon events Dis...

Page 389: ...ess also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed with prompts or output from other commands Messages are displayed on the console after the process that generated them has finished You can se...

Page 390: ...ty severity MNEMONIC description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamps log datetime localtime msec show timezone or service timestamps log uptime global configuration command Table 17 1 describes the elements of syslog messages Table 17 1 System Log Message Elements Element Descri...

Page 391: ... 195 36 Mar 1 18 48 50 483 UTC SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Default System Message Logging Configuration Table 17 2 shows the default system message logging configuration MNEMONIC Text string that uniquely describes the message description Text string containing detailed information about the event being reported Table 17 1 System Log Message Elements continued Eleme...

Page 392: ...on see the Synchronizing Log Messages section on page 17 6 To re enable message logging after it has been disabled use the logging on global configuration command Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify th...

Page 393: ...rver configuration steps see the Configuring UNIX Syslog Servers section on page 17 10 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in Flash memory For filename enter the log message filename Optional For max file size specify the maximum logging file size The range is 4096 to 2147483647 The default is 4069 bytes Optional Fo...

Page 394: ...p 1 configure terminal Enter global configuration mode Step 2 line console vty line number ending line number Specify the line to be configured for synchronous logging of messages Use the console keyword for configurations that occur through the switch console port Use the line vty line number command to specify which vty lines are to have synchronous logging enabled You use a vty connection for c...

Page 395: ... 36 This example shows part of a logging display with the service timestamps log uptime global configuration command enabled 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to up Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter gl...

Page 396: ...3 Beginning in privileged EXEC mode follow these steps to define the message severity level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service sequence numbers Enable sequence numbers Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration...

Page 397: ...recover from these malfunctions refer to the Catalyst 3550 Multilayer Switch System Message Guide Output from the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not a...

Page 398: ...o allow the new message entry to be stored To return the logging of syslog messages to the default level use the no logging history global configuration command To return the number of messages in the history table to the default value use the no logging history size global configuration command Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daem...

Page 399: ...is level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes by entering this command kill HUP cat etc syslog pi...

Page 400: ...d EXEC command For information about the fields in this display refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12 1 Step 4 logging facility facility type Configure the syslog facility See Table 17 4 on page 17 12 for facility type keywords The default is local7 Step 5 end Return to privileged EXEC mode Step 6 show running config Verify your entries Step 7 copy runn...

Page 401: ...t and management information base MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device param...

Page 402: ...ved error handling includes expanded error codes that distinguish different kinds of error conditions these conditions are reported through a single error code in SNMPv1 Error return codes now report the error type You must configure the SNMP agent to use the version of SNMP supported by the management station An agent can communicate with multiple managers for this reason you can configure the so...

Page 403: ...ite access to authorized management stations to all objects in the MIB but does not allow access to the community strings Read write all Gives read and write access to authorized management stations to all objects in the MIB including the community strings Note When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Cluster M...

Page 404: ...gs page 18 5 Configuring Trap Managers and Enabling Traps page 18 7 Setting the Agent Contact and Location Information page 18 9 Limiting TFTP Servers Used Through SNMP page 18 9 SNMP Examples page 18 10 Default SNMP Configuration Table 18 2 shows the default SNMP configuration Get request Get next request Get bulk Set request Network device Get response traps 43581 SNMP Manager NMS MIB SNMP Agent...

Page 405: ...s accessible to the community Beginning in privileged EXEC mode follow these steps to configure a community string on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no snmp server Disable the SNMP agent operation Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Sa...

Page 406: ...If you specified an IP standard access list number in Step 2 then create the list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the IP address of the SNMP managers that are permitted ...

Page 407: ...installed You can order the Enhanced Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI Some notification types cannot be controlled with the snmp server enable global configuration command for example tty and udp port These notification types are always enabled You can use the snmp server host global configuration command to a specific ho...

Page 408: ...informs to send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs Note Though visible in the command line help string the version 3 keyword SNMPv3 is not supported For community string specify the string to send with the notification operation Though you can set this string using the snmp server host command we recommend that you defin...

Page 409: ...p 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an...

Page 410: ...by SNMPv2C to the host cisco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps ...

Page 411: ...ies ACEs allowed on the switch you can use the sdm prefer access global configuration command to set the Switch Database Management feature to the access template For more information on the SDM templates see the Optimizing System Resources for User Selected Features section on page 6 57 Understanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or...

Page 412: ...The meaning of permit or deny depends on the context in which the ACL is used The switch supports two types of ACLs IP ACLs filter IP traffic including TCP User Datagram Protocol UDP Internet Group Management Protocol IGMP and Internet Control Message Protocol ICMP Ethernet ACLs filter non IP traffic Supported ACLs The switch supports two applications of ACLs to filter traffic Router ACLs access c...

Page 413: ...e access lists to allow one host to access a part of a network but prevent another host from accessing the same part In Figure 19 1 ACLs applied at the router input allow Host A to access the Human Resources network but prevent Host B from accessing the same network Figure 19 1 Using ACLs to Control Traffic to a Network VLAN Maps VLAN maps can access control all traffic You can apply VLAN maps on ...

Page 414: ... match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information Consider access list 102 configured with these commands applied to three fragmented packets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Switch config access list 102 deny tcp an...

Page 415: ...tion Guide for IOS Release 12 1 For detailed information about the commands refer to Cisco IOS IP and IP Routing Command Reference for IOS Release 12 1 For a list of IOS features not supported on the Catalyst 3550 switch see the Unsupported Features section on page 19 6 Caution By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an acc...

Page 416: ...hables is disabled The flows matching a permit statement are switched in hardware Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU only for logging If the ACE is a permit statement the packet is still switched and routed in hardware Unsupported Features The Catalyst 3550 switch does not support these IOS router ACL related features Non IP protocol ...

Page 417: ... 19 9 Creating Named Standard and Extended ACLs page 19 14 Applying Time Ranges to ACLs page 19 15 Including Comments About Entries in ACLs page 19 18 Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating Table 19 1 lists the access list number and corresponding access list type and shows whether or not they are supported in the switch The Ca...

Page 418: ...pported Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IP access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether to deny or permit access if conditions are matched The so...

Page 419: ...ges logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing rate and not all packets will be logged The first packet that triggers the ACL...

Page 420: ...s not support filtering based on the type of service ToS minimize monetary cost bit When you are creating ACEs in numbered extended access lists remember that after you create the ACL any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Table 19 2 Filtering Parameter ACEs Supported by Different IP Protocols Filtering Par...

Page 421: ... parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can ...

Page 422: ...ission Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a p...

Page 423: ...nation wildcard icmp type icmp type icmp code icmp message precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type an...

Page 424: ...on interfaces can use a name VLAN maps also accept a name A standard ACL and an extended ACL cannot have the same name Numbered ACLs are also available as described in the Creating Standard and Extended IP ACLs section on page 19 6 You can apply standard and extended ACLs named or numbered to VLAN maps Beginning in privileged EXEC mode follow these steps to create a standard ACL using names To rem...

Page 425: ...19 18 Applying Time Ranges to ACLs You can implement extended ACLs based on the time of day and week by using the time range global configuration command First define the name and times of the day and week of the time range and then reference the time range by name in an ACL to apply restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL ...

Page 426: ...se the no time range time range name global configuration command Repeat the steps if you have multiple items that you want in effect at different times This example shows how to configure time ranges for workhours and for company holidays and how to verify your configuration Switch config time range workhours Switch config time range periodic weekdays 8 00 to 12 00 Switch config time range period...

Page 427: ... permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2000 Switch config access list 188 deny tcp any any time range thanskgiving_2000 Switch config access list 188 deny tcp any any time range christmas_2000 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access ...

Page 428: ...through Switch config access list 1 permit 171 69 2 88 Switch config access list 1 remark Do not allow Smith workstation through Switch config access list 1 deny 171 69 3 13 For an entry in a named IP ACL use the remark access list configuration command To remove the remark use the no form of this command In this example the Jones subnet is not allowed to use outbound Telnet Switch config ip acces...

Page 429: ...mode console Enter to specify the console terminal line The console port is DCE vty Enter to specify a virtual terminal for remote console access The line number is the first line number in a contiguous group that you want to configure when the line type is specified The range is from 0 to 16 Step 3 access class access list number in out Restrict incoming and outgoing connections between a particu...

Page 430: ...every one half second per input interface but this can be changed by using the ip icmp rate limit unreachable global configuration command When you apply an undefined ACL to an interface the switch acts as if the ACL has not been applied to the interface and permits all packets Remember this behavior if you use undefined ACLs for network security Displaying ACLs and Access Groups You can display e...

Page 431: ...standard and extended ACLs Note that the named MAC extended ACL displayed in the previous example is not included in this display Switch show ip access lists Standard IP access list 1 permit 172 20 10 10 Standard IP access list 10 permit 12 12 12 12 Standard IP access list 12 deny 1 3 3 2 Standard IP access list 32 permit 172 20 20 20 Standard IP access list 34 permit 10 24 35 56 permit 23 45 56 3...

Page 432: ...23 23 23 2 access list 103 permit icmp any any 123 23 tos max throughput access list 103 permit igmp any any 12 information truncated ACL Configuration Examples This section provides examples of configuring ACLs For detailed information about compiling ACLs refer to the Security Configuration Guide and the IP Services chapter of the Cisco IOS IP and IP Routing Configuration Guide for IOS Release 1...

Page 433: ...urce address This example uses an extended ACL to filter traffic coming from Server B into port 0 3 permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 Switch config access list 106 permit ip any 172 20 128 64 0 0 0 31 Switch config end Switch show access lists Extended IP access list 106 permit ip any 172 20 ...

Page 434: ... to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port numbers are used throughout t...

Page 435: ...eting_group in Time Range Applied to an IP ACL This example denies Hypertext Transfer Protocol HTTP traffic on IP on Monday through Friday between the hours of 8 00 a m and 6 00 p m The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic we...

Page 436: ... stan1 Switch config std nacl deny 10 1 1 0 0 0 0 255 log Switch config std nacl permit any log Switch config std nacl exit Switch config interface gigabitethernet0 1 Switch config if ip access group stan1 in Switch config if end Switch show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Console logging level debugging 37 messages logged Monitor logging level debugging 0 me...

Page 437: ...fic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a match clause for that type of packet IP or MAC in the VLAN map the default action is to drop the packet if the packet does not match any of the entries within the map If there is no match clause for that type of packet the default is to forward the packet Note For ...

Page 438: ...e VLAN map has at least one match clause for the type of packet IP or MAC and the packet does not match any of these match clauses the default is to drop the packet If there is no match clause for that type of packet in the VLAN map the default is to forward the packet The system might take longer to boot if you have configured a very large number of ACLs For information about using both router AC...

Page 439: ...type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address with a mask or a specific host source MAC address and any destination MAC address destina...

Page 440: ...s to drop any IP packet that does not match any of the match clauses Switch config ip access list extended ip1 Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan access map ...

Page 441: ...ts Drop all other IP packets Forward all non IP packets Switch config access list 101 permit udp any any Switch config ip access list extended igmp match Switch config ext nacl permit igmp any any Switch config ip access list extended tcp match Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map drop ip default 10 Switch config access map match ip ad...

Page 442: ...rd all TCP packets Forward MAC packets from hosts 0000 0c00 0111 and 0000 0c00 0211 Drop all other IP packets Drop all other MAC packets Switch config vlan access map drop all default 10 Switch config access map match ip address tcp match Switch config access map action forward Switch config access map exit Switch config vlan access map drop all default 20 Switch config access map match mac addres...

Page 443: ...auses mac address mac1 Action forward Vlan access map map_1 30 Match clauses Action drop This is an example of output from the show vlan filter privileged EXEC command Switch show vlan filter VLAN Map map_1 is filtering VLANs 20 22 Using VLAN Maps in Your Network This section describes some typical uses for VLAN maps and includes these topics Wiring Closet Configuration page 19 34 Denying Access t...

Page 444: ...affic from Host X IP address 10 1 1 32 to Host Y IP address 10 1 1 34 at Switch A and not bridge it to Switch B First define the IP access list http that permits matches any TCP traffic on the HTTP port Switch config ip access list extended http Switch config ext nacl permit tcp host 10 1 1 32 host 10 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that m...

Page 445: ...s to apply the map SERVER1 to VLAN 10 Step 1 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host 10 1 1 100 Switch config ext nacl exit Step 2 Define a VLAN map usin...

Page 446: ...this information about using VLAN maps with router ACLs Guidelines page 19 36 Determining if the ACL Configuration Fits in Hardware page 19 37 Examples of Router ACLs and VLAN Maps Applied to VLANs page 19 39 Guidelines These guidelines are for configurations where you need to have an router ACL and a VLAN map on the same VLAN These guidelines do not apply to configurations where you are mapping r...

Page 447: ...is done in software For example if the combination of an input router ACL applied to a VLAN interface and a VLAN map applied to the same VLAN does not fit into the hardware these results might occur If the VLAN map alone fits in hardware the software sets up the hardware to send to the CPU all packets that need to be routed for filtering and possible routing if the packet passes the filter Packets...

Page 448: ...ow fm label 1 Unloaded due to merge failure or lack of space InputAccessGroup Input Features Interfaces or VLANs Vl1 Priority normal Vlan Map none Access Group bigone 11 VMRs Multicast Boundary none 0 VMRs Output Features Interfaces or VLANs Priority low Bridge Group Member no Vlan Map none Access Group none 0 VMRs This output from the show fm label privileged EXEC command shows not enough room fo...

Page 449: ...ing router ACLs and VLAN maps to a VLAN for switched bridged routed and multicast packets Although the following illustrations show packets being forwarded to their destination each time the packet s path crosses a line indicating a VLAN map or an ACL it is also possible that the packet might be dropped rather than forwarded ACLs and Switched Packets Figure 19 6 shows how an ACL is applied on pack...

