Cisco Catalyst 3560-X Series Software Configuration Manual Download Page 375 | Manualshive

Page: 375 / 1538

background image

1-11

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-25303-03

Chapter 1 Configuring MACsec Encryption

Configuring Cisco TrustSec MACsec

Note

Before you configure Cisco TrustSec MACsec authentication, you should configure Cisco TrustSec seed
and non-seed devices. For 802.1x mode, you must configure at least one seed device, that device closest
to the access control system (ACS). See this section in the

Cisco TrustSec Configuration Guide

:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/ident-conn_config.html

Configuring Cisco TrustSec Switch-to-Switch Link Security in 802.1x Mode

You enable Cisco TrustSec link layer switch-to-switch security on an interface that connects to another
Cisco TrustSec device. When configuring Cisco TrustSec in 802.1x mode on an interface, follow these
guidelines:

•

To use 802.1x mode, you must globally enable 802.1x on each device.

•

If you select GCM as the SAP operating mode, you must have a MACsec encryption software
license from Cisco. MACsec is supported on Catalyst 3750-X and 3560-X universal IP base and IP
services licenses. It is not supported with the NPE license or with a LAN base service image.

If you select GCM without the required license, the interface is forced to a link-down state.

Beginning in privilege EXEC mode, follow these steps to configure Cisco TrustSec switch-to-switch link
layer security with 802.1x.

Command

Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface

interface-id

Note

Enters interface configuration mode.

Step 3

cts dot1x

Configures the interface to perform NDAC authentication.

Step 4

sap mode-list

mode1

[

mode2

[

mode3

[

mode4

]]]

(Optional) Configures the SAP operation mode on the interface. The
interface negotiates with the peer for a mutually acceptable mode.
Enter the acceptable modes in your order of preference.

Choices for

mode

are:

•

gcm-encrypt

—Authentication and encryption

Note

Select this mode for MACsec authentication and encryption
if your software license supports MACsec encryption.

•

gmac

—Authentication, no encryption

•

no-encap

—No encapsulation

•

null

—Encapsulation, no authentication or encryption

Note

If the interface is not capable of data link encryption,

no-encap

is the default and the only available SAP

operating mode. SGT is not supported.

Note

Although visible in the CLI help, the

timer reauthentication

and

propagate sgt

keywords are not

supported.

Step 5

exit

Exits Cisco TrustSec 802.1x interface configuration mode.

Step 6

end

Returns to privileged EXEC mode.

«
...
373
374
375
376
377
...
»

Summary of Contents for Catalyst 3560-X Series

Page 1: ...sman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 3750 X and 3560 X Switch Software Configuration Guide Cisco IOS Release 15 0 2 SE and Later November 2013 Text Part Number OL 25303 03 ...

Page 2: ...XPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILI...

Page 3: ...f show and more Commands 1 9 Accessing the CLI 1 9 Understanding Cisco Configuration Engine Software 1 1 Understanding Cisco IOS Agents 1 5 Configuring Cisco IOS Agents 1 6 Displaying CNS Configuration 1 14 Understanding the Boot Process 1 1 Assigning Switch Information 1 2 Checking and Saving the Running Configuration 1 16 Modifying the Startup Configuration 1 18 Scheduling a Reload of the Softwa...

Page 4: ...ess with RADIUS 1 17 Controlling Switch Access with Kerberos 1 39 Configuring the Switch for Local Authentication and Authorization 1 43 Configuring the Switch for Secure Shell 1 44 Configuring the Switch for Secure Socket Layer HTTP 1 48 Configuring the Switch for Secure Copy Protocol 1 54 Understanding IEEE 802 1x Port Based Authentication 1 1 Configuring 802 1x Authentication 1 37 Displaying 80...

Page 5: ...onfiguring VLAN Trunks 1 14 Configuring VMPS 1 25 Understanding VTP 1 1 Configuring VTP 1 8 Monitoring VTP 1 18 Understanding Voice VLAN 1 1 Configuring Voice VLAN 1 3 Displaying Voice VLAN 1 7 Understanding Private VLANs 1 1 Configuring Private VLANs 1 6 Monitoring Private VLANs 1 15 Understanding IEEE 802 1Q Tunneling 1 1 Configuring IEEE 802 1Q Tunneling 1 4 Understanding Layer 2 Protocol Tunne...

Page 6: ... 18 Displaying IP Source Guard Information 1 26 Understanding DHCP Server Port Based Address Allocation 1 26 Configuring DHCP Server Port Based Address Allocation 1 27 Displaying DHCP Server Port Based Address Allocation 1 29 Understanding Dynamic ARP Inspection 1 1 Configuring Dynamic ARP Inspection 1 5 Displaying Dynamic ARP Inspection Information 1 14 Understanding IGMP Snooping 1 2 Configuring...

Page 7: ... Understanding SPAN and RSPAN 1 1 Understanding Flow Based SPAN 1 11 Configuring SPAN and RSPAN 1 12 Configuring FSPAN and FRSPAN 1 24 Displaying SPAN RSPAN FSPAN and FRSPAN Status 1 28 Understanding RMON 1 1 Configuring RMON 1 2 Displaying RMON Status 1 6 Understanding System Message Logging 1 1 Configuring System Message Logging 1 2 Configuring Smart Logging 1 14 Displaying the Logging Configura...

Page 8: ...23 Configuring Link State Tracking 1 25 Understanding TelePresence E911 IP Phone Support 1 1 Configuring TelePresence E911 IP Phone Support 1 2 Understanding IP Routing 1 2 Steps for Configuring Routing 1 5 Configuring IP Addressing 1 6 Enabling IP Unicast Routing 1 20 Configuring RIP 1 20 Configuring OSPF 1 27 Configuring EIGRP 1 37 Configuring BGP 1 45 Configuring ISO CLNS Routing 1 66 Configuri...

Page 9: ...figuring Advanced PIM Features 1 35 Configuring Optional IGMP Features 1 38 Configuring Optional Multicast Routing Features 1 44 Configuring Basic DVMRP Interoperability Features 1 49 Configuring Advanced DVMRP Interoperability Features 1 54 Monitoring and Maintaining IP Multicast Routing 1 63 Information About Implementing IPv6 Multicast 1 1 Implementing IPv6 Multicast 1 12 Understanding MSDP 1 1...

Page 10: ...stency Check Routines 1 26 Using On Board Failure Logging 1 26 Troubleshooting Tables 1 29 Understanding Online Diagnostics 1 1 Configuring Online Diagnostics 1 1 Running Online Diagnostic Tests 1 4 Working with the Flash File System 1 1 Working with Configuration Files 1 9 Working with Software Images 1 25 Access Control Lists 1 1 Archive Commands 1 2 ARP Commands 1 2 Boot Loader Commands 1 2 Deb...

Page 11: ...t 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Multicast 1 13 NetFlow Commands 1 13 Network Address Translation NAT Commands 1 13 QoS 1 14 RADIUS 1 14 SNMP 1 14 Spanning Tree 1 15 VLAN 1 15 VTP 1 15 ...

Page 12: ...Contents 10 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 13: ...Contents 11 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 14: ...Contents 12 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 15: ...Contents 13 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 16: ...Contents 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 17: ...Contents 15 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 18: ...Contents 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 19: ...Contents 17 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 20: ...Contents 18 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 21: ...Contents 19 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 22: ...Contents 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 23: ...Contents 21 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 24: ...Contents 22 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 25: ...Contents 23 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 26: ...Contents 24 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 27: ...Contents 25 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 28: ...Contents 26 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 29: ...Contents 27 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 30: ...Contents 28 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 31: ...Contents 29 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 32: ...Contents 30 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 33: ...Contents 31 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 34: ...Contents 32 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 35: ...Contents 33 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 36: ...Contents 34 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 37: ...Contents 35 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 38: ...Contents 36 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Page 39: ...co IOS commands see the Cisco IOS Master Command List All Releases from the Cisco IOS Software Releases 15 0 Mainline Master Index page on Cisco com http www cisco com en US products ps10591 products_product_indices_list html This guide does not provide detailed information on the GUIs for the embedded device manager or for Cisco Network Assistant hereafter referred to as Network Assistant that yo...

Page 40: ... materials not contained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications Documents with complete information about the switch are available from these Cisco com sites Catalyst 3750 X http www cisco com en US products ps10745 tsd_products_support_series_home html Catalyst 3560 X http w...

Page 41: ...tports Configuration Guide Cisco EnergyWise IOS Configuration Guide Getting Started with Cisco Network Assistant Release Notes for Cisco Network Assistant Information about Cisco SFP and SFP modules is available from this Cisco com site http www cisco com en US products hw modules ps5455 prod_installation_guides_list html SFP compatibility matrix documents are available from this Cisco com site ht...

Page 42: ...56 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Preface ...

Page 43: ...port contract This image supports the IP Base and LAN Base feature sets Customers with a service contract receive a universal image with or without payload encryption which includes the LAN Base IP Base and IP Services feature sets On switches running payload encryption images management and data traffic can be encrypted On switches running nonpayload encryption images only management traffic such...

Page 44: ...ts enhancement to enable auto QoS on a CDP capable Cisco digital media player Auto Smartport features in Cisco IOS Release 15 0 1 SE with improved device classification capabilities and accuracy increased device visibility and enhanced macro management The device classifier is enabled by default and can classify devices based on DHCP options IP Base feature set Provides Layer 2 and basic Layer 3 f...

Page 45: ...ter and to identify link information between switches Monitoring real time status of a switch or multiple switches from the LEDs on the front panel images The system redundant power system RPS system and port LED colors on the images are similar to those used on the physical LEDs Cisco StackWise Plus technology on Catalyst 3750 X switches for Connecting up to nine switches through their StackWise ...

Page 46: ...matic generation of the imagelist file configurable file repository hostname changes transparent connection of the director to client and USB storage for image and seed configuration Smart Install enhancements in Cisco IOS Release 12 2 58 SE including the ability to manually change a client switch health state from denied to allowed or hold for on demand upgrades to remove selected clients from th...

Page 47: ...or IGMP devices IGMP snooping for efficiently forwarding multimedia and multicast traffic IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices supported only for IGMPv1 or IGMPv2 queries IGMP snooping querier support to configure switch to generate periodic IGMP General Query messages IIGMP Helper to allow the switch to forward a host request...

Page 48: ...rk Assistant is a network management application that can be downloaded from Cisco com You use it to manage a single switch a cluster of switches or a community of devices For more information about Network Assistant see Getting Started with Cisco Network Assistant available on Cisco com CLI The Cisco IOS software supports desktop and multilayer switching features You can access the CLI by connect...

Page 49: ...s from a TFTP server Address Resolution Protocol ARP for identifying a switch through its IP address and its corresponding MAC address Unicast MAC address filtering to drop packets with specific source or destination MAC addresses Configurable MAC address scaling that allows disabling MAC address learning on a VLAN to limit the size of the MAC address table Disabling MAC address learning on a VLAN...

Page 50: ...ement Protocol SNMP can be configured over IPv6 transport so that an IPv6 host can send SNMP queries and receive SNMP notifications from a device running IPv6 IPv6 supports stateless autoconfiguration to manage link subnet and site addressing changes such as management of host and mobile IP addresses IETF IP MIB and IP FORWARD MIB RFC4292 and RFC4293 updates to support the IP version 6 IPv6 only a...

Page 51: ...es IEEE 802 1s Multiple Spanning Tree Protocol MSTP for grouping VLANs into a spanning tree instance and for providing multiple forwarding paths for data traffic and load balancing and rapid per VLAN Spanning Tree plus rapid PVST based on the IEEE 802 1w Rapid Spanning Tree Protocol RSTP for rapid convergence of the spanning tree by immediately changing root and designated ports to the forwarding ...

Page 52: ...g VLAN 1 to be disabled on any individual VLAN trunk link With this feature enabled no user traffic is sent or received on the trunk The switch CPU continues to send and receive control protocol frames Private VLANs to address VLAN scalability problems to provide a more controlled IP address allocation and to allow Layer 2 ports to be isolated from other ports on the switch Port security on a PVLA...

Page 53: ...ionality to be authenticated using a web browser Password protected access read only and read write access to management interfaces device manager Network Assistant and the CLI for protection against unauthorized configuration changes Multilevel security for a choice of security level notification and resulting actions Static MAC addressing for ensuring security Protected port option for restricti...

Page 54: ...DA to allow both a data device and a voice device such as an IP phone Cisco or non Cisco to independently authenticate on the same IEEE 802 1x enabled switch port VLAN assignment for restricting IEEE 802 1x authenticated users to a specified VLAN Support for VLAN assignment on a port configured for multi auth mode The RADIUS server assigns a VLAN to the first host to authenticate on the port and s...

Page 55: ...ssion Control Software Configuration Guide IEEE 802 1x inaccessible authentication bypass For information about configuring this feature see the Configuring Inaccessible Authentication Bypass and Critical Voice VLAN section on page 1 63 Authentication authorization and accounting AAA down policy for a NAC Layer 2 IP validation of a host if the AAA server is not available when the posture validatio...

Page 56: ...ith MAC move the switch treats the reappearance of the same MAC address on another port in the same way as a completely new MAC address Support for 3DES and AES with version 3 of the Simple Network Management Protocol SNMPv3 This release adds support for the 168 bit Triple Data Encryption Standard 3DES and the 128 bit 192 bit and 256 bit Advanced Encryption Standard AES encryption algorithms to SN...

Page 57: ...n a QoS domain and with a port bordering another QoS domain Trusted boundary for detecting the presence of a Cisco IP Phone trusting the CoS value received and ensuring port security Policing Traffic policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow If you configure multiple class maps for a hierarchical policy map each ...

Page 58: ...ature set Full OSPF requires the IP Services feature set Starting with Cisco IOS Release 12 2 55 SE the IP Base feature set supports OSPF for routed access to enable customers to extend Layer 3 routing capabilities to the access or wiring closet Enhanced IGRP EIGRP requires the IP Services feature set Border Gateway Protocol BGP Version 4 requires the IP Services feature set IP routing between VLA...

Page 59: ...6 which utilizes IPv6 transport communicates with IPv6 peers and advertises IPv6 routes IP unicast reverse path forwarding unicast RPF for confirming source packet IP addresses Nonstop forwarding NSF awareness to enable the Layer 3 switch to continue forwarding packets from an NSF capable neighboring router when the primary route processor RP is failing and the backup RP is taking over or when the...

Page 60: ...d RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed Switched Port Analyzer SPAN and Remote SPAN RSPAN for traffic monitoring on any port or VLAN SPAN and RSPAN support of Intrusion Detection Systems IDS to monitor repel and report network security violations Flow based Switch Port Analyzer FSPAN to define filters for capturing tra...

Page 61: ... Configuring Cisco IOS IP SLAs Video Operations document at http www cisco com en US docs ios xml ios ipsla configuration 12 2se Configuring_IP_SLAs_ Video_Operations html Flexible NetFlow to monitor user defined flows collect flow statistics perform per flow policing on uplink ports and export the flow statistics to a collector device supported only on the Catalyst 3750 X and 3560 X network servi...

Page 62: ...e specific and system and stack wide settings Note For information about assigning an IP address by using the browser based Express Setup program see the getting started guide For information about assigning an IP address by using the CLI based setup program see the hardware installation guide If you do not configure the switch at all the switch operates with these default settings Default switch ...

Page 63: ... VLANs Default VLAN is VLAN 1 For more information see Chapter 1 Configuring VLANs VLAN trunking setting is dynamic auto DTP For more information see Chapter 1 Configuring VLANs Trunk encapsulation is negotiate For more information see Chapter 1 Configuring VLANs VTP mode is server For more information see Chapter 1 Configuring VTP VTP version is Version 1 For more information see Chapter 1 Config...

Page 64: ...on see Chapter 1 Configuring Port Based Traffic Control CDP is enabled For more information see Chapter 1 Configuring CDP UDLD is disabled For more information see Chapter 1 Configuring UDLD SPAN and RSPAN are disabled For more information see Chapter 1 Configuring SPAN and RSPAN RMON is disabled For more information see Chapter 1 Configuring RMON Syslog messages are enabled and appear on the cons...

Page 65: ...ndwidth available to your network users Bandwidth alone is not the only consideration when designing your network As your network traffic profiles evolve consider providing network services that can support applications for voice and data integration multimedia integration application prioritization and security Table 1 2 describes some network demands and how you can meet them Table 1 1 Increasin...

Page 66: ...st and multicast and multimedia applications Use optional IP multicast routing to design networks better suited for multicast traffic Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons High demand on network redundancy and availability to provide always on mission critical applications Use switch st...

Page 67: ...ch Software Configuration Guide OL 25303 03 Chapter 1 Overview Network Configuration Examples Figure 1 1 Cost Effective Wiring Closet Si Layer 2 StackWise Plus switch stack Catalyst Gigabit Ethernet multilayer switch Gigabit server 200851 ...

Page 68: ...st 3560 X switches in the access layer to provide Gigabit Ethernet to the desktop To prevent congestion use QoS DSCP marking priorities on these switches For high speed IP forwarding at the distribution layer connect the switches in the access layer to a Gigabit switch with routing capability or to a router The first illustration is of an isolated high performance workgroup where the Catalyst 3560...

Page 69: ... Chapter 1 Overview Network Configuration Examples Figure 1 3 High Performance Workgroup Gigabit to the Desktop with Catalyst 3560 X Standalone Switches 200853 Access layer standalone switches Stacking capable switches 200854 Cisco 2600 router Access layer standalone switches WAN ...

Page 70: ...of your network For high speed IP forwarding at the distribution layer connect the switches in the access layer to multilayer switches with routing capability The Gigabit interconnections minimize latency in the data flow QoS and policing on the switches provide preferential treatment for certain data streams They segment traffic streams into different paths for processing Security features on the...

Page 71: ...work Configuration Examples Figure 1 5 Server Aggregation 86931 Si Si Si Si Si Si Campus core Catalyst 6500 switches Catalyst 4500 multilayer switches StackWise Plus switch stacks Server racks 200857 Campus core Catalyst 6500 switches StackWise switch stacks Access layer standalone switches Server racks ...

Page 72: ...ices such as Cisco IP Phones The server farm includes a call processing server running Cisco CallManager software Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration The switches are interconnected through Gigabit interfaces This network uses VLANs to logically segment the network into well defined broadcast groups and for security management Data and m...

Page 73: ...undant power when it is also connected to an AC power source Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration Users with workstations running Cisco SoftPhone software can place receive and control calls from their PCs Using Cisco IP Phones Ci...

Page 74: ...nonconforming traffic based on bandwidth limits are also configured on each switch stack or switch VLAN maps provide intra VLAN security and prevent unauthorized users from accessing critical pieces of the network QoS features can limit bandwidth on a per port or per user basis The switch ports are configured as either trusted or untrusted You can configure a trusted port to trust the CoS value th...

Page 75: ...ilayer switches Cisco IP Phones with workstations IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations WAN IP IP IP IP IP IP 200861 Mixed hardware stack including the Catalyst 3750G Integrated Wireless LAN Controller IEEE 802 3af compliant powered device such as a web cam Aironet wireless access points Aironet wireless access points Mixed hardware stack includi...

Page 76: ... a Backbone Configuration Cisco 7x00 routers Catalyst 6500 multilayer switches Standalone switches Standalone switches Cisco IP Phones with workstations WAN IP IP IP IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations IP IP IP 200862 IEEE 802 3af compliant powered device such as a web cam Aironet wireless access points Aironet wireless access points ...

Page 77: ...3750 aggregation switch For more information about the Catalyst Long Reach Ethernet LRE switches see the documentation sets specific to these switches for LRE information All ports on the residential Catalyst 3750 X switches and Catalyst 2950 LRE switches if they are included are configured as IEEE 802 1Q trunks with protected port and STP root guard features enabled The protected port feature pro...

Page 78: ...el A common wavelength used for long distance transmissions is 1550 nm The CWDM SFP modules connect to CWDM optical add drop multiplexer OADM modules over distances of up to 393 701 feet 74 5 miles or 120 km The CWDM OADM modules combine or multiplex the different CWDM wavelengths allowing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separa...

Page 79: ...ections for startup information Chapter 1 Using the Command Line Interface Chapter 1 Assigning the Switch IP Address and Default Gateway To locate and download MIBs for a specific Cisco product and release use the Cisco MIB Locator http cisco com public sw center netmgmt cmtk mibs shtml 95750 Access layer Catalyst 4500 multilayer switches Eight 1 Gb s connections 8 Gb s Catalyst switches CWDM OADM...

Page 80: ...1 38 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Overview Where to Go Next ...

Page 81: ...rrently in Enter a question mark at the system prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration s...

Page 82: ... global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file Int...

Page 83: ...s unique This example shows how to enter the show configuration privileged EXEC command in an abbreviated form Switch show conf Table 1 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command...

Page 84: ...that you might encounter while using the CLI to configure your switch Using Configuration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who entered the command the time that the Table 1 3 ...

Page 85: ...and history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 1 5 optional Recalling Commands page 1 6 optional Disabling the Command History Feature page 1 6 optional Changing the Command History Buffer Size By default...

Page 86: ...ting Command Lines that Wrap page 1 8 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Table 1 4 Recalling Com...

Page 87: ...ommand line Press Esc B Move the cursor back one word Press Esc F Move the cursor forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Pres...

Page 88: ... line the line is again shifted ten spaces to the left Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 Switch config 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 Press Esc L Change the word at the cursor to low...

Page 89: ...r exclude and an expression that you want to search for or filter out command begin include exclude regular expression Expressions are case sensitive For example if you enter exclude output the lines that contain output are not displayed but the lines that contain Output appear This example shows how to include in the output display only lines where the expression protocol appears Switch show inte...

Page 90: ... session but your switch must first be configured for this type of access For more information see the Setting a Telnet Password for a Terminal Line section on page 1 6 You can use one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem or connect the Ethernet management port to a PC For information about connecting to...

Page 91: ...NS Configuration page 1 14 Understanding Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 1 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their con...

Page 92: ... Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration inf...

Page 93: ...que group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespac...

Page 94: ...onnection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the s...

Page 95: ...the new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon suc...

Page 96: ... defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Co...

Page 97: ...lt no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the ...

Page 98: ...the hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway is establi...

Page 99: ...guration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout seconds ...

Page 100: ...y the point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify more inte...

Page 101: ...address mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event and imag...

Page 102: ...e ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Opti...

Page 103: ...ng a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal ...

Page 104: ...show cns config connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Disp...

Page 105: ...se sections Understanding the Boot Process page 1 1 Assigning Switch Information page 1 2 Checking and Saving the Running Configuration page 1 16 Modifying the Startup Configuration page 1 18 Scheduling a Reload of the Software Image page 1 23 Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation page 1 25 Note Information in this chapter about configuring IP addresses and DHCP...

Page 106: ...system For more information see the Recovering from a Software Failure section on page 1 2 and the Recovering from a Lost or Forgotten Password section on page 1 3 Note You can disable password recovery For more information see the Disabling Password Recovery section on page 1 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port or a PC to th...

Page 107: ... 3 Manually Assigning IP Information page 1 15 Default Switch Information Table 1 1 shows the default switch information Understanding DHCP Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices This protocol consists of two components one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating net...

Page 108: ... configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces the DHCP client is invoked and requests the IP address information for those interfaces Figure 1 1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server Figure 1 1 DHCP Client and Server Message Exchange The client S...

Page 109: ...er the ip address dhcp interface configuration command In this case if the client receives the DCHP hostname option from the DHCP interaction while acquiring an IP address for an interface the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured Understanding DHCP based Autoconfiguration and Image Update You can use the DHCP image upgrade ...

Page 110: ...Unless you configure a timeout the DHCP based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address The auto install process stops if a configuration file cannot be downloaded or it the configuration file is corrupted Note The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not...

Page 111: ...ver name are not found the switch might send broadcast instead of unicast TFTP requests Unavailability of other lease options does not affect autoconfiguration The switch can act as a DHCP server By default the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured These features are not operational If your DHCP server is a Cisco device for additional info...

Page 112: ... server name to an IP address You must configure the TFTP server name to IP address map on the DNS server The TFTP server contains the configuration files for the switch You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them You can enter up to two DNS server IP addresses in the lease database The DNS server can...

Page 113: ...address is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the network confg or cisconet cfg default configuration file If the network confg file cannot be read the sw...

Page 114: ...server maps the TFTP server name tftpserver to IP address 10 0 0 3 Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server tftpserver 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 1 2 DHCP Server Configuration Switch A Switch B Switch C Switch D Binding key hardware address 00e0 9f1e 2001 00e0 9f1e 2002 00e...

Page 115: ...h A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 21 to its hostname switcha It reads the configuration file that corresponds to its hostname for example it reads switch1 confg from the TFTP server Switches B through D retrieve their configuration fil...

Page 116: ...text file for example autoinstall_dhcp that will be uploaded to the switch In the text file put the name of the image that you want to download for example 3750x ipservices mz 122 53 3 SE2 tar This image must be a tar and not a bin file Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of...

Page 117: ...number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash Step 5 default router address Specify the IP address of the default router for a DHCP cli...

Page 118: ... path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER path list NVRAM Config file buffer size 32768 Timeout for Config Download 300 seconds Config Download via DHCP enabled next boot enabled Switch Note You should only configure and enable the Layer 3 interface Do not assign an IP address or DHCP based autoconfiguration with a ...

Page 119: ...ervices see Chapter 1 Administering the Switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assigned The range is 1 to 4094 Step 3 ip address ip address subnet mask Enter the IP address and subnet mask Step 4 exit Return to global configuration mode Step 5...

Page 120: ...ce VLAN1 ip address 172 20 137 50 255 255 255 0 no ip directed broadcast ip default gateway 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in flash memory enter this privileged EXEC ...

Page 121: ...s with the stack and reloads automatically Beginning in privileged EXEC mode follow these steps to configure the NVRAM buffer size This example shows how to configure the NVRAM buffer size Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config boot buffersize 524288 Switch config end Switch show boot BOOT path list Config file flash config text Private Co...

Page 122: ...omatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 1 3 Table 1 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot up the syste...

Page 123: ...igure it to manually boot up Note This command only works properly from a standalone switch Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot up during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot cycle For f...