Page 450: ...e 19 7 shows how an ACL is applied on fallback bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 19 7 Applying ACLs on Bridged Packets Frame Fallback bridge VLAN 10 Host A VLAN 10 Packet 53086 Catalyst 3550 switch with enhanced multilayer software image VLAN 20 Host B VLAN 20 VLAN 10 map VLAN 20 map ...

Page 451: ... applied on routed packets For routed packets the ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 19 8 Applying ACLs on Routed Packets Frame Routing function VLAN 10 Host A VLAN 10 Packet 53085 Catalyst 3550 switch with enhanced multilayer software image VLAN 20 Host B VLAN 20 VLAN 10 map Input router ACL Output rout...

Page 452: ...ed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map VLAN 10 map in Figure 19 9 drops the ...

Page 453: ...es ACEs allowed you can use the sdm prefer access global configuration command to set the Switch Database Management feature to the access template For more information on the SDM templates see the Optimizing System Resources for User Selected Features section on page 6 57 Understanding QoS Typically networks operate on a best effort delivery basis which means that all traffic has equal priority a...

Page 454: ... trunks all traffic is in 802 1Q frames except for traffic in the native VLAN Other frame types cannot carry Layer 2 CoS values Layer 2 CoS values range from 0 for low priority to 7 for high priority Prioritization bits in Layer 3 packets Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point DSCP value QoS supports the use of either value because DSCP v...

Page 455: ...arking Classifying distinguishes one kind of traffic from another The process generates an internal DSCP for a packet which identifies all the future QoS actions to be performed on this packet For more information see the Classification section on page 20 4 Policing determines whether a packet is in or out of profile by comparing the internal DSCP to the configured policer and the policer limits t...

Page 456: ...e in the three most significant bits of the Tag Control Information field CoS values range from 0 for low priority to 7 for high priority The trust DSCP and trust IP precedence configurations are meaningless for non IP traffic If you configure a port with either of these options and non IP traffic is received the switch assigns the default port CoS value and generates the internal DSCP from the Co...

Page 457: ...onfigure the port to trust IP precedence and generate a DSCP by using the configurable IP precedence to DSCP map The IP version 4 specification defines the three most significant bits of the 1 byte ToS field as the IP precedence IP precedence values range from 0 for low priority to 7 for high priority Trust the CoS value if present in the incoming packet and generate the DSCP by using the CoS to D...

Page 458: ...P identical to DSCP in packet Check if packet came with CoS label tag Generate DSCP from CoS to DSCP map Yes Read next ACL Is there a match with a permit action Assign the DSCP as specified by ACL action Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Check if packet came with CoS label tag Use Cos from frame Start Trust CoS IP and non IP traffic IP and non IP t...

Page 459: ...ration information see the Configuring a QoS Policy section on page 20 26 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to isolate and name a specific traffic flow or class from all other traffic The class map defines the criteria used to match against a specific traffic flow to further classify it the criteria can include matching the access group defi...

Page 460: ...plies the bandwidth limits specified in the policer separately to each matched traffic class You configure this type of policer within a policy map by using the police policy map configuration command Aggregate QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows You configure this type of policer by specifying the aggregate policer name with...

Page 461: ...on Only the average rate and committed burst parameters are configurable Policing can occur on ingress and egress interfaces 128 policers are supported on ingress Gigabit capable Ethernet ports 8 policers are supported on ingress 10 100 Ethernet ports 8 policers are supported on all egress ports Ingress policers can be individual or aggregate On an interface configured for QoS all traffic received...

Page 462: ...re 20 4 Policing and Marking Flowchart 46977 Yes Yes No No Pass through Drop Mark Read the DSCP of the packet Is a policer configured for this DSCP Check if the packet is in profile by querying the policer Check out of profile action configured for this policer Drop packet Modify DSCP according to the policed DSCP map Start Done ...

Page 463: ...er DSCP value to an IP or non IP packet if the packet is out of profile and the policer specifies a marked down DSCP value This configurable map is called the policed DSCP map Before the traffic reaches the scheduling stage QoS uses the configurable DSCP to CoS map to derive a CoS value from the internal DSCP value Through the CoS to egress queue map the CoS values select one of the four egress qu...

Page 464: ... the queueing and scheduling flowchart for Gigabit capable Ethernet ports Figure 20 5 Queueing and Scheduling Flowchart for Gigabit Capable Ethernet Ports Note If the expedite queue is enabled WRR services it until it is empty before servicing the other three queues 46978 T1 and T2 thresholds Queue size Queue number No Yes Read CoS value and the CoS to queue map Determine high and low threshold of...

Page 465: ...o an egress queue CoS to egress queue map through the wrr queue cos map interface configuration command All four queues participate in the WRR unless the expedite queue is enabled in which case the fourth bandwidth weight is ignored and not used in the ratio calculation The expedite queue is a strict priority queue and it is serviced until empty before the other queues are serviced You enable the ...

Page 466: ...llows the transmission line to be fully used at all times WRED also drops more packets from large users than small Therefore traffic sources that generate the most traffic are more likely to be slowed down than traffic sources that generate little traffic You can enable WRED and configure the two threshold percentages assigned to the four egress queues on a Gigabit capable Ethernet port by using t...

Page 467: ...el has 100 packets of buffer space by default for queueing packets When the buffer specified for the minimum reserve level is full packets are dropped until space is available Figure 20 7 is an example of the 10 100 Ethernet port queue assignments minimum reserve levels and buffer sizes The figure shows four egress queues per port with each queue assigned to a minimum reserve level For example for...

Page 468: ...s are selected by the CoS value that is mapped to an egress queue CoS to egress queue map through the wrr queue cos map interface configuration command All four queues participate in the WRR unless the egress expedite queue is enabled in which case the fourth bandwidth weight is ignored and not used in the ratio calculation The expedite queue is a strict priority queue and it is serviced until emp...

Page 469: ...CPs For non IP packets classification involves assigning an internal DSCP to the packet but because there is no DSCP in the non IP packet no overwrite occurs Instead the internal DSCP is translated to the CoS and is used both for queueing and scheduling decisions and for writing the CoS priority value in the tag if the packet is being sent on either an ISL or 802 1Q trunk port Because the CoS prio...

Page 470: ...onfiguring Egress Queues on Gigabit Capable Ethernet Ports page 20 44 Configuring Egress Queues on 10 100 Ethernet Ports page 20 51 Default QoS Configuration Table 20 1 shows the default QoS configuration when QoS is disabled When QoS is disabled there is no concept of trusted or untrusted ports because the packets are not modified the CoS DSCP and IP precedence values in the packet are not change...

Page 471: ...ame DSCP value no markdown The default DSCP to switch priority map maps DSCPs 0 to 15 to priority 0 DSCPs 16 to 31 to priority 1 DSCPs 32 to 47 to priority 2 and DSCPs 48 to 63 to priority 3 Table 20 2 Default QoS Parameters when QoS is Enabled Port Type QoS State Egress traffic DSCP and CoS Value Queue Queue Weights Tail drop Thresholds CoS Mapping to Queue Gigabit capable Ethernet ports Enabled ...

Page 472: ...g update packets received by the switch are subject to all ingress QoS processing You must disable the IEEE 802 3X flowcontrol on all ports before enabling QoS on the switch To disable it use the flowcontrol receive off and flowcontrol send off interface configuration commands Only one ACL per class map and only one match class map configuration command per class map are supported The ACL can have...

Page 473: ...his section describes how to classify incoming traffic by using port trust states It contains this configuration information Configuring the Trust State on Ports within the QoS Domain page 20 22 Configuring the CoS Value for an Interface page 20 24 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 20 25 Command Purpose Step 1 configure terminal Enter global configuration...

Page 474: ...oS domain When the packets are classified at the edge the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain Figure 20 8 shows a sample network topology Figure 20 8 Port Trusted States within the QoS Domain 46981 Catalyst 3550 12T switch Trunk Trusted interface Classification of tra...

Page 475: ...he port default CoS value is used The default port CoS value is 0 dscp Classifies ingress packets with packet DSCP values For non IP packets the packet CoS value is used if the packet is tagged for untagged packets the default port CoS is used Internally the switch maps the CoS value to a DSCP value by using the CoS to DSCP map ip precedence Classifies ingress packets with the packet IP precedence...

Page 476: ...e for the port For default cos specify a default CoS value to be assigned to a port If the port is CoS trusted and packets are untagged the default CoS value becomes the CoS value for the packet The CoS range is 0 to 7 The default is 0 Use the override keyword to override the previously configured trust state of the incoming packets and to apply the default port CoS value to all incoming packets B...

Page 477: ...s both QoS domains you must perform this procedure on the ports in both domains 46982 Catalyst 3550 12T switch Catalyst 3550 12T switch QoS Domain 1 QoS Domain 2 Set interface to the DSCP trusted state Configure the DSCP to DSCP mutation map IP traffic Gigabit Ethernet 0 3 Gigabit Ethernet 0 3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on th...

Page 478: ...icies to interfaces For background information see the Classification section on page 20 4 and the Policing and Marking section on page 20 8 This section contains this configuration information Classifying Traffic by Using ACLs page 20 27 Classifying Traffic by Using Class Maps page 20 30 Classifying Policing and Marking Traffic by Using Policy Maps page 20 32 Classifying Policing and Marking Traf...

Page 479: ... terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of traffic if the conditions are...

Page 480: ... traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent You specify this by using dotted decimal notation by using the any keyword as an abb...

Page 481: ...om which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard 255 255 255 or by using the host keyword for source 0 0 0 For mask enter the wildcard bits by placing ones in the bit positions that you want to ignore For dst MAC addr enter the MAC address of the host to which the packet is being se...

Page 482: ... match criterion is defined with one match statement entered within the class map configuration mode Note You can also create class maps during policy map creation by using the class policy map configuration command For more information see the Classifying Policing and Marking Traffic by Using Policy Maps section on page 20 32 Beginning in privileged EXEC mode follow these steps to create a class ...

Page 483: ...m a logical OR of all matching statements under this class map One or more match criteria must be matched If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same Step 5 match access group acl index or name ip dscp dscp list ip precedence ip precedence li...

Page 484: ...ristics A policy map can contain multiple class statements each with different match criteria and policers A separate policy map class can exist for each type of traffic received through an interface A policy map trust state supersedes an interface trust state You can attach only one policy map per interface per direction Beginning in privileged EXEC mode follow these steps to create a policy map ...

Page 485: ...onfiguration mode By default no policy map class maps are defined If a traffic class has already been defined by using the class map global configuration command specify its name for class map name in this command To define a class map that uses an access list to filter traffic or that matches traffic to the specified DSCP or IP precedence values use one of these keywords For access group acl inde...

Page 486: ...non IP packets that are untagged QoS derives the internal DSCP value by using the default port CoS value In either case the internal DSCP value is derived from the CoS to DSCP map ip precedence QoS derives the internal DSCP value by using the IP precedence value from the ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the internal DSCP value by using...

Page 487: ... For burst byte specify the normal burst size in bytes The range is 8000 to 512000000 Optional Specify the action to take when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and send the packet For more information see the Configuring the Policed DSCP Map se...

Page 488: ...4 Switch config policy map ip104 Switch config pmap class ipclass104 access group 104 Switch config pmap c set ip dscp 63 Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet0 1 Switch config if service policy input ip104 This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress interface The first permit statemen...

Page 489: ...o 2000000000 For burst byte specify the normal burst size in bytes The range is 8000 to 512000000 Optional Specify the action to take when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and send the packet For more information see the Configuring the Policed...

Page 490: ...d dscp transmit Switch config policy map aggflow1 Switch config pmap class ipclass1 access group 1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 Switch config pmap c exit Switch config pmap class ipclass2 access group 2 Switch config pmap c set ip dscp 56 Switch config pmap c police aggregate transmit1 Switch config pmap c exit Switch config pmap exit Switch confi...

Page 491: ...S to DSCP Map You use the CoS to DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 20 3 shows the default CoS to DSCP map If these values are not appropriate for your network you need to modify them Beginning in privileged EXEC mode follow these steps to modify the CoS to DSCP map To return to the default map use ...

Page 492: ...to DSCP map To return to the default map use the no mls qos ip prec dscp global configuration command This example shows how to modify and display the IP precedence to DSCP map Switch configure terminal Switch config mls qos map ip prec dscp 10 15 20 25 30 35 40 45 Switch config end Switch show mls qos maps ip prec dscp IpPrecedence dscp map ipprec 0 1 2 3 4 5 6 7 dscp 10 15 20 25 30 35 40 45 Tabl...

Page 493: ...15 16 17 18 19 2 20 21 22 23 24 25 26 27 28 29 3 30 31 32 33 34 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The int...

Page 494: ... 03 3 03 03 00 04 04 04 04 04 04 04 4 00 05 05 05 05 05 05 05 00 06 5 00 06 06 06 06 06 07 07 07 07 6 07 07 07 07 Note In the above DSCP to CoS map the CoS values are shown in the body of the matrix The d1 column specifies the most significant digit of the DSCP the d2 row specifies the least significant digit of the DSCP The intersection of the d1 and d2 values provides the CoS value For example i...

Page 495: ...dscp enter up to 8 DSCP values separated by spaces Then enter the to keyword For out dscp enter up to 8 DSCP values separated by spaces The DSCP range is 0 to 63 Step 3 interface interface id Enter interface configuration mode and specify the interface to which to attach the map Valid interfaces include physical interfaces Step 4 mls qos trust dscp Configure the ingress port as a DSCP trusted port...

Page 496: ...the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the mutated value For example a DSCP value of 12 corresponds to a mutated value of 10 Configuring Egress Queues on Gigabit Capable Ethernet Ports This section describes how to configure the egress queues on Gigabit capable Ethernet ports For information on confi...