Page 124: ...e Step 4 show boot Verify your entries The boot manual global command changes the setting of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory...

Page 125: ...any environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file which extends or patches the functionality of the boot loader can be stored as an environment variable Data that controls code which is responsible for reading th...

Page 126: ...bootable file that it can find in the flash file system boot system filesystem file url switch number all Note The switch number all keywords are supported only on Catalyst 3750 E switches Specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded This command changes the setting of the BOOT environment variable MANUAL_BOOT set MANUAL_BOOT y...

Page 127: ...ber number of a stack member switch current stack member number renumber new stack member number Changes the member number of a stack member Note This command is supported only on Catalyst 3750 X switches SWITCH_PRIORITY set SWITCH_PRIORITY stack member number Changes the priority value of a stack member switch stack member number priority priority number Changes the priority value of a stack memb...

Page 128: ... scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has be...

Page 129: ...roceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information including the time the reload is scheduled to occur a...

Page 130: ...ification Note If you upload a corrupt or unsigned image the following message appears during boot up Image verification failed Upgrade from a switch that is in the non FIPS mode to a Cisco IOS Release 15 0 2 SE1 image in the FIPS mode Configure the fips authoriza tion key authorization key global configuration command Reload the switch for the FIPS key to be operational By default the switch auto...

Page 131: ...erification Note If you upload a corrupt or unsigned image the following message appears during boot up WARNING Unable to determine image authentication Image is either unsigned or is signed but corrupted Downgrade from a Cisco IOS Release 15 0 2 SE1 image in FIPS mode to an older release Configure the no fips authoriza tion key authorization key global configuration command Reload the switch for ...

Page 132: ...talyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Assigning the Switch IP Address and Default Gateway Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation ...

Page 133: ...page 1 31 For other switch stack related information such as cabling the switches through their StackWise Plus ports and using the LEDs to display switch stack status see the hardware installation guide The Catalyst 3750 X stackable switch also supports StackPower where up to four switches can be connected with power stack cables to allow the switch power supplies to share the load across multiple...

Page 134: ...talyst 3750 X Catalyst 3750 E and Catalyst 3750 switches supporting different features as stack members For example a stack with the Catalyst 3750 X members running the IP services feature set and the Catalyst 3750 members running the IP services software image For information about Catalyst 3750 switches see the Managing Switch Stacks chapter in the Catalyst 3750 Switch Software Configuration Gui...

Page 135: ...s switch be the stack master Encryption features are unavailable if the stack master is running the IP base or IP services feature set and the noncryptographic software image Note In a mixed stack Catalyst 3750 or Catalyst 3750 E switches running Cisco IOS Release 12 2 53 SE and earlier could be running a noncryptographic image Catalyst 3750 X switches and Catalyst 3750 and 3750 E switches with Ci...

Page 136: ...tting Started with Cisco Network Assistant on Cisco com Switch Stack Membership A switch stack has up to nine stack members connected through their StackWise Plus ports A switch stack always has one stack master A standalone switch is a switch stack with one stack member that also operates as the stack master You can connect one standalone switch to another Figure 1 1 on page 1 5 to create a switc...

Page 137: ...figuration of the re elected stack master Removing powered on stack members causes the switch stack to divide partition into two or more switch stacks each with the same configuration This can cause an IP address configuration conflict in your network If you want the switch stacks to remain separate change the IP address or addresses of the newly created switch stacks If you did not intend to part...

Page 138: ...feature set and the cryptographic software image IP base feature set and the noncryptographic software image Note In a switch stacks running the LAN base feature set all switches in the stack must run the LAN base feature set During the stack master switch election differences in start up times between the feature sets determine the stack master The switch with the shorter start up time becomes th...

Page 139: ... period if the previous stack master rejoins the stack the stack continues to use its MAC address as the stack MAC address even if the switch is now a stack member and not a stack master If the previous stack master does not rejoin the stack during this period the switch stack takes the MAC address of the new stack master as the stack MAC address See Enabling Persistent MAC Address page 1 24 for m...

Page 140: ...witch that you prefer to be the stack master This ensures that the switch is re elected as stack master You can change the priority value for a stack member by using the switch stack member number priority new priority value global configuration command For more information see the Setting the Stack Member Priority Value section on page 1 26 Another way to change the member priority value is by ch...

Page 141: ... the switch stack compares the provisioned configuration with the provisioned switch Table 1 1 Results of Comparing the Provisioned Configuration with the Provisioned Switch Scenario Result The stack member numbers and the switch types match 1 If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack and 2 If the switch type ...

Page 142: ...interface configuration The switch stack then adds to its running configuration a switch stack member number provision type global configuration command that matches the new switch The stack member number of the provisioned switch is in conflict with an existing stack member The stack master assigns a new stack member number to the provisioned switch The stack member numbers and the switch types m...

Page 143: ...e Management SDM templates All stack members use the SDM template configured on the stack master Version mismatch VM mode has priority over SDM mismatch mode If a VM mode condition and an SDM mismatch mode exist the switch stack first attempts to resolve the VM mode condition You can use the show switch privileged EXEC command to see if any stack members are in SDM mismatch mode For more informati...

Page 144: ... the same switch stack Minor Version Number Incompatibility Among Switches Switches with the same major version number but with a different minor version number are considered partially compatible When connected to a switch stack a partially compatible switch enters version mismatch VM mode and cannot join the stack as a fully functioning member The software detects the mismatched software and tri...

Page 145: ...the same type For example it does not automatically upgrade a switch in VM mode from IP services feature set to IP base feature set or the reverse Automatic advise auto advise occurs when the auto upgrade process cannot find appropriate stack member software to copy to the switch in VM mode This process tells you the command archive copy sw or archive download sw privileged EXEC command and the im...

Page 146: ...11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Stacking Version Number 1 4 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW System Type 0x00000000 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Ios Image File Size 0x004BA200 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Total Image File Size 0x00818A00 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Minimum Dram required 0x0...

Page 147: ...oftware process initiated for switch number s 1 Mar 1 00 04 22 537 IMAGEMGR 6 AUTO_ADVISE_SW Mar 1 00 04 22 537 IMAGEMGR 6 AUTO_ADVISE_SW Mar 1 00 04 22 537 IMAGEMGR 6 AUTO_ADVISE_SW Systems with incompatible software Mar 1 00 04 22 537 IMAGEMGR 6 AUTO_ADVISE_SW have been added to the stack The Mar 1 00 04 22 537 IMAGEMGR 6 AUTO_ADVISE_SW storage devices on all of the stack Mar 1 00 04 22 537 IMAG...

Page 148: ... they are manually changed or they are already used by another member in the same switch stack If an interface specific configuration does not exist for that member number the stack member uses its default interface specific configuration If an interface specific configuration exists for that member number the stack member uses the interface specific configuration associated with that member numbe...

Page 149: ...LI SNMP Network Assistant and CiscoWorks network management applications You cannot manage stack members on an individual switch basis These sections provide switch stack connectivity information Connectivity to the Switch Stack Through an IP Address page 1 17 Connectivity to the Switch Stack Through an SSH Session page 1 18 Connectivity to the Switch Stack Through Console Ports or Ethernet Manage...

Page 150: ... master through the console port of one or more stack members You can connect a PC to the stack master through the Ethernet management ports of one or more Catalyst 3750 X stack members For more information about connecting to the switch stack through Ethernet management ports see the Using the Ethernet Management Port section on page 1 26 Be careful when using multiple CLI sessions to the stack m...

Page 151: ...the same time The stack member with the higher priority value is elected stack master Stack master election specifically determined by the configuration file Assuming that both stack members have the same priority value 1 Make sure that one stack member has a default configuration and that the other stack member has a saved nondefault configuration file 2 Restart both stack members at the same tim...

Page 152: ...k members have the same stack member number If necessary use the switch current stack member number renumber new stack member number global configuration command 2 Restart both stack members at the same time The stack member with the higher priority value retains its stack member number The other stack member has a new stack member number Add a stack member 1 Power off the new switch 2 Through the...

Page 153: ...nnections For configuration examples see the switch hardware installation guide The switch enables the persistent MAC address during the upgrade At least one redundant uplink is connected to the network The uplink has an active switch and a standby switch A member that has an interface with the active role is an active switch Another member that has an interface with the standby role is a standby ...

Page 154: ... active member is reached c It then upgrades the standby members that can be reached through Stack Port 2 on the first standby member until an active member is reached After the stack is upgraded save the stack configuration in the configuration file If you want the stack to keep the original master and not elect a new one reload the stack Upgrade Sequence Examples Figure 1 4 Stack Port 1 on Membe...

Page 155: ... Member 2 this is the upgrade sequence 1 Member 1 2 Member 2 3 Member 3 4 Member 9 5 Member 8 6 Member 7 7 Member 6 8 Member 5 9 Member 4 255140 Member 1 LACP cross stack Etherchannel Active switch Standby switch Member 2 Member 3 Member 4 Member 5 Member 6 Member 7 Member 8 Member 9 Dual attached host Network Stack Port 1 Stack Port 2 Stack Port 1 Stack Port 2 Stack Port 1 Stack Port 2 Stack Port...

Page 156: ...oes not rejoin the stack during this period the switch stack takes the MAC address of the new stack master as the stack MAC address You can also configure stack MAC persistency so that the stack never switches to the MAC address of the new stack master Note When you enter the command to configure this feature a warning message appears containing the consequences of your configuration You should us...

Page 157: ...p 2 stack mac persistent timer 0 time value Enable a time delay after a stack master change before the stack MAC address changes to that of the new stack master If the previous stack master rejoins the stack during this period the stack uses that MAC address as the stack MAC address Enter the command with no value to set the default delay of approximately 4 minutes We recommend that you always con...

Page 158: ...7 optional Assigning a Stack Member Number Note This task is available only from the stack master Beginning in privileged EXEC mode follow these steps to assign a member number to a stack member This procedure is optional Setting the Stack Member Priority Value Note This task is available only from the stack master Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 sw...

Page 159: ...urrent stack master or switch stack resets Step 3 end Return to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member and apply this configuration change Step 5 show switch stack member number Verify the stack member priority value Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 show switch Display s...

Page 160: ... 2 for the switch stack The show running config command output shows the interfaces associated with the provisioned switch Switch config switch 2 provision switch_PID Switch config end Switch show running config include switch 2 interface GigabitEthernet2 0 1 interface GigabitEthernet2 0 2 interface GigabitEthernet2 0 3 output truncated Running a Rolling Stack Update Beginning in privileged EXEC m...

Page 161: ... assigns the other role to the member interface active Sets the interface to active standby Sets the interface to standby Note If spanning tree protocol STP is enabled set the standby role to the blocked interface By default the role is not set To configure another pair repeat Step 3 to Step 6 Step 7 end Returns to privileged EXEC mode Step 8 archive download sw rolling stack upgrade Starts the ro...

Page 162: ...he system prompt For example the prompt for member 2 is Switch 2 and system prompt for the master is Switch Enter exit to return to the CLI session on the master Only the show and debug commands are available on a specific member Displaying Switch Stack Information To display saved configuration changes after resetting a specific member or the stack use these privileged EXEC commands Table 1 4 Com...

Page 163: ...l members are connected through the stack ports and are in the ready state The stack is in the partial ring state when All members are connected through the stack ports but some all are not in the ready state Some members are not connected through the stack ports When you enter the switch stack member number stack port port number disable privileged EXEC command and The stack is in the full ring s...

Page 164: ...t you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link Understanding the show switch stack ports summary Output Only Port 1 on stack member 2 is disabled Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 OK 3 5...

Page 165: ...rom the port Yes The link partner receives valid protocol messages from the port Link Active This shows if the stack port is in the same state as its link partner No The port cannot send traffic to the link partner Yes The port can send traffic to the link partner Sync OK No The link partner does not send valid protocol messages to the stack port Yes The link partner sends valid protocol messages ...

Page 166: ...itch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Absent None No cable No No No 1 No 1 2 OK 2 3 m Yes Yes Yes 1 No 2 1 OK 1 3 m Yes Yes Yes 1 No 2 2 OK 3 50 cm Yes Yes Yes 1 No 3 1 OK 2 50 cm Yes Yes Yes 1 No 3 2 Down None 50 cm No No No 1 No If you disconnect the stack cable from Port 2 on Switch 1 the stack ...

Page 167: ...s Software Loopback Examples Connected Stack Cables On Port 1 on Switch 1 the port status is Down and a cable is connected On Port 2 on Switch 1 the port status is Absent and no cable is connected Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Down None 50 Cm No No No 1 No 1 2 Absent None No c...

Page 168: ...F00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable On a Catalyst 3750 member If at least one stack port has an connected stack cable the Loopback HW value for both stack ports is No If neither stack port has an connected stack cable the Loopback HW value for both stack ports is Yes On a Catalyst 3750 E or Catalyst 3750 X member If a stack port has an connected stack cable the Loopback HW val...

Page 169: ...K OK Stack Port 2 0000000005 1 FF08FF00 0001FBD3 0801080B EFFFFFFF 0C100CE6 No No No cable 0000000005 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm Event type RAC 0000000006 1 FF08FF00 0001FC14 08050204 EFFFFFFF 0C100CE6 No No No cable 0000000006 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm Event type LINK NOT OK Stack Port 2 0000000939 1 FF08FF00 00016879 00010000 EFFFF...

Page 170: ...9CFFFF 0C140CE4 No No 50 cm 0000009732 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type RAC 0000009733 1 FF01FF00 00015B4A 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009733 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type LINK NOT OK Stack Port 2 0000010119 1 FF01FF00 00010E69 25953FFF FFFFFFFF 0C140C14 No Yes No cable 0000010119 2 FF01FF00 0001D98C 81AAC7FF 0...

Page 171: ...connection for Port 2 on Switch 1 Port 2 on Switch 1 has a port or cable problem if The In Loopback value is Yes or The Link OK Link Active or Sync OK value is No Fixing a Bad Connection Between Stack Ports Stack cables connect all members Port 2 on Switch 1 connects to Port 1 on Switch 2 This is the port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In P...

Page 172: ...1 40 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Managing Switch Stacks Troubleshooting Stacks ...

Page 173: ...ters and converting a switch cluster to a community see Getting Started with Cisco Network Assistant available on Cisco com This chapter focuses on Catalyst 3750 X and 3560 X switch clusters It also includes guidelines and limitations for clusters mixed with other cluster capable Catalyst switches but it does not provide complete descriptions of the cluster features for these other switches For co...

Page 174: ... switch as a Layer 3 router between the Layer 2 switches in the cluster network Cluster members are connected to the cluster command switch according to the connectivity guidelines described in the Automatic Discovery of Cluster Candidates and Members section on page 1 5 This section includes management VLAN considerations for the Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2950 and Cata...

Page 175: ...ected to all other cluster member switches except the cluster command and standby command switches through a common VLAN It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained It is not a command or member switch of another cluster Catalyst 3550 12 1 4 EA1 or later Member or command switch Catalyst 2970 12 1 11 AX or later Member or command switch ...

Page 176: ...ted to every standby cluster command switch through at least one common VLAN The VLAN to each standby cluster command switch can be different The ip http server global configuration command must be configured on the switch It is connected to the cluster command switch through at least one common VLAN Note Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2940 Catalyst 2950 and Catalyst 3500 XL...

Page 177: ...information about CDP see Chapter 1 Configuring CDP Following these connectivity guidelines ensures automatic discovery of the switch cluster cluster candidates connected switch clusters and neighboring edge devices Discovery Through CDP Hops page 1 5 Discovery Through Non CDP Capable and Noncluster Capable Devices page 1 6 Discovery Through Different VLANs page 1 7 Discovery Through Different Man...

Page 178: ...it cannot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 1 2 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Figure 1 2 Discovery Through Non CDP Capable and Noncluster Capable Devices Command de...

Page 179: ...luster command switch through their management VLAN For information about discovery through management VLANs see the Discovery Through Different Management VLANs section on page 1 7 For more information about VLANs see Chapter 1 Configuring VLANs Note For additional considerations about VLANs in switch stacks see the Switch Clusters and Switch Stacks section on page 1 14 Figure 1 3 Discovery Throu...

Page 180: ...use automatic discovery does not extend beyond a noncandidate device which is switch 7 Figure 1 4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch Discovery Through Routed Ports If the cluster command switch has a routed port RP configured it discovers only candidate and cluster member switches in the same VLAN as the routed port For more information about routed ...

Page 181: ...s to the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 1 6 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port ar...

Page 182: ...group is the active cluster command switch AC The switch with the next highest priority is the standby cluster command switch SC The other switches in the cluster standby group are the passive cluster command switches PC If the active cluster command switch and the standby cluster command switch become disabled at the same time the passive cluster command switch with the highest priority becomes t...

Page 183: ...e 1 13 Other Considerations for Cluster Standby Groups Note For additional considerations about cluster standby groups in switch stacks see the Switch Clusters and Switch Stacks section on page 1 14 These requirements also apply Standby cluster command switches must be the same type of switches as the cluster command switch For example if the cluster command switch is a Catalyst 3750 E or Catalyst...

Page 184: ...d switch continually forwards cluster configuration information but not device configuration information to the standby cluster command switch This ensures that the standby cluster command switch can take over the cluster immediately after the active cluster command switch fails Automatic discovery has these limitations This limitation applies only to clusters that have Catalyst 2950 Catalyst 2960...

Page 185: ...ster command switch fails and the standby cluster command switch takes over you must either use the standby group virtual IP address or any of the IP addresses available on the new active cluster command switch to access the cluster You can assign an IP address to a cluster capable switch but it is not necessary A cluster member switch is managed and communicates with other cluster member switches...

Page 186: ...community strings command switch readonly community string esN where N is the member switch number command switch readwrite community string esN where N is the member switch number If the cluster command switch has multiple read only or read write community strings only the first read only and read write strings are propagated to the cluster member switch The switches support an unlimited number o...

Page 187: ...mand switch stack All stack members should have redundant connectivity to all VLANs in the switch cluster Otherwise if a new stack master is elected stack members connected to any VLANs not configured on the new stack master lose their connectivity to the switch cluster You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch clus...

Page 188: ...ter must have that same public profile Before you add an LRE switch to a cluster make sure that you assign it the same public profile used by other LRE switches in the cluster A cluster can have a mix of LRE switches that use different private profiles Using the CLI to Manage Switch Clusters You can configure cluster member switches from the CLI by first logging into the cluster command switch Ent...

Page 189: ...nabled you can enable it as described in the Configuring SNMP section on page 1 6 On Catalyst 1900 and Catalyst 2820 switches SNMP is enabled by default When you create a cluster the cluster command switch manages the exchange of messages between cluster member switches and an SNMP application The cluster software on the cluster command switch appends the cluster member switch number esN where N i...

Page 190: ...are Configuration Guide OL 25303 03 Chapter 1 Clustering Switches Using SNMP to Manage Switch Clusters Figure 1 8 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 191: ...d Prompt page 1 7 Creating a Banner page 1 10 Managing the MAC Address Table page 1 12 Managing the ARP Table page 1 24 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see th...

Page 192: ... packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP aut...

Page 193: ...switches Switch B and Switch F respectively Figure 1 1 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always co...

Page 194: ...Specific Interface section of the Implementing NTPv4 in IPv6 chapter of the Cisco IOS IPv6 Configuration Guide Release 12 4T For details about configuring NTPv4 see the Implementing NTPv4 in IPv6 chapter of the Cisco IOS IPv6 Configuration Guide Release 12 4T Configuring Time and Date Manually If no other source of time is available you can manually configure the time and date after the system is ...

Page 195: ... not authoritative blank Time is authoritative Time is authoritative but NTP is not synchronized Configuring the Time Zone Beginning in privileged EXEC mode follow these steps to manually configure the time zone Command Purpose Step 1 clock set hh mm ss day month year or clock set hh mm ss month day year Manually set the system clock using one of these formats For hh mm ss specify the time in hour...

Page 196: ...le shows how to specify that summer time starts on the first Sunday in April at 02 00 and ends on the last Sunday in October at 02 00 Switch config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose S...

Page 197: ...ter than symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC ...

Page 198: ...ed database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimi...

Page 199: ...e Define a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name mi...

Page 200: ...mmand Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also ...

Page 201: ...ple shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message ...

Page 202: ...es these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For compl...

Page 203: ...t and adding the address and its associated port number to the address table As stations are added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured on a standalone switch or on the switch stack However the switch maintains an address table for each VLAN and STP can acceler...

Page 204: ...on all stack members When a switch joins a switch stack that switch receives the addresses for each VLAN learned on the other stack members When a stack member leaves the switch stack the remaining stack members age out or remove all addresses learned by the former stack member Default MAC Address Table Configuration Table 1 2 shows the default MAC address table configuration Changing the Address ...

Page 205: ...y storing the MAC address change activity When the switch learns or removes a MAC address an SNMP notification trap can be sent to the NMS If you have many users coming and going from the network you can set a trap interval time to bundle the notification traps to reduce network traffic The MAC notification history table stores MAC address activity for each port for which the trap is set MAC addre...

Page 206: ...command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification change Enable the switch to send MAC address change notification traps to the NMS Step 4 mac address table notification change Enable the MAC address change notification feature Step 5 mac address table notification change interval value history size value Enter the trap interval time an...

Page 207: ...added on the specified port Switch config snmp server host 172 20 10 10 traps private mac notification Switch config snmp server enable traps mac notification change Switch config mac address table notification change Switch config mac address table notification change interval 123 Switch config mac address table notification change history size 100 Switch config interface gigabitethernet1 0 2 Swi...

Page 208: ...ation an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the name or addres...

Page 209: ... message For host addr specify the name or address of the NMS Specify traps the default to send SNMP traps to the host Specify informs to send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs For community string specify the string to send with the notification operation Though you can set this string by using the snmp server host com...

Page 210: ...ary VLAN you should also configure the same static MAC address in all associated VLANs Static MAC addresses configured in a private VLAN primary or secondary VLAN are not replicated in the associated VLAN For more information about private VLANs see Chapter 1 Configuring Private VLANs Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the add...

Page 211: ...ets with that MAC address depending on which command was entered last The second command that you entered overrides the first command For example if you enter the mac address table static mac addr vlan vlan id interface interface id global configuration command followed by the mac address table static mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as a s...

Page 212: ...isable MAC address learning on a single VLAN ID for example no mac address table learning vlan 223 or on a range of VLAN IDs for example no mac address table learning vlan 1 20 15 We recommend that you disable MAC address learning only in VLANs with two ports If you disable MAC address learning on a VLAN with more than two ports every packet entering the switch is flooded in that VLAN domain You c...

Page 213: ...nter global configuration mode Step 2 no mac address table learning vlan vlan id Disable MAC address learning on the specified VLAN or VLANs You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma Valid VLAN IDs s are 1 to 4094 The VLAN cannot be an internal VLAN Step 3 end Return to privileged EXEC mode Step 4 show mac address table learning vlan vlan id Verify the ...

Page 214: ...ia or MAC addresses and the VLAN ID Using an IP address ARP finds the associated MAC address When a MAC address is found the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by t...

Page 215: ...twork You can select a template to provide maximum system usage for some functions for example use the default template to balance resources and use the access template to obtain maximum ACL usage The switch SDM templates allocate system hardware resources for different uses You can select SDM templates for IP Version 4 IPv4 to optimize these features on switches running the IP Base or IP Services...

Page 216: ... routes and the switch must be running the default template The table represents approximate hardware boundaries set when a template is selected If a section of a hardware resource is full all processing overflow is sent to the CPU seriously impacting switch performance In mixed stack scenarios with Catalyst 3750 3560 and Catalyst 3750 E 3560 E switches the default template will be enabled with IP...

Page 217: ...sic Layer 2 ACLs and QoS for IPv6 on the switch With the indirect IPv4 and IPv6 routing template introduced in Cisco IOS Release 12 2 58 SE the switch supports more IPv6 indirect routes for deployments that do not need much direct IPv6 host route connectivity Compared to the dual IPv4 and IPv6 routing template the indirect IPv4 and IPv6 routing template also provides more unicast MAC addresses and...

Page 218: ...M 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE System 2 is incompatible with the SDM 2d23h SDM 6 MISMATCH_ADVISE template currently running on the stack and 2d23h SDM 6 MISMATCH_ADVISE will not function unless the stack is 2d23h SDM 6 MISMATCH_ADVISE downgraded Issuing the following commands 2d23h SDM 6 MISMATCH_ADVISE will downgrade the stack to use a smaller 2d23h SD...

Page 219: ...feature set Although visible in the command line help the LAN Base feature set does not support the routing templates On switches running the LAN Base feature set none of the routing values shown for the templates are valid Beginning with Cisco IOS Release 12 2 58 SE the LAN Base feature set supports configuration of 16 static IPv4 routes on SVIs Use the default template when configuring static ro...

Page 220: ...ccess default dual ipv4 and ipv6 default routing vlan indirect ipv4 and ipv6 routing routing vlan Specifies the SDM template to be used on the switch The keywords have these meanings access Maximizes system resources for ACLs default Provides balance to all functions dual ipv4 and ipv6 Specifies a template that supports both IPv4 and IPv6 routing default Balances IPv4 and IPv6 Layer 2 and Layer 3 ...

Page 221: ...m prefer access default dual ipv4 and ipv6 default vlan indirect ipv4 and ipv6 routing routing vlan privileged EXEC command Note On switches running the LAN Base feature set routing values shown in all templates are not valid This is an example of output from the show sdm prefer command that displays the template in use Switch show sdm prefer The current template is desktop default template The se...

Page 222: ...e current template is desktop IPv4 and IPv6 routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 1 5K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 2 75K number of directly connected IPv4 hosts 1 5K number of indirect IPv4 routes 1 25K numb...

Page 223: ... XPS 2200 can provide backup power to connected devices that experience a power supply failure or in a Catalyst 3750 X power stack it can supply additional power to the power stack budget For more information about the XPS 2000 see the configuration notes on Cisco com http www cisco com en US docs switches power_supplies xps2200 software configuration note ol24 241 html The XPS 2200 power ports an...

Page 224: ...ackPower Modes page 1 2 Power Priority page 1 3 Load Shedding page 1 4 StackPower Modes A power stack can run in one of two modes configured by using the command line interface In power sharing mode the default all input power is available to be used for power loads The total available power in all switches in the power stack up to four is treated as a single large power supply with power availabl...

Page 225: ... PoE ports on a switch You set port priority at the interface level for powered devices connected to a PoE port by entering the power inline port priority high low interface configuration command By default all ports are low priority This command is visible only on PoE ports Note Although the power inline port priority high low command is visible on the Catalyst 3560 X switch PoE ports it has no e...

Page 226: ...igured priority but occurs very quickly to prevent hardware damage caused by loss of power If a switch is shut down because of load shedding the output of the show stack power privileged EXEC command still includes the MAC address of the shut down switch as a neighbor switch even though the switch is down This command output shows the StackPower topology even if there is not enough power to power ...

Page 227: ...es in the power stack Switch show stack power Power stack name Powerstack1 Stack mode Power sharing Switch 1 Power budget 206 Low port priority value 17 High port priority value 16 Switch priority value 2 Port A status Not shut Port B status Not shut Neighbor on port A 0022 bdcf ab00 Neighbor on port B 0022 bdd0 4380 Switch 2 Power budget 206 Low port priority value 12 High port priority value 11 ...

Page 228: ...by the time priority 1 devices were reached The output from the show stack power load shedding order command shows the order in which devices would shut down in the event of load shedding Switch show stack power load shedding order powerstack 1 Power Stack Stack Stack Total Rsvd Alloc Unused Num Num Name Mode Topolgy Pwr W Pwr W Pwr W Pwr W SW PS Powerstack 1 SP PS Ring 2880 34 473 2373 2 4 Priori...

Page 229: ...d as a backup in case of power supply failure Switch config stack power stack power1 Switch config stackpower mode redundant Switch config stackpower exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 stack power stack power stack name Enter the stack power stack name and enter power stack configuration mode The name can be up to 31 characters Step 3 mode power s...

Page 230: ...switch number Enter the stack member number of the switch in the power stack and enter switch stack power configuration mode The range is from 1 to 9 Note Only four switches can belong to the same power stack Step 3 stack power stack name Enter the name of the power stack to which the switch belongs The name can be up to 31 characters If you do not enter a name and no other switches in the power s...

Page 231: ...ig if power inline port priority high Switch config if exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter the interface ID of the port in the stack and enter interface configuration mode The interface must be a PoE port Step 3 power inline port priority high low Set the power priority of the port to high or low Powered devices connect...

Page 232: ...1 10 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Catalyst 3750 X StackPower Configuring Cisco StackPower ...

Page 233: ... Typically you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security ...

Page 234: ...word protection restricts access to a network or network device Privilege levels define what commands users can enter after they have logged into a network device Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 4 These sections contain this configuration information Default Password and Privilege Level Con...

Page 235: ... any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new...

Page 236: ...nfiguration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 is norm...

Page 237: ...boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmodem proto...

Page 238: ...e switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port or attach a PC to the Ethernet management port The default data characteristics of the console port are 9600 8 1 no parity You might ...

Page 239: ...nformation Setting the Privilege Level for a Command page 1 8 Changing the Default Privilege Level for Lines page 1 9 Logging into and Exiting a Privilege Level page 1 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the us...

Page 240: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is t...

Page 241: ...g into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for th...

Page 242: ...CS Operation page 1 12 Configuring TACACS page 1 12 Displaying the TACACS Configuration page 1 17 Understanding TACACS TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should config...

Page 243: ...ontrol session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accountin...

Page 244: ...formation After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT authorization response If an ACCEPT response is returne...

Page 245: ...host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a list of preferred hosts The software searches for hosts in the order in which ...

Page 246: ... named method list explicitly defined A defined method list overrides the default method list A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to...

Page 247: ...y using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 1 13 line Use the line password for authentication Before you can use this authentication method you must...

Page 248: ...ters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through ...

Page 249: ...he router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Displaying the TACACS Configuration To display TACACS server statistics use the show tacacs privileged EXEC command Controlling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible ...

Page 250: ...ss security Networks with multiple vendor access servers each supporting RADIUS For example access servers from several vendors use a single RADIUS server based security database In an IP based network with multiple vendors access servers dial in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system Turnkey network security environments ...

Page 251: ...ety of services RADIUS generally binds a user to one service model Figure 1 2 Transitioning from RADIUS to TACACS Services RADIUS Operation When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server these events occur 1 The user is prompted to enter a username and password 2 The username and encrypted password are sent over the network to the RADIUS se...

Page 252: ...US Change of Authorization CoA extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication authorization and accounting AAA or policy servers Beginning with Cisco IOS Release 12 2 52 SE the switch supports these per session CoA requests Session reauthentication Session termination Session termination with...

Page 253: ...e 1 2 shows the IETF attributes are supported for this feature Table 1 3 shows the possible values for the Error Cause attribute Table 1 2 Supported IETF Attributes Attribute Number Attribute Name 24 State 31 Calling Station ID 44 Acct Session ID 80 Message Authenticator 101 Error Cause Table 1 3 Error Cause Values Value Explanation 201 Residual Session Context Removed 202 Invalid EAP Packet Ignor...

Page 254: ... match the session the switch returns a Disconnect NAK or CoA NAK with the Invalid Attribute Value error code attribute For disconnect and CoA requests targeted to a particular session any one of the following session identifiers can be used Calling Station ID IETF attribute 31 which should contain the MAC address Audit Session ID Cisco vendor specific attribute Accounting Session ID IETF attribut...

Page 255: ...t with an unknown identity or posture joins the network and is associated with a restricted access authorization profile such as a guest VLAN A reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are known To initiate session authentication the AAA server sends a standard CoA Request message which contains a Cisco vendor specific attrib...

Page 256: ...e re transmitted command as a new command Session Termination There are three types of CoA requests that can trigger session termination A CoA Disconnect Request terminates the session without disabling the host port This command causes re initialization of the authenticator state machine for the specified host but does not restrict that host s access to the network To restrict a host s access to ...

Page 257: ...d in a standard CoA Request message that contains the following new VSA Cisco Avpair subscriber command bounce host port Because this command is session oriented it must be accompanied by one or more of the session identification attributes described in the Session Identification section on page 1 22 If the session cannot be located the switch returns a CoA NAK message with the Session Context Not...

Page 258: ... Configuring RADIUS This section describes how to configure your switch to support RADIUS At a minimum you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication You can optionally define method lists for RADIUS authorization and accounting A method list defines the sequence and methods to be used to authenticate to authorize or to...

Page 259: ...e same RADIUS server are configured for the same service for example accounting the second host entry configured acts as a fail over backup to the first one Using this example if the first host entry fails to provide accounting services the RADIUS 4 RADIUS_DEAD message appears and then the switch tries the second host entry configured on the same device for accounting services The RADIUS host entr...

Page 260: ... the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key st...

Page 261: ...erformed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence ...

Page 262: ...he RADIUS server For more information see the Identifying the RADIUS Server Host section on page 1 27 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the user...

Page 263: ...ference Release 12 4 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host ...

Page 264: ...ansmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as...

Page 265: ...r Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can...

Page 266: ... record which is the default condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Step 3 aaa authori...

Page 267: ...ttributes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared sec...

Page 268: ...ged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 4 Configuring the Switch for Vendor Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies ...

Page 269: ...hese steps to configure CoA on a switch This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address non standard Specify the IP address or hostname of the remote RADIUS server host and identify that it is using a vendor proprietary implementation of RADIUS Step 3 radius server key string Specify the shared secre...

Page 270: ... switch uses for RADIUS clients The client must match all the configured attributes for authorization Step 8 ignore session key Optional Configure the switch to ignore the session key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step 9 ignore server key Optional Configure the switch to ignore the server key For more inf...

Page 271: ... the Security Server Protocols chapter of the Cisco IOS Security Command Reference Release 12 4 Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 4 the trusted third party can be a switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Ke...

Page 272: ...ce credentials Kerberos credentials verify the identity of a user or service If a network service decides to trust the Kerberos server that issued a ticket it can be used in place of re entering a username and password Credentials have a default lifespan of eight hours Instance An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smit...

Page 273: ...ver A daemon that is running on a network host Users and network services register their identity with the Kerberos server Network services query the Kerberos server to authenticate to other network services KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later Kerberos versions the network service authenticates an encrypted service credential by using the KEYTAB to...

Page 274: ...about how to authenticate to a KDC see the Obtaining a TGT from a KDC section in the Security Server Protocols chapter of the Cisco IOS Security Configuration Guide Release 12 4 Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a TGT must now authenticate to the network services in a Kerberos realm For instruct...

Page 275: ...tabase The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6 username name privilege level password encryption type pass...

Page 276: ...nctions the same in IPv6 as in IPv4 For IPv6 SSH supports IPv6 addresses and enables secure encrypted connections with remote IPv6 nodes over an IPv6 transport Note For complete syntax and usage information for the commands used in this section see the command reference for this release and the Secure Shell Commands section of the Other Security Features chapter of the Cisco IOS Security Command R...

Page 277: ...SSH client are supported only on DES 56 bit and 3DES 168 bit data encryption software The switch supports the Advanced Encryption Standard AES encryption algorithm with a 128 bit key 192 bit key or 256 bit key However symmetric cipher AES to encrypt the keys is not supported Configuring SSH This section has this configuration information Configuration Guidelines page 1 45 Setting Up the Switch to ...

Page 278: ...e information see the Configuring the Switch for Local Authentication and Authorization section on page 1 43 Beginning in privileged EXEC mode follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration com...

Page 279: ...econds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns to the def...

Page 280: ...nd Client with SSL 3 0 feature description for Cisco IOS Release 12 2 15 T Understanding Secure HTTP Servers and Clients On a secure HTTP connection data to and from an HTTP server is encrypted before being sent over the Internet HTTP with SSL encryption provides a secure connection to allow such functions as configuring a switch from a Web browser Cisco s implementation of the secure HTTP server ...

Page 281: ... or client is automatically generated If the switch is not configured with a hostname and a domain name a temporary self signed certificate is generated If the switch reboots any temporary self signed certificate is lost and a new temporary new self signed certificate is assigned If the switch has been configured with a host and domain name a persistent self signed certificate is generated This ce...

Page 282: ... with RSA Public Key Cryptography MD2 MD5 RC2 CBC RC4 DES CBC and DES EDE3 CBC For the best possible encryption you should use a client browser that supports 128 bit encryption such as Microsoft Internet Explorer Version 5 5 or later or Netscape Communicator Version 4 76 or later The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites as it does not offer 128 bi...

Page 283: ...igure a CA trustpoint Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 hostname hostname Specify the hostname of the switch required only if you have not previously configured a hostname The hostname is required for security keys and certificates Step 3 ip domain name domain name Specify the IP domain name of the switch required only if you have not previously confi...

Page 284: ...A Use the same name used in Step 5 Step 12 crypto ca enroll name Obtain the certificate from the specified CA trustpoint This command requests a signed certificate for each RSA key pair Step 13 end Return to privileged EXEC mode Step 14 show crypto ca trustpoints Verify the configuration Step 15 copy running config startup config Optional Save your entries in the configuration file Command Purpose...

Page 285: ...tificate and to authenticate the client certificate connection Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Step 8 ip http path path name Optional Set a base HTTP path for HTML files The path specifies the location of the HTTP server files on the local system usually located in system flash memory Step 9 ip http access class acces...

Page 286: ...tocol that provides a secure replacement for the Berkeley r tools Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip http client secure trustpoint name Optional Specify the CA trustpoint to be used if the remote HTTP server requests client authentication Using this command assumes that you have already configured a CA trustpoint by using the previous procedure The ...

Page 287: ... the password into the copy command You must enter the password when prompted Information About Secure Copy To configure the Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp which comes from the Berkeley r tools suite except that SCP relies on SSH for security SCP also requires that authentication authorization and accounting AAA au...

Page 288: ...1 56 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 289: ...ckets These switches operate as access layer switches in the Cisco TrustSec network Cisco IOS Release 15 0 1 SE supports SXP version 2 syslog messages and SNMP support for SXP For more information about Cisco TrustSec see the Cisco TrustSec Switch Configuration Guide at this URL http www cisco com en US docs switches lan trustsec configuration guide trustsec html The sections on SXP define the cap...

Page 290: ...1x Multiple Authentication Mode page 1 12 802 1x Readiness Check page 1 15 802 1x Authentication with Per User ACLs page 1 17 802 1x Authentication with Guest VLAN page 1 21 802 1x Authentication with Restricted VLAN page 1 22 802 1x Authentication with Inaccessible Authentication Bypass page 1 23 802 1x Critical Voice VLAN Configuration page 1 24 802 1x Authentication with Downloadable ACLs and R...

Page 291: ...cation Protocol EAP extensions is the only supported authentication server It is available in Cisco Secure Access Control Server Version 3 0 or later RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on...

Page 292: ...e the client MAC address for authorization If the client MAC address is valid and the authorization succeeds the switch grants the client access to the network If the client MAC address is invalid and the authorization fails the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured If the switch gets an invalid identity from an 802 1x capable client...

Page 293: ...nnectivity is lost during re authentication When the ReAuthenticate action is set the attribute value is RADIUS Request the session is not affected during re authentication You manually re authenticate the client by entering the dot1x re authenticate interface interface id privileged EXEC command 281594 Client identity is invalid All authentication servers are down All authentication servers are d...

Page 294: ...equest identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page 1 10 When the client supplies its identity the switch begins its role as the ...

Page 295: ...the MAC authentication bypass process and stops 802 1x authentication Figure 1 4 shows the message exchange during MAC authentication bypass Figure 1 4 Message Exchange During MAC Authentication Bypass Authentication Manager In Cisco IOS Release 12 2 46 SE and earlier you could not use the same authorization methods including CLI commands and messages on this switch and also on other network devic...

Page 296: ...ter VLAN assignment VLAN assignment Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 MAC authentication bypass VLAN assignment Per user ACL Filter ID attribute Downloadable ACL2 Redirect URL2 VLAN assignment VLAN assignment Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Per user ACL2 Filter Id ...

Page 297: ...lier 802 1x commands Table 1 2 Authentication Manager Commands and Earlier 802 1x Commands The authentication manager commands in Cisco IOS Release 12 2 50 SE or later The equivalent 802 1x commands in Cisco IOS Release 12 2 46 SE and earlier Description authentication control direction both in dot1x control direction both in Enable 802 1x authentication with the wake on LAN WoL feature and config...

Page 298: ...y If the port is configured as a voice VLAN port the port allows VoIP traffic and 802 1x protocol packets before the client is successfully authenticated Note CDP bypass is not supported and may cause a port go into err disabled state If a client that does not support 802 1x authentication connects to an unauthorized 802 1x port the switch requests the client s identity In this situation the clien...

Page 299: ...t If no response is received from the server after the specified number of attempts authentication fails and network access is not granted When a client logs off it sends an EAPOL logoff message causing the switch port to change to the unauthorized state If the link state of a port changes from up to down or if an EAPOL logoff frame is received the port returns to the unauthorized state 802 1x Aut...

Page 300: ... authorized for all clients to be granted network access If the port becomes unauthorized re authentication fails or an EAPOL logoff message is received the switch denies network access to all of the attached clients In this topology the wireless access point is responsible for authenticating the clients attached to it and it also acts as a client to the switch Figure 1 5 Multiple Host Mode Exampl...

Page 301: ...e and the server is not reachable all authorized hosts are reinitialized in the configured VLAN For more information about critical authentication mode and the critical VLAN see the 802 1x Authentication with Inaccessible Authentication Bypass section on page 1 23 For more information see the Configuring the Host Mode section on page 1 47 MAC Move When a MAC address is authenticated on one switch ...

Page 302: ...he authentication manager initiates the authentication process for the new MAC address If the authentication manager determines that the new host is a voice host the original voice host is removed If a port is in open authentication mode any new MAC address is immediately added to the MAC address table For more information see the Enabling MAC Replace section on page 1 52 802 1x Accounting The 802...

Page 303: ... You can use this feature to determine if the devices connected to the switch ports are 802 1x capable You use an alternate authentication such as MAC authentication bypass or web authentication for the devices that do not support 802 1x functionality Table 1 3 Accounting AV Pairs Attribute Number AV Pair Name START INTERIM STOP Attribute 1 User Name Always Always Always Attribute 4 NAS IP Address...

Page 304: ... All packets sent from or received on this port belong to this VLAN If 802 1x authentication is enabled but the VLAN information from the RADIUS server is not valid authorization fails and configured VLAN remains in use This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error Configuration errors could include specifying a VLAN for a routed port a m...

Page 305: ...x port it retrieves the ACL attributes based on the user identity and sends them to the switch The switch applies the attributes to the 802 1x port for the duration of the user session The switch removes the per user ACL configuration when the session is over if authentication fails or if a link down condition occurs The switch does not save RADIUS specified ACLs in the running configuration When ...

Page 306: ...figure per user ACLs Enable AAA authentication Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server Enable 802 1x authentication Configure the user profile and VSAs on the RADIUS server Configure the 802 1x port for single host mode Note Per user ACLs are supported only in single host mode 802 1x Authentication with Downloadable ACLs and Red...

Page 307: ...l traffic Policies are enforced with IP address insertion to prevent security breaches Web authentication is subject to the auth default ACL OPEN To control access for hosts with no authorization policy you can configure a directive The supported values for the directive are open and default When you configure the open directive all traffic is allowed The default directive subjects traffic to the ...

Page 308: ...r attribute The name is the ACL name The number is the version number for example 3f783768 If a downloadable ACL is configured for a client on the authentication server a default port ACL on the connected client switch port must also be configured If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access policy to the switch it applies the policy to traffic from t...

Page 309: ...witch is trying to authorize an 802 1x capable voice device and the AAA server is unavailable the authorization attempt fails but the detection of the EAPOL packet is saved in the EAPOL history When the AAA server becomes available the switch authorizes the voice device However the switch no longer allows other devices access to the guest VLAN To prevent this situation use one of these command seq...

Page 310: ...ning tree blocking state With this feature you can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts the default value is 3 attempts The authenticator counts the failed authentication attempts for the client When this count exceeds the configured maximum number of authentication attempts the port moves to the restricted VLAN The failed attem...

Page 311: ...l VLAN To support this inaccessible bypass on multiple authentication multiauth ports use the authentication event server dead action reinitialize vlan vlan id command When a new host tries to connect to the critical port that port is reinitialized and all the connected hosts are moved to the user specified access VLAN This command is supported on all host modes Authentication Results The behavior...

Page 312: ... compatible with voice VLAN but the RADIUS configured or user specified access VLAN and the voice VLAN must be different Remote Switched Port Analyzer RSPAN Do not configure an RSPAN VLAN as the RADIUS configured or user specified access VLAN for inaccessible authentication bypass In a switch stack the stack master checks the status of the RADIUS servers by sending keepalive packets When the statu...

Page 313: ...N for a port by entering the switchport voice vlan vlan id interface configuration command This feature is supported in multidomain and multi auth host modes Although you can enter the command when the switch in single host or multi host mode the command has no effect unless the device changes to multidomain or multi auth host mode Beginning in privileged EXEC mode follow these steps to configure ...

Page 314: ...t Disables testing on the RADIUS server authentication port For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note Always configure the key as the last item in the radius server host command syntax because leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in the key...

Page 315: ...igure the RADIUS server to send a VLAN group name for a user The VLAN group name can be sent as part of the response to the user You can search for the selected VLAN group name among the VLAN group names that you configured by using the switch CLI If the VLAN group name is found the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN Load balancing is achie...

Page 316: ...od set to the default of five seconds A voice VLAN port becomes active when there is a link and the device MAC address appears after the first CDP message from the IP phone Cisco IP phones do not relay CDP messages from other devices As a result if several IP phones are connected in series the switch recognizes only the one directly connected to it When IEEE 802 1x authentication is enabled on a v...

Page 317: ... 1x authentication times out while waiting for an EAPOL response from the client the switch tries to authorize the client by using MAC authentication bypass When the MAC authentication bypass feature is enabled on an IEEE 802 1x port the switch uses the MAC address as the client identity The authentication server has a database of client MAC addresses that are allowed network access After detectin...

Page 318: ...an assign a client to a private VLAN Network admission control NAC Layer 2 IP validation This feature takes effect after an IEEE 802 1x port is authenticated with MAC authentication bypass including hosts in the exception list Network Edge Access Topology NEAT MAB and NEAT are mutually exclusive You cannot enable MAB when NEAT is enabled on an interface and you cannot enable NEAT when MAB is enabl...

Page 319: ...ic according to the access control list ACL defined on the port After the host is authenticated the policies configured on the RADIUS server are applied to that host You can configure open authentication with these scenarios Single host mode with open authentication Only one user is allowed network access before and after authentication MDA mode with open authentication Only one user in the voice ...

Page 320: ...unted towards the port security MAC address limit You can use dynamic VLAN assignment from a RADIUS server only for data devices MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support IEEE 802 1x authentication For more information see the MAC Authentication Bypass section on page 1 41 When a data or a voice device is detect...

Page 321: ...dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes If authentication fails the supplicant port opens Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authenticatio...

Page 322: ...d configurations on the authenticator switch port and to change the port mode from access to trunk For more information see the Auto Smartports Configuration Guide for this release For more information see the Configuring an Authenticator and a Supplicant Switch with NEAT section on page 1 69 Voice Aware 802 1x Security You use the voice aware 802 1x security feature to configure the switch to dis...

Page 323: ...sionID 160000050000000B288508E5 1w0d AUTHMGR 7 RESULT Authentication result success from mab for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 The session ID is used by the NAD the AAA server and other report analyzing applications to identify the client The ID appears automatically No configuration is required Device Sensor Device Sensor uses protocols such as...

Page 324: ...TLV changes that is when a previously received TLV is received with a different value Device Sensor port security protects the switch from consuming memory and failing during deliberate or unintentional denial of service DoS type attacks Guidelines Device Sensor limits the maximum number of device monitoring sessions to 32 per port In the case of lack of activity from hosts the age session limit i...

Page 325: ...tication Number page 1 51 optional Enabling MAC Move page 1 52 optional Enabling MAC Replace page 1 52 Configuring 802 1x Accounting page 1 53 optional Configuring Device Sensor page 1 54 optional Configuring a Guest VLAN page 1 60 optional Configuring a Restricted VLAN page 1 62 optional Configuring Inaccessible Authentication Bypass and Critical Voice VLAN page 1 63 optional Configuring 802 1x A...

Page 326: ...authorized state Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switch...

Page 327: ...appears and the port mode is not changed Dynamic ports A port in dynamic mode can negotiate with its neighbor to become a trunk port If you try to enable 802 1x authentication on a dynamic port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to dynamic an error message appears and the port mode is not changed Dynamic access ...

Page 328: ...e 802 1x authentication on a private VLAN port but do not configure IEEE 802 1x authentication with port security a voice VLAN a guest VLAN a restricted VLAN or a per user ACL on private VLAN ports You can configure any VLAN except an RSPAN VLAN private VLAN or a voice VLAN as an 802 1x guest VLAN The guest VLAN feature is not supported on internal VLANs routed ports or trunk ports it is supported...

Page 329: ... use MAC authentication bypass to re authorize the port If the port is in the authorized state the port remains in this state until re authorization occurs Maximum Number of Allowed Devices Per Port This is the maximum number of devices allowed on an 802 1x enabled port In single host mode only one device is allowed on the access VLAN If the port is also configured with a voice VLAN an unlimited n...

Page 330: ... the voice aware 802 1x security feature on the switch to disable only the VLAN on which a security violation occurs whether it is a data or voice VLAN You can use this feature in IP phone deployments where a PC is connected to the IP phone A security violation found on the data VLAN results in the shutdown of only the data VLAN The traffic on the voice VLAN flows through the switch without interr...

Page 331: ...isable detect privileged EXEC command Configuring 802 1x Violation Modes You can configure an 802 1x port so that it shuts down generates a syslog error or discards packets from a new device when a device connects to an 802 1x enabled port the maximum number of allowed about devices have been authenticated on the port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 332: ...aa authentication dot1x default method1 Create an 802 1x authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of ...

Page 333: ...ep 4 dot1x system auth control Enable 802 1x authentication globally on the switch Step 5 aaa authorization network default group radius Optional Configure the switch to use user RADIUS authorization for all network related service requests such as per user ACLs or VLAN assignment Note For per user ACLs single host mode must be configured This setting is the default Step 6 radius server host ip ad...

Page 334: ...nsmission and encryption key values for all RADIUS servers by using the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Configuring Settings for All RADIUS Servers section on page 1 35 Command Purpos...

Page 335: ...t control auto Switch config if authentication host mode multi host Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to which multiple hosts are indirectly attached and enter interface configuration mode Step 3 authentication host mode multi auth multi domain multi host single host Allow multiple hosts clients on an 802 1x aut...

Page 336: ...uthentication timer interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication periodic Enable periodic re authentication of the client which is disabled by default Note The default value is 3600 seconds To change the value of t...

Page 337: ...en tries again The authentication timer inactivity interface configuration command controls the idle period A failed authentication of the client might occur because the client provided an invalid password You can provide a faster response time to the user by entering a number smaller than the default Beginning in privileged EXEC mode follow these steps to change the quiet period This procedure is...

Page 338: ... request identity frame from the client before resending the request Switch config if authentication timer reauthenticate 60 Setting the Switch to Client Frame Retransmission Number In addition to changing the switch to client retransmission time you can change the number of times that the switch sends an EAP request identity frame assuming no response is received to the client before restarting t...

Page 339: ...e steps to set the re authentication number This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x max reauth req count Set the number of times that the switch sends an EAP request identity frame to the client before restarting the authen...

Page 340: ...e follow these steps to enable MAC replace on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 authentication mac move permit Enable MAC move on the switch Step 3 end Return to privileged EXEC mode Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configu...

Page 341: ...nterim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Beginning in privileged EXEC mode follow these steps to configure 802 1x accounting after AAA is enabled on your switch This procedure is opti...

Page 342: ...tatus type and powernet event type types 28 and 29 LLDP filter organizationally specific type 127 DHCP filter message type type 53 Enabling Accounting Augmentation page 1 54 Creating a Cisco Discovery Protocol Filter page 1 55 Creating an LLDP Filter page 1 56 Creating a DHCP Filter page 1 56 Applying a Protocol Filter to the Device Sensor Output page 1 57 Tracking TLV Changes page 1 58 Verifying ...