Page 497: ...onfiguration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 wrr queue cos map queue id cos1 cos8 Map assigned CoS values to select one of the egress queues The default map has these values CoS value 0 1 selects queue 1 CoS value 2 3 selects queue 2 CoS value 4 5 selects q...

Page 498: ...eue queue limit 1 2 3 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 wrr queue queue limit weight1 weight2 weight3 weight4 Configure the egress queue size ratios The defaults weights are 25 1 4 of the ...

Page 499: ...terface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 wrr queue threshold queue id threshold percentage1 threshold percentage2 Configure tail drop threshold percentages on each egress queue The default threshold is 100 percent for thresholds 1 and 2 For queue id specify the ID of the egress queue The range is 1 to 4 For threshold percentage1 threshold percenta...

Page 500: ...40 48 56 Switch config if wrr queue dscp map 2 10 20 30 40 50 60 As a result of this configuration when queue 1 is filled above 10 percent packets with DSCPs 0 8 16 24 32 40 48 and 56 are dropped The same packets are dropped when queue 2 is filled above 40 percent queue 3 above 60 percent and queue 4 above 80 percent When the second threshold 100 percent is exceeded all queues drop packets with DS...

Page 501: ... DSCPs 0 8 16 24 32 40 48 and 56 are randomly dropped The same packets are randomly dropped when queues 2 and 4 are filled above 70 percent When the second threshold 100 percent is exceeded all queues randomly drop packets with DSCPs 10 20 30 40 50 and 60 Step 4 wrr queue random detect max threshold queue id threshold percentage1 threshold percentage2 Configure WRED drop threshold percentages on e...

Page 502: ...ps to allocate bandwidth to each queue Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress Gigabit capable Ethernet interface Step 4 priority queue out Enable the egress expedite queue which is disabled by default When you configure this command the ...

Page 503: ...ke decisions about these characteristics Which packets are assigned by CoS value to each queue How much of the available buffer space is allotted to each queue Is one of the queues the expedite high priority egress queue How much of the available bandwidth is allotted to each queue Step 4 wrr queue bandwidth weight1 weight2 weight3 weight4 Assign WRR weights to the egress queues By default all the...

Page 504: ...tch config if wrr queue cos map 3 2 3 Switch config if wrr queue cos map 4 0 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress 10 100 Ethernet interface Step 4 wrr queue cos map queue id cos1 cos8 Map assigned CoS values to select one of the egre...

Page 505: ... mls qos min reserve min reserve level min reserve buffersize Configure the buffer size of the minimum reserve level if necessary for all the 10 100 Ethernet ports By default the buffer size for all eight minimum reserve levels is set to 100 packets For min reserve level specify the minimum reserve level number The range is 1 to 8 For min reserve buffersize specify the buffer size The range is 10 ...

Page 506: ...mode follow these steps to allocate bandwidth to each queue Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on the switch Step 3 interface interface id Enter interface configuration mode and specify the egress 10 100 Ethernet interface Step 4 priority queue out Enable the egress expedite queue which is disabled by default When you configure this ...

Page 507: ...s to the egress queues By default all the weights are set to 25 1 4 of the bandwidth is allocated to each queue For weight1 weight2 weight3 weight4 enter the ratio which determines the ratio of the frequency in which the WRR scheduler drops packets Separate each value with a space The range is 0 to 65536 All four queues participate in the WRR unless the expedite queue queue 4 is enabled in which c...

Page 508: ... traffic show policy map policy map name class class name interface interface id Display QoS policy maps which define classification criteria for incoming traffic show mls qos aggregate policer aggregate policer name Display the aggregate policer configuration show mls qos maps cos dscp dscp cos dscp mutation ip prec dscp policed dscp Display QoS mapping information Maps are used to generate an in...

Page 509: ...ority default default priority id interface configuration command for each port For ISL or IEEE 802 1Q frames with tag information the priority value from the header frame is used On the Catalyst 3524 PWR XL and 3548 XL switches you can override this priority with the default value by using the switchport priority default override interface configuration command For Catalyst 3500 XL 2950 other 290...

Page 510: ...deo packets over all other traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list 1 permit 172 20 10 16 Define an IP standard ACL and permit traffic from the video server at 172 20 10 16 Step 3 class map videoclass Create a class map called videoclass and enter class map configuration mode Step 4 match access group 1 Define the match criterion by match...

Page 511: ...queue map is sufficient however you need to configure the DSCP to CoS map so that DSCP values 57 to 63 map to CoS 5 For the egress interface Gigabit Ethernet interface 0 5 WRR weights need to be configured by using the wrr queue bandwidth interface configuration command WRED needs to be enabled and the threshold percentages configured for each queue The bandwidth allocated to each queue must be co...

Page 512: ...lues separated by spaces in the DSCP to CoS map For example to map DSCP values 57 to 63 to CoS 5 enter mls qos map dscp cos 57 58 59 60 61 62 63 to 5 Step 13 interface gigabitethernet0 5 Enter interface configuration mode and specify the egress interface to configure Step 14 priority queue out Enable the expedite queue Step 15 wrr queue bandwidth weight1 weight2 weight3 weight4 Configure WRR weigh...

Page 513: ... Chapter 20 Configuring QoS QoS Configuration Examples Step 17 end Return to privileged EXEC mode Step 18 show mls qos interface and show interfaces Verify your entries Step 19 copy running config startup config Optional Save your entries in the configuration file Command Purpose ...

Page 514: ...20 62 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 20 Configuring QoS QoS Configuration Examples ...

Page 515: ...el and PAgP Status page 21 16 Understanding EtherChannel EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 21 1 The EtherChannel provides full duplex bandwidth up to 800 Mbps Fast EtherChannel or 8 Gbps Gigabit EtherChannel between your switch and another switch or host Each EtherChannel can consist of up to eight comp...

Page 516: ...tion command With Layer 2 interfaces the logical interface is dynamically created With both Layer 3 and 2 interfaces you manually assign an interface to the EtherChannel by using the channel group interface configuration command This command binds the physical and logical ports together as shown in Figure 21 2 Each EtherChannel has a logical port channel interface numbered from 1 to 64 The channel...

Page 517: ...tanding the Port Aggregation Protocol The Port Aggregation Protocol PAgP facilitates the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces By using PAgP the switch learns the identity of partners capable of supporting PAgP and learns the capabilities of each interface It then dynamically groups similarly configured interfaces into a single logical link channel o...

Page 518: ...tting the mode to on manual configuration All ports configured in the on mode are bundled in the same group and are forced to have similar characteristics If the group is misconfigured packet loss or STP loops might occur If your switch is connected to a partner that is PAgP capable you can configure the switch interface for nonsilent operation by using the non silent keyword If you do not specify...

Page 519: ...aces in the EtherChannel Trunk ports send and receive PAgP protocol data units PDUs on the lowest numbered VLAN STP sends packets over the first interface in the EtherChannel The MAC address of a Layer 3 EtherChannel is the MAC address of the first interface in the port channel PAgP sends and receives PAgP PDUs only from interfaces that are up and have PAgP enabled for the auto or desirable mode U...

Page 520: ...ion based forwarding because the large number of workstations ensures that the traffic is evenly distributed from the router EtherChannel Use the option that provides the greatest variety in your configuration For example if the traffic on a channel is going only to a single MAC address using the destination MAC address always chooses the same link in the channel using source addresses or IP addre...

Page 521: ...annel interface apply to all the physical interfaces assigned to the port channel interface and configuration changes applied to the physical interface affect only the interface where you apply the configuration Default EtherChannel Configuration Table 21 2 shows the default EtherChannel configuration Table 21 2 Default EtherChannel Configuration Feature Default Setting Channel groups None assigne...

Page 522: ...yzer SPAN destination port A port that belongs to an EtherChannel port group cannot be configured as a secure port Before enabling 802 1X on the port you must first remove it from the EtherChannel If you try to enable 802 1X on an EtherChannel or on an active port in an EtherChannel an error message appears and 802 1X is not enabled If you enable 802 1X on a not yet active port of an EtherChannel ...

Page 523: ...g in privileged EXEC mode follow these steps to assign a Layer 2 Ethernet interface to a Layer 2 EtherChannel Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify a physical interface to configure Valid interfaces include physical interfaces Up to eight interfaces of the same type and speed can be con...

Page 524: ...It places an interface into a passive negotiating state in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation desirable Unconditionally enables PAgP It places an interface into an active negotiating state in which the interface starts negotiations with other interfaces by sending PAgP packets on Forces the interface to channel without PAgP With the ...

Page 525: ...cal port channel 5 and assign 172 10 20 10 as its IP address Switch configure terminal Switch config interface port channel 5 Switch config if no switchport Switch config if ip address 172 10 20 10 255 255 255 0 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface port channel port channel number Enter interface configuration mode and crea...

Page 526: ...of up to eight compatibly configured Ethernet interfaces For mode select one of these keywords auto Enables PAgP only if a PAgP device is detected It places an interface into a passive negotiating state in which the interface responds to PAgP packets it receives but does not start PAgP packet negotiation desirable Unconditionally enables PAgP It places an interface into an active negotiating state...

Page 527: ...address Switch config if range channel group 5 mode desirable Switch config if range end Note For information about the range keyword see the Configuring a Range of Interfaces section on page 8 9 Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Under...

Page 528: ...nal Enter global configuration mode Step 2 port channel load balance dst mac src mac Configure an EtherChannel load balancing method The default is src mac Select one of these keywords to determine the load distribution method dst mac Load distribution is based on the destination host MAC address of the incoming packet Packets to the same destination are sent on the same port but packets to differ...

Page 529: ...guration command To return the learning method to its default setting use the no pagp learn method interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface for transmission Step 3 pagp learn method physical port Select the PAgP learning method By default aggre...

Page 530: ...21 3 Commands for Displaying EtherChannel and PAgP Status Command Description show etherchannel channel group number brief detail load balance port port channel summary Displays EtherChannel information in a brief detailed and one line summary form Also displays the load balance or frame distribution scheme port and port channel information show pagp channel group number counters internal neighbor...

Page 531: ... Configuration Guide for Release 12 1 For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding Routing page 22 2 Steps for Configuring Routing page 22 3 Configuring IP Addressing page 22 4 Enabling IP Routing page 22 24 Configuring RIP page 22 25 ...

Page 532: ...d use Routers using link state protocols maintain a complex database of network topology based on the exchange of link state advertisements LSAs between routers LSAs are triggered by an event in the network which speeds up the convergence time or time required to respond to these changes Link state protocols respond quickly to topology changes but require greater bandwidth and more resources than ...

Page 533: ...n vlan_id global configuration command and by default a Layer 3 interface An EtherChannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section on page 21 11 Note A Layer...

Page 534: ...roadcast Packet Handling page 22 17 Monitoring and Maintaining IP Addressing page 22 21 Default Addressing Configuration Table 22 1 shows the default addressing configuration Table 22 1 Default Addressing Configuration Feature Default Setting IP address None defined ARP No permanent entries in the Address Resolution Protocol ARP cache Encapsulation Standard Ethernet style ARP Timeout 14400 seconds...

Page 535: ... to subnet a network the mask is referred to as a subnet mask To receive an assigned network number contact your Internet service provider IRDP Disabled Defaults when enabled Broadcast IRDP advertisements Maximum interval between advertisements 600 seconds Minimum interval between advertisements 0 75 times max interval Preference 0 IP proxy ARP Enabled IP routing Disabled IP subnet zero Disabled T...

Page 536: ... reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 sec Auto duplex Auto speed input flow control is off output flow control is off ARP type ARPA ARP Timeout 04 00 00 Last input never output 00 00 42 output hang never Last clearing of show interface counters never Input queue 0 75 0 0 size max drops flushes Total output drops 0 Queueing strategy fifo...

Page 537: ...ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route cache flags are Fast Router Discovery is disabled IP output ...

Page 538: ...h show running config Building configuration Current configuration 7454 bytes version 12 1 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption hostname Perdido1 output truncated ip subnet zero ip routing no ip domain lookup ip domain name a b c ip name server 12 10 13 14 output truncated Classless Routing By default classless routing behavior...

Page 539: ... the packet Figure 22 2 IP Classless Routing In Figure 22 3 the router in network 128 20 0 0 is connected to subnets 128 20 1 0 128 20 2 0 and 128 20 3 0 If the host sends a packet to 120 20 4 1 because there is no network default route the router discards the packet Figure 22 3 No IP Classless Routing To prevent the switch from forwarding packets destined for unrecognized subnets to the best supe...

Page 540: ...ociated MAC address and then stores the IP address MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP Proxy ARP helps hosts with no routing tables determin...

Page 541: ...no arp ip address hardware address type global configuration command To remove all nonstatic entries from the ARP cache use the clear arp cache privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as on...

Page 542: ...lyst 3550 switch the output from the show arp privileged EXEC command and the show ip arp privileged EXEC command are usually the same Set ARP Encapsulation By default Ethernet ARP encapsulation represented by the arpa keyword is enabled on an IP interface You can change the encapsulation methods to SNAP if required by your network Beginning in privileged EXEC mode follow these steps to specify th...

Page 543: ...nput 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 input packets with dribble condition detected 30745 packets output 3432096 bytes 0 underruns 0 output errors 0 collisions 6 interface resets 0 babbles 0 late collision 0 deferred 0 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out Enable Proxy...

Page 544: ...fast switching is enabled IP multicast distributed fast switching is disabled IP route cache flags are Fast CEF Router Discovery is enabled IP output packet accounting is disabled IP access violation accounting is disabled TCP IP header compression is disabled RTP IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disab...

Page 545: ...how ip redirect Default gateway is 10 1 5 59 Host Gateway Last Use Total Uses Interface ICMP redirect cache is empty ICMP Router Discovery Protocol IRDP Router discovery allows the switch to dynamically learn about routes to other networks using IRDP IRDP allows hosts to locate routers When operating as a client the switch generates router discovery packets When operating as a host the switch rece...