Page 343: ...es the generation of additional accounting events when new sensor data is detected Step 3 end Example Switch config end Returns to privileged EXEC mode Command Purpose Step 1 configure terminal Example Switch configure terminal Enters global configuration mode Step 2 device sensor filter list cdp list tlv list name Example Switch config device sensor filter list cdp list cdp list Creates a TLV lis...

Page 344: ...ist tlv list name Example Switch config device sensor filter list lldp list lldp list Creates a TLV list and enters LLDP sensor configuration mode where you can configure individual TLVs Step 3 tlv name tlv name number tlv number Example Switch config sensor cdplist tlv number 10 Adds individual LLDP TLVs to the TLV list You can delete the TLV list without individually removing TLVs from the list ...

Page 345: ...ommand Step 4 end Example Switch config end Returns to privileged EXEC mode Command Purpose Command Purpose Step 1 configure terminal Example Switch configure terminal Enters global configuration mode Step 2 device sensor filter spec cdp dhcp lldp exclude all list list name include list list name Example Switch config device sensor filter spec cdp include list list1 Applies a specific protocol fil...

Page 346: ...type 16 00 1A 00 10 00 00 00 01 00 00 00 00 FF FF FF FF cdp 22 mgmt address type 17 00 16 00 11 00 00 00 01 01 01 CC 00 04 09 1B 65 0E Command Purpose Step 1 configure terminal Example Switch configure terminal Enters global configuration mode Step 2 device sensor notify all changes Example Switch config device sensor notify all changes Enables client notifications and accounting events for all TL...

Page 347: ...rload 3 34 01 03 dhcp 60 class identifier 11 3C 09 64 6F 63 73 69 73 31 2E 30 dhcp 55 parameter request list 8 37 06 01 42 06 03 43 96 dhcp 61 client identifier 27 3D 19 00 63 69 73 63 6F 2D 30 30 31 63 2E 30 66 37 34 2E 38 34 38 30 2D 56 6C 31 dhcp 57 max message size 4 39 02 04 80 Device 000f f7a7 234f on port GigabitEthernet2 1 Proto Type Name Len Value cdp 22 mgmt address type 8 00 16 00 08 00...

Page 348: ...N clients that are not 802 1x capable are put into the guest VLAN when the server does not receive a response to its EAP request identity frame Clients that are 802 1x capable but that fail authentication are not granted network access The switch supports guest VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to configure a guest VLAN This procedure ...

Page 349: ... authorize vlan vlan id interface configuration command The port returns to the unauthorized state This example shows how to enable VLAN 2 as an 802 1x guest VLAN Switch config interface gigabitethernet2 0 2 Switch config if authentication event no response action authorize vlan 2 Step 7 show authentication interface interface id Verify your entries Step 8 copy running config startup config Option...

Page 350: ...xample shows how to enable VLAN 2 as an 802 1x restricted VLAN Switch config interface gigabitethernet2 0 2 Switch config if authentication event fail action authorize 2 You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command The range of allowable au...

Page 351: ...ne is put in the configured voice VLAN for the port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 1 39 Step 3 switchport mode access or switchport mode private vlan host...

Page 352: ...The range for the UDP port number is from 0 to 65536 The default is 1646 auth port udp port Specify the UDP port for the RADIUS authentication server The range for the UDP port number is from 0 to 65536 The default is 1645 Note You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values test username name Enable auto...

Page 353: ...naccessible authentication bypass eapol Specify that the switch sends an EAPOL Success message when the switch successfully authenticates the critical port recovery delay milliseconds Set the recovery delay period during which the switch waits to re initialize a critical port when a RADIUS server that was unavailable becomes available The range is from 1 to 10000 milliseconds The default is 1000 m...

Page 354: ...tication control direction both in Enable 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional both Sets the port as bidirectional The port cannot receive packets from or send packets to the host By default the port is bidirectional in Sets the port as unidirectional The port can send packets to the host but cannot receive packe...

Page 355: ...t Group Name Vlans Mapped eng dept 10 switch show dot1x vlan group all Group Name Vlans Mapped eng dept 10 hr dept 20 This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added switch config vlan group eng dept vlan list 30 switch config show vlan group eng dept Group Name Vlans Mapped eng dept 10 30 This example shows how to remove a VLAN from a VLAN grou...

Page 356: ...NAC Layer 2 802 1x validation Switch configure terminal Switch config interface gigabitethernet2 0 1 Switch config if authentication periodic Switch config if authentication timer reauthenticate Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication event ...

Page 357: ...ntrol auto Switch config if dot1x pae authenticator Switch config if spanning tree portfast trunk Beginning in privileged EXEC mode follow these steps to configure a switch as a supplicant Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cisp enable Enable CISP Step 3 interface interface id Specify the port to be configured and enter interface configuration mode Ste...

Page 358: ... password Create a password for the new username Step 6 dot1x supplicant force multicast Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets This also allows NEAT to work on the supplicant switch in all host modes Step 7 dot1x supplicant controlled transient Optional Configure the switch to block traffic exiting the supplicant port during the ...

Page 359: ...ication and the client IP address addition to the IP device tracking table The switch then applies the downloadable ACL to the port Beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip device tracking Sets the ip device tracking table Step 3 aaa new model Enables AAA Step 4 aaa authorization network default local group radius Sets th...

Page 360: ... Optional Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console Step 3 interface interface id Enter interface configuration mode Step 4 ip access group acl id in Configure the default ACL on the port in the input direction Note The acl id is an access list name or number Step 5 exit Returns to global configuration mode Step 6 aaa new...

Page 361: ... debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32 For more information about this command see the Cisco IOS Debug Command Reference Release 12 4 This example shows how to globally enable VLAN ID based MAC authentication on a switch Switch config terminal Enter configuration commands one per line End with CNTL Z Switch config mab request format attribute 32 vlan ac...

Page 362: ...py running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication control direction both in Optional Configure the port control as unidirectional or bidirectional Step 4 authenticat...

Page 363: ...xy auth proxy banner C My Switch C Switch config end For more information about the ip auth proxy auth proxy banner command see the Authentication Proxy Commands section of the Cisco IOS Security Command Reference on Cisco com Disabling 802 1x Authentication on the Port You can disable 802 1x authentication on the port by using the no dot1x pae interface configuration command Beginning in privileg...

Page 364: ...and To display the 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command Beginning with Cisco IOS Release 12 2 55 SE you can use the no dot1x logging verbose global configura...

Page 365: ...he LAN base image All downlink ports on the switch can run Cisco TrustSec MACsec link layer switch to switch security Cisco TrustSec and Cisco SAP are meant only for switch to switch links and are not supported on switch ports connected to end hosts such as PCs or IP phones MKA is meant for switch to host facing links and is not supported on switch to switch links Host facing links typically use f...

Page 366: ...2 1x REV The MKA Protocol extends 802 1x to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by the peers The EAP framework implements MKA as a newly defined EAP over LAN EAPOL packet EAP authentication produces a master session key MSK shared by both partners in the data exchange Entering the EAP session ID generates a sec...

Page 367: ...se after the first successful client authentication is not required for other clients Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol A virtual port corresponds to a separate logical port ID Valid port IDs for a virtual port are 0x0002 to 0xFFFF Each virtual port receives a unique secure channel identifier SCI based on the...

Page 368: ... or closed based on a single authentication If one user the primary secured client services client host is authenticated the same level of network access is provided to any host connected to the same port If a secondary host is a MACsec supplicant it cannot be authenticated and traffic would no flow A secondary host that is a non MACsec host can send traffic to the network without authentication b...

Page 369: ...s Pairwise CAKs Derived 32 Pairwise CAK Rekeys 31 Group CAKs Generated 0 Group CAKs Received 0 SA Statistics SAKs Generated 32 SAKs Rekeyed 31 SAKs Received 0 SAK Responses Received 32 MKPDU Statistics MKPDUs Validated Rx 580 Distributed SAK 0 Distributed CAK 0 MKPDUs Transmitted 597 Distributed SAK 32 Distributed CAK 0 MKA Error Counter Totals Bring up Failures 0 Reauthentication Failures 0 SAK F...

Page 370: ...icy relay policy Switch config mka policy replay policy Switch config mka policy replay protection window size 300 Switch config mka policy end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mka policy policy name Identify an MKA policy and enter MKA policy configuration mode The maximum policy name length is 16 characters Step 3 replay protection window size fram...

Page 371: ...ure the session with MACsec if the peer is available If not set the default is should secure Step 9 authentication port control auto Enable 802 1x authentication on the port The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client Step 10 authentication violation protect Configure the port to drop unexpected incoming MAC addres...

Page 372: ...nterface gigabitethernet1 0 25 Interface GigabitEthernet1 0 25 MAC Address 001b 2140 ec3c IP Address 1 1 1 103 User Name ms1 Status Authz Success Domain DATA Security Policy Must Secure ß New Security Status Secured ß New Oper host mode multi domain Oper control dir both Authorized By Authentication Server Vlan Policy 10 Session timeout 3600s server Remaining 3567s Timeout action Reauthenticate Id...

Page 373: ...ption Between MACsec capable devices packets are encrypted on egress from the sending device decrypted on ingress to the receiving device and in the clear within the devices This feature is only available between 802 1AE capable devices Network Device Admission Control NDAC NDAC is an authentication process by which each network device in the TrustSec domain can verify the credentials and trustwor...

Page 374: ... other TrustSec configurations Beginning in privilege EXEC mode follow these steps to configure Cisco TrustSec credentials To delete the Cisco TrustSec credentials enter the clear cts credentials privileged EXEC command This example shows how to create Cisco TrustSec credentials Switch cts credentials id trustsec password mypassword CTS device ID and password have been inserted in the local keysto...

Page 375: ...AN base service image If you select GCM without the required license the interface is forced to a link down state Beginning in privilege EXEC mode follow these steps to configure Cisco TrustSec switch to switch link layer security with 802 1x Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Note Enters interface configuration mode Step 3 cts ...

Page 376: ...c Encryption software license from Cisco If you select GCM without the required license the interface is forced to a link down state These protection levels are supported when you configure SAP pairwise master key sap pmk SAP is not configured no protection sap mode list gcm encrypt gmac no encap protection desirable but not mandatory sap mode list gcm encrypt gmac confidentiality preferred and in...

Page 377: ...ration mode options gcm encrypt Authentication and encryption Note Select this mode for MACsec authentication and encryption if your software license supports MACsec encryption gmac Authentication no encryption no encap No encapsulation null Encapsulation no authentication or encryption Note If the interface is not capable of data link encryption no encap is the default and the only available SAP ...

Page 378: ...tication dot1x default group cts radius Switch config aaa authentication network cts radius group radius Switch config aaa session id common Switch config cts authorization list cts radius Switch config dot1x system auth control Switch config interface gi1 1 2 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if cts dot1x Switch config if ct...

Page 379: ...nk encapsulation dot1q Switch config if switchport mode trunk Switch config if shutdown Switch config if cts manual Switch config if cts dot1x sap pmk 033445AABBCCDDEEFF mode list gcm encrypt gmac Switch config if cts dot1x no propagate sgt Switch config if cts dot1x exit Switch config if exit Switch config radius server vsa send authentication Switch config end Switch cts credentials id cts 72 pa...

Page 380: ...1 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring MACsec Encryption Configuring Cisco TrustSec MACsec ...

Page 381: ...interfaces Layer 3 interfaces are not supported on switches running the LAN base feature set When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AAA server for authenticat...

Page 382: ...h Controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a response to the client Figure 1 1 shows the roles of these devices in a network Figure 1 1 Web...

Page 383: ... password and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expi...

Page 384: ...red You create a banner by using the ip admission auth proxy banner http global configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 1 2 Figure 1 2 Authentication Successful Banner You can also customize the banner as shown in Figure 1 3 Add a switch rout...

Page 385: ...d Web Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 1 4 Figure 1 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 1 16 ...

Page 386: ...a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command configuring web pag...

Page 387: ...ge 1 7 LAN Port IP page 1 8 Gateway IP page 1 8 ACLs page 1 8 Context Based Access Control page 1 8 802 1x Authentication page 1 8 EtherChannel page 1 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can then li...

Page 388: ...on host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentication host policy...

Page 389: ...ture You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hosts on Layer 2 ...

Page 390: ...rver page 1 13 Configuring the Web Based Authentication Parameters page 1 15 Removing Web Based Authentication Cache Entries page 1 16 Configuring the Authentication Rule and Interfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth...

Page 391: ... authentication login default group tacacs Switch config aaa authorization auth proxy default group tacacs Configuring Switch to RADIUS Server Communication RADIUS security servers identification Host name Host IP address Host name and specific UDP port numbers IP address and specific UDP port numbers Command Purpose Step 1 aaa new model Enables AAA functionality Step 2 aaa authentication login de...

Page 392: ...tion key values for all RADIUS servers by using with the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server transmit and the radius server key global configuration commands For more information see the Cisco IOS Security Configuration Guide Release 12 4 and the Cisco IOS Security Command Reference...

Page 393: ...ip http secure secure command the login page is always in HTTPS secure HTTP even if the user sends an HTTP request Customizing the Authentication Proxy Web Pages Specifying a Redirection URL for Successful Login Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web b...

Page 394: ...sername and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example shows how to configure custom authentication proxy web pages Switch config ip admission proxy http login page file flash login htm Switch config ip admission proxy http success page file ...

Page 395: ...y webpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Con...

Page 396: ...to remove the web based authentication session for the client at the IP address 209 165 201 1 Switch clear ip auth proxy cache 209 165 201 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip admission auth proxy banner http banner text file path Enable the local banner Optional Create a custom banner by entering C banner text C where C is a delimiting character or...

Page 397: ... to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Command Purpose Step 1 show authentication sessions interface type slot port Displays the web based authentication settings type fastethernet gi...

Page 398: ...1 18 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Web Based Authentication Displaying Web Based Authentication Status ...

Page 399: ...ure Cisco Trustsec on the switch see the Cisco TrustSec Switch Configuration Guide at the following URL http www cisco com en US docs switches lan trustsec configuration guide trustsec html Release notes for Cisco TrustSec General Availability releases are at the following URL http www cisco com en US docs switches lan trustsec release notes rn_cts_crossplat html Additional information about the C...

Page 400: ...orthiness of its peer device NDAC utilizes an authentication framework based on IEEE 802 1X port based authentication and uses EAP FAST as its EAP method Successful authentication and authorization in NDAC process results in Security Association Protocol negotiation for IEEE 802 1AE encryption Security Group Access Control List SGACL A Security Group Access Control List SGACL associates a Security...

Page 401: ...TrustSec enforcement is supported only on up to eight VLANs on a VLAN trunk link If there are more than eight VLANs configured on a VLAN trunk link and Cisco TrustSec enforcement is enabled on those VLANs the switch ports on those VLAN trunk links will be error disabled The switch can assign SGT and apply corresponding SGACL to end hosts based on SXP listening only if the end hosts are Layer2 adja...

Page 402: ...1 4 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Cisco TrustSec Configuration Guidelines and Limitations ...

Page 403: ...nfiguring the System MTU page 1 43 Configuring the Power Supplies page 1 46 Configuring the Cisco RPS 2300 in a Mixed Stack page 1 46 Configuring the Cisco eXpandable Power System XPS 2200 page 1 48 Monitoring and Maintaining the Interfaces page 1 51 Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online...

Page 404: ... VLAN Trunking Protocol VTP learns of its existence from a neighbor on a trunk or when a user creates a VLAN VLANs can be formed with ports across the stack To configure VLANs use the vlan vlan id global configuration command to enter VLAN configuration mode The VLAN configurations for normal range VLANs VLAN IDs 1 to 1005 are saved in the VLAN database If VTP is version 1 or 2 to configure extend...

Page 405: ...Chapter 1 Configuring VLANs For more information about tunnel ports see Chapter 1 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling Access Ports An access port belongs to and carries the traffic of only one VLAN unless it is configured as a voice VLAN port Traffic is received and sent in native formats with no VLAN tagging Traffic arriving on an access port is assumed to belong to the VLAN as...

Page 406: ...TP learns of a new enabled VLAN that is not in the allowed list for a trunk port the port does not become a member of the VLAN and no traffic for the VLAN is forwarded to or from the port For more information about trunk ports see Chapter 1 Configuring VLANs Tunnel Ports Tunnel ports are used in IEEE 802 1Q tunneling to segregate the traffic of customers in a service provider network from other cu...

Page 407: ...re set supports static routing and the Routing Information Protocol RIP Starting with Cisco IOS Release 12 2 58 E the LAN Base feature set supports 16 user configured static routes on SVIs For full Layer 3 routing or for fallback bridging you must enable the IP Services feature set on the standalone switch or the active switch Switch Virtual Interfaces A switch virtual interface SVI represents a V...

Page 408: ...ces comes up when the first switch port belonging to the corresponding VLAN link comes up and is in STP forwarding state The default action when a VLAN has multiple ports is that the SVI goes down when all ports in the VLAN go down You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line state up an down calculation For example if the only active...

Page 409: ... can insert a 10 Gigabit Ethernet network module a 1 Gigabit Ethernet network module or a blank module A 10 Gigabit Ethernet interface operates only in full duplex mode The interface can be configured as a switched or routed port For more information about the Cisco TwinGig Converter Module see the switch hardware installation guide and your transceiver module documentation Power over Ethernet Por...

Page 410: ...r classification For more information see the standard IEEE 802 3at The PoE standard increases the maximum power that can be drawn by a powered device from 15 4 W per port to 30 W per port The UPoE feature provides the capability to source up to 60 W of power 2 x 30 W over both signal and spare pairs of the RJ 45 Ethernet cable by using the Layer 2 power negotiation protocols such as CDP or LLDP A...

Page 411: ...d Power via MDA TLVs for negotiating power up to 30 W Cisco prestandard devices and Cisco IEEE powered devices can use CDP or the IEEE 802 3at power via MDI power negotiation mechanism to request power levels up to 30 W Note The initial allocation for Class 0 Class 3 and Class 4 powered devices is 15 4 W When a device starts up and uses CDP or LLDP to send a request for more than 15 4 W it can be ...

Page 412: ... allowed on the port If the IEEE class maximum wattage of the powered device is greater than the configured maximum value the switch does not provide power to the port If the switch powers a powered device but the powered device later requests through CDP messages more than the configured maximum value the switch removes power to the port The power that was allocated to the powered device is recla...

Page 413: ...power to the port or the switch can generate a syslog message and update the LEDs the port LED is now blinking amber while still providing power to the device based on the switch configuration By default power usage policing is disabled on all PoE ports If error recovery from the PoE error disabled state is enabled the switch automatically takes the PoE port out of the error disabled state after t...

Page 414: ...e sum of the rated power consumption of the powered device and the worst case power loss over the cable The actual amount of power consumed by a powered device on a PoE port is the cutoff power value plus a calibration factor of 500 mW 0 5 W The actual cutoff value is approximate and varies from the configured value by a percentage of the configured value For example if the configured cutoff power...

Page 415: ...ing CDP or LLDP and the enddevice requests for power to be enabled on the spare pair When the spare pair is powered the enddevice can negotiate up to 60 W of power from the switch using CDP or LLDP Enabling Power on Signal Spare Pairs If the enddevice is PoE capable on both signal and spare pairs but does not support the CDP or LLDP extensions required for UPoE a 4 pair forced mode configuration a...

Page 416: ...module are labeled Te1 Gi2 and Te2 Gi4 These ports can operate at either 1 Gigabit per second or 10 Gigabits per second They are identified in software as gigabitethernet x 1 2 and x 1 4 and tengigabitethernet x 1 1 and x 1 2 with x being the switch number on Catalyst 3750 X stacks The Catalyst 3560 X switch port numbers are the same with no switch number Network Services Module The Catalyst 3750 ...

Page 417: ...0 X Switch When the IP services feature set is running on the switch or the active switch the switch uses two methods to forward traffic between interfaces routing and fallback bridging If the IP base feature set is on the switch or the active switch only basic routing static routing and RIP is supported Whenever possible to maintain high performance forwarding is done by the switch hardware Howev...

Page 418: ...d device must include a terminal emulation application When the switch detects a valid USB connection to a powered on device that supports host functionality such as a PC input from the RJ 45 console is immediately disabled and input from the USB console is enabled Removing the USB connection immediately reenables input from the RJ 45 console connection An LED on the switch shows which console con...

Page 419: ...his point no switches in the stack allow a USB console to have input A log entry shows when a console cable is attached If a USB console cable is connected to switch 2 it is prevented from providing input Mar 1 00 34 27 498 USB_CONSOLE 6 CONFIG_DISALLOW Console media type USB is disallowed by system configuration media type remains RJ45 switch stk 2 This example reverses the previous configuration...

Page 420: ...a type reverted to RJ45 At this point the only way to reactivate the USB console is to disconnect and reconnect the cable When the USB cable on the switch has been disconnected and reconnected a log similar to this appears Mar 1 00 48 28 640 USB_CONSOLE 6 MEDIA_USB Console media type is USB USB Type A Port The USB Type A port provides access to external Cisco USB flash devices also known as thumb ...

Page 421: ...evice Host Controller 1 Address 0x1 Device Configured YES Device Supported YES Description STEC USB 1GB Manufacturer STEC Version 1 0 Serial Number STI 3D508232204731 Device Handle 0x1010000 USB Version Compliance 2 0 Class Code 0x0 Subclass Code 0x0 Protocol 0x0 Vendor ID 0x136b Product ID 0x918 Max Packet Size of Endpoint Zero 64 Number of Configurations 1 Speed High Selected Configuration 1 Sel...

Page 422: ...X switches module number and switch port number and enter interface configuration mode Type Gigabit Ethernet gigabitethernet or gi for 10 100 1000 Mb s Ethernet ports 10 Gigabit Ethernet tengigabitethernet or te for 10 000 Mb s or small form factor pluggable SFP module Gigabit Ethernet interfaces gigabitethernet or gi Stack member number The number that identifies the switch within the stack The s...

Page 423: ...face tengigabitethernet1 0 1 To configure 10 Gigabit Ethernet port on stack member 3 enter this command Switch config interface tengigabitethernet3 0 1 If the switch has SFP modules the port numbers continue consecutively To configure the first SFP module port on stack member 1 with 16 10 100 1000 ports enter this command Switch config interface gigabitethernet1 0 25 Procedures for Configuring Int...

Page 424: ...ese steps beginning in privileged EXEC mode When using the interface range global configuration command note these guidelines Valid entries for port range vlan vlan ID vlan ID where the VLAN ID is 1 to 4094 gigabitethernet module first port last port for 3560 X switches where the module is always 0 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface range po...

Page 425: ...mmand The show running config privileged EXEC command displays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used with the interface range command All interfaces defined in a range must be the same type all Gigabit Ethernet ports all 10 Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can enter multiple ranges in a comma...

Page 426: ...ethernet stack member module first port last port for 3750 X switches where the module is always 0 gigabitethernet stack member module first port last port where the module is always 0 tengigabitethernet stack member module first port last port where the module is always 0 port channel port channel number port channel number where the port channel number is 1 to 48 Note When you use the interface ...

Page 427: ...ys the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Gigabit Ethernet ports all 10 Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named ...

Page 428: ...d Switch configure terminal Switch config no define interface range enet_list Switch config end Switch show run include define Switch Using the Ethernet Management Port This section has this information Understanding the Ethernet Management Port page 1 26 Supported Features on the Ethernet Management Port page 1 28 Configuring the Ethernet Management Port page 1 29 TFTP and the Ethernet Management...

Page 429: ...ve link is from the active switch a Catalyst 3750 E or Catalyst 3750 X switch to the PC If the active switch fails and the elected active switch is not a Catalyst 3750 E or Catalyst 3750 X switch switch 2 the active link can be from a stack member to the PC Figure 1 3 Connecting a Switch Stack to a PC By default the Ethernet management port is enabled The switch cannot route packets from the Ether...

Page 430: ...raffic between these ports cannot be sent or received If this happens data packet loops occur between the ports which disrupt the switch and network operation To prevent the loops configure route filters to avoid routes between the Ethernet management port and the network ports Supported Features on the Ethernet Management Port The Ethernet management port supports these features Express Setup onl...

Page 431: ... fastethernet 0 privileged EXEC command TFTP and the Ethernet Management Port Use the commands in Table 1 2 when using TFTP to download or upload a configuration file to the boot loader Table 1 2 Boot Loader Commands Command Description arp ip_address Displays the currently cached ARP1 table when this command is entered without the ip_address parameter Enables ARP to associate a MAC address with t...

Page 432: ...s in Layer 3 mode you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode This shuts down the interface and then reenables it which might generate messages on the device to which the interface is connected When you put an interface that is in Layer 3 mode into Layer 2 mode the previous configuration information related to the affe...

Page 433: ... auto half and full However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode For SFP module ports the speed and duplex CLI options change depending on the SFP module type The 1000BASE x where x is BX CWDM LX SX and ZX SFP module ports support the nonegotiate keyword in the speed interface configuration command Duplex options are not supported Port blocking unknown mult...

Page 434: ... and Duplex Parameters To set the speed and duplex mode for a physical interface follow these steps beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Specifies the physical interface to be configured and enter interface configuration mode Step 3 speed 10 100 1000 auto 10 100 1000 nonegotiate This command is no...

Page 435: ...ort experiences congestion and cannot receive any more traffic it notifies the other port by sending a pause frame to stop sending until the condition clears Upon receipt of a pause frame the sending device stops sending any data packets which prevents any loss of data packets during the congestion period Note Catalyst 3750 X or 3560 X ports can receive but not send pause frames You use the flowco...

Page 436: ...itch config if flowcontrol receive on Switch config if end Configuring Auto MDIX on an Interface When automatic medium dependent interface crossover auto MDIX is enabled on an interface the interface automatically detects the required cable connection type straight through or crossover and configures the connection appropriately When connecting switches without the auto MDIX feature you must use s...

Page 437: ... powered devices on a port Catalyst 3750 X switches also support StackPower which allows switch power supplies to share the load across multiple systems in a stack by connecting up to four switches with power stack cables See Chapter 1 Configuring Catalyst 3750 X StackPower for information on StackPower Table 1 4 Link Conditions and Auto MDIX Settings Local Side Auto MDIX Remote Side Auto MDIX Wit...