Page 546: ...rface Step 4 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Microsystems Solaris which requires IRDP packets to be sent out as multicasts Many implementations cannot receive these multicasts ensure end host ability before using this command Step 5 ip irdp holdtime seconds Optional S...

Page 547: ...to the local cable Bridges including intelligent bridges because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including th...

Page 548: ... protocol which is used by older diskless Sun workstations and the network security protocol SDNS By default both UDP and ND forwarding are enabled if a helper address has been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP and IP Routing Command Reference for Release 12 1 lists the ports that are forwarded by default if you...

Page 549: ...protocol or port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 4 exit Return to global configuration mode Step 5 ip...

Page 550: ...must meet these criteria Note that these are the same conditions used to consider packet forwarding using IP helper addresses The packet must be a MAC level broadcast The packet must be an IP level broadcast The packet must be a TFTP DNS Time NetBIOS ND or BOOTP packet or a UDP specified by the ip forward protocol udp global configuration command The time to live TTL value of the packet must be at...

Page 551: ...e table or database have become or are suspected to be invalid you can remove all its contents by using the clear privileged EXEC commands Table 22 3 lists the commands for clearing contents Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip forward protocol spanning tree Use the bridging spanning tree database to flood UDP datagrams Step 3 end Return to privileged...

Page 552: ...et 172 20 135 197 230 0002 4b28 ce80 ARPA Vlan1 Internet 172 20 135 196 214 0002 4b28 ce00 ARPA Vlan1 Internet 172 20 135 193 58 0030 19c6 54e1 ARPA Vlan1 Switch show hosts Default domain is a b c Name address lookup uses static mappings Host Flags Age Type Address es Switch show ip aliases Address Type IP Address Port Interface 10 1 2 3 Interface 120 20 30 1 Interface 172 20 135 202 Switch show i...

Page 553: ...witch show ip interface Vlan1 is up line protocol is up Internet address is 172 20 142 153 25 Broadcast address is 255 255 255 255 Address determined by non volatile memory MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is not set Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Spl...

Page 554: ...uter rip Switch config router network 10 0 0 0 Switch config router end You can now set up parameters for the selected routing protocols as described in these sections Configuring RIP page 22 25 Configuring IGRP page 22 30 Configuring OSPF page 22 35 Configuring EIGRP page 22 46 You can also configure nonprotocol specific features Configuring Protocol Independent Features page 22 53 Command Purpos...

Page 555: ...range 0 to 15 makes RIP unsuitable for large networks If the router has a default network path RIP advertises a route that links the router to the pseudonetwork 0 0 0 0 The 0 0 0 0 network does not exist it is treated by RIP as a network to implement the default routing feature The switch advertises the default network if a default was learned by RIP or if the router has a gateway of last resort a...

Page 556: ... nonbroadcast networks Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through RIP You can limit the offset list with an access list or an interface Step 7 timers basic update invalid holddown flush Optional Adjust routing protocol timers Valid ranges for all timers are...

Page 557: ...base This example shows output with a summary address entry for route 12 11 0 0 16 with three child routes active Switch show ip rip database 0 0 0 0 0 auto summary 0 0 0 0 0 redistributed 0 via 0 0 0 0 172 20 0 0 14 directly connected Vlan1 This is an example of output of the show ip rip database command with a prefix and mask Switch show ip rip database 172 19 86 0 255 255 255 0 172 19 86 0 24 1...

Page 558: ...EC command Switch show running config interface gigabitethernet0 3 Building configuration Current configuration 158 bytes interface GigabitEthernet0 3 no switchport ip address 10 1 3 59 255 255 255 0 ip directed broadcast ip irdp ip rip authentication key chain CHAIN end Summary Addresses and Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols ...

Page 559: ...the default you must enter a no switchport interface configuration command before entering the ip address interface configuration command Note If split horizon is enabled neither autosummary nor interface summary addresses those configured with the ip summary address rip router configuration command are advertised Switch config router rip Switch config router interface gi0 2 Switch config if ip ad...

Page 560: ...tem routes do not include subnet information Exterior routes are routes to networks outside the autonomous system that are considered when identifying a gateway of last resort The router chooses a gateway of last resort from the list of exterior routes that IGRP provides if it does not have a better route for a packet and the destination is not a connected network If the autonomous system has more...

Page 561: ...lternate path is within the variance Only feasible paths are used for load balancing and are included in the routing table These conditions limit the number of load balancing occurrences but ensure that the dynamics of the network remain stable These general rules apply to IGRP unequal cost load balancing IGRP accepts up to four paths for a given destination network The local best metric must be g...

Page 562: ...t necessary to have a registered autonomous system number but if you do have a registered number we recommend that you use it to identify your process Step 4 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through IGRP You can limit the offset list with an access list or an in...

Page 563: ...P autonomous system are not configured with the no metric holddown command If all routers are not configured the same way you increase the possibility of routing loops Step 9 metric maximum hops hops Optional Configure the maximum network diameter Routes with hop counts exceeding this diameter are not advertised The default is 100 hops the maximum is 255 hops Step 10 no validate update source Opti...

Page 564: ...routing protocols normally use the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated This feature can optimize communication among multiple routers especially when links are broken Note In general we do not recommend disabling split horizon unless...

Page 565: ...ndent Features section on page 22 53 The Cisco implementation conforms to the OSPF Version 2 specifications with these key features Stub areas Definition of stub areas is supported Route redistribution Routes learned through any IP routing protocol can be redistributed into another IP routing protocol At the intradomain level this means that OSPF can import routes learned through IGRP and RIP OSPF...

Page 566: ...d Auto cost 100 Mbps Default information originate Disabled When enabled the default metric setting is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF datab...

Page 567: ...smit interval 5 seconds Transmit delay 1 second Dead interval 40 seconds Authentication key no key predefined Message digest key MD5 no key predefined Table 22 7 Default OSPF Configuration continued Feature Default Setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Enable OSPF routing and enter router configuration mode The process ID is...

Page 568: ... modify OSPF interface parameters Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip ospf cost Optional Explicitly specify the cost of sending a packet on the interface Step 4 ip ospf retransmit interval seconds Optional Specify the number of seconds betw...

Page 569: ...the area border router ABR generates a default external route into the stub area for destinations outside the autonomous system AS An NSSA does not flood all LSAs from the core into the area but can import AS external routes within the area by redistribution Route summarization is the consolidation of advertised addresses into a single summary route to be advertised by other areas If network numbe...

Page 570: ...Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stub area Step 6 area area id nssa no redistribution default information originate no summary Optional Defines an area as a not so stubby area Every router within the same area must agree that the a...

Page 571: ...reas must be connected to a backbone area You can establish a virtual link in case of a backbone continuity break by configuring two Area Border Routers as endpoints of a virtual link Configuration information includes the identity of the other virtual endpoint the other ABR and the nonbackbone link that the two routers have in common the transit area Virtual links cannot be configured through a s...

Page 572: ...nk and set its parameters See the OSPF Interface Parameters section on page 22 38 for parameter definitions and Table 22 7 on page 22 36 for virtual link defaults Step 5 default information originate always metric metric value metric type type value route map map name Optional Force the ASBR to generate a default route into the OSPF routing domain Parameters are all optional Step 6 ip ospf name lo...

Page 573: ...ing information out its interfaces If a loopback interface is configured with an IP address OSPF uses this IP address as its router ID even if other interfaces have higher IP addresses Because loopback interfaces never fail this provides greater stability OSPF automatically prefers a loopback interface over other interfaces and it chooses the highest IP address among all loopback interfaces Beginn...

Page 574: ... External flood list length 0 Area 1 Number of interfaces in this area is 1 Area has no authentication SPF algorithm executed 1 times Area ranges are Number of LSA 1 Checksum Sum 0x39E7 Number of opaque link LSA 0 Checksum Sum 0x0 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 Table 22 8 Show IP OSPF Statistics Commands Command Purpose show ip osp...

Page 575: ...esignated router id 131 119 254 28 Interface addr 131 119 254 28 Timer intervals configured Hello 10 Dead 60 Wait 40 Retransmit 5 Hello due in 0 00 05 Neighbor Count is 8 Adjacent neighbor count is 2 Adjacent with neighbor 131 119 254 28 Backup Designated Router Adjacent with neighbor 131 119 254 10 Designated Router This is an example of output from the show ip ospf neighbor privileged EXEC comma...

Page 576: ...arization EIGRP scales to large networks Enhanced IGRP has these four basic components Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks Routers must also discover when their neighbors become unreachable or inoperative Neighbor discovery and recovery is achieved with low overhead by periodically sending small h...

Page 577: ...fault EIGRP Configuration Feature Default Setting Auto summary Enabled Subprefixes are summarized to the classful network boundary when crossing classful network boundaries Default information Exterior routes are accepted and default information is passed between IGRP or EIGRP processes when doing redistribution Default metric Only connected routes and interface static routes can be redistributed ...

Page 578: ...abled Set metric No metric set in the route map Traffic share Distributed proportionately to the ratios of the metrics Variance 1 equal cost load balancing Table 22 9 Default EIGRP Configuration continued Feature Default Setting Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router eigrp autonomous system Enable an EIGRP routing process and enter router configurat...

Page 579: ...EXEC mode follow these steps Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through EIGRP You can limit the offset list with an access list or an interface Step 7 no auto summary Optional Disable automatic summarization of subnet routes into network level routes Step 8...

Page 580: ...r seconds Optional Change the hold time interval for an EIGRP routing process The range is 1 to 65535 seconds The default is 180 seconds for low speed NBMA networks and 15 seconds for all other networks Caution Do not adjust the hold time without consulting Cisco technical support Step 7 no ip split horizon eigrp autonomous system number Optional Disable split horizon to allow route information to...

Page 581: ... earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 10 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest accept...

Page 582: ... 0 4 This is an example of output from the show ip eigrp topology privileged EXEC command Switch show ip eigrp topology IP EIGRP Topology Table for process 77 Codes P Passive A Active U Update Q Query R Reply r Reply status P 160 89 90 0 255 255 255 0 2 successors FD is 0 via 160 89 80 28 46251776 46226176 GigabitEthernet0 1 via 160 89 81 28 46251776 46226176 GigabitEthernet0 3 via 160 89 80 31 46...

Page 583: ...re frequently invalidated because of routing changes which can cause traffic to be process switched using the routing table instead of fast switched using the route cache CEF uses the Forwarding Information Base FIB lookup table to perform destination based switching of IP packets The two main components in CEF are the FIB and adjacency tables The FIB is similar to a routing table or information b...

Page 584: ...iguring the Number of Equal Cost Routing Paths When a router has two or more routes to the same network with the same metrics these routes can be thought of as having an equal cost The term parallel path is another way to refer to occurrences of equal cost routes in a routing table If a router has two or more equal cost paths to a network it can use them concurrently Parallel paths provide redunda...

Page 585: ...EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 E EGP i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is 172 20 135 193 to network 0 0 0 0 S 0 0 0 0 0 1 0 via 172 20 135 193 C 17...

Page 586: ... routing table When the software can no longer find a valid next hop for the address specified as the forwarding router s address in a static route the static route is also removed from the IP routing table Specifying Default Routes A router might not be able to determine the routes to all other networks To provide complete routing capability you can use some routers as smart routers and give the ...

Page 587: ... Information The switch can run multiple routing protocols simultaneously and it can redistribute information from one routing protocol to another For example you can instruct the switch to readvertise IGRP derived routes by using RIP or to readvertise static routes by using IGRP Redistributing information from one routing protocol to another applies to all supported IP based routing protocols You...

Page 588: ... Step 4 match metric metric value Match the specified route metric The metric value can be an IGRP five part metric with a specified value from 0 to 4294967295 Step 5 match ip next hop access list number access list name access list number access list name Match a next hop router address passed by one of the access lists specified numbered from 1 to 199 Step 6 match tag tag value tag value Match t...

Page 589: ...he route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 and 255 where 255 means 100 percent reliability and 0 means no reliability loading Effective bandwidth of the route expressed as a number from 0 to 255 255 is 100 percent loading ...

Page 590: ...formation from other IGRP routed autonomous systems IGRP assigns static routes a metric that identifies them as directly connected It does not change the metrics of routes derived from IGRP updates from other autonomous systems Any protocol can redistribute other routing protocols if a default mode is in effect Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router...

Page 591: ...k monitoring privileged EXEC command such as show ip ospf interface to verify the interfaces that you enabled as passive or use the show ip interface privileged EXEC command to verify the interfaces that you enabled as active To re enable the sending of routing updates use the no passive interface interface id router configuration command The default keyword sets all interfaces as passive by defau...

Page 592: ...f a routing information source such as a router or group of routers In a large network some routing protocols can be more reliable than others By specifying administrative distance values you enable the router to intelligently discriminate between sources of routing information The router always picks the route whose routing protocol has the lowest administrative distance Table 22 11 on page 22 56...

Page 593: ...the key numbers in order from lowest to highest and uses the first valid key it encounters The lifetimes allow for overlap during key changes Note that the router must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys Step 3 distance weight ip address ip address mask ip access list Define an administrative distance weight The administrative dis...

Page 594: ...fy the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 7 end Return to privileged EXEC mode Step 8 show key chain Display authentication key informa...

Page 595: ...command showing IGRP processes Switch show ip protocols Routing Protocol is igrp 1 Sending updates every 90 seconds next due in 65 seconds Invalid after 270 seconds hold down 280 flushed after 630 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is Default networks flagged in outgoing updates Default networks accepted from incoming updates IGRP metri...

Page 596: ...d B BGP derived i IS IS derived D EIGRP derived candidate default route IA OSPF inter area route E1 OSPF external type 1 route E2 OSPF external type 2 route L1 IS IS level 1 route L2 IS IS level 2 route EX EIGRP external route Gateway of last resort is not set B 198 92 0 0 mask is 255 255 0 0 20 0 via 198 92 72 30 0 00 50 B 192 0 0 0 mask is 255 0 0 0 20 0 via 198 92 72 24 0 02 50 This is an examp...

Page 597: ...e Catalyst 3550 Multilayer Switch Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding HSRP page 23 1 Configuring HSRP page 23 3 Displaying HSRP Configurations page 23 10 Understanding HSRP HSRP is Cisco s standard method of providing high network availability by providing first hop redundancy for IP hosts on...

Page 598: ...tandby routers When HSRP is configured on an interface Internet Control Message Protocol ICMP redirect messages are disabled by default for the interface You can configure multiple Hot Standby groups among Catalyst 3550 switches that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface F...

Page 599: ... or routing interfaces In the following procedures the specified interface must be one of these Layer 3 interfaces Routed port a physical port configured as a Layer 3 port by entering the no switchport interface configuration command SVI a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface Si Si Si Host B 172 20 130 5 172 20 1...

Page 600: ...andby function You must configure at least one routing port on the cable with the designated address Configuring an IP address always overrides another designated address currently in use When the standby ip command is enabled on an interface and proxy ARP is enabled if the interface s Hot Standby state is active proxy ARP requests are answered using the Hot Standby group MAC address If the interf...

Page 601: ...nd virtual IP address Optional group number The group number on the interface for which HSRP is being enabled The range is 0 to 255 the default is 0 If there is only one HSRP group you do not need to enter a group number Optional on all but one interface ip address The virtual IP address of the hot standby router interface You must enter the virtual IP address for at least one of the interfaces it...

Page 602: ...by track command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP When a tracked interface fails the hot standby priority on the device on which tracking has been configured decreases by 10 If an interface i...

Page 603: ...re the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active ro...

Page 604: ...ing is sent unencrypted in all HSRP messages You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation Authentication mismatch prevents a device from learning the designated Hot Standby IP address and timer values from other routers configured with HSRP Routers or access servers on which standby timer values are not configured can learn...

Page 605: ...SRP group name routing redundancy global configuration command to enable the same HSRP standby group to be used for command switch and routing redundancy If you create a cluster with the same HSRP standby group name without entering the routing redundancy keyword HSRP standby routing is disabled for the group This example shows how to bind standby group my_hsrp to the cluster and enable the same H...

Page 606: ...dby command without qualifiers can result in an unwieldy display This is a an example of output from the show standby privileged EXEC command displaying HSRP information for two standby groups group 1 and group 100 Switch show standby VLAN1 Group 1 Local state is Standby priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 182 Hot standby IP address is 10 0 0 1 configured A...

Page 607: ...eceive the message Membership in a multicast group is dynamic hosts can join and leave at any time There is no restriction on the location or number of members in a multicast group A host can be a member of more than one multicast group at a time How active a multicast group is and what members it has can vary from group to group and from time to time A multicast group can be active for a long tim...

Page 608: ... section on page 6 57 Cisco Implementation of IP Multicast Routing The Cisco IOS software supports these protocols to implement IP multicast routing Internet Group Management Protocol IGMP is used among hosts on a LAN and the routers and multilayer switches on that LAN to track the multicast groups of which hosts are members Protocol Independent Multicast PIM protocol is used among routers and mul...

Page 609: ...cast group on the local subnet In this model the router or switch acting as the IGMP querier periodically every 60 seconds multicasts an IGMPv1 membership query to the all hosts multicast group 224 0 0 1 on the local subnet All hosts enabled for multicasting listen for this address and receive the query A host responds with an IGMPv1 membership report to receive multicast traffic for a specific gr...

Page 610: ... maximum query response time and controls the burstiness of the response process This feature can be important when large numbers of groups are active on a subnet and you want to spread the responses over a longer period of time However increasing the maximum response timer value also increases the leave latency the query router must now wait longer to make sure there are no more hosts for the gro...

Page 611: ...ion on page 24 8 All systems using Cisco IOS Release 11 3 2 T or later start in PIMv2 mode by default PIMv2 includes these improvements over PIMv1 A single active RP exists per multicast group with multiple backup RPs This single RP compares to multiple active RPs for the same group in PIMv1 A BSR provides a fault tolerant automated RP discovery and distribution mechanism that enables routers and ...

Page 612: ...224 1 1 1 PIM DM employs only SPTs to deliver S G multicast traffic by using a flood and prune method It assumes that every subnet in the network has at least one receiver of the S G multicast traffic and therefore the traffic is flooded to all points in the network To avoid unnecessary consumption of network resources PIM DM devices send prune messages up the source distribution tree to stop unwa...

Page 613: ...end along the branch When using a shared tree sources must send their traffic to the RP so that the traffic reaches all receivers The special notation G pronounced star comma G is used to represent the tree where means all sources and G represents the multicast group Figure 24 5 shows a shared tree for group 224 2 2 2 with the RP located at Router 3 Multicast group traffic from source Hosts A and ...

Page 614: ...s of their Group to RP mapping cache in RP discovery messages every 60 seconds default to the Cisco RP discovery multicast group 224 0 1 40 which all Cisco PIM routers and multilayer switches join to receive Group to RP mapping information Thus all routers and switches automatically discover which RP to use for the groups they support The discovery messages also contain a holdtime which defines ho...

Page 615: ...nterface to the next hop toward the destination With multicasting the source is sending traffic to an arbitrary group of hosts represented by a multicast group address in the destination address field of the IP packet To determine whether to forward or drop an incoming multicast packet the router or multilayer switch uses a reverse path forwarding RPF check on the packet as follows and shown in Fi...

Page 616: ...M neighbor adjacencies To establish adjacencies a PIM router or multilayer switch sends PIM hello messages to the all PIM routers multicast group 224 0 0 13 on each of its multicast enabled interfaces The hello message contains a holdtime which tells the receiver when the neighbor adjacency associated with the sender expires if no more PIM hello messages are received Keeping track of adjacencies i...

Page 617: ... its neighbor list including the address of the first router When the first DVMRP router receives a probe with its own address listed in the neighbor list a two way adjacency is formed between itself and the neighbor that sent the probe DVMRP Route Table DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messages These messages contain...

Page 618: ... 3 as shown in Figure 24 7 Because LAN switches operate at Layer 2 and understand only MAC addresses the source and destination fields of the frame contain 48 bit MAC addresses for Host 3 0080 c7a2 1093 and MAC address equivalent of the multicast group address 0100 5e01 0203 The IGMP membership report is received by the Layer 2 switch and forwarded to the CGMP server for normal IGMP processing The...

Page 619: ...ge to the CGMP server which sends a group specific query to the multicast group to see if there are any remaining members in the group If there is no response the CGMP server updates its multicast routing table and sends a CGMP delete group message to the Layer 2 switch which updates its routing table Configuring IP Multicast Routing This section describes how to configure IP multicast routing It ...

Page 620: ...a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration Guidelines section on page 24 15 When PIMv2 devices interoperate with PIMv1 devices Auto RP should have already been deployed A PIMv2 BSR that is also an Auto RP mapping agent automati...

Page 621: ... router If you have non Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches both Auto RP and a BSR are required We recommend that a Cisco PIMv2 device be both the Auto RP mapping agent and the BSR For more information see the Using Auto RP and a BSR section on page 24 27 Configuring Basic Multicast Routing You must enable IP multicast routing and configur...

Page 622: ...ersion on the interface By default Version 2 is enabled and is the recommended setting Note All IP multicast capable Cisco PIM routers using IOS Release 11 3 2 T or later start in PIMv2 by default An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded Fo...

Page 623: ...their existence through register messages received from the source s first hop router designated router and forwarded to the RP Receivers of multicast packets use RPs to join a multicast group by using explicit join messages RPs are not members of the multicast group rather they serve as a meeting place for multicast sources and group members Beginning in privileged EXEC mode follow these steps to...

Page 624: ...M in sparse mode or sparse dense mode and do not configure Auto RP you must manually configure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 24 17 Note If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups Step 3 access list access list number deny permit so...

Page 625: ...nfig Verify that a default RP is already configured on all PIM devices and the RP in the sparse mode network This step is not required for spare dense mode environments The selected RP should have good connectivity and be available across the network Use this RP for the global groups for example 224 x x x and other global groups Do not reconfigure the group address range that this RP serves RPs dy...

Page 626: ...ther RPs by default use the ip pim accept rp auto rp global configuration command Step 4 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access...

Page 627: ...nnounce messages are accepted by default For rp list access list number configure an access list of candidate RP addresses that if permitted is accepted for the group ranges supplied in the group list access list number variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to e...

Page 628: ...5 range This range is the administratively scoped address range Configuring PIMv2 BSR BSR automates the distribution of group to RP mappings to all routers and multilayer switches in a PIMv2 network It eliminates the need to manually configure RP information in every device in the network However instead of using IP multicast to distribute group to RP mapping information BSR uses hop by hop floodi...

Page 629: ...ed Step 3 ip pim bsr border Define a PIM bootstrap message boundary for the PIM domain Enter this command on each interface that connects to other bordering PIM domains This command instructs the multilayer switch to neither send or receive PIMv2 BSR messages on this interface as shown in Figure 24 8 Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 co...

Page 630: ...configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which carry Auto RP information Opti...

Page 631: ...m bsr candidate gigabitethernet0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your multilayer switch to be a candidate BSR For interface id enter the interface type and number on this switch from which the BSR address is derived to make it a candidate This interface must be enabled wit...

Page 632: ...ep 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your multilayer switch to be a candidate RP For interface id enter the interface type and number whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list access list...

Page 633: ...brange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group prefixes This prevents the PIMv2 DRs from selecting a different RP from those PIMv1 DRs due to the longest match lookup in the RP mapping database Beginning in privileged EXEC mode follow these steps to verify the consistency of group to RP mappings Monitoring the ...

Page 634: ...derstanding PIM Shared Tree and Source Tree page 24 28 Delaying the Use of PIM Shortest Path Tree page 24 29 Modifying the PIM Router Query Message Interval page 24 30 Understanding PIM Shared Tree and Source Tree By default members of a group receive data from senders to the group across a single data distribution tree rooted at the RP Figure 24 9 shows this type of shared distribution tree Data ...

Page 635: ...r that is directly connected to a source and are received by the RP for the group Multiple sources sending to groups use the shared tree You can configure the PIM device to stay on the shared tree For more information see the Delaying the Use of PIM Shortest Path Tree section on page 24 29 Delaying the Use of PIM Shortest Path Tree The change from shared to source tree happens when the first data ...

Page 636: ...cess list access list number deny permit source source wildcard Create a standard access list For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group to which the threshold will apply Optional For source wildcard enter the wildcard bits in dotted d...

Page 637: ...Multicast Groups page 24 35 Modifying the IGMP Host Query Message Interval page 24 36 Configuring the Multilayer Switch as a Statically Connected Member page 24 36 Default IGMP Configuration Table 24 2 shows the default IGMP configuration Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interf...

Page 638: ...interface By default the switch waits twice the query interval controlled by the ip igmp query interval interface configuration command After that time if the switch has received no queries it becomes the querier Access to multicast groups All groups are allowed on an interface IGMP host query message interval 60 seconds on all interfaces Multilayer switch as a statically connected member Disabled...

Page 639: ...se time use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval The range is 6...

Page 640: ...ow these steps to configure the multilayer switch to be a member of a group To cancel membership in a group use the no ip igmp join group group address interface configuration command This example shows how to allow the switch to join multicast group 255 2 2 2 Switch config interface gigabitethernet0 1 Switch config if ip igmp join group 255 2 2 2 Command Purpose Step 1 configure terminal Enter gl...

Page 641: ...r global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip igmp access group access list number Specify the multicast groups that hosts on the subnet serviced by an interface can join By default all groups are allowed on an interface For access list number specify an IP standard access list number The range is 1...

Page 642: ...nterface configuration command Configuring the Multilayer Switch as a Statically Connected Member Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP However you might want multicast traffic to go to that network segment These are ways to pull multicast traffic down to a network segment Use the ip igmp join group interface confi...

Page 643: ...r 2 connectivity and MBONE multimedia conference session and set up Enabling CGMP Server Support page 24 38 Configuring sdr Listener Support page 24 39 Features that control bandwidth utilization Configuring the TTL Threshold page 24 40 Configuring an IP Multicast Boundary page 24 42 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter inter...

Page 644: ...erface interface id Enter interface configuration mode and specify the interface that is connected to the Layer 2 Catalyst switch Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword the CGMP pr...

Page 645: ...SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default the multilayer switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps to enable the switch to join the default session directory group 224 2 127 254 on the interface and listen to session directory advertisements To disable sdr support use...

Page 646: ... the RPF check succeeds and that Gigabit Ethernet interfaces 0 1 0 3 and 0 4 are all in the outgoing interface list the packet would normally be forwarded out these interfaces Because some TTL thresholds have been applied to these interfaces the multilayer switch makes sure that the packet TTL value which is decremented by 1 to 23 is greater than or equal to the interface TTL threshold before forw...

Page 647: ...mand 45153 Company XYZ TTL threshold 40 Engineering TTL threshold 40 TTL threshold 100 Marketing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to be configured Step 3 ip multicast ttl threshold ttl value Configure the TTL threshold of packets being forwarded out an interface The d...

Page 648: ...raffic in the range 239 0 0 0 through 239 255 255 255 from entering or leaving the network Similarly the engineering and marketing departments have an administratively scoped boundary of 239 128 0 0 16 around the perimeter of their networks This boundary prevents multicast traffic in the range of 239 128 0 0 through 239 128 255 255 from entering or leaving their respective networks Figure 24 12 Ad...

Page 649: ...uests page 24 49 For more advanced DVMRP features see the Configuring Advanced DVMRP Interoperability Features section on page 24 50 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to ...