Page 438: ...rface id Specifies the physical port to be configured and enter interface configuration mode Step 3 power inline auto max max wattage never static max max wattage Configures the PoE mode on the port The keywords have these meanings auto Enables powered device detection If enough power is available automatically allocate power to the PoE port after device detection This is the default setting Optio...

Page 439: ...tional devices You can then extend the switch power budget and use it more effectively Caution You should carefully plan your switch power budget enable the power monitoring feature and make certain not to oversubscribe the power supply Note When you manually configure the power budget you must also consider the power loss over the cable between the switch and the powered device When you enter the...

Page 440: ...s chapter of the software configuration guide for this release To enable policing of the real time power consumption of a powered device connected to a PoE port follow these steps beginning in privileged EXEC mode Step 5 show power inline consumption default Displays the power consumption status Step 6 copy running config startup config Optional Saves your entries in the configuration file Command...

Page 441: ...enable error detection for the PoE error disabled cause by using the errdisable detect cause inline power global configuration command You can also enable the timer to recover from the PoE error disabled state by using the errdisable recovery cause inline power interval interval global configuration command Generate a syslog message while still providing power to the port Enter the power inline po...

Page 442: ...N ID following the interface vlan global configuration command To delete an SVI use the no interface vlan global configuration command You cannot delete interface VLAN 1 Note When you create an SVI it does not become active until it is associated with a physical port For information about assigning Layer 2 ports to VLANs see Chapter 1 Configuring VLANs When configuring SVIs you can also configure ...

Page 443: ...re can support the VLANs are created but the routed ports are shut down and the switch sends a message that this was due to insufficient hardware resources All Layer 3 interfaces require an IP address to route traffic This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface Note If the physical port is in Layer 2 mode the default you...

Page 444: ...and not excluded to keep the SVI state up You can use this command to exclude the monitoring port status when determining the status of the SVI To exclude a port from SVI state change calculations follow these steps beginning in privileged EXEC mode This example shows how to configure an access or trunk port in an SVI to be excluded from the line state status calculation Switch configure terminal ...

Page 445: ...t in these cases When you enter the system mtu command on a Catalyst 3750 X or 3560 X switch In a mixed stack when you enter the system mtu jumbo command for the Fast Ethernet ports on a Catalyst 3750 member When you enter the system mtu routing command on a switch on which only Layer 2 ports are configured Note This command is not supported on switches running the LAN base feature set When you us...

Page 446: ...mbo MTU value in bytes 2 2 The system routing MTU value is the applied value not the configured value Mixed hardware stack Use the system mtu bytes command which takes effect only on Catalyst 3750 members 1 The range is from 1500 to 1998 bytes Use the system mtu jumbo bytes command The range is from 1500 to 9000 bytes Use the system mtu routing bytes command The range is from 1500 to the system MT...

Page 447: ...ws the response when you try to set Gigabit Ethernet interfaces to an out of range number Switch config system mtu jumbo 25000 Invalid input detected at marker Step 4 system mtu bytes Optional In a mixed hardware stack change the MTU size for all Fast Ethernet interfaces on the Catalyst 3750 members The range is 1500 to 1998 bytes the default is 1500 bytes Note This command does not apply to Catal...

Page 448: ...ge an RPS 2300 connected to a Catalyst 3750 E switch in the stack Note The Catalyst 3750 X and 3560 X switches do not have RPS connectors These switches can be connected to an XPS 2200 expandable power supply not available at this time The Catalyst 3750 X switch also has stack power connectors See Chapter 1 Configuring Catalyst 3750 X StackPower for information on stack power Command Purpose Step ...

Page 449: ...ultiple switches connected to the RPS 2300 need power the RPS 2300 provides power to the switches with the highest priority If the RPS 2300 still has power available it can then provide power to the switches with lower priorities To configure and manage the RPS 2300 follow these steps beginning in user EXEC mode Command Purpose Step 1 power rps switch number name string serialnumber Specifies the ...

Page 450: ...upplies can operate in redundant power supply RPS mode or stack power SP mode For more information about the XPS 2000 see the configuration notes http preview cisco com en US docs switches power_supplies xps2200 software configuration note ol 24241 html Step 2 power rps switch number port rps port id mode active standby Specifies the mode of the RPS 2300 port The keywords have these meanings switc...

Page 451: ...lnumber Configures a name for the XPS 2200 system name Enter a name for the XPS 2000 port The name can have up to 20 characters serialnumber Use the serial number of the XPS 2200 as the system name The switch number appears only on Catalyst 3750 X switches and represents the switch number in the data stack a value from 1 to 9 Step 3 power xps switch number port name hostname serialnumber Configure...

Page 452: ...h connected to the port This is the default When a Catalyst 3560 X switch or Catalyst 3750 X switch running the LAN base image is connected the mode is RPS When a Catalyst 3750 X switch is connected the mode is stack power SP role RPS The XPS acts as a back up if the switch power supply fails At least one RPS power supply must be in RPS mode for this configuration The switch number appears only on...

Page 453: ...page 1 53 Command Purpose Step 1 power xps switch number supply A B mode rps sp Sets the XPS power supply mode supply A B Selects the power supply to configure Power supply A is on the left labeled PS1 and power supply B PS2 is on the right mode rps Sets the power supply mode to RPS to back up connected switches This is the default setting for power supply A PS1 mode sp Sets the power supply mode ...

Page 454: ...yst 3750 3560 2970 or 2960 switches RPS 2300 or Cisco RPS 675 Redundant Power System also referred to as the RPS 675 show env rps detail Optional Displays the details about the RPSs that are connected to the switch or switch stack show env rps switch switch number Optional Displays the RPSs that are connected to each switch in the stack or to the specified switch The range is 1 to 9 depending on t...

Page 455: ...h all dynamic routing protocols The interface is not mentioned in any routing updates show interfaces transceiver properties Optional Displays temperature voltage or amount of current on the interface show interfaces interface id transceiver properties detail module number Displays physical and operational status about an SFP module show running config interface interface id Displays the running c...

Page 456: ...t the interface To verify that an interface is disabled enter the show interfaces privileged EXEC command A disabled interface is shown as administratively down in the display Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface vlan vlan id gigabitethernet interface id port channel port channel number Selects the interface to be configured Step 3 shutdown Sh...

Page 457: ...Understanding VLANs A VLAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are f...

Page 458: ...onfiguring Layer 3 Interfaces section on page 1 40 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more information on the SDM templates see C...

Page 459: ...not want VTP to globally propagate information set the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch or the switch stack connected to a trunk port of a second switch or switch stack Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs but membership can be limited by configuring the allowed VLAN...

Page 460: ... dat file is stored in flash memory on the stack master Stack members have a vlan dat file that is consistent with the stack master Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan dat file If you want to modify the VLAN configuration use the commands described in these sections and in the command reference for this release To change the VTP confi...

Page 461: ...AN page 1 9 Assigning Static Access Ports to a VLAN page 1 9 Token Ring VLANs Although the switch does not support Token Ring connections a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches Switches running VTP Version 2 advertise information about these Token Ring VLANs Token Ring TrBRF VLANs Token Ring TrCRF VLANs ...

Page 462: ...t of spanning tree instances You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances If the number of VLANs on the switch exceeds the number of supported spanning tree instances we recommend that you configure the IEEE 802 1s Multiple STP MSTP on your switch to map multiple VLANs to a single spanning tre...

Page 463: ...uration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or domain name in the startup configuration does not match the VLAN database the domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database information In VTP versions 1 and 2 if VTP mode is server the domain name and VLAN configuration for VLAN IDs 1 to 1...

Page 464: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN IDs greater than 1005 extended range VLANs see the Configuring Extended Range...

Page 465: ...associated with the VLAN and thus inactive until you assign them to a new VLAN Beginning in privileged EXEC mode follow these steps to delete a VLAN on the switch Assigning Static Access Ports to a VLAN You can assign a static access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP VTP transparent mode If you are assigning a port on a cluster mem...

Page 466: ... stored in the VLAN database but because VTP mode is transparent they are stored in the switch running configuration file and you can save the configuration in the startup configuration file by using the copy running config startup config privileged EXEC command Extended range VLANs created in VTP version 3 are stored in the VLAN database Note Although the switch supports 4094 VLAN IDs see the Sup...

Page 467: ... is enabled by default on extended range VLANs but you can disable it by using the no spanning tree vlan vlan id global configuration command When the maximum number of spanning tree instances are on the switch spanning tree is disabled on any newly created VLANs If the number of VLANs on the switch exceeds the maximum number of spanning tree instances we recommend that you configure the IEEE 802 ...

Page 468: ...t VLAN configuration mode and the extended range VLAN is not created In VTP version 1 and 2 extended range VLANs are not saved in the VLAN database they are saved in the switch running configuration file You can save the extended range VLAN configuration in the switch startup configuration file by using the copy running config startup config privileged EXEC command VTP version 3 saves extended ran...

Page 469: ...ps to release a VLAN ID that is assigned to an internal VLAN and to create an extended range VLAN with that ID Step 7 show vlan id vlan id Verify that the VLAN has been created Step 8 copy running config startup config Save your entries in the switch startup configuration file To save extended range VLAN configurations you need to save the VTP transparent mode configuration and the extended range ...

Page 470: ...on mode and return to global configuration mode Step 9 interface interface id Specify the interface ID for the routed port that you shut down in Step 4 and enter interface configuration mode Step 10 no shutdown Re enable the routed port It will be assigned a new internal VLAN ID Step 11 end Return to privileged EXEC mode Step 12 copy running config startup config Save your entries in the switch st...

Page 471: ...e Table 1 4 You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface To autonegotiate trunking the interfaces must be in the same VTP domain Trunk negotiation is managed by the Dynamic Trunking Protocol DTP which is a Point to Point Protocol However some internetworking devices might forward DTP frames improperly which could cause misconfiguration...

Page 472: ... Makes the interface actively attempt to convert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchport mode trunk Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a ...

Page 473: ...802 1Q trunk is the same on both ends of the trunk link If the native VLAN on one end of the trunk is different from the native VLAN on the other end spanning tree loops might result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabl...

Page 474: ...all trunks in the group must have the same configuration When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of these parameters the switch propagates the setting you entered to all ports in the group allowed VLAN list STP port priority for each VLAN STP Port Fast setting trunk status if one port in a ...

Page 475: ... VLANs from the allowed list Step 3 switchport trunk encapsulation isl dot1q negotiate Configure the port to support ISL or IEEE 802 1Q encapsulation or to negotiate the default with the neighboring interface for encapsulation type You must configure each end of the link with the same encapsulation type Step 4 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk ...

Page 476: ...es a member of the enabled VLAN When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port the trunk port does not become a member of the new VLAN Beginning in privileged EXEC mode follow these steps to modify the allowed list of a trunk To return to the default allowed VLAN list of all VLANs use the no switchport trunk allowed vlan interface configuration command This ex...

Page 477: ... information about IEEE 802 1Q configuration issues see the IEEE 802 1Q Configuration Considerations section on page 1 17 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan ...

Page 478: ...the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the same VLAN remains in ...

Page 479: ...A Switch B Trunk 2 VLANs 3 6 priority 16 VLANs 8 10 priority 128 Trunk 1 VLANs 8 10 priority 16 VLANs 3 6 priority 128 Command Purpose Step 1 configure terminal Enter global configuration mode on Switch A Step 2 vtp domain domain name Configure a VTP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Return to priv...

Page 480: ...cond port in the switch or switch stack Step 14 Repeat Steps 7 through 11on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch A Step ...

Page 481: ...s 2 through 5 on a second interface in Switch A for a Catalyst 3560 X switch or in the Switch A stack for a Catalyst 3750 X switch Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries In the display make sure that the interfaces are configured as trunk ports Step 9 show vlan When the trunk links come up Switch A receives the VTP information from the other switch...

Page 482: ... or not the server is in open or secure mode In secure mode the server shuts down the port when an illegal host is detected In open mode the server simply denies the host access to the port If the port is currently unassigned that is it does not yet have a VLAN assignment the VMPS provides one of these responses If the host is allowed on the port the VMPS sends the client a vlan assignment respons...

Page 483: ...link goes down on a dynamic access port the port returns to an isolated state and does not belong to a VLAN Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN Dynamic access ports can be used for direct host connections or they can connect to a network A maximum of 20 MAC addresses are allowed per port on the switch A d...

Page 484: ... Configuring the VMPS Client You configure dynamic VLANs by using the VMPS server The switch can be a VMPS client it cannot be a VMPS server Entering the IP Address of the VMPS You must first enter the IP address of the server to configure the switch as a client Note If the VMPS is being defined for a cluster of switches enter the address on the command switch Beginning in privileged EXEC mode fol...

Page 485: ...ort VLAN membership assignments that the switch has received from the VMPS Changing the Reconfirmation Interval VMPS clients periodically reconfirm the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs If you are configuring a member switch in a cluster this parameter must be equal to or greater than the reconfirmation setting on...

Page 486: ...ery the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it by entering the vmps re...

Page 487: ...S shuts down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic access port To re enable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 1 5 shows a network with a VMPS server switch and VMPS client switches with dyna...

Page 488: ...6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switch G ...

Page 489: ... incorrect VLAN type specifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work i...

Page 490: ...n consists of one switch or several interconnected switches or switch stacks under the same administrative responsibility sharing the same VTP domain name A switch can be in only one VTP domain You make global VLAN configuration changes for the domain By default the switch is in the VTP no management domain state until it receives an advertisement for a domain over a trunk link a link that carries...

Page 491: ... configure a supported switch or switch stack to be in one of the VTP modes listed in Table 1 1 Table 1 1 VTP Modes VTP Mode Description VTP server In VTP server mode you can create modify and delete VLANs and specify other configuration parameters such as the VTP version for the entire VTP domain VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchron...

Page 492: ... 2 or version 3 transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces You can create modify and delete VLANs on a switch in VTP transparent mode In VTP versions 1 and 2 the switch must be in VTP transparent mode when you create extended range VLANs VTP version 3 also supports creating extended range VLANs in client or server mode Se...

Page 493: ...n 2 transparent switch forwards a message only when the domain name matches Consistency Checks In VTP version 2 VLAN consistency checks such as VLAN names and values are performed only when you enter new information through the CLI or SNMP Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM If the MD5 digest on a received ...

Page 494: ...all VTP instances for that port are disabled You cannot set VTP to off for the MST database and on for the VLAN database on the same port When you globally set VTP mode to off it applies to all the trunking ports in the system However you can specify on or off on a per VTP instance basis For example you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST dat...

Page 495: ...omain Making VLANs pruning eligible or pruning ineligible affects pruning eligibility for those VLANs on that trunk only not on all switches in the VTP domain See the Enabling VTP Pruning section on page 1 16 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 and VLANs 1002 to 1005 are always pruning ineligi...

Page 496: ...ster All VTP updates are carried across the stack When VTP mode is changed in a switch in the stack the other switches in the stack also change VTP mode and the switch VLAN database remains consistent VTP version 3 functions the same on a standalone switch or a stack except when the switch stack is the primary server for the VTP database In this case the MAC address of the stack master is used as ...

Page 497: ...selected as follows If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode...

Page 498: ...ion When you configure a VTP domain password the management domain does not function properly if you do not assign a management domain password to each switch in the domain VTP Version Follow these guidelines when deciding which VTP version to implement All switches in a VTP domain must have the same domain name but they do not need to run the same VTP version A VTP version 2 capable switch can op...

Page 499: ...gions can only communicate in transparent mode over a VTP version 1 or version 2 region Devices that are only VTP version 1 capable cannot interoperate with VTP version 3 devices Configuration Requirements When you configure VTP you must configure a trunk port so that the switch can send and receive VTP advertisements to and from other switches in the domain For more information see the Configurin...

Page 500: ... the switch resets and boots up in VTP server mode the default VTP version 3 supports extended range VLANs If extended VLANs are configured you cannot convert from VTP version 3 to VTP version 2 If you configure the switch for VTP client mode the switch does not create the VLAN database file vlan dat If the switch is then powered off it resets the VTP configuration to the default To keep the VTP c...

Page 501: ...sparent off vlan mst unknown Configure the switch for VTP mode client server transparent or off Optional Configure the database vlan the VLAN database is the default if none are configured mst the multiple spanning tree MST database unknown an unknown database type Step 4 vtp password password Optional Set the password for the VTP domain The password can be 8 to 64 characters If you configure a VT...

Page 502: ...64 characters Optional hidden Enter hidden to ensure that the secret key generated from the password string is saved in the nvam vlan dat file If you configure a takeover by configuring a VTP primary server you are prompted to reenter the password Optional secret Enter secret to directly configure the password The secret password must contain 32 hexadecimal characters Step 3 end Return to privileg...

Page 503: ...xist no private VLANs exist and no hidden password was configured Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 In TrCRF and TrBRF Token ring environments you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly For Token R...

Page 504: ...iguring VTP on a Per Port Basis With VTP version 3 you can enable or disable VTP on a per port basis You can enable VTP only on ports that are in trunk mode Incoming and outgoing VTP traffic are blocked not forwarded Beginning in privileged EXEC mode follow these steps to enable VTP on a port To disable VTP on the interface use the no vtp interface configuration command Switch config interface gig...

Page 505: ...to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain Command Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Continue wit...

Page 506: ... Display counters about VTP messages that have been sent and received show vtp devices conflict Display information about all VTP version 3 devices in the domain Conflicts are VTP version 3 devices with conflicting primary servers The show vtp devices command does not display information when the switch is in transparent or off mode show vtp interface interface id Display VTP status and configurat...

Page 507: ...s connected to a Cisco 7960 IP Phone the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the ...

Page 508: ...d no Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 1 1 You can con...

Page 509: ...Ns The configuration of voice VLANs is not required on trunk ports The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Chapter 1 Configuring VLANs for information on how to create the voice VLAN Do not configur...

Page 510: ...diness Check section on page 1 41 for more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 1 6 for more information A source or destination port for a SPAN or RSPAN session Secu...

Page 511: ...e configuring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice detect cisco phone full duplex vlan vlan id dot1p none untagged Configure how the Cisco IP Phone carries voice traffic detect Configure the interface to detect and recognize a Cisco IP phone cisco phone When you initially implement the switchport voice det...

Page 512: ...l duplex Cisco IP Phone Switch config if switchport voice detect cisco phone full duplex full duplex full duplex keyword Switch config if end This example shows how to disable switchport voice detect on a Cisco IP Phone Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 0 1 Switch config if no switchport voice detect cisco ...

Page 513: ...lay voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface connected to the Cisco IP Phone and enter interface configuration mode Step 3 switchport priority extend cos value trust Set the priority of data traffic re...

Page 514: ...1 8 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Voice VLAN Displaying Voice VLAN ...

Page 515: ...standing Private VLANs The private VLAN feature addresses two problems that service providers face when using VLANs Scalability When running the IP base or IP services feature set the switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet ad...

Page 516: ...d with the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Community A ...

Page 517: ...tside the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected end station...

Page 518: ...s in the network the Layer 2 databases in these switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Management SDM template to balance system resources between unicast routes and Layer 2 entries If another SDM template is configured use the sdm prefer defau...

Page 519: ...erface SVI represents the Layer 3 interface of a VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN interfaces SVIs only for primary VLANs You cannot configure Layer 3 VLAN interfaces for secondary VLANs SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN If you try to configur...

Page 520: ...3 Tasks for Configuring Private VLANs To configure a private VLAN perform these steps Step 1 Set VTP mode to transparent Step 2 Create the primary and secondary VLANs and associate them See the Configuring and Associating VLANs in a Private VLAN section on page 1 10 Note If the VLAN is not created already the private VLAN configuration process creates it Step 3 Configure interfaces to be isolated ...

Page 521: ... the devices are running VTP version 3 You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs Extended VLANs VLAN IDs 1006 to 4094 can belong to private VLANs A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it An isolated or community VLAN can have only one primary VLAN associated with it Although a private VLAN contains more than one...

Page 522: ...osts can communicate with each other at Layer 3 Private VLANs support these Switched Port Analyzer SPAN features You can configure a private VLAN port as a SPAN source port You can use VLAN based SPAN VSPAN on primary isolated and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic Private VLAN Port Configuration Follow these guidelines when configuring pri...

Page 523: ...Communication Protocol WCCP You can configure IEEE 802 1x port based authentication on a private VLAN port but do not configure 802 1x with port security voice VLAN or per user ACL on private VLAN ports A private VLAN host or promiscuous port cannot be a SPAN destination port If you configure a SPAN destination port as a private VLAN port the port becomes inactive If you configure a static MAC add...

Page 524: ...01 and 1006 to 4094 Step 7 private vlan isolated Designate the VLAN as an isolated VLAN Step 8 exit Return to global configuration mode Step 9 vlan vlan id Optional Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN The VLAN ID range is 2 to 1001 and 1006 to 4094 Step 10 private vlan community Designate the VLAN as a community VLAN Step 11 exit Return to glo...

Page 525: ...ty VLANs to associate them in a private VLAN and to verify the configuration Switch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Switch conf...

Page 526: ...VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association 20 501 Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private vlan tr...

Page 527: ...ber of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it Switch configure terminal Switch config interface gigabitethernet1 0 2 Switch config if switchport mode private vlan promiscuous Switch config if switchport private vlan mapping 20 add 501 503 Switch config if end Use the show vlan private vlan or the show interface status privileged EXEC command to display primary and secondar...

Page 528: ..._list to clear the mapping between secondary VLANs and the primary VLAN This example shows how to map the interfaces of VLANs 501and 502 to primary VLAN 10 which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface vlan 10 Switch config if private vlan mapping 501 502 Switch config if end Switch show interfaces private vl...

Page 529: ...imary Secondary Type Ports 10 501 isolated Gi2 0 1 Gi3 0 1 Gi3 0 2 10 502 community Gi2 0 11 Gi3 0 1 Gi3 0 4 10 503 non operational Table 1 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to which they belongs show vlan private vlan type Display the private VLAN information for the switch or switch stack show interface...

Page 530: ...1 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Private VLANs Monitoring Private VLANs ...

Page 531: ...d in this chapter see the command reference for this release This chapter contains these sections Understanding IEEE 802 1Q Tunneling page 1 1 Configuring IEEE 802 1Q Tunneling page 1 4 Understanding Layer 2 Protocol Tunneling page 1 8 Configuring Layer 2 Protocol Tunneling page 1 11 Monitoring and Maintaining Tunneling Status page 1 19 Understanding IEEE 802 1Q Tunneling Business customers of ser...

Page 532: ... 1Q tagged with the appropriate VLAN ID The the tagged packets remain intact inside the switch and when they exit the trunk port into the service provider network they are encapsulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets ...

Page 533: ... by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in this release If traffic coming from a customer network is not tagged native VLAN frames these packets are bridged ...

Page 534: ...its MTUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in these core s...

Page 535: ...The default system MTU for traffic on the switch is 1500 bytes You can configure Fast Ethernet ports on the Catalyst 3750 members in the mixed hardware switch stack to support frames larger than 1500 bytes by using the system mtu global configuration command You can configure 10 Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configu...

Page 536: ...s access is not needed you should not configure SVIs on VLANs that include tunnel ports Fallback bridging is not supported on tunnel ports Because all IEEE 802 1Q tagged packets received from a tunnel port are treated as non IP packets if fallback bridging is enabled on VLANs that have tunnel ports configured IP packets would be improperly bridged across VLANs Therefore you must not enable fallbac...

Page 537: ...tive dot1q native vlan tagging is enabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode for the interface to be configured as a tunnel port This should be the edge port in the service provider network that connects to the customer switch Valid interfaces include physical interfaces and port channel logical...

Page 538: ...throughout the customer network propagating to all switches through the service provider Note To provide interoperability with third party vendors you can use the Layer 2 protocol tunnel bypass feature Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling You implement bypass mode by enabling Layer 2 protocol tunneling on the ...

Page 539: ...derstanding Layer 2 Protocol Tunneling Figure 1 4 Layer 2 Protocol Tunneling CustomerXSite2 VLANs1t o100 CustomerYSite2 VLANs1t o200 CustomerYSite1 VLANs1t o200 CustomerXSite1 VLANs1t o100 VLAN30 Trunk ports SwitchA Trunk ports VLAN30 VLAN40 Service provider 101822 Trunk Asymmetriclink VLAN30 VLAN40 Trunk ports SwitchB SwitchC SwitchD Trunk ports ...

Page 540: ...the automatic creation of EtherChannels For example in Figure 1 6 Customer A has two switches in the same VLAN that are connected through the SP network When the network tunnels PDUs switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines See the Configuring Layer 2 Tunneling for EtherChannels section on page 1 15 for instructio...

Page 541: ...point to point network topologies it also supports PAgP LACP and UDLD protocols The switch does not support Layer 2 protocol tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunneled packets to many ports could lead to a network failure When the Layer 2 PDUs that entered the service provider...

Page 542: ...tocol tunneling configuration is distributed among all stack members Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port On a single switch ingress Layer 2 protocol tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled In a stack packet...

Page 543: ...access ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsulated PDU w...

Page 544: ...The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured ...

Page 545: ...tion Drop Threshold Threshold Counter Counter Counter Gi0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2 point to point tunneling to facilitate the automatic creation of EtherChannels you need to configure both the SP edge switch and the customer switch Configuring the SP...

Page 546: ...Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface the drop thresh...

Page 547: ... Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Command Purpose Step 1 configure terminal Enter global con...

Page 548: ...trunk encapsulation isl Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Fast Ethernet interfaces 1 2 3 and 4 are set for IEEE 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configuration Switch config interface gigabitethernet1 0 1 Switch config ...

Page 549: ...r l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display IEEE 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a Layer 2 pr...

Page 550: ...1 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status ...

Page 551: ...map multiple VLANs to the same spanning tree instance see Chapter 1 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 1 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of ...

Page 552: ...g tree topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is ...

Page 553: ...ttached LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is d...

Page 554: ...gnated switch for each LAN segment is selected The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch The port through which the designated switch is attached to the LAN is called the designated port Figure 1 1 Spanning Tree Port States in a Switch Stack All paths that are not needed to reach the root switch from anywhere in the switched network ...