Page 650: ... command is configured to enable DVMRP interoperability however you must enable multicast routing For more information see the Configuring Basic Multicast Routing section on page 24 15 Controlling Unicast Route Advertisements You should configure an access list on the PIM routed interface connected to the MBONE to limit the number of unicast routes that are advertised in DVMRP route reports otherw...

Page 651: ...ing sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Enter interface configuration mode and specify the interface connected to the MBONE and enabled for mul...

Page 652: ...fig access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The Cisco IOS software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy allows a PIM domain ...

Page 653: ...on ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mode on the...

Page 654: ...im dense mode Switch config if tunnel source gigabitethernet 0 1 Switch config if tunnel destination 192 168 1 10 Switch config if tunnel mode dvmrp Switch config if ip dvmrp accept filter 1 100 Switch config if interface gigabitethernet 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 ...

Page 655: ...isco 11 1 flags PMS 171 69 214 27 171 69 214 26 mm1 r7kb cisco com 1 0 pim querier 171 69 214 27 171 69 214 25 mm1 45a cisco com 1 0 pim querier 171 69 214 33 171 69 214 34 mm1 45c cisco com 1 0 pim 171 69 214 137 0 0 0 0 1 0 pim querier down leaf 171 69 214 203 0 0 0 0 1 0 pim querier down leaf 171 69 214 18 171 69 214 20 mm1 45e cisco com 1 0 pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0...

Page 656: ...ticast routing among each other but they can exchange DVMRP routes The DVMRP routes provide a multicast topology that might differ from the unicast topology This allows PIM to run over the multicast topology thereby allowing sparse mode PIM over the MBONE topology When DVMRP unicast routing is enabled the router or switch caches routes learned in DVMRP report messages in a DVMRP routing table When...

Page 657: ...the multilayer switch from peering communicating with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting To do so configure the multilayer switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 24 14 In this case when the mu...

Page 658: ... To disable this function use the no ip dvmrp reject non pruners interface configuration command Router A Router B Multilayer switch RP Multicast traffic gets to receiver not to leaf DVMRP device 44971 Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Si Command Purpose Step 1 configure terminal Enter global configuration ...

Page 659: ... is a DVMRP tunnel an interface where a DVMRP neighbor has been discovered or an interface configured to run the ip dvmrp unicast routing interface configuration command Beginning in privileged EXEC mode follow these steps to change the DVMRP route limit To configure no route limit use the no ip dvmrp route limit global configuration command Command Purpose Step 1 configure terminal Enter global c...

Page 660: ...es are two routes that are advertisements for the two directly connected networks 176 32 10 0 24 and 176 32 15 0 24 that were taken from the unicast routing table Because the DVMRP tunnel shares the same IP address as Fast Ethernet 0 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router ...

Page 661: ... m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Fast Ethernet 0 1 176 32 10 0 24 Fast Ethernet 0 2 176 32 15 0 24 DVMRP Report 45156 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered fa0 1 interface fastethernet 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface fastethernet 0 2 ip addr 176 32 15 1 255 255 255 0 ip pi...

Page 662: ...these steps to disable DVMRP autosummarization To re enable auto summarization use the ip dvmrp auto summary interface configuration command Adding a Metric Offset to the DVMRP Route By default the multilayer switch increments by 1 the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a rou...

Page 663: ...figuration mode and specify the interface to be configured Step 3 ip dvmrp metric offset in out increment Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP...

Page 664: ... the Catalyst switches have cached clear ip dvmrp route route Delete routes from the DVMRP routing table clear ip igmp group group name group address interface Delete entries from the IGMP cache clear ip mroute group source Delete entries from the IP multicast routing table clear ip pim auto rp rp address Clear the Auto RP cache clear ip sdr group address session name Delete the Session Directory ...

Page 665: ...ow ip rpf source address name Display how the multilayer switch is doing Reverse Path Forwarding that is from the unicast routing table DVMRP routing table or static mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 24 4 Commands for Displaying System and Network Statistics continued Command Purpose Table 24 5 Commands for Monitoring IP Mult...

Page 666: ...24 60 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 24 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 667: ...Multilayer Software Image Upgrade kit to upgrade Catalyst 3550 Fast Ethernet switches from the SMI to the EMI Note For complete syntax and usage information for the commands used in this chapter refer to the Cisco IOS IP and IP Routing Command Reference for Release 12 1 This chapter consists of these sections Understanding MSDP page 25 1 Configuring MSDP page 25 4 Monitoring and Maintaining MSDP p...

Page 668: ...all MSDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer RPF flooding The MSDP device examines the BGP or MBGP routing table to determine which peer is the n...

Page 669: ...d tree never need to leave your domain PIM sparse mode domains can rely only on their own RPs decreasing reliance on RPs in another domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memor...

Page 670: ...peer Configure a default MSDP peer when the multilayer switch is not BGP or MBGP peering with an MSDP peer If a single MSDP peer is configured the multilayer switch always accepts all SA messages from that peer Figure 25 2 shows a network in which default MSDP peers might be used In Figure 25 2 a customer who owns Multilayer Switch B is connected to the Internet through two Internet service provid...

Page 671: ...For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix list key...

Page 672: ...ter a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Optional...

Page 673: ...or list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The...

Page 674: ... wants to receive multicast traffic To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast source informatio...

Page 675: ...S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised and to which groups...

Page 676: ...ess if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination e...

Page 677: ...171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that...

Page 678: ...e map Beginning in privileged EXEC mode follow these steps to apply a filter Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified peer pass ...

Page 679: ...necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to b...

Page 680: ... MSDP Reverse Path Forwarding peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on mat...

Page 681: ... that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list numb...

Page 682: ... name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information for the p...

Page 683: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy ...

Page 684: ...y you might want dense mode sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as th...

Page 685: ...s system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts Ta...

Page 686: ...25 20 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 25 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 687: ...ging page 26 3 Monitoring and Maintaining the Network page 26 12 Understanding Fallback Bridging With fallback bridging the switch bridges together two or more VLANs or routed ports essentially connecting multiple VLANs within one bridge domain Fallback bridging forwards traffic that the multilayer switch does not route and forwards traffic belonging to a nonroutable protocol such as DECnet Fallba...

Page 688: ...e group If the packet destination address is in the bridge table it is forwarded on a single interface in the bridge group If the packet destination address is not in the bridge table it is flooded on all forwarding interfaces in the bridge group The bridge places source addresses in the bridge table as it learns them during the bridging process To participate in the spanning tree algorithm by rec...

Page 689: ...fic MAC Address page 26 6 Adjusting Spanning Tree Parameters page 26 7 Default Fallback Bridging Configuration Table 26 1 shows the default fallback bridging configuration Table 26 1 Default Fallback Bridging Configuration Feature Default Setting Bridge groups None are defined or assigned to an interface No VLAN bridge STP is defined Switch forwards frames for stations that it has dynamically lear...

Page 690: ... configuration mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 31 bridge groups Frames are bridged only among interfaces in the same group Step 3 interfa...

Page 691: ... forward frames to stations that it has dynamically learned use the bridge bridge group acquire global configuration command This example shows how to prevent the switch from forwarding frames for stations that it has dynamically learned in bridge group 10 Switch config no bridge 10 acquire Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no bridge bridge group acqu...

Page 692: ...g time global configuration command This example shows how to change the bridge table aging time to 200 seconds for bridge group 10 Switch config bridge 10 aging time 200 Filtering Frames by a Specific MAC Address A switch examines frames and sends them through the internetwork according to the destination address a switch does not forward a frame back to its originating network segment You can us...

Page 693: ...age 26 8 Assigning a Path Cost page 26 9 Adjusting BPDU Intervals page 26 10 Disabling the Spanning Tree on an Interface page 26 12 Note Only network administrators with a good understanding of how switches and STP function should make adjustments to spanning tree parameters Poorly planned adjustments can have a negative impact on performance A good source on switching is the IEEE 802 1d specifica...

Page 694: ...t switch you configure an interface priority to break the tie The switch with the lowest interface value is elected Beginning in privileged EXEC mode follow these steps to change the interface priority Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group priority number Change the priority of the switch For bridge group specify the bridge group numbe...

Page 695: ...w to change the path cost on an interface to 10 in bridge group 10 Switch config interface gigabitethernet0 1 Switch config if bridge group 10 path cost 20 Step 5 show running config Verify your entry Step 6 copy running config startup config Optional Save your entry in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface...

Page 696: ...g bridge 10 hello time 5 Changing the Forward Delay Interval The forward delay interval is the amount of time spent listening for topology change information after an interface has been activated for switching and before forwarding actually begins Beginning in privileged EXEC mode follow these steps to change the forward delay interval Command Purpose Step 1 configure terminal Enter global configu...

Page 697: ...se the no bridge bridge group max age global configuration command This example shows how to change the maximum idle interval to 30 seconds in bridge group 10 Switch config bridge 10 max age 30 Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Command Purpose Command Pu...

Page 698: ...ig if bridge group 10 spanning disabled Monitoring and Maintaining the Network To monitor and maintain the network use one or more of the privileged EXEC commands in Table 26 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface ID Step 3 bridge group bridge group spanning disabled Disa...

Page 699: ...r Switch Command Reference for this release and the Cisco IOS Command Summary for Release 12 1 This chapter consists of these sections Using Recovery Procedures page 27 1 Preventing Autonegotiation Mismatches page 27 10 Diagnosing Connectivity Problems page 27 11 Using Debug Commands page 27 14 Using the show forward Command page 27 15 Using the crashinfo File page 27 17 Using Recovery Procedures ...

Page 700: ...p 4 Press the Mode button and at the same time reconnect the power cord to the switch You can release the Mode button a second or two after the LED above port 1X goes off Several lines of information about the software appear along with instructions The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system and finish lo...

Page 701: ...ep 3 Unplug the switch power cord Step 4 Press the Mode button and at the same time reconnect the power cord to the switch You can release the Mode button a second or two after the LED above port 1X turns off Several lines of information about the software appear with instructions informing you if the password recovery procedure has been disabled or not If you see a message that begins with this T...

Page 702: ...nfig text old This file contains the password definition switch rename flash config text flash config text old Step 6 Boot the system switch boot You are prompted to start the setup program Enter N at the prompt Continue with the configuration dialog yes no N Step 7 At the switch prompt enter privileged EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename...

Page 703: ...rrently disabled Access to the boot loader prompt through the password recovery mechanism is disallowed at this point However if you agree to let the system be reset back to the default system configuration access to the boot loader prompt can still be allowed Would you like to reset the system back to the default configuration y n Caution Returning the switch to the default configuration results ...

Page 704: ...itch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 8 Return to privileged EXEC mode Switch config exit Switch Step 9 Write the running configuration to the startup configuration file Switch copy running config startup config The new password is now in the star...

Page 705: ...dundant connectivity between the member switches and the replacement command switch This section describes two solutions for replacing a failed command switch Replacing a failed command switch with a cluster member Replacing a failed command switch with another switch For information on command capable switches refer to the release notes Replacing a Failed Command Switch with a Cluster Member To r...

Page 706: ...start the setup program Step 11 Respond to the questions in the setup program When prompted for the host name recall that on a command switch the host name is limited to 28 characters on a member switch to 31 characters Do not use n where n is a number as the last characters in a host name for any switch When prompted for the Telnet virtual terminal password recall that it can be from 1 to 25 alph...

Page 707: ... may enter a question mark for help Use ctrl c to abort configuration dialog at any prompt Default settings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic management setup yes no Step 6 Enter Y at the first prompt The prompts in the set...

Page 708: ...t 2950 Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 member switches must connect to the command switch through a port that belongs to the same management VLAN A member switch Catalyst 3550 Catalyst 2950 Catalyst 3500 XL Catalyst 2900 XL Catalyst 2820 and Catalyst 1900 switch connected to the command switch through a secured port can lose connectivity if the port is disabled because of a securi...

Page 709: ...n host message is returned Destination unreachable If the default gateway cannot reach the specified network a destination unreachable message is returned Network or host unreachable If there is no entry in the route table for the host or network a network or host unreachable message is returned Executing Ping If you attempt to ping a host in a different IP subnetwork you must define a static rout...

Page 710: ...me VLAN However if the intermediate switch is a multilayer switch that is routing a particular packet this switch shows up as a hop in the traceroute output The traceroute privileged EXEC command uses the Time To Live TTL field in the IP header to cause routers and servers to generate specific return messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination hos...

Page 711: ...e traceroute privileged EXEC command they are not supported in this release This example shows how to perform a traceroute to an IP host Switch traceroute ip 171 9 15 10 Type escape sequence to abort Tracing the route to 171 69 115 10 1 172 2 52 1 0 msec 0 msec 4 msec 2 172 2 1 203 12 msec 8 msec 0 msec 3 171 9 16 6 4 msec 0 msec 0 msec 4 171 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec...

Page 712: ...n for the Catalyst 3550 specific debug commands refer to the Catalyst 3550 Multilayer Switch Command Reference for this release Enabling Debugging on a Specific Feature All debug commands are entered in privileged EXEC mode and most debug commands take no arguments For example beginning in privileged EXEC mode enter this command to enable the debugging for Switch Port Analyzer Switch debug span se...

Page 713: ...ug output instead of connecting to the console port Possible destinations include the console virtual terminals internal buffer and UNIX hosts running a syslog server The syslog format is compatible with 4 3 Berkeley Standard Distribution BSD UNIX and its derivatives Note Be aware that the debugging destination you use affects system overhead Logging messages to the console produces very high over...

Page 714: ...0000000 vlan 8 vlanid entry 000C0012 00000000 00000000 04620000 FastEthernet0 9 vlan 8 dst 0022 3355 9800 src 0000 1111 2222 cos 0x0 dscp 0x0 Much of this information is useful mainly for Technical Support personnel who have access to detailed information about the switch application specific integrated circuits ASICs However you can look at the Egress q section to get information about the output...

Page 715: ...ile system flash crashinfo crashinfo_n where n is a sequence number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the Catalyst 3550 switches do not include a real time clock You cannot cha...

Page 716: ...27 18 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Chapter 27 Troubleshooting Using the crashinfo File ...

Page 717: ... List RFC 1213 IF MIB CISCO CDP MIB CISCO IMAGE MIB CISCO FLASH MIB OLD CISCO CHASSIS MIB CISCO PAGP MIB CISCO VTP MIB CISCO HSRP MIB OLD CISCO TS MIB BRIDGE MIB RFC1493 CISCO VLAN MEMBERSHIP MIB CISCO VLAN IFINDEX RELATIONSHIP MIB CISCO STACK MIB only a subset of the available MIB objects are implemented not all objects are supported RMON 1 MIB only RMON etherStats etherHistory alarms and events ...

Page 718: ...R MIB Using FTP to Access the MIB Files You can obtain each MIB file by using this procedure Step 1 Use FTP to access the server ftp cisco com Step 2 Log in with the username anonymous Step 3 Enter your e mail username when prompted for the password Step 4 At the ftp prompt change directories to pub mibs v1 and the pub mibs v2 Step 5 Use the get MIB_filename command to obtain a copy of the MIB fil...

Page 719: ...ists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 19 Working with the Flash File System The Flash file system on your switch provides several commands to help you manage software image and configuration files The Flash file system is a single Flash device on which you can store files This Flash device is...

Page 720: ... the file system in bytes Type Type of file system flash The file system is for a Flash memory device nvram The file system is for a nonvolatile RAM NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for file system ro read only rw read write wo write...

Page 721: ...guration file with the same name Similarly before copying a Flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change dire...

Page 722: ... to a destination use the copy erase source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization You can ...

Page 723: ...file or directory from a specified Flash device use the delete force recursive filesystem file url privileged EXEC command Use the recursive keyword for deleting a directory and all subdirectories and the files contained in it Use the force keyword to suppress the prompting that confirms a deletion of each file in the directory You are prompted only once at the beginning of this deletion process U...

Page 724: ...ar file to be created For flash file url specify the location on the local Flash file system from which the new tar file is created You can also specify an optional list of files or directories within the source directory to write to the new tar file If none are specified all files and directories at this level are written to the newly created tar file This example shows how to create a tar file T...

Page 725: ... html 0 bytes Extracting a tar File To extract a tar file into a directory on the Flash file system use this privileged EXEC command archive tar xtract source url flash file url For source url specify the source URL alias for the local or network file system These options are supported For the local Flash file system the syntax is flash For the File Transfer Protocol FTP the syntax is ftp username...

Page 726: ... or RCP server to the running configuration or startup configuration of the switch You might want to perform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can ...

Page 727: ...es the file Note The copy ftp rcp tftp system running config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is er...

Page 728: ...tch by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage This section includes this information Preparing to Download or Upload a Configuration File By Using TFTP page B 10 Downloading the Configuration File By Using TFTP page B 11 Uploading the Configuration File By Using TFTP page ...

Page 729: ...n File By Using TFTP To configure the switch by using a configuration file downloaded from a TFTP server follow these steps Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation Step 2 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 10 Step 3 Log into the sw...

Page 730: ...ration Files By Using FTP You can copy configuration files to or from an FTP server The FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy a configuration file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the copy command if a username is specifi...

Page 731: ...name is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new FTP username by using the ip ftp username username global configuration command during all copy operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you h...

Page 732: ...ration file host2 confg from the netadmin1 directory on the remote server with an IP address of 172 16 101 101 to the switch startup configuration Switch configure terminal Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg hos...

Page 733: ...ch config ip ftp password mypass Switch config end Switch copy nvram startup config ftp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B...

Page 734: ...e Telnet username as the remote username The switch host name For a successful RCP copy request you must define an account on the network server for the remote username If the server has a directory structure the configuration file is written to or copied from the directory associated with the remote username on the server For example if the configuration file is in the home directory of a user on...

Page 735: ...he netadmin1 directory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by rcp from 172 16 101 101 ...

Page 736: ...ps to upload a configuration file by using RCP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config rcp netadmin1 172 16 101 101 switch2 confg Write file switch confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Sw...

Page 737: ...lete flash filename privileged EXEC command Depending on the setting of the file prompt global configuration command you might be prompted for confirmation before you delete a file By default the switch prompts for confirmation on destructive file operations For more information about the file prompt command refer to the Cisco IOS Command Reference for Release 12 1 Caution You cannot restore a fil...

Page 738: ...that begins with System image file is It shows the directory name in Flash memory where the image is stored You can also use the dir filesystem privileged EXEC command to see the directory names of other software images you might have stored in Flash memory tar File Format of Images on a Server or Cisco com Software images located on a server or downloaded from Cisco com are provided in a tar file...

Page 739: ...ge B 22 Downloading an Image File By Using TFTP page B 22 Uploading an Image File By Using TFTP page B 24 Table B 3 info and info ver File Description Field Description version_suffix Specifies the IOS image version string suffix version_directory Specifies the directory where the IOS image and the HTML subdirectory are installed image_name Specifies the name of the IOS image within the tar file i...

Page 740: ...the TFTP server by using the ping command Ensure that the image to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an ...

Page 741: ...e it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board Flash device For file url enter the directory name of the old image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Step 3 archive download sw overwrite reload ...

Page 742: ...loading these files in order info the IOS image the HTML files and info ver After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names Command Purpose Step 1 Make sure the TFTP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on ...

Page 743: ...ified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ftp username username global configuration command if the command is configured Anonymous The switch sends the first valid password in this list The password specified in the archive download sw or archive upload sw privileged EXEC command if a password is specified T...

Page 744: ...s username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information refer to the documentation for...

Page 745: ...in Flash with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 25 For location sp...

Page 746: ...te CMS have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an FTP server Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step 3 c...

Page 747: ...d uploading image files between remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to crea...

Page 748: ...new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and there is no need to set the RCP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation When you upload an image to the RCP to the server it must be pr...

Page 749: ...ration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 29 For location specify the IP address of the RCP server For directory image name tar specify t...

Page 750: ...r file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an image from the switch to an RCP server You can later download this image to the same switch or to another switch of the same type...

Page 751: ...Step 5 end Return to privileged EXEC mode Step 6 archive upload sw rcp username location directory image na me tar Upload the currently running switch image to the RCP server For username specify the username for the RCP copy request to execute an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Usin...

Page 752: ...B 34 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Appendix B Working with the IOS File System Configuration Files and Software Images Working with Software Images ...

Page 753: ...ture and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware add...

Page 754: ...wap_l3_addresses bridge bridge group bridge ip bridge bridge group circuit group circuit group pause milliseconds bridge bridge group circuit group circuit group source based bridge cmf bridge crb bridge bridge group domain domain name bridge irb bridge bridge group mac address table limit number bridge bridge group multicast source bridge bridge group route protocol bridge bridge group subscriber...

Page 755: ...s list number bridge group bridge group output pattern list access list number bridge group bridge group output type list access list number bridge group bridge group sse bridge group bridge group subscriber loop control bridge group bridge group subscriber trunk bridge bridge group lat service filtering frame relay map bridge dlci broadcast interface bvi bridge group x25 map bridge x 121 address ...

Page 756: ...r group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number The show ip mcache command displays entries in the cache for those packets that are sent to the swi...

Page 757: ...urce list access list kbps ip multicast use functional ip pim minimum vc rate pps ip pim multipoint signalling ip pim nbma mode ip pim vc count number ip rtp compression connections number ip rtp header compression passive IP Unicast Routing Unsupported Privileged EXEC or User EXEC Commands clear ip accounting checkpoint show cef drop not cef switched show ip vrf brief detail interfaces vrf name o...

Page 758: ...erface Configuration Commands ip accounting ip load sharing per packet ip mtu bytes ip route cache ip verify ip vrf ip unnumbered type number All ip security commands Unsupported VPN Configuration Commands All Unsupported VRF Configuration Commands All Unsupported Route Map Commands set automatic tag set ip destination ip address mask set ip next hop ip address ip address set ip next hop peer addr...

Page 759: ...ow smf interface id show subscriber policy policy number show template template name Unsupported Global Configuration Commands ip msdp default peer ip address name prefix list list Because BGP MBGP is not supported use the ip msdp peer command instead of this command RADIUS Unsupported Global Configuration Commands aaa nas port extended radius server attribute nas port radius server configure radi...

Page 760: ...C 8 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 Appendix C Unsupported CLI Commands RADIUS ...

Page 761: ...e ACLs access modes CMS 3 31 access ports defined 8 2 in switch clusters 5 11 accounting with RADIUS 6 27 accounting with TACACS 6 11 6 17 ACEs and QoS 20 7 defined 19 2 Ethernet 19 2 IP 19 2 Layer 3 parameters 19 10 Layer 4 parameters 19 10 ACLs ACEs 19 2 any keyword 19 12 applying on bridged packets 19 40 on multicast packets 19 42 on routed packets 19 41 on switched packets 19 39 time ranges to...

Page 762: ...ation 20 27 creating 19 8 matching criteria 19 7 supported features 19 5 support for 1 3 time ranges 19 15 unsupported features 19 6 using router ACLs with VLAN maps 19 36 ACLs continued VLAN maps configuration guidelines 19 28 configuring 19 27 defined 19 3 active router 23 1 addresses displaying the MAC address table 6 57 dynamic accelerated aging 10 10 changing the aging time 6 53 default aging...

Page 763: ...TACACS defined 6 11 key 6 13 login 6 14 authentication keys and routing protocols 22 63 authoritative time source described 6 32 authorization with RADIUS 6 26 authorization with TACACS 6 11 6 16 authorized ports with 802 1X 7 4 autoconfiguration 4 3 automatic discovery adding member switches 5 20 considerations beyond a non candidate device 5 8 5 9 brand new switches 5 11 connectivity 5 4 differe...

Page 764: ... 3 1 5 1 buttons CMS 3 29 C cables monitoring for unidirectional links 14 1 Cancel button 3 29 candidate switch adding 5 20 automatic discovery 5 4 defined 5 3 HC 5 22 passwords 5 20 requirements 5 3 standby group 5 22 See also command switch cluster standby group and member switch caution described xxx CC command switch 5 22 CDP automatic discovery in switch clusters 5 4 configuring 13 2 default ...

Page 765: ...eating a cluster standby group 5 22 described 5 1 LRE profile considerations 5 17 managing through CLI 5 25 through SNMP 5 26 clusters switch continued planning considerations automatic discovery 5 4 automatic recovery 5 12 CLI 5 25 described 5 4 host names 5 16 IP addresses 5 15 LRE profiles 5 17 passwords 5 16 SNMP 5 16 5 26 switch specific features 5 18 TACACS 5 17 redundancy 5 22 See also cand...

Page 766: ...described 2 5 disabling 2 5 recalling commands 2 5 no and default forms of commands 2 4 command modes 2 1 commands abbreviating 2 3 no and default 2 4 setting privilege levels 6 8 command switch active AC 5 12 5 22 command switch with HSRP disabled CC 5 22 configuration conflicts 27 10 defined 5 2 enabling 5 19 passive PC 5 12 5 22 password privilege levels 5 25 priority 5 12 recovery from failure...

Page 767: ...inal command 8 7 conflicts configuration 27 10 congestion avoidance techniques 20 13 congestion management techniques 20 13 20 15 connectivity problems 27 11 consistency checks in VTP version 2 9 6 conventions command xxx for examples xxx publication xxx text xxx CoS 1 4 20 2 CoS to DSCP map for QoS 20 39 CoS to egress queue map 20 45 counters clearing interface 8 20 Cpu q in show forward command ...

Page 768: ...ing VLAN from database 9 18 description command 8 17 designing your network examples 1 7 destination addresses in ACLs 19 11 device discovery protocol 13 1 device icons Front Panel view 3 5 Topology view 3 12 device labels 3 13 Device Manager 3 2 See also Switch Manager device pop up menu Front Panel view 3 22 Topology view 3 24 DHCP autoconfiguration example 4 8 client request message exchange 4 ...

Page 769: ...on map for QoS 20 43 DSCP to threshold map for QoS 20 47 DTP 1 3 9 22 DUAL finite state machine EIGRP 22 46 duplex mode configuring 8 14 DVMRP all DVMRP routers multicast group address 24 11 autosummarization configuring a summary address 24 54 disabling 24 56 connecting PIM domain to DVMRP router 24 46 enabling unicast routing 24 50 interoperability with Cisco devices 24 44 with IOS software 24 1...

Page 770: ... configuring 22 48 default configuration 22 47 EIGRP continued definition 22 46 interface parameters configuring 22 49 monitoring 22 51 support for 1 4 enable password 6 4 enable secret password 6 4 encapsulation types Ethernet trunk 9 24 encryption for passwords 6 4 Enhanced IGRP See EIGRP environment variables function of 4 16 location in Flash 4 15 equal cost routing 1 4 22 54 error checking CM...

Page 771: ...iguration 1 7 Expand Cluster view 3 11 expedite queue for QoS 10 100 Ethernet ports allocating bandwidth 20 54 configuring 20 54 described 20 15 expedite queue for QoS continued Gigabit capable Ethernet ports allocating bandwidth 20 50 configuring 20 50 described 20 13 expert mode 3 26 extended system ID for STP 10 3 10 23 Extensible Authentication Protocol over LAN 7 1 exterior routes IGRP 22 30 ...

Page 772: ...ile format B 20 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 4 setting the default B 3 filtering in a VLAN 19 27 non IP traffic 19 28 show and more command output 2 8 with fallback bridging 26 6 filters IP See ACLs IP Flash device number of B 1 flash updates IGRP 22 31 flooded traffic blocking 12 6 flow ba...