Page 555: ...ndary root switch and the switch priority of a VLAN For example when you change the switch priority value you change the probability that the switch will be elected as the root switch Configuring a higher value decreases the probability a lower value increases the probability For more information see the Configuring the Root Switch section on page 1 17 the Configuring a Secondary Root Switch secti...

Page 556: ...is process occurs 1 The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state 2 While spanning tree waits the forward delay timer to expire it moves the interface to the learning state and resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end stat...

Page 557: ... should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Receives BPDUs Learning State A Layer 2 interface in the learning state prepares to participate in frame forwarding The interface enters the learning state from the list...

Page 558: ...warding interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 1 3 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the pat...

Page 559: ... forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on the switch or on each switch in the stack receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning tree is disabled the switch or each switch in the stack forwards those packets as unknown multicast addresses Accelerated Aging to Retain Connectivity The defaul...

Page 560: ...uration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP This span...

Page 561: ... switches running rapid PVST and switches running PVST we recommend that the rapid PVST switches and PVST switches be configured for different spanning tree instances In the rapid PVST spanning tree instances the root switch must be a rapid PVST switch In the PVST instances the root switch must be a PVST switch The PVST switches should be at the edge of the network All stack members run the same v...

Page 562: ...as DECnet between two or more VLAN bridge domains or routed ports The VLAN bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree To support VLA...

Page 563: ... page 1 14 Changing the Spanning Tree Mode page 1 15 required Disabling Spanning Tree page 1 16 optional Configuring the Root Switch page 1 17 optional Configuring a Secondary Root Switch page 1 18 optional Configuring Port Priority page 1 19 optional Configuring Path Cost page 1 21 optional Configuring the Switch Priority of a VLAN page 1 22 optional Configuring Spanning Tree Timers page 1 23 opt...

Page 564: ...reak all the loops in the network for example at least one switch on each loop in the VLAN must be running spanning tree It is not absolutely necessary to run spanning tree on all switches in the VLAN However if you are running spanning tree only on a minimal set of switches an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm Note If you h...

Page 565: ... a directly connected device that is running STP Changing the Spanning Tree Mode The switch supports three spanning tree modes PVST rapid PVST or MSTP By default the switch runs the PVST protocol Beginning in privileged EXEC mode follow these steps to change the spanning tree mode If you want to enable a mode that is different from the default mode this procedure is required Command Purpose Step 1...

Page 566: ... these steps to disable spanning tree on a per VLAN basis This procedure is optional To re enable spanning tree use the spanning tree vlan vlan id global configuration command Step 6 clear spanning tree detected protocols Recommended for rapid PVST mode only If any port on the switch is connected to a port on a legacy IEEE 802 1D switch restart the protocol migration process on the entire switch T...

Page 567: ...e 1 1 on page 1 5 Note The spanning tree vlan vlan id root global configuration command fails if the value necessary to be the root switch is less than 1 Note If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority v...

Page 568: ...oot switches Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree vlan vlan id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root primary diameter net diameter hello time seconds Configure a switch to become the root...

Page 569: ...tion command to select an interface to put in the forwarding state Assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last For more information see the Configuring Path Cost section on page 1 21 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id root secondary diameter net diamet...

Page 570: ...iguration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64 80 96 112 128 144 160 176 192 208 224 and 240 All other values are rejected The lo...

Page 571: ...ace interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state A lower path cost rep...

Page 572: ...rivileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree vlan vlan id priority priority Configure the switch priority of a VLAN For vlan id you ...

Page 573: ... Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that can ...

Page 574: ...ning states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup co...

Page 575: ...s one logical port You can clear spanning tree counters by using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure th...

Page 576: ...1 26 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring STP Displaying the Spanning Tree Status ...

Page 577: ... provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802 1D spanning tree with existing Cisco proprietary...

Page 578: ...o which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch for a region by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST ...

Page 579: ...thin an MST Region The IST connects all the MSTP switches in a region When the IST converges the root of the IST becomes the CIST regional root called the IST master before the implementation of the IEEE 802 1s standard as shown in Figure 1 1 on page 1 4 It is the switch within the region with the lowest switch ID and path cost to the CIST root The CIST regional root is also the CIST root if there...

Page 580: ... 1 1 MST Regions CIST Masters and CST Root Only the CST instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured only on the ...

Page 581: ...vant to the IST instance 0 Table 1 1 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning tree ms...

Page 582: ...egion to share a segment with a port belonging to a different region creating the possibility of receiving both internal and external messages on a port The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP compatible mode Note If there is a legacy STP switch on the segment messages are always considered ext...

Page 583: ...gured for prestandard BPDU transmission Figure 1 2 illustrates this scenario Assume that A is a standard switch and B a prestandard switch both configured to be in the same region A is the root switch for the CIST and thus B has a root port BX on segment X and an alternate port BY on segment Y If segment Y flaps and the port on BY becomes the alternate before sending out a single prestandard BPDU ...

Page 584: ...f the newly added switch contains a better root port for the switch stack or a better designated port for the LAN connected to the stack The newly added switch causes a topology change in the network if another switch connected to the newly added switch changes its root port or designated ports When a stack member leaves the stack spanning tree reconvergence occurs within the stack and possibly ou...

Page 585: ...on information see the Configuring MSTP Features section on page 1 14 Port Roles and the Active Topology The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology The RSTP builds upon the IEEE 802 1D STP to select the switch with the highest switch priority lowest numerical priority value as the root switch as described in the Spanning Tre...

Page 586: ... the old root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port through a point to point link and the local port becomes a designated port it negotiates a rapid transition with the other port by using the proposal agreement handshake to ensure a loop free topology As shown in Figure 1 4 Switch A is connected to Swi...

Page 587: ...lt setting that is controlled by the duplex setting by using the spanning tree link type interface configuration command Figure 1 4 Proposal and Agreement Handshaking for Rapid Convergence Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port the RSTP forces all other ports to synchronize with the new root infor...

Page 588: ...uring Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no version 1 protocol information is present Table 1 3 shows the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designa...

Page 589: ...to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until the forward delay timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher switch ID higher path cost and so forth than currently stored for the port with...

Page 590: ... the RSTP switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections contain this configuration information Default MSTP Configuration page 1 14 MSTP Configuration Guidelines page 1 15 Specifying the MST Region Configuration and Enabling MSTP page 1 16 requ...

Page 591: ...time For example all VLANs run PVST all VLANs run rapid PVST or all VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 1 11 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 1 18 All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For ...

Page 592: ...he Optional Spanning Tree Configuration Guidelines section on page 1 12 When the switch is in MST mode it uses the long path cost calculation method 32 bits to compute the path cost values With the long path cost calculation method these path cost values are supported Specifying the MST Region Configuration and Enabling MSTP For two or more switches to be in the same MST region they must have the ...

Page 593: ...o an MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN...

Page 594: ...lowest switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 1 1 on page 1 5 If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority value every time the VL...

Page 595: ...s Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root primary diameter net diameter hello time seconds Configure a switch as the root switch For ...

Page 596: ...a port to put in the forwarding state Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last For more information see the Configuring Path Cost section on page 1 21 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds ...

Page 597: ...st If all interfaces have the same cost value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel log...

Page 598: ...ry and the spanning tree mst instance id root secondary global configuration commands to modify the switch priority Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port channel range is 1 to ...

Page 599: ...stance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch will be chosen as the root switch Priority values are 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 All o...

Page 600: ...ard time seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config ...

Page 601: ...ansitions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree link type interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max hops hop count Specify the numbe...

Page 602: ...switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is th...

Page 603: ...keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 1 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information for...

Page 604: ...1 28 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring MSTP Displaying the MST Configuration and Status ...

Page 605: ...Chapter 1 Configuring STP For information about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 1 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features p...

Page 606: ...reating a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 1 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the global le...

Page 607: ...mand prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its Port...

Page 608: ...meter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provid...

Page 609: ...kFast CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and resilient net...

Page 610: ...ate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 1 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in Events that Cause Fast Convergence section on page 1 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch sending the ...

Page 611: ...s under these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stack root sw...

Page 612: ...e paths to send a root link query RLQ request The Catalyst 3750 X switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack TCatalyst 3560 X switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network Wh...

Page 613: ...rding state providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 1 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 1 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared med...

Page 614: ... shown in Figure 1 9 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or bein...

Page 615: ...ing designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration informa...

Page 616: ...the MSTP but the feature remains disabled inactive until you change the spanning tree mode to PVST Enabling Port Fast An interface with the Port Fast feature enabled is moved directly to the spanning tree forwarding state without waiting for the standard forward time delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on an interfa...

Page 617: ...r disabled state When this happens the switch shuts down the entire port on which the violation occurred To prevent the port from shutting down you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 inte...

Page 618: ...portfast bpduguard default global configuration command by using the spanning tree bpduguard enable interface configuration command Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled interfaces it prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins t...

Page 619: ...ace configuration command Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured with a switch priority To enable UplinkFast on a VLAN with switch priority configured first restore the switch priority on the VLAN to the default value by using the no spanning tree vlan vlan id priority global configuration command Note When you enable Uplink...

Page 620: ...ing tree uplinkfast command Enabling Cross Stack UplinkFast When you enable or disable the UplinkFast feature by using the spanning tree uplinkfast global configuration command CSUF is automatically globally enabled or disabled on nonstack port interfaces For more information see the Enabling UplinkFast for Use with Redundant Links section on page 1 15 To disable UplinkFast on the switch and all i...

Page 621: ...therChannel guard feature use the no spanning tree etherchannel guard misconfig global configuration command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration A...

Page 622: ...rd You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the same time Y...

Page 623: ...ning tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 1 2 Commands for Displayin...

Page 624: ...1 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 625: ...he IP Services license REP is not supported on the LAN Base license Understanding REP One REP segment is a chain of ports connected to each other and configured with a segment ID Each segment consists of standard non edge segment ports and two user configured edge ports A switch can have no more than two ports that belong to the same segment and each segment port can have only one external neighbo...

Page 626: ...with both edge ports located on the same switch is a ring segment In this configuration there is connectivity between the edge ports through the segment With this configuration you can create a redundant connection between any two switches in the segment Figure 1 2 REP Ring Segment REP segments have these characteristics If all ports in the segment are operational one port referred to as the alter...

Page 627: ... port within the segment multiple port failures within the REP segment cause loss of network connectivity You should configure REP only in networks with redundancy Configuring REP in a network without redundancy causes loss of connectivity Link Integrity REP does not use an end to end polling function between edge ports to verify link integrity It implements local link failure detection The REP Li...

Page 628: ...e on fiber interfaces is between 50 ms and 200 ms for the local segment with 200 VLANs configured Convergence for VLAN load balancing is 300 ms or less VLAN Load Balancing One edge port in the REP segment acts as the primary edge port the other as the secondary edge port It is the primary edge port that always participates in VLAN load balancing in the segment REP VLAN balancing is achieved by blo...

Page 629: ... is configured it does not start working until triggered by either manual intervention or a link failure and recovery When VLAN load balancing is triggered the primary edge port sends out a message to alert all interfaces in the segment about the preemption When the secondary port receives the message it is reflected into the network to notify the alternate port to block the set of VLANs specified...

Page 630: ...s to the open state forwarding all VLANs A regular segment port converted to an edge port or an edge port converted to a regular segment port does not always result in a topology change If you convert an edge port into a regular segment port VLAN load balancing is not implemented unless it has been configured For VLAN load balancing you must configure two edge ports in the segment A segment port t...

Page 631: ... on the alternate port election operation REP ports must be Layer 2 trunk ports Be careful when configuring REP through a Telnet connection Because REP blocks all VLANs until another REP interface sends a message to unblock it you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the same interface You cannot run REP and STP or REP and Fle...

Page 632: ...ts per switch Configuring the REP Administrative VLAN To avoid the delay introduced by relaying messages in software for link failure or VLAN blocking notification during load balancing REP floods packets at the hardware flood layer HFL to a regular multicast address These messages are flooded to the whole network not just the REP segment You can control flooding of these messages by configuring a...

Page 633: ... none STCN Propagate to none LSL PDU rx 3322 tx 1722 HFL PDU rx 32 tx 5 BPA TLV rx 16849 tx 508 BPA STCN LSL TLV rx 0 tx 0 BPA STCN HFL TLV rx 0 tx 0 EPA ELECTION TLV rx 118 tx 118 EPA COMMAND TLV rx 0 tx 0 EPA INFO TLV rx 4214 tx 4190 Configuring REP Interfaces For REP operation you need to enable it on each segment interface and identify the segment ID This step is required and must be done befo...

Page 634: ...he same as any edge port Note Although each segment can have only one primary edge port if you configure edge ports on two different switches and enter the primary keyword on both switches the configuration is allowed However REP selects only one of these ports as the segment primary edge port You can identify the primary edge port for a segment by entering the show rep topology privileged EXEC co...

Page 635: ...eam neighbor from an edge port The range is from 256 to 256 with negative numbers indicating the downstream neighbor from the secondary edge port A value of 0 is invalid Enter 1 to identify the secondary edge port as the alternate port See Figure 1 4 on page 1 5 for an example of neighbor offset numbering Note Because you enter this command at the primary edge port offset number 1 you would never ...

Page 636: ...ort is the neighbor with neighbor offset number 4 After manual preemption VLANs 100 to 200 are blocked at this port and all other VLANs are blocked at the primary edge port E1 Gigabit Ethernet port 1 1 Switch configure terminal Switch conf interface gigabitethernet1 1 Switch conf if rep segment 1 edge primary Switch conf if rep block port 4 vlan 100 200 Switch conf if end Figure 1 5 Example of VLA...

Page 637: ...onfigure terminal Enters global configuration mode Step 2 snmp mib rep trap rate value Enables the switch to send REP traps and set the number of traps sent per second The range is from 0 to 1000 The default is 0 no limit imposed a trap is sent at every occurrence Step 3 end Returns to privileged EXEC mode Step 4 show running config Displays the REP trap configuration Step 5 copy running config st...

Page 638: ...1 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Resilient Ethernet Protocol Monitoring REP ...

Page 639: ...s chapter see the command reference for this release The chapter consists of these sections Understanding Flex Links and the MAC Address Table Move Update page 1 1 Configuring Flex Links and MAC Address Table Move Update page 1 7 Monitoring Flex Links and the MAC Address Table Move Update page 1 14 Understanding Flex Links and the MAC Address Table Move Update This section contains this informatio...

Page 640: ...d starts forwarding traffic to switch C When port 1 comes back up it goes into standby mode and does not forward traffic port 2 continues forwarding traffic You can also choose to configure a preemption mechanism specifying the preferred port for forwarding traffic For example in the example in Figure 1 1 you can configure the Flex Links pair with preemption mode In the scenario shown when port 1 ...

Page 641: ...orts are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port Both Flex Link ports are always part of multicast groups Though both Flex Link ports are part of the groups in normal operation mode all traffic on the backup port is blocked So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port When the changeover happe...

Page 642: ...up port which became the forwarding port Configuration Examples These are configuration examples for learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet1 0 11 and GigabitEthernet1 0 12 and output for the show interfaces switchport backup command Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interf...

Page 643: ...ackup interface gigabitEthernet 1 0 12 multicast fast convergence command This example shows turning on this feature Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitEthernet 1 0 11 Switch config if switchport backup interface gigabitEthernet 1 0 12 multicast fast convergence Switch config if exit Switch show interfaces switchport b...

Page 644: ... address of the PC has been learned on port 3 of switch C Traffic from the server to the PC is forwarded from port 3 to port 1 If the MAC address table move update feature is not configured and port 1 goes down port 2 starts forwarding traffic However for a short time switch C keeps forwarding traffic from the server to the PC through port 3 and the PC does not get the traffic because port 1 is do...

Page 645: ...sections contain this information Configuration Guidelines page 1 7 Default Configuration page 1 8 Configuring Flex Links page 1 8 Configuring VLAN Load Balancing on Flex Links page 1 10 Configuring the MAC Address Table Move Update Feature page 1 12 Configuration Guidelines You can configure up to 16 backup links You can configure only one Flex Link backup link for any active link and it must be ...

Page 646: ...deline to configure VLAN load balancing on the Flex Links feature For Flex Link VLAN load balancing you must choose the preferred VLANs on the backup interface You cannot configure a preemption mechanism and VLAN load balancing for the same Flex Links pair Follow these guidelines to configure MAC address table move update feature You can enable and configure this feature on the access switch to se...

Page 647: ...tup config Optional Save your entries in the switch startup configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport ba...

Page 648: ...t Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Configuring VLAN Load Balancing on Flex Links Beginning in privileged EXEC mode follow these steps to configure VLAN load balancing on Flex Links To disable the VLAN load balancing feature use the no switchport backup interface interface id prefer vlan vlan range interface configuration command Step 7 show interface interface id switc...

Page 649: ...f the Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet2 0 6 GigabitEthernet2 0 8 Active Down Backup Up Vlans Preferred on Active Interface 1 50 Vlans Preferred on Backup Interface 60 100 120 When a Flex Link interface comes up VLANs preferred on this interface are blocked on the peer interface and moved to...

Page 650: ...witch conf end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport backup interface interface id or switchport backup interface interface id mmu prim...

Page 651: ... unavail cnt 0 Xmt last interface None Beginning in privileged EXEC mode follow these steps to configure a switch to get and process MAC address table move update messages To disable the MAC address table move update feature use the no mac address table move update receive configuration command To display the MAC address table move update information use the show mac address table move update priv...

Page 652: ...C commands for monitoring the Flex Links configuration and the MAC address table move update information Table 1 1 Flex Links and MAC Address Table Move Update Monitoring Commands Command Purpose show interface interface id switchport backup Displays the Flex Link backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface up or s...

Page 653: ...age 1 1 Configuring DHCP Features page 1 8 Displaying DHCP Snooping Information page 1 16 Understanding IP Source Guard page 1 16 Configuring IP Source Guard page 1 18 Displaying IP Source Guard Information page 1 26 Understanding DHCP Server Port Based Address Allocation page 1 26 Configuring DHCP Server Port Based Address Allocation page 1 27 Displaying DHCP Server Port Based Address Allocation ...

Page 654: ...g untrusted DHCP messages and by building and maintaining a DHCP snooping binding database also referred to as a DHCP snooping binding table For more information about this database see the Displaying DHCP Snooping Information section on page 1 16 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate between untrusted interfaces connecte...

Page 655: ...cannot build a complete DHCP snooping binding database When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow untrusted global configuration command the aggregation switch accepts packets with option 82 information from the edge switch The aggregation switch learns the bindings for hosts connected thr...

Page 656: ...ver The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the reque...

Page 657: ...2 Suboption Packet Formats Figure 1 3 shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote id global configuration command and the ip dhcp snooping vlan information option format type circuit id string interface configuration command...

Page 658: ...ing has an IP address an associated MAC address the lease time in hexadecimal format the interface to which the binding applies and the VLAN to which the interface belongs The database agent stores the bindings in a file at a configured location At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry Each ent...

Page 659: ...h a previous file update This is an example of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 0003 47d8 c91f 2BB6488E Gi0 4 21ae5fbb 192 1 168 3 3 0003 44d6 c52f 2BB648EB Gi0 4 1bdb223f 192 1 168 2 3 0003 47d9 c8f1 2BB648AB Gi0 4 584a38f0 END When the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries from the binding...

Page 660: ...HCP Relay Agent page 1 11 Specifying the Packet Forwarding Address page 1 11 Enabling DHCP Snooping and Option 82 page 1 12 Enabling DHCP Snooping on Private VLANs page 1 14 Enabling the Cisco IOS DHCP Server Database page 1 14 Enabling the DHCP Snooping Binding Database Agent page 1 15 Default DHCP Configuration Table 1 1 Default DHCP Configuration Feature Default Setting DHCP server Enabled in C...

Page 661: ...eature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Follow these guidelines when configuring the DHCP snooping binding database Bec...

Page 662: ...art logging see the Configuring Smart Logging section on page 1 14 Note Do not enable Dynamic Host Configuration Protocol DHCP snooping on RSPAN VLANs If DHCP snooping is enabled on RSPAN VLANs DHCP packets might not reach the RSPAN destination port Configuring the DHCP Server The switch can act as a DHCP server By default the Cisco IOS DHCP server and relay agent features are enabled on your swit...

Page 663: ...e destination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service dhcp Enable the DHCP server and relay agent on your switch By default this feature is enabled Step 3 end Return to...

Page 664: ...e VLAN as configured in Step 2 Step 9 end Return to privileged EXEC mode Step 10 show running config Verify your entries Step 11 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping Enable DHCP snooping globally Step 3 ip dhcp snooping vlan vlan range...

Page 665: ...VLAN and port identifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Optional Use the override keyword when you do not want the circuit ID suboption inserted in TLV format to define subscriber information Step 9 ip dhcp snooping trust Optiona...

Page 666: ...nooping is enabled the configuration is propagated to both a primary VLAN and its associated secondary VLANs If DHCP snooping is enabled on the primary VLAN it is also configured on the secondary VLANs If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN the configuration for the secondary VLAN does not take effect Y...

Page 667: ...ilename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash number filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step ...

Page 668: ...rt ACL takes precedence over any router ACLs or VLAN maps that affect the same interface The IP source binding table has bindings that are learned by DHCP snooping or are manually configured static IP source bindings An entry in this table has an IP address its associated MAC address and its associated VLAN number The switch uses the IP source binding table only when IP source guard is enabled IPS...

Page 669: ...ts The switch uses port security to filter source MAC addresses The interface can shut down when a port security violation occurs IP Source Guard for Static Hosts Note Do not use IPSG IP source guard for static hosts on uplink ports or trunk ports IPSG for static hosts extends the IPSG capability to non DHCP and static environments The previous IPSG used the entries created by DHCP snooping to val...

Page 670: ... out dynamically learned IP address bindings This feature can be used with DHCP snooping Multiple bindings are established on a port that is connected to both DHCP and static hosts For example bindings are stored in both the device tracking database as well as in the DHCP snooping binding database Configuring IP Source Guard Default IP Source Guard Configuration page 1 18 IP Source Guard Configura...

Page 671: ...that smart logging is globally enabled For more information about smart logging see the Configuring Smart Logging section on page 1 14 In a switch stack if IP source guard is configured on a stack member interface and you remove the the configuration of that switch by entering the no switch stack member number provision global configuration command the interface static bindings are removed from th...

Page 672: ...rd for Static Hosts on a Private VLAN Host Port page 1 24 or ip verify source port security Enable IP source guard with source IP and MAC address filtering When you enable both IP source guard and port security by using the ip verify source port security interface configuration command there are two caveats The DHCP server must support option 82 or the client is not assigned an IP address The MAC ...

Page 673: ...4 switchport mode access Configure a port as access Step 5 switchport access vlan vlan id Configure the VLAN for this port Step 6 ip verify source tracking port security Enable IPSG for static hosts with MAC address filtering Note When you enable both IP source guard and port security by using the ip verify source port security interface configuration command The DHCP server must support option 82...

Page 674: ...ess Vlan Gi1 0 3 ip trk active 40 1 1 24 10 Gi1 0 3 ip trk active 40 1 1 20 10 Gi1 0 3 ip trk active 40 1 1 21 10 This example shows how to enable IPSG for static hosts with IP MAC filters on a Layer 2 access port to verify the valid IP MAC bindings on the interface Gi1 0 3 and to verify that the number of bindings on this interface has reached the maximum Switch configure terminal Enter configura...

Page 675: ... 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 9 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 10 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 1 0001 0600 0000 9 GigabitEthernet1 0 2 ACTIVE 200 1 1 1 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 2 0001 0600 0000 9 GigabitEthernet1 0 2 ACTIVE 200 1 1 2 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 3 000...

Page 676: ...ll IP device tracking host entries for all interfaces Switch show ip device tracking all count Total IP Device Tracking Host entries 5 Interface Maximum Limit Number of Entries Gi1 0 3 5 Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port Note You must globally configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static ho...

Page 677: ...0 0000 0000 0305 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 21 0000 0000 0306 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 22 0000 0000 0307 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 23 0000 0000 0308 200 GigabitEthernet1 0 3 ACTIVE Step 10 exit Exit VLAN configuration mode Step 11 interface fastEthernet interface id Enter interface configuration mode Step 12 switchport mode private vlan host Optional Establis...

Page 678: ...ronments such as on a factory floor if a device fails the replacement device must be working immediately in the existing network With the current DHCP implementation there is no guarantee that DHCP would offer the same IP address to the replacement device Control monitoring and other software expect a stable IP address associated with each device If a device is replaced the address assignment shou...

Page 679: ...pool to preconfigured reservations unreserved addresses are not offered to the client and other clients are not served by the pool you can enter the reserved only DHCP pool configuration command Enabling DHCP Server Port Based Address Allocation Beginning in privileged EXEC mode follow these steps to globally enable port based address allocation and to automatically generate a subscriber identifie...

Page 680: ... pool use the no address ip address client id string DHCP pool configuration command To change the address pool to nonrestricted enter the no reserved only DHCP pool configuration command In this example a subscriber identifier is automatically generated and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead The subscriber identifie...

Page 681: ...otal addresses 254 Leased addresses 0 Excluded addresses 4 Pending event none 1 subnet is currently in the pool Current index IP address range Leased Excluded Total 10 1 1 1 10 1 1 1 10 1 1 254 0 4 254 1 reserved address is currently in the pool Address Client 10 1 1 7 Et1 0 For more information about configuring the DHCP server port based address allocation feature go to Cisco com and enter Cisco...

Page 682: ...1 30 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port Based Address Allocation ...

Page 683: ...derstanding Dynamic ARP Inspection ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host...

Page 684: ...It intercepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a va...

Page 685: ...itch bypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 1 2 assume that both Switc...

Page 686: ...d to prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains in that st...

Page 687: ... the Configuring the Log Buffer section on page 1 13 Configuring Dynamic ARP Inspection Default Dynamic ARP Inspection Configuration page 1 5 Dynamic ARP Inspection Configuration Guidelines page 1 6 Configuring Dynamic ARP Inspection in DHCP Environments page 1 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 1 9 required in non DHCP environments Limiting the Rat...

Page 688: ...RSPAN destination port A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match Otherwise the physical port remains suspended in the port channel A port channel inherits its trust state from the first physical port that joins the channel Consequently the trust state of the first physical port need not match the trust state of t...

Page 689: ... logging the contents of all packets in the log buffer by default all dropped packets are sent to a NetFlow collector If you configure this feature make sure that smart logging is globally enabled For more information about smart logging see the Configuring Smart Logging section on page 1 14 Configuring Dynamic ARP Inspection in DHCP Environments This procedure shows how to configure dynamic ARP i...

Page 690: ...s are logged Step 5 interface interface id Specify the interface connected to the other switch and enter interface configuration mode Step 6 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the trusted interface It simply forwards the packets For u...

Page 691: ...rmit ip host sender ip mac host sender mac log Permit ARP packets from the specified host Host 2 For sender ip enter the IP address of Host 2 For sender mac enter the MAC address of Host 2 Optional Specify log to log a packet in the log buffer when it matches the access control entry ACE Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global conf...

Page 692: ...tate The port remains in that state until you enable error disabled recovery so that ports automatically emerge from this state after a specified timeout period Step 6 ip arp inspection smartlog Specify that whatever packets are currently being logged are also smart logged By default all dropped packets are logged Step 7 interface interface id Specify the Switch A interface that is connected to Sw...

Page 693: ...terface configuration mode Step 3 ip arp inspection limit rate pps burst interval seconds none Limit the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets processed pe...

Page 694: ...ngs For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check is performe...

Page 695: ...logs number entries and generates system messages at the configured rate For example if the interval rate is one entry per second up to five system messages are generated per second in a five member switch stack Beginning in privileged EXEC mode follow these steps to configure the log buffer This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 696: ...l match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets that match DHCP bindings For dhcp bindings none do not...

Page 697: ...r this release Table 1 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation failure IP validation failure ACL permitted and denied and DHCP permitted and denied packets for the s...

Page 698: ...1 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 699: ...e same function as IGMP snooping for IPv4 traffic For information about MLD snooping see Chapter 1 Configuring IPv6 MLD Snooping Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 4 This chapter co...

Page 700: ...ich it receives an IGMP join request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast groups there ar...

Page 701: ...osts It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature Joining a Multicast Group When a host connected to the sw...

Page 702: ...nformation in the IGMP report to set up a forwarding table entry as shown in Table 1 1 that includes the port numbers connected to Host 1and the router The switch hardware can distinguish IGMP information packets from other packets for the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets...

Page 703: ... VLAN wishes to receive multicast traffic the router continues forwarding the multicast traffic to the VLAN The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snooping When hosts want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message ...

Page 704: ...red from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 1 11 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is no...

Page 705: ... converge if the stack master is removed Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on the content These sections contain this configuration information Default IGMP Snooping Configuration page 1 7 Enabling or Disabling IGMP Snooping page 1 8 Setting the Snooping Method page 1 8 Configuring a Multicast Router Port page 1 9 Co...

Page 706: ...nd for the specified VLAN number Setting the Snooping Method Multicast capable router ports are added to the forwarding table for every Layer 2 multicast entry The switch learns of such ports through one of these methods Snooping on IGMP queries Protocol Independent Multicast PIM packets and Distance Vector Multicast Routing Protocol DVMRP packets Listening to Cisco Group Management Protocol CGMP ...

Page 707: ... to alter the method in which a VLAN interface dynamically accesses a multicast router To return to the default learning method use the no ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command This example shows how to configure IGMP snooping to use CGMP packets as the learning method Switch configure terminal Switch config ip igmp snooping vlan 1 mrouter learn cgmp Switch ...

Page 708: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physical interface or a port channel The port channel range is 1 to 48 Step 3 end Return to privileged EXEC ...

Page 709: ...ediate Leave on VLAN 130 Switch configure terminal Switch config ip igmp snooping vlan 130 immediate leave Switch config end Configuring the IGMP Leave Timer Follows these guidelines when configuring the IGMP leave timer You can configure the leave time globally or on a per VLAN basis Configuring the leave time on a VLAN overrides the global setting The default leave time is 1000 milliseconds The ...

Page 710: ...and when a port went down without sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flooding stops after receiving 1 general query If you set the count to 7 the flooding until 7 general queries are received Groups are relearned based on the general queries received during the TCN event Beginning in privileged EXEC mode...

Page 711: ...tion command Disabling Multicast Flooding During a TCN Event When the switch receives a TCN multicast traffic is flooded to all the ports until 2 general queries are received If the switch has many ports with attached hosts that are subscribed to different multicast groups this flooding might exceed the capacity of the link and cause packet loss You can use the ip igmp snooping tcn flood interface...

Page 712: ...ooping querier supports IGMP Versions 1 and 2 When administratively enabled the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network When it is administratively enabled the IGMP snooping querier moves to the operationally disabled state under these conditions IGMP snooping is disabled in the VLAN PIM is enabled on the SVI of the corres...

Page 713: ... supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Step 4 ip igmp snooping querier query interval interval count Optional Set the interval between IGMP queriers The range is 1 ...

Page 714: ...laying IGMP Snooping Information Command Purpose show ip igmp snooping vlan vlan id Display the snooping configuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ip igmp snooping groups count dynamic count user count Display multicast table information for ...

Page 715: ...he other feature However if IGMP snooping and MVR are both enabled MVR reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch forwarding table intercepts the IGMP messages and mod...

Page 716: ... switch stack is supported Receiver ports and source ports can be on different switches in a switch stack Multicast data sent on the multicast VLAN is forwarded to all MVR receiver ports across the stack When a new switch is added to a stack by default it has no receiver ports If a switch fails or is removed from the stack only those receiver ports belonging to that switch will not receive the mul...

Page 717: ...figured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave feature only on receiver ports to which a single rece...

Page 718: ... maximum number of multicast entries MVR group addresses that can be configured on a switch that is the maximum number of television channels that can be received is 256 Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses aliased IP multicast addresses are allowed on the switch However if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switc...

Page 719: ... a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast address would correspond to one television channel Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP...

Page 720: ...t be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN...

Page 721: ...n Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 1 6 Commands for Displaying MVR Information Command Purpose show mvr Displays MVR status and values for the switch whether MVR is enabled or disabled the multicast VLAN the maximum 256 and current 0 through 256 number of multicast groups the query response time and the MVR mode sh...

Page 722: ...2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic IGMP filtering i...

Page 723: ...figured When a profile is configured if neither the permit nor deny keyword is included the default is to deny access to the range of IP addresses Beginning in privileged EXEC mode follow these steps to create an IGMP profile To delete a profile use the no ip igmp profile profile number global configuration command To delete an IP multicast address or range of IP multicast addresses use the no ran...

Page 724: ...pply profiles to ports that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can have only one profile applied to it Beginning in privileged EXEC mode follow these steps to apply an IGMP profile to a switch port To remove a profile from an interface use the no ip igmp filter profile number interface configuration command This example shows how ...

Page 725: ...um number of IGMP groups that a Layer 2 interface can join you can configure an interface to replace the existing group with the new group for which the IGMP report was received by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the IGM...

Page 726: ... can configure the IGMP throttling action before an interface adds entries to the forwarding table Beginning in privileged EXEC mode follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command Command Purpose Step 1 conf...

Page 727: ...u can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface Table 1 8 Commands for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running config interface interface id Displays the configuration of...

Page 728: ...1 30 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 729: ...Configuring SDM Templates For information about IPv6 on the switch see Chapter 1 Configuring IPv6 Unicast Routing Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 1 1 Configuring IP...

Page 730: ...nhanced snooping MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast address based br...

Page 731: ...sing From the received query MLD snooping builds the IPv6 multicast address database It detects multicast router ports maintains timers sets report response time learns the querier IP source address for the VLAN learns the querier port in the VLAN and maintains multicast address aging Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 t...

Page 732: ...up within the VLAN is forwarded using this address When MLD snooping is disabled reports are flooded in the ingress VLAN When MLD snooping is enabled MLD report suppression called listener message suppression is automatically enabled With report suppression the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers subsequent reports for the group are not sent to the ...

Page 733: ...nooping tcn flood query count global configuration command The default is to send two queries The switch also generates MLDv1 global Done messages with valid link local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user This is same as done in IGMP snooping MLD Snooping in Switch Stacks The MLD IPv6 group and MAC address databases are mainta...

Page 734: ...u can enable both features at the same time on the switch The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template The maximum number of address entries allowed for the switch or switch stack is 1000 Table 1 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD sn...

Page 735: ...outer is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750 X or 3560 X switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping ...

Page 736: ...eries and PIMv6 queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter ...

Page 737: ...ve on a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface int...

Page 738: ...o 7 the default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query inte...

Page 739: ...val 2000 Switch config exit Disabling MLD Listener Message Suppression MLD snooping listener message suppression is enabled by default When it is enabled the switch forwards only one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in privileged EXEC mode follow these steps to disable MLD listener ...

Page 740: ...g the switch automatically learns the interface to which a multicast router is connected These are dynamically learned interfaces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query message...

Page 741: ...y known devices With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer onl...

Page 742: ...DP discovers the switch stack not the individual stack members The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership such as stack members being added or removed Configuring CDP Default CDP Configuration page 1 2 Configuring the CDP Characteristics page 1 2 Disabling and Enabling CDP page 1 3 Disabling and Enabling CDP on an Interf...

Page 743: ...uch as Cisco IP Phones regularly exchange CDP messages Disabling CDP can interrupt cluster discovery and device connectivity For more information see Chapter 1 Clustering Switches and see Getting Started with Cisco Network Assistant available on Cisco com Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp timer seconds Optional Set the transmission frequency of CD...

Page 744: ...d may cause a port go into err disabled state Beginning in privileged EXEC mode follow these steps to disable CDP on a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no cdp run Disable CDP Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP after disabling it Step 3 end ...

Page 745: ...traffic counters to zero clear cdp table Delete the CDP table of information about neighbors show cdp Display global information such as frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Display information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about whic...

Page 746: ...1 6 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring CDP Monitoring and Maintaining CDP ...

Page 747: ...Configuring Storm Control Understanding Storm Control page 1 1 Default Storm Control Configuration page 1 3 Configuring Storm Control and Threshold Levels page 1 3 Default Protected Port Configuration page 1 6 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when p...

Page 748: ...Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both types of traffic are blocked The graph in Figure 1 1 shows broadcast traffic patterns on an interface over a given period of time The example can also be applied to multicast and unicast traffic In this example the broadcast traff...

Page 749: ...ver because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm control on a...

Page 750: ...ising threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic...

Page 751: ...r disabled if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration...

Page 752: ...annot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual Because a switch stack represents a sing...

Page 753: ... interface gigabitethernet1 0 1 Switch config if switchport protected Switch config if end Configuring Port Blocking By default the switch floods packets with unknown destination MAC addresses out of all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to...

Page 754: ...ck multicast Switch config if switchport block unicast Switch config if end Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port When you assign secure MAC addresses to a secure port the port does not forward packets with source addresses outside the group of defined ad...

Page 755: ...MAC addresses These are manually configured by using the switchport port security mac address mac address interface configuration command stored in the address table and added to the switch running configuration Dynamic secure MAC addresses These are dynamically configured stored only in the address table and removed when the switch restarts Sticky secure MAC addresses These can be dynamically lea...

Page 756: ...s are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses You are not notified that a security violation has occurred Note We do not recommend configuring the protect violation mode on a trunk port The protect mode disables learning when any VLAN reaches its maximum limit even if the port has not...

Page 757: ... The Cisco IP phone address is learned on the voice Table 1 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses Sends SNMP trap Sends syslog message Displays error message2 2 The switch returns an error message if you manually configure an address that would cause a s...

Page 758: ...ue overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not support port security aging of sticky secure MAC addresses Table 1 3 summarizes port security compatibility with other port based features Table 1 3 Port Security Compatibility...

Page 759: ...ss voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system This number is set by the active Switch Database Management SDM template See Chapter 1 Configuring the Switch SDM Template This number is the tot...

Page 760: ... not reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error ...

Page 761: ...configured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses ...

Page 762: ...nd followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port security command all secure addresses on the interface except those that were manually configured ar...

Page 763: ...ddresses on a per port basis Beginning in privileged EXEC mode follow these steps to configure port security aging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 switchport port security aging static time time type absolute inactivity Enable or disable stati...

Page 764: ...itch joins a stack the new switch will get the configured secure addresses All dynamic secure addresses are downloaded by the new stack member from the other stack members When a switch either the stack master or a stack member leaves the stack the remaining stack members are notified and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table Fo...

Page 765: ...ser configured on a secure port Configuring Protocol Storm Protection Understanding Protocol Storm Protection page 1 19 Default Protocol Storm Protection Configuration page 1 20 Enabling Protocol Storm Protection page 1 20 Understanding Protocol Storm Protection When a switch is flooded with Address Resolution Protocol ARP or control packets high CPU utilization can cause the CPU to overload These...

Page 766: ...psp global configuration command To manually re enable an error disabled virtual port use the errdisable recovery cause psp global configuration command To disable auto recovery of error disabled ports use the no errdisable recovery cause psp global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 psp arp dhcp igmp pps value Configure protocol ...

Page 767: ...tatus and Configuration Command Purpose show interfaces interface id switchport Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the s...

Page 768: ...1 22 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 769: ...P MED and Wired Location Service page 1 5 Monitoring and Maintaining LLDP LLDP MED and Wired Location Service page 1 11 Understanding LLDP LLDP MED and Wired Location Service LLDP page 1 1 LLDP MED page 1 2 Wired Location Service page 1 3 LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges...

Page 770: ... location information to the switch For information go to http www cisco com en US docs ios netmgmt configuration guide nm_cdp_discover html LLDP MED LLDP for Media Endpoint Devices LLDP MED is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches It specifically provides support for voice over IP VoIP applications and provides additiona...

Page 771: ...t to send detailed inventory information about itself to the switch including information hardware revision firmware version software version serial number manufacturer name model name and asset ID TLV Location TLV Provides location information from the switch to the endpoint device The location TLV can send this information Civic location information Provides the civic address information and pos...

Page 772: ...e if applicable Device category is specified as a wired station State is specified as new Serial number UDI Model number Time in seconds since the switch detected the association Depending on the device capabilities the switch obtains this client information at link down Slot and port that was disconnected MAC address IP address 802 1X username if applicable Device category is specified as a wired...

Page 773: ...erface If the switchport voice vlan vlan id is already configured on an interface you can apply a network policy profile on the interface This way the interface has the voice or voice signaling VLAN network policy profile applied on the interface You cannot configure static secure MAC addresses on an interface that has a network policy profile You cannot configure a network policy profile on a pri...

Page 774: ...rding it and the initialization delay time You can also select the LLDP and LLDP MED TLVs to send and receive Beginning in privileged EXEC mode follow these steps to configure the LLDP characteristics Note Steps 2 through 5 are optional and can be performed in any order Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP globally on the switch Step...

Page 775: ...isted in Table 1 2 Step 3 lldp reinit delay Optional Specify the delay time in seconds for LLDP to initialize on an interface The range is 2 to 5 seconds the default is 2 seconds Step 4 lldp timer rate Optional Set the sending frequency of LLDP updates in seconds The range is 5 to 65534 seconds the default is 30 seconds Step 5 lldp tlv select Optional Specify the LLDP TLVs to send or receive Step ...

Page 776: ...ow these steps to create a network policy profile configure the policy attributes and apply it to an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are configuring an LLDP MED TLV and enter interface configuration mode Step 3 lldp med tlv select tlv Specify the TLV to enable Step 4 end Return to p...

Page 777: ...application type vlan Specify the native VLAN for voice traffic vlan id Optional Specify the VLAN for voice traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 5 dscp dvalue Optional Specify the differentiated services code point DSCP value for the configured VLAN The range is 0 to 63 the de...

Page 778: ...rmation civic location Specify civic location information elin location Specify emergency location information ELIN identifier id Specify the ID for the civic location string Specify the site or location information in alphanumeric format Step 3 exit Return to global configuration mode Step 4 interface interface id Specify the interface on which you are configuring the location information and ent...

Page 779: ...attachment Specify the attachment notification interval location Specify the location notification interval interval seconds Duration in seconds before the switch sends the MSE the location or attachment updates The range is 1 to 30 the default is 30 Step 4 end Return to privileged EXEC mode Step 5 show network policy profile Verify the configuration Step 6 copy running config startup config Optio...

Page 780: ...d the display for more detailed information show lldp traffic Display LLDP counters including the number of packets sent and received number of packets discarded and number of unrecognized TLVs show location admin tag string Display the location information for the specified administrative tag or site show location civic location identifier id Display the location information for a specific global...

Page 781: ...UDLD detects a unidirectional link it disables the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation page 1 1 Methods to Detect Unidirectional Links page 1 2 Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to mis...

Page 782: ...inks one of the ports is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD disables the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidi...

Page 783: ... the port is disabled If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up seque...

Page 784: ...al link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 1 1 Default UDLD Configuration Feature Default Setting UDLD glo...

Page 785: ...ber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 1 1 message time message timer interval Configures the period of time betwee...

Page 786: ...mand enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface configuration...

Page 787: ...Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 788: ...1 8 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring UDLD Displaying UDLD Status ...

Page 789: ...ed to a network analyzer or other monitoring or security device SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ...

Page 790: ...within one switch all source ports or source VLANs and destination ports are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 1 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10 receives all network ...

Page 791: ...B The traffic for each RSPAN session is carried over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSP...

Page 792: ...re ports or one or more VLANs and send the monitored traffic to one or more destination ports A local SPAN session is an association of a destination port with source ports or source VLANs all on a single network device Local SPAN does not have separate source and destination sessions Local SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream o...

Page 793: ...e requirements of the RSPAN VLAN see the RSPAN VLAN section on page 1 9 Traffic monitoring in a SPAN session has these restrictions Sources can be ports or VLANs but you cannot mix source ports and source VLANs in the same session The switch supports up to two local SPAN or RSPAN source sessions You can run both a local SPAN and an RSPAN source session in the same switch or switch stack The switch...

Page 794: ... session you can also monitor a port or VLAN for both received and sent packets This is the default The default configuration for local SPAN session ports is to send all packets untagged SPAN also does not normally monitor bridge protocol data unit BPDU packets and Layer 2 protocols such as Cisco Discovery Protocol CDP VLAN Trunk Protocol VTP Dynamic Trunking Protocol DTP Spanning Tree Protocol ST...

Page 795: ...outed port or voice VLAN port It cannot be a destination port Source ports can be in the same or different VLANs You can monitor multiple source ports in a single session Source VLANs VLAN based SPAN VSPAN is the monitoring of the network traffic in one or more VLANs The SPAN or RSPAN source interface in VSPAN is a VLAN ID and traffic is monitored on all the ports for that VLAN VSPAN has these cha...

Page 796: ...configuration When the SPAN destination configuration is removed the port reverts to its previous configuration If a configuration change is made to the port while it is acting as a SPAN destination port the change does not take effect until the SPAN destination configuration had been removed Note Exception When QoS is configured on the SPAN destination port QoS takes effect immediately If the por...

Page 797: ...king Protocol VTP the VLAN ID and its associated RSPAN characteristic are propagated by VTP If you assign an RSPAN VLAN ID in the extended VLAN range 1006 to 4094 you must manually configure all intermediate switches It is normal to have multiple RSPAN VLANs in a network at the same time with each RSPAN VLAN defining a network wide RSPAN session That is multiple RSPAN source sessions anywhere in t...

Page 798: ...If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a source the port is removed from the EtherChannel group and from the list of monitored ports Multicast traffic can be monitored For egress and ingress port monitoring only a single unedited packet is sent to the SPAN destination port It does not reflect the number of times the multicast pa...

Page 799: ... also true for an RSPAN session You can attach three types of FSPAN ACLs to the SPAN session IPv4 FSPAN ACL filters only IPv4 packets IPv6 FSPAN ACL filters only IPv6 packets MAC FSPAN ACL filters only non IP packets The security ACLs have higher priority than the FSPAN ACLs on a switch If FSPAN ACLs are applied and you later add more security ACLs that cannot fit in the hardware memory the FSPAN ...

Page 800: ... or VLANs for each session You cannot mix source ports and source VLANs within a single SPAN session The destination port cannot be a source port a source port cannot be a destination port You cannot have two SPAN sessions using the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN d...

Page 801: ...ing SPAN configuration for the session For session_number the range is 1 to 66 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port For session_number the range is 1 to 66 For inter...

Page 802: ...0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interface inter...

Page 803: ...r all local remote Remove any existing SPAN configuration for the session Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port Step 4 monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id Specify the...

Page 804: ...an 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Step 5 end Return to privileged EXEC mode Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Comm...

Page 805: ...PAN Configuration Guidelines section on page 1 12 apply to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches Step 5 monitor sess...

Page 806: ... trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005 Configuring a VLAN as an RSPAN VLAN First create a new VLAN to be the RSPAN VLAN for the RSPAN session You must create the RSPAN VLAN in all switches that will participate in RSPAN If the RSPAN VLAN ID is in the normal range lower than 1005 and VTP is enabled in the network you can cr...

Page 807: ...nter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can include multiple source...

Page 808: ... configure the RSPAN source session to limit RSPAN source traffic to specific VLANs Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_numb...

Page 809: ...r session session_number destination remote vlan vlan id Specify the RSPAN session and the destination remote VLAN RSPAN VLAN For session_number enter the session number specified in Step 3 For vlan id specify the RSPAN VLAN to carry the monitored traffic to the destination port rt group a b c to specify the ports that carry RSPAN traffic Step 6 end Return to privileged EXEC mode Step 7 show monit...

Page 810: ... an RSPAN Destination Session section on page 1 21 This procedure assumes that the RSPAN VLAN has already been configured Step 6 monitor session session_number source remote vlan vlan id Specify the RSPAN session and the source RSPAN VLAN For session_number the range is 1 to 66 For vlan id specify the source RSPAN VLAN to monitor Step 7 monitor session session_number destination interface interfac...

Page 811: ... id Specify the SPAN session the destination port the packet encapsulation and the incoming VLAN and encapsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Thoug...

Page 812: ...ts as source ports If the session has any Catalyst 3750 or Catalyst 3750 E ports as source ports the FSPAN ACL command is rejected If the session has FSPAN ACL configured any commands including Catalyst 3750 or Catalyst 3750 E ports as source ports are rejected The Catalyst 3750 or Catalyst 3750 E ports can be added as destination ports in an FSPAN session VLAN based FSPAN sessions cannot be confi...

Page 813: ...SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or the source VLAN to monitor For source interface id specify the source port to monitor Only physical interfaces are valid For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can include multiple sources p...

Page 814: ...replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged Note You can use monitor session session_number destination command multiple times to configure multiple destination ports Step 5 monitor session session_number filter ip ipv6 mac access group access list number name Specify the SPAN session the types of packets to filter and...

Page 815: ...fic both Monitor both received and sent traffic rx Monitor received traffic tx Monitor sent traffic Step 4 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination RSPAN VLAN For session_number enter the number defined in Step 3 For vlan id specify the source RSPAN VLAN to monitor Step 5 vlan vlan id Enter the VLAN sub mode For vlan id specify th...

Page 816: ...PAN and RSPAN Displaying SPAN RSPAN FSPAN and FRSPAN Status Displaying SPAN RSPAN FSPAN and FRSPAN Status To display the current SPAN RSPAN FSPAN or FRSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured sessions ...

Page 817: ...hensive network fault diagnosis planning and performance tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 4 Understanding RMON page 1 1 Configuring RMON page 1 2 Displaying RMON Status page 1 6 Understanding RMON RMON is an Inter...

Page 818: ...ecified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches sup...

Page 819: ...rivileged EXEC mode follow these steps to enable RMON alarms and events This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to ...

Page 820: ...d can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this comman...

Page 821: ...llection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets desired for the RMON collection history group of statistics The range is 1 to 65535 The default is ...

Page 822: ...tion stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 show rmon statistics Display the contents of the switch ...

Page 823: ...e 1 17 Caution Logging messages to the console at a high rate can cause high CPU utilization and adversely affect how the switch operates Understanding System Message Logging By default a switch sends the output from system messages and debug privileged EXEC commands to a logging process Stack members can trigger system messages A stack member that generates a system message appends its hostname i...

Page 824: ...stem messages by viewing the logs on a syslog server or by accessing the switch through Telnet through the console port or through the Ethernet management port In a switch stack all stack member consoles provide the same console output Configuring System Message Logging System Log Message Format page 1 2 Default System Message Logging Configuration page 1 4 Disabling Message Logging page 1 4 optio...

Page 825: ...otocol on Interface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 1 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disa...

Page 826: ...essage Logging Message logging is enabled by default It must be enabled to send messages to any destination other than the console When enabled log messages are sent to a logging process which logs messages to designated locations asynchronously to the processes that generated the messages Beginning in privileged EXEC mode follow these steps to disable message logging This procedure is optional Ta...

Page 827: ...e messages This procedure is optional Step 4 show running config or show logging Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging buffered size Log messages to an internal buffer on the switch or on a standalone switch or in the ...

Page 828: ...sages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicited device output and prompts After the unsol...

Page 829: ... line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number...

Page 830: ...at more than one log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global conf...

Page 831: ... global configuration command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logg...

Page 832: ...ck messages displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the swi...

Page 833: ...0 You can clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and re enable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that con...

Page 834: ...4 interface GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface GigabitEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Befo...

Page 835: ... Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid For more information see the man syslog conf and man syslogd commands on your UNIX system Configuring the UNIX System Logging Facility When sending system log messages to an external device ...

Page 836: ...art logging for these events DHCP snooping violations Dynamic ARP inspection violations IP source guard denied traffic ACL permitted or denied traffic To use smart logging you must first configure a NetFlow exporter that you identify when you enable smart logging For information on configuring Cisco Flexible NetFlow see the Cisco IOS Flexible NetFlow Configuration Guide Release 12 4T http www cisc...

Page 837: ...g Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging smartlog Turn on the smart logging feature Step 3 logging smartlog exporter exporter_name Identify the smart log exporter You must have already configured the exporter by using the flexible NetFlow CLI If the exporter name does not exist you receive an error message By default the switch sends data to the co...