Page 773: ...determining ACL configuration fit 19 37 HC candidate switch 5 22 hello time STP 10 29 help for the command line 2 3 Help button CMS 3 29 Help Contents 3 27 history changing the buffer size 2 5 described 2 5 disabling 2 5 recalling commands 2 5 history table level and number of syslog messages 17 10 host name list CMS 3 28 host names abbreviations appended to 5 22 in clusters 5 16 hosts limit on dy...

Page 774: ...ost query interval modifying 24 36 joining multicast group 11 2 join messages 11 2 IGMP continued leave processing enabling 11 9 leaving multicast group 11 4 multicast reachability 24 34 overview 24 3 queries 11 3 support for 1 2 Version 1 changing to Version 2 24 32 hosts joining a group 24 3 hosts leaving a group 24 3 membership queries 24 3 overview 24 3 query response model 24 3 Version 2 chan...

Page 775: ...g 8 7 configuring duplex mode 8 14 configuring speed 8 14 counters clearing 8 20 described 8 17 descriptive name adding 8 17 displaying information about 8 18 interfaces continued flow control 8 16 management 1 5 monitoring 8 18 naming 8 17 physical identifying 8 7 range of 8 9 restarting 8 21 shutting down 8 21 supported 8 6 types of 8 1 interfaces range macro command 8 11 Interior Gateway Protoc...

Page 776: ...st group address range 24 1 administratively scoped boundaries described 24 42 and IGMP snooping 11 1 11 5 IP multicast routing continued Auto RP adding to an existing sparse mode cloud 24 19 benefits of 24 18 clearing the cache 24 58 configuration guidelines 24 15 IOS release 24 5 overview 24 8 preventing candidate RP spoofing 24 21 preventing join messages to false RPs 24 20 setting up in a new ...

Page 777: ...m and network 24 58 TTL thresholds described 24 40 See also CGMP See also DVMRP See also IGMP See also PIM IP precedence 20 2 IP precedence to DSCP map for QoS 20 40 IP protocols in ACLs 19 11 routing 1 4 IP routes monitoring 22 64 IP routing connecting interfaces with 8 6 enabling 22 24 IP traceroute executing 27 13 overview 27 12 IP unicast routing address resolution 22 10 administrative distanc...

Page 778: ...rames classification with CoS 20 2 Layer 2 interfaces default configuration 8 13 Layer 2 trunks 9 22 Layer 3 features 1 4 Layer 3 interfaces assigning IP addresses to 22 6 changing from Layer 2 mode 22 6 types of 22 3 Layer 3 packets classification methods 20 2 Layer 3 parameters of ACEs 19 10 Layer 4 parameters of ACEs 19 10 leave processing IGMP 11 9 LEDs port 3 8 port modes 3 8 RPS 3 7 legend C...

Page 779: ...P to threshold 20 47 IP precedence to DSCP 20 40 policed DSCP 20 41 described 20 11 marking action in policy map 20 32 action with aggregate policers 20 37 described 20 3 20 8 matching ACLs 19 6 maximum aging time STP 10 30 maximum paths command 22 54 membership mode VLAN port 3 9 9 3 member switch adding 5 20 automatic discovery 5 4 defined 5 2 managing 5 25 passwords 5 15 recovering from lost co...

Page 780: ...king 12 11 port protection 12 11 RP mapping information 24 27 source active messages 25 19 monitoring continued speed and duplex mode 8 15 traffic flowing among switches 16 1 traffic suppression 12 11 VLAN filters 19 33 maps 19 33 VMPS 9 40 VTP 9 13 VTP database 9 21 MSDP and dense mode regions sending SA messages to 25 17 specifying the originating address 25 18 benefits of 25 3 clearing MSDP con...

Page 781: ...k icon 3 23 MVR configuring interfaces 11 16 default configuration 11 15 described 11 12 modes 11 16 monitoring 11 18 setting global parameters 11 15 support for 1 2 N named IP ACLs 19 14 native VLANs 9 29 negotiate trunk mode 3 9 neighbor discovery recovery EIGRP 22 46 neighboring devices types of 3 12 network configuration examples increasing network performance 1 7 large network 1 13 providing ...

Page 782: ...p pacing 22 43 monitoring 22 44 router IDs 22 43 route summarization 22 41 support for 1 4 virtual links 22 41 out of profile markdown 1 4 output interface getting information about 27 16 overheating indication switch 3 5 P packet modification with QoS 20 17 PAgP See EtherChannel parallel links 9 29 parallel paths in routing tables 22 54 passive interfaces configuring 22 61 OSPF 22 42 passwords de...

Page 783: ...11 overview 27 11 planning considerations switch clusters LRE profiles 5 17 switch specific features 5 18 poison reverse updates IGRP 22 31 policed DSCP map for QoS 20 41 policers configuring for each matched traffic class 20 32 for more than one traffic class 20 37 described 20 3 displaying 20 56 number of 1 4 20 9 types of 20 8 policing described 20 3 token bucket algorithm 20 8 policy maps for ...

Page 784: ...LEDs 3 8 port pop up menu Front Panel view 3 22 port priority STP 10 26 ports 802 1Q trunk 3 9 access 8 2 blocking 12 6 dynamic access 3 9 9 3 ports continued dynamic VLAN membership reconfirming 9 39 forwarding resuming 12 7 ISL trunk 3 9 negotiate trunk 3 9 protected 12 5 routed 8 4 secure 12 8 static access 3 9 9 3 9 19 switch 8 2 trunks 9 3 9 22 VLAN assignments 9 19 port security configuring ...

Page 785: ...4 trust DSCP described 20 4 trusted CoS described 20 4 trust IP precedence described 20 4 types for IP traffic 20 5 types for non IP traffic 20 4 QoS continued class maps configuring 20 30 displaying 20 56 configuration examples common wiring closet 20 57 distribution layer 20 59 intelligent wiring closet 20 58 configuration guidelines 20 20 configuring aggregate policers 20 37 default port CoS va...

Page 786: ...s of 20 32 configuring 20 32 displaying 20 56 queueing defined 20 3 QoS continued queues CoS to egress queue map 20 45 for 10 100 Ethernet ports 20 15 high priority expedite 20 13 20 50 minimum reserve levels 20 53 serviced by WRR 20 13 20 16 size of 20 13 20 15 size ratios 20 46 tail drop threshold percentages 20 13 20 47 WRED drop percentage thresholds 20 13 20 48 WRR scheduling 20 50 scheduling...

Page 787: ... image B 32 downloading B 30 preparing the server B 29 uploading B 32 read only access mode 3 31 read write access mode 3 31 reconfirmation interval VMPS changing 9 39 recovery procedures 27 1 redundancy EtherChannel 21 1 features 1 3 HSRP 23 1 STP backbone 10 9 multidrop backbone 10 13 path cost 9 32 port priority 9 30 redundant clusters See cluster standby group redundant power system See RPS Re...

Page 788: ...routed ports IP addresses on 8 22 22 3 router ACLs 19 2 router ID OSPF 22 43 route summarization OSPF 22 41 routing default 22 2 dynamic 22 2 redistribution of information 22 57 static 22 2 Routing Information Protocol See RIP routing protocol administrative distances 22 56 RPS LED 3 7 running configuration saving 4 10 S saving changes in CMS 3 32 SC standby command switch 5 12 5 22 scheduled relo...

Page 789: ...ps described 18 2 enabling 18 7 enabling MAC address notification 6 54 overview 18 1 18 3 types of 18 7 versions supported 18 2 snooping IGMP 11 1 software images location in Flash B 20 recovery procedures 27 2 scheduling reloads 4 17 tar file format described B 20 See also downloading and uploading source addresses in ACLs 19 11 SPAN configuration guidelines 15 7 default configuration 15 7 destin...

Page 790: ...22 2 static VLAN membership 9 2 statistics 802 1X 7 14 CDP 13 5 interface 8 18 IP multicast routing 24 58 OSPF 22 44 statistics continued QoS ingress and egress 20 56 RMON group Ethernet 16 5 RMON group history 16 5 SNMP input and output 18 10 VTP 9 13 storm control configuring 12 3 definition 12 1 displaying 12 11 thresholds 12 1 STP accelerating root port selection 10 12 BackboneFast described 1...

Page 791: ... 3 10 20 root port defined 10 4 STP continued root switch affects of extended system ID 10 3 10 23 configuring 10 23 election 10 3 unexpected behavior 10 23 settings in a cascaded stack 10 30 shutdown Port Fast configured interface 10 11 supported number of spanning tree instances 10 2 timers described 10 5 UplinkFast described 10 12 VLAN bridge 10 9 stratum NTP 6 32 stub areas OSPF 22 39 subnet m...

Page 792: ... 17 4 synchronizing log messages 17 6 syslog facility 1 5 timestamps enabling and disabling 17 7 UNIX syslog servers configuring the daemon 17 11 configuring the logging facility 17 11 facilities supported 17 12 system messages 3 19 system name default configuration 6 46 default setting 6 46 manual configuration 6 46 See also DNS system prompt default setting 6 46 manual configuration 6 47 system ...

Page 793: ...er B 22 uploading B 24 limiting access by servers 18 9 TFTP server 1 2 threshold traffic level 12 2 time See NTP and system clock time range command 19 15 time ranges in ACLs 19 15 timestamps in log messages 17 7 time zones 6 43 Token Ring VLANs support for 9 15 TrCRF and TrBRF 9 6 toolbar 3 21 tool tips 3 27 Topology view Collapse Cluster view 3 11 colors 3 14 described 3 10 device icons 3 12 dev...

Page 794: ...2 using STP port priorities 9 30 native VLAN for untagged traffic 9 29 parallel 9 32 pruning eligible list 9 28 to non DTP device 9 23 understanding 9 22 twisted pair Ethernet detecting unidirectional links 14 1 type of service See TOS U UDLD default configuration 14 3 echoing detection mechanism 14 2 enabling globally 14 3 per interface 14 4 link detection mechanism 14 1 neighbor database 14 2 ov...

Page 795: ...t Policy Server See VMPS VLAN map entries order of 19 28 VLAN maps applying 19 32 common uses for 19 33 configuration example 19 34 configuration guidelines 19 28 configuring 19 27 creating 19 30 defined 19 2 denying access example 19 35 denying and permitting packets 19 30 displaying 19 33 examples 19 35 support for 1 3 usage 19 3 with router ACLs 19 42 VLAN membership confirming 9 39 modes 3 9 9...

Page 796: ...ging 9 39 reconfirming membership 9 39 retry count changing 9 39 voice VLANs See VVIDs VQP 1 3 VTP advertisements 9 5 9 25 client mode configuring 9 11 configuration guidelines 9 8 requirements 9 9 VTP continued configuration requirements 9 9 configuring client mode 9 11 server mode 9 10 transparent mode 9 11 consistency checks 9 6 database 9 17 configuring VLANs 9 17 displaying 9 21 parameters 9 ...

Page 797: ...ling 9 12 enabling 9 12 overview 9 6 VLAN parameters 9 15 VTP monitoring 9 13 VTP pruning 1 3 VVIDs 1 8 W web based management software See CMS Weighted Random Early Detection See WRED Weighted Round Robin See WRR weighted round robin described 20 3 window components CMS 3 28 wizards 1 6 3 26 WRED 1 4 20 14 WRR 1 4 20 3 X XMODEM protocol 27 2 ...

Page 798: ...Index IN 38 Catalyst 3550 Multilayer Switch Software Configuration Guide 78 11194 03 ...

Reviews:

No comments

Related manuals for Catalyst 3550

Canon Optura Pi Software Starter Manual preview
Optura Pi
Brand: Canon Pages: 90
ScanSoft DRAGON NATURALLYSPEAKING 7 User Manual preview
DRAGON NATURALLYSPEAKING 7
Brand: ScanSoft Pages: 222
Autodesk AutoCAD Civil 3D 2013 User Manual preview
AutoCAD Civil 3D 2013
Brand: Autodesk Pages: 25
Autodesk ALIAS DESIGN Brochure preview
ALIAS DESIGN
Brand: Autodesk Pages: 12
Autodesk 235B1-05A761-1301 - AutoCAD MEP 2010 User Manual preview
235B1-05A761-1301 - AutoCAD MEP 2010
Brand: Autodesk Pages: 878
Autodesk AUTOCAD 2006 Command Reference Manual preview
AUTOCAD 2006
Brand: Autodesk Pages: 1490
Yamaha YC-3B Installation Manual preview
YC-3B
Brand: Yamaha Pages: 4
Yamaha YC-3B Owner'S Manual preview
YC-3B
Brand: Yamaha Pages: 6
Yamaha USB Installation Manual preview
USB
Brand: Yamaha Pages: 7
Yamaha Studio Manager v.2 Owner'S Manual preview
Studio Manager v.2
Brand: Yamaha Pages: 11
Yamaha Studio Manager v.2 Installation Manual preview
Studio Manager v.2
Brand: Yamaha Pages: 15
Yamaha VL Visual Editor Manual preview
VL Visual Editor
Brand: Yamaha Pages: 23
Yamaha TOOLS for MY16-mLAN Owner'S Manual preview
TOOLS for MY16-mLAN
Brand: Yamaha Pages: 24
Yamaha TOOLS for TYROS Installation Manual preview
TOOLS for TYROS
Brand: Yamaha Pages: 36
Pfaff CREATIVE 4D EXPRESS MONOGRAM WIZARD Brochure preview
CREATIVE 4D EXPRESS MONOGRAM WIZARD
Brand: Pfaff Pages: 2
Pfaff FILES AND FOLDERS Manual preview
FILES AND FOLDERS
Brand: Pfaff Pages: 8
VMware VCLOUD REQUEST MANAGER Datasheet preview
VCLOUD REQUEST MANAGER
Brand: VMware Pages: 2
KAPERSKY ANTI-VIRUS 5.6 - FOR NOVELL NETWARE Administrator'S Manual preview
ANTI-VIRUS 5.6 - FOR NOVELL NETWARE
Brand: KAPERSKY Pages: 130

Brands by name

Popular brands

Load more brands