Page 838: ...e address other than the specified address or addresses learned through DHCP snooping are denied You can enable IP source guard smart logging to send the contents of the denied packets to the NetFlow collector Beginning in privileged EXEC mode follow these steps to enable IP source guard smart logging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip arp inspectio...

Page 839: ...o determines the type of logging If you attach an ACL with smart log configured to a router or a VLAN the ACL is attached but smart logging does not take affect If you configure logging on an ACL attached to a Layer 2 port the logging keyword is ignored You add the smart log configuration option when you create the permit and deny conditions for an ACL This example enables smart logging on a numbe...

Page 840: ...1 18 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring System Message Logging and Smart Logging Displaying the Logging Configuration ...

Page 841: ...ship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a manager s requests to get or set data An agent can send uns...

Page 842: ...packets over the network and includes these security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword Both SNMPv1 and SNMPv2C use a community based fo...

Page 843: ... on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DES 168 bit encryption A...

Page 844: ...write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Network Assistant software appends the member switch number esN where N is the switch number to the first...

Page 845: ...teristics that make informs more reliable than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher over...

Page 846: ...P2 module interfaces based on type and port numbers 10000 14500 Null 10501 nonstackable switches 14501 stackable switches Loopback and Tunnel 24567 1 SVI switch virtual interface 2 SFP small form factor pluggable Table 1 3 ifIndex Values continued Interface Type ifIndex Range Table 1 4 Default SNMP Configuration Feature Default Setting SNMP agent Disabled1 1 This is the default when the switch sta...

Page 847: ...t the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has im...

Page 848: ...to configure a community string on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server community string view view name ro rw access list number Configure the community string Note The symbol is used for delimiting the context information Avoid using the symbol as part of the SNMP community string when configuring this command For string specify a...

Page 849: ...ws and you can add new users to the SNMP group Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then create the list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The per...

Page 850: ... priv read readview write writeview notify notifyview access access list Configure a new SNMP group on the remote device For groupname specify the name of the group Specify a security model v1 is the least secure of the possible security models v2c is the second least secure model It allows transmission of informs and integers twice the normal width v3 the most secure requires you to select an aut...

Page 851: ...ble only when the v3 keyword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 you can also configure a private priv encryption algorithm and password string priv password not to exceed 64 characters priv specifies th...

Page 852: ...anges config Generates a trap for SNMP configuration changes copy config Generates a trap for SNMP copy configuration changes cpu threshold Allow CPU related traps entity Generates a trap for SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature flash Generates SNMP FLASH notifications In a swi...

Page 853: ...ication type port security configure the port security trap first and then configure the port security trap rate snmp server enable traps port security snmp server enable traps port security trap rate rate rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down storm control Generat...

Page 854: ... Internet address of the host the targeted recipient Optional Enter informs to send SNMP informs to the host Optional Enter traps the default to send SNMP traps to the host Optional Specify the SNMP version 1 2c or 3 SNMPv1 does not support informs Optional For Version 3 select authentication level auth noauth or priv For community string when version 1 or version 2c is specified enter the passwor...

Page 855: ... informs global configuration command To disable a specific trap type use the no snmp server enable traps notification types global configuration command Step 7 snmp server trap source interface id Optional Specify the source interface which provides the IP address for the trap message This command also sets the source IP address for informs Step 8 snmp server queue length length Optional Establis...

Page 856: ...lization rising percentage the percentage 1 to 100 of CPU resources that when exceeded for the configured interval sends a CPU threshold notification interval seconds the duration of the CPU threshold violation in seconds 5 to 86400 that when met sends a CPU threshold notification falling fall percentage the percentage 1 to 100 of CPU resources that when usage falls below this level for the config...

Page 857: ...ftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list n...

Page 858: ...er host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The second line specifies the destination of these traps and overwrites any previous snmp server host commands for the host cisco com Switch config snmp ser...

Page 859: ...and Reference Table 1 6 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp pending Displays information on pending SNMP requests ...

Page 860: ...1 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring SNMP Displaying SNMP Status ...

Page 861: ...mand Reference For the complete EEM document set see these documents in the Cisco IOS Network Management Configuration Guide Embedded Event Manager Overview http www cisco com en US docs ios netmgmt configuration guide nm_eem_overview html Writing Embedded Event Manager Policies Using the Cisco IOS CLI http www cisco com en US docs ios netmgmt configuration guide nm_eem_policy_cli html Writing Emb...

Page 862: ...occurs The EEM policies then implement recovery based on the current state of the system and the actions specified in the policy for the given event Figure 1 1 Embedded Event Manager Core Event Detectors See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment Event Detectors page 1 3 Embedded Event Manager Actions page 1 4 Embedded Event Manage...

Page 863: ... also publishes an event about an interface based on the rate of change for the entry and exit values None event detector Publishes an event when the event manager run CLI command executes an EEM policy EEM schedules and runs policies on the basis on an event specification within the policy itself An EEM policy must be manually identified and registered before the event manager run command execute...

Page 864: ...Cisco IOS process crosses a threshold Memory utilization for a Cisco IOS process crosses a threshold Two events can be monitored at the same time and the event publishing criteria requires that one or both events cross their specified thresholds Embedded Event Manager Actions These actions occur in response to an event Modifying a named counter Publishing an application specific event Generating a...

Page 865: ... in variables available in EEM applets Defined by Cisco and can be read only or read write The read only variables are set by the system before an applet starts to execute The single read write variable _exit_status allows you to set the exit status for policies triggered from synchronous events Cisco defined environment variables and Cisco system defined environment variables might apply to one s...

Page 866: ...7 For complete information about configuring embedded event manager see the Cisco IOS Network Management Configuration Guide Release 12 4T Note To configure EEM you must have the IP services feature set installed on the switch Registering and Defining an Embedded Event Manager Applet Beginning in privileged EXEC mode perform this task to register an applet with EEM and to define the EEM applet usi...

Page 867: ...l msg msg text Specify the action when an EEM applet is triggered Repeat this action to add other CLI commands to the applet Optional The priority keyword specifies the priority level of the syslog messages If selected you need to define the priority level argument For msg text the argument can be character text an environment variable or a combination of the two Step 5 end Exit applet configurati...

Page 868: ... every hour of every day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Manager Info...

Page 869: ...witches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag SCT Exchange Protocol SXP This feature supports security group access control lists SGACLs which define ACL policies for a group of devices instead of an IP address The SXP control protocol allows tagging packets with SCTs without a hardware upgrade and runs between access layer devices at the Cis...

Page 870: ...cess lists on a router or Layer 3 switch to provide basic security for your network If you do not configure ACLs all packets passing through the switch could be allowed onto all parts of the network You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces For example you can allow e mail traffi...

Page 871: ... ACL Other packets are filtered by the VLAN map When an input router ACL and input port ACL exist in an switch virtual interface SVI incoming packets received on ports to which a port ACL is applied are filtered by the port ACL Incoming routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SV...

Page 872: ...s way ACLs control access to a network or to part of a network Figure 1 1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs can only be applied to Layer 2 interfaces in the inbound direction ...

Page 873: ...s the switch examines ACLs associated with features configured on a given interface However router ACLs are supported in both directions As packets enter the switch on an interface ACLs associated with all inbound features configured on that interface are examined After packets are routed and before they are forwarded to the next hop all ACLs associated with outbound features configured on the egr...

Page 874: ... as TCP UDP and so on are considered to match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information Consider access list 102 configured with these commands applied to three fragmented packets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Sw...

Page 875: ...ring the Switch Stack The stack master performs these ACL functions It processes the ACL configuration and propagates the information to all stack members It distributes the ACL information to any switch that joins the stack If packets must be forwarded by software for any reason for example not enough hardware resources the master switch forwards the packets only after applying ACLs on the packet...

Page 876: ...s page 1 24 Creating Standard and Extended IPv4 ACLs This section describes IP ACLs An ACL is a sequential collection of permit and deny conditions One by one the switch tests packets against the conditions in an access list The first match determines whether the switch accepts or rejects the packet Because the switch stops testing after the first match the order of the conditions is critical If n...

Page 877: ...s list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log ke...

Page 878: ...cess list number deny permit source source wildcard log smartlog Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether to deny or permit access if conditions are matched The source is the source address of the network or host from which the packet is being sent specif...

Page 879: ...ACL to a Terminal Line section on page 1 20 to interfaces see the Applying an IPv4 ACL to an Interface section on page 1 21 or to VLANs see the Configuring VLAN Maps section on page 1 32 Creating a Numbered Extended ACL Although standard ACLs use only source addresses for matching you can use extended ACL source and destination addresses for matching operations and optional protocol type informati...

Page 880: ...ng Network Security with ACLs Configuring IPv4 ACLs Note The switch does not support dynamic or reflexive access lists It also does not support filtering based on the type of service ToS minimize monetary cost bit Supported parameters can be grouped into these categories TCP UDP ICMP IGMP or other IP ...

Page 881: ... The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can be specified as The 32 bit quantity in dotted decimal format ...

Page 882: ...mission Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a ...

Page 883: ...precedence tos tos fragments log log input smartlog time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings...

Page 884: ...s list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The advant...

Page 885: ... end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuration mo...

Page 886: ...set the times and the dates or the days of the week in the time range Then enter the time range name when applying an ACL to set restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week The time range keyword and argument are referenced in the named an...

Page 887: ...tended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any ti...

Page 888: ...rmit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the workstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed ...

Page 889: ...ly an ACL to a Layer 3 interface and routing is not enabled on the switch the ACL only filters packets that are intended for the CPU such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Wh...

Page 890: ...ithin a VLAN For inbound ACLs after receiving a packet the switch checks the packet against the ACL If the ACL permits the packet the switch continues to process the packet If the ACL rejects the packet the switch discards the packet For outbound ACLs after receiving and routing a packet to a controlled interface the switch checks the packet against the ACL If the ACL permits the packet the switch...

Page 891: ...e done by software Because of the difference in packet handling capacity between hardware and software if the sum of all flows being logged both permitted flows and denied flows is of great enough bandwidth not all of the packets that are forwarded can be logged If router ACL configuration cannot be applied in hardware packets arriving in a VLAN that must be routed are routed in software but are b...

Page 892: ...ion destination wildcard range 115 1660 permit tcp source source wildcard destination destination wildcard And if this message appears ACLMGR 2 NOVMR Cannot generate hardware representation of access list chars The flag related operators are not available To avoid this issue Move the fourth ACE before the first ACE by using ip access list resequence global configuration command permit tcp source s...

Page 893: ... Create a standard ACL and filter traffic coming to the server from Port 1 Create an extended ACL and filter traffic coming from the server into Port 1 Figure 1 3 Using Router ACLs to Control Traffic This example uses a standard ACL to filter traffic coming into Server B from a port permitting traffic only from Accounting s source addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traf...

Page 894: ...gigabitethernet2 0 1 Switch config if ip access group 2 in Extended ACLs In this example the first line permits any incoming TCP connections with destination ports greater than 1023 The second line permits incoming TCP connections to the Simple Mail Transfer Protocol SMTP port of host 128 88 1 2 The third line permits incoming ICMP messages for error feedback Switch config access list 102 permit t...

Page 895: ...MP traffic denies UDP traffic from any source to the destination address range 171 69 0 0 through 179 69 255 255 with a destination port less than 1024 denies any other IP traffic and provides a log of the result Switch config ip access list extended marketing_group Switch config ext nacl permit tcp any 171 69 0 0 0 0 255 255 eq telnet Switch config ext nacl deny tcp any any Switch config ext nacl...

Page 896: ...Do not allow Jones subnet through Switch config std nacl deny 171 69 0 0 0 0 255 255 In this example of a named ACL the Jones subnet is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp 171 69 0 0 0 0 255 255 any eq telnet ACL Logging Two variations of logging are...

Page 897: ...255 0 1 packet 01 31 33 SEC 6 IPACCESSLOGP list ext1 denied udp 0 0 0 0 0 255 255 255 255 0 8 packets Note that all logging entries for IP ACLs start with SEC 6 IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched This is an example of an output message when the log input keyword is entered 00 04 21 SEC 6 IPACCESSLOGDP list inputlog pe...

Page 898: ...pe mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address with a mask or a specific host source MAC address and any destination MAC address destinati...

Page 899: ...terface configuration command This example shows how to apply MAC access list mac1 to a port to filter packets entering the port Switch config interface gigabitethernet1 0 2 Router config if mac access group mac1 in Note The mac access group interface configuration command is only valid when applied to a physical Layer 2 interface You cannot use the command on EtherChannel port channels After rece...

Page 900: ...ep 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN See the Creating Standard and Extended IPv4 ACLs section on page 1 8 and the Creating a VLAN Map section on page 1 34 Step 2 Enter the vlan access map global configuration command to create a VLAN ACL map entry Step 3 In access map configuration mode optionally enter an action forward the d...

Page 901: ...rface and you apply a VLAN map to a VLAN that the port belongs to the port ACL takes precedence over the VLAN map If VLAN map configuration cannot be applied in hardware all packets in that VLAN must be bridged and routed by software You can configure VLAN maps on primary and secondary VLANs However we recommend that you configure the same VLAN maps on private VLAN primary and secondary VLANs When...

Page 902: ...s to drop any IP packet that does not match any of the match clauses Switch config ip access list extended ip1 Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan access map ...

Page 903: ...igmp match Switch config ext nacl permit igmp any any Switch config ip access list extended tcp match Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map drop ip default 10 Switch config access map match ip address 101 Switch config access map action forward Switch config access map exit Switch config vlan access map drop ip default 20 Switch config ...

Page 904: ...s map match ip address tcp match Switch config access map action forward Switch config access map exit Switch config vlan access map drop all default 20 Switch config access map match mac address good hosts Switch config access map action forward Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode follow these steps to apply a VLAN map to one or more VLANs To remove the VLAN map use th...

Page 905: ...o Host Y IP address 10 1 1 34 at Switch A and not bridge it to Switch B First define the IP access list http that permits matches any TCP traffic on the HTTP port Switch config ip access list extended http Switch config ext nacl permit tcp host 10 1 1 32 host 10 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches the http access list is dropped a...

Page 906: ...p SERVER1 to VLAN 10 Step 1 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host 10 1 1 100 Switch config ext nacl exit Step 2 Define a VLAN map using this ACL that w...

Page 907: ...number of the entry within the map The sequence number range is from 0 to 65535 When you create VLAN maps with the same name numbers are assigned sequentially in increments of 10 When modifying or deleting maps you can enter the number of the map entry that you want to modify or delete Specifying the map name and optionally a number enters the access map configuration mode Step 3 action drop log S...

Page 908: ... use VLAN maps only or a combination of router ACLs and VLAN maps You can define router ACLs on both input and output routed VLAN interfaces and you can define a VLAN map to access control the bridged traffic If a packet flow matches a VLAN map deny clause in the ACL regardless of the router ACL configuration the packet flow is denied Note When you use router ACLs with VLAN maps packets that requi...

Page 909: ...ull flow source IP address destination IP address protocol and protocol ports It is also helpful to use don t care bits in the IP address whenever possible If you need to specify the full flow mode and the ACL contains both IP ACEs and TCP UDP ICMP ACEs with Layer 4 information put the Layer 4 ACEs at the end of the list This gives priority to the filtering of traffic based on IP addresses Example...

Page 910: ...pplied on fallback bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 1 7 Applying ACLs on Bridged Packets VLAN 10 map Frame Input router ACL Output router ACL Routing function or fallback bridge VLAN 10 VLAN 20 Host C VLAN 10 Host A VLAN 10 VLAN 20 map Packet 101357 Frame Fallback bridge VLAN 10 Host A VLA...

Page 911: ...t kinds of filters applied one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in som...

Page 912: ...N 20 VLAN 20 map Packet 101360 Table 1 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access list numbered or named show ip...

Page 913: ...access maps or VLAN filters Use the privileged EXEC commands in Table 1 3 to display VLAN map information Table 1 3 Commands for Displaying VLAN Map Information Command Purpose show vlan access map mapname Show information about all VLAN access maps or the specified access map show vlan filter access map name vlan vlan id Show information about all VLAN filters or about a specified VLAN or VLAN ac...

Page 914: ...1 46 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 915: ... to apply policy maps you configure the QoS settings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you apply a nonhierarchical policy map When configuring QoS on an SVI you apply a nonhierarchical or a hierarchical policy map Nonhierarchical policy maps are referred to as nonhierarchical single level policy maps and h...

Page 916: ...Layer 2 frame or a Layer 3 packet are described here and shown in Figure 1 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value in the three least significant bits On ports configured as Layer 2 ISL trunks all traffic is in ISL frames Layer 2 802 1Q frame headers have a 2 byte Tag Control...

Page 917: ... allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the traf...

Page 918: ... be taken when a packet is out of profile and determines what to do with the packet pass through a packet without modification mark down the QoS label in the packet or drop the packet For more information see the Policing and Marking section on page 1 9 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet Queueing...

Page 919: ...in Figure 1 3 Trust the CoS value in the incoming frame configure the port to trust CoS Then use the configurable CoS to DSCP map to generate a DSCP value for the packet Layer 2 ISL frame headers carry the CoS value in the 3 least significant bits of the 1 byte User field Layer 2 802 1Q frame headers carry the CoS value in the 3 most significant bits of the Tag Control Information field CoS values...

Page 920: ...t to trust IP precedence and generate a DSCP value for the packet by using the configurable IP precedence to DSCP map The IP Version 4 specification defines the 3 most significant bits of the 1 byte ToS field as the IP precedence IP precedence values range from 0 for low priority to 7 for high priority You can also classify IP traffic based on IPv6 precedence Trust the CoS value if present in the ...

Page 921: ...tion map Use the DSCP value to generate the QoS label Read ingress interface configuration for classification Assign DSCP identical to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as spec...

Page 922: ...map is a mechanism that you use to name a specific traffic flow or class and isolate it from all other traffic The class map defines the criteria used to match against a specific traffic flow to further classify it The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP or IP precedence values If you have more than one type of traffic that you want...

Page 923: ...fies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map see the Mapping Tables sectio...

Page 924: ...h verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes an upper l...

Page 925: ...rface level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No Pass throu...

Page 926: ...licy map only supports individual policers and does not support aggregate policers You can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 1 63 for an example of a hierarchical policy map Figure 1 5 shows the policing and marking process whe...

Page 927: ...his map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue threshold...

Page 928: ...andwidth of all ports can exceed the bandwidth of the stack or internal ring ingress queues are located after the packet is classified policed and marked and before packets are forwarded into the switch fabric Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion outbound queues are located after the stack or internal ring Marker Policer Marker Polic...

Page 929: ...ull state CoS values 4 and 5 are assigned to the 60 percent threshold and CoS values 0 to 3 are assigned to the 40 percent threshold Suppose the queue is already filled with 600 frames and a new frame arrives It contains CoS values 4 and 5 and is subjected to the 60 percent threshold If this frame is added to the queue the threshold will be exceeded so the switch drops it Figure 1 8 WTD and Queue ...

Page 930: ... per interface Each interface can be uniquely configured For more information see the Allocating Bandwidth Between the Ingress Queues section on page 1 81 the Configuring SRR Shaped Weights on Egress Queues section on page 1 88 and the Configuring SRR Shared Weights on Egress Queues section on page 1 89 Queueing and Scheduling on Ingress Queues Figure 1 9 and Figure 1 10 show the queueing and sche...

Page 931: ...ring Drop packet Start Yes No Table 1 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows You can use the mls qos srr queue input threshold the mls qos srr ...

Page 932: ...with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 weight2 g...

Page 933: ... services it until it is empty before servicing the other three queues Figure 1 11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750 X Switches 86694 Receive packet from the stack ring Read QoS label DSCP or CoS value Determine egress queue number and threshold based on the label Are thresholds being exceeded Send the packet out the port Queue the packet Service the queue accordi...

Page 934: ...The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue to prevent any queue or port from consuming all the buffers and depriving other queues and to control whether to grant buffer space to a requesting queue The switch detects whether the target queue has not consumed more buffers than its reserved amount under limit whether it has consumed all of ...

Page 935: ...ace is 400 you can allocate 70 percent of it to queue 1 and 10 percent to queues 2 through 4 Queue 1 then has 280 buffers allocated to it and queues 2 through 4 each have 40 buffers allocated to them You can guarantee that the allocated buffers are reserved for a specific queue in a queue set For example if there are 100 buffers for a queue you can reserve 50 percent 50 buffers The switch returns ...

Page 936: ...s not used in the ratio calculation The expedite queue is a priority queue and it is serviced until empty before the other queues are serviced You enable the expedite queue by using the priority queue out interface configuration command You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues by allocating a l...

Page 937: ...behavior The switch offers best effort service to each packet regardless of the packet contents or size and sends it from a single queue When you enable auto QoS it automatically classifies traffic based on the traffic type and ingress packet label The switch uses the classification results to choose the appropriate egress queue Auto QoS supports IPv4 and IPv6 traffic when you configure the dual I...

Page 938: ...Phone the ingress classification is set to not trust the QoS label in the packet The policing is applied to the traffic matching the policy map classification before the switch enables the trust boundary feature When you enter the auto qos voip cisco softphone interface configuration command on a port at the network edge that is connected to a device running the Cisco SoftPhone the switch uses pol...

Page 939: ...oip generated commands that you configured on the interface before Cisco IOS Release 12 2 55 SE migrate to the enhanced commands Global values change with the migration of enhanced commands For a complete list of the generated commands that are applied to the running configuration see Table 1 5 Auto QoS Configuration Migration Auto QoS configuration migration from legacy auto QoS to enhanced auto ...

Page 940: ...ations from the interface Global Auto QoS Configuration Table 1 5 Generated Auto QoS Configuration Description Automatically Generated Command voip Enhanced Automatically Generated Command Video Trust Classify The switch automatically enables standard QoS and configures the CoS to DSCP map maps CoS values in incoming packets to a DSCP value Switch config mls qos Switch config mls qos map cos dscp ...

Page 941: ... Switch config mls qos srr queue input dscp map queue 1 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue input dscp map queue 1 threshold 3 0 1 2 3 4 5 6 7 Switch config mls qos srr queue input dscp map queue 1 threshold 3 32 Switch config mls qos srr queue input dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos srr queue input dscp map queue 2 threshold 2 3...

Page 942: ...p queue 4 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue output dscp map queue 4 threshold 3 0 1 2 3 4 5 6 7 Switch config no mls qos srr queue output dscp map Switch config mls qos srr queue output dscp map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos srr queue o...

Page 943: ...3 Switch config no mls qos srr queue input priority queue 1 Switch config no mls qos srr queue input priority queue 2 Switch config mls qos srr queue input bandwidth 70 30 Switch config mls qos srr queue input threshold 1 80 90 Switch config mls qos srr queue input priority queue 2 bandwidth 30 The switch automatically configures the egress queue buffer sizes It configures the bandwidth and the SR...

Page 944: ...h config class map match all AutoQoS VoIP Control Trust Switch config cmap match ip dscp cs3 af31 Switch config policy map AutoQoS Police CiscoPhone Switch config pmap class AutoQoS VoIP RTP Trust Switch config pmap c set dscp ef Switch config pmap c police 320000 8000 exceed action policed dscp transmit Switch config pmap class AutoQoS VoIP Control Trust Switch config pmap c set dscp cs3 Switch c...

Page 945: ...onfig pmap c set dscp af21 Switch config pmap class AUTOQOS_SCAVANGER_CLASS Switch config pmap c set dscp cs1 Switch config pmap class AUTOQOS_SIGNALING_CLASS Switch config pmap c set dscp cs3 Switch config pmap class AUTOQOS_DEFAULT_CLASS Switch config pmap c set dscp default Switch config if service policy input AUTOQOS SRND4 CLASSIFY POLICY If you entered the auto qos classify police command th...

Page 946: ...g pmap c police 32000 8000 exceed action policed dscp transmit Switch config pmap class AUTOQOS_DEFAULT_CLASS Switch config pmap c set dscp default Switch config pmap c police 10000000 8000 exceed action policed dscp transmit Switch config if service policy input AUTOQOS SRND4 CISCOPHONE POLICY This is the enhanced configuration for the auto qos voip cisco softphone command Switch config mls qos m...

Page 947: ...nds were entered from the CLI An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands These actions occur without warning If all the generated commands are successfully applied any user entered configuration that was not overridden remains in the running configuration Any user entered configuration that was overridden...

Page 948: ...figuration command is generated as a result of enhanced auto QoS configuration If the legacy auto qos voip commands are executed on the switch and the mls qos command is disabled the enhanced auto QoS configuration is generated Otherwise legacy auto QoS commands are executed Enabling Auto QoS For optimum QoS performance enable auto QoS on all the devices in your network Beginning in privileged EXE...

Page 949: ...ot changed Traffic is switched in pass through mode packets are switched without any rewrites and classified as best effort without any policing auto qos video cts ip camera media player or Enable auto QoS for a video device cts A port connected to a Cisco Telepresence system ip camera A port connected to an IP camera media player A port connected to a CDP capable Cisco digital media player QoS la...

Page 950: ...t these commands see the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requirements a...

Page 951: ... Configuration section on page 1 37 and the Default Egress Queue Configuration section on page 1 38 Default Ingress Queue Configuration Table 1 6 shows the default ingress queue configuration when QoS is enabled Table 1 7 shows the default CoS input queue threshold map when QoS is enabled Table 1 8 shows the default DSCP input queue threshold map when QoS is enabled Table 1 6 Default Ingress Queue...

Page 952: ...e 3 Queue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight of zero mea...

Page 953: ...tion on page 1 40 Policing Guidelines section on page 1 41 General QoS Guidelines section on page 1 41 QoS ACL Guidelines These are the guidelines with for configuring QoS with access control lists ACLs It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per...

Page 954: ...ierarchical policy map The switch does not support aggregate policers in hierarchical policy maps After the hierarchical policy map is attached to an SVI the interface level policy map cannot be modified or removed from the hierarchical policy map A new interface level policy map also cannot be added to the hierarchical policy map If you want these changes to occur the hierarchical policy map must...

Page 955: ...he same nonhierarchical policy map However you cannot use the aggregate policer across different policy maps On a port configured for QoS all traffic received through the port is classified policed and marked according to the policy map attached to the port On a trunk port configured for QoS traffic in all VLANs received through the port is classified policed and marked according to the policy map...

Page 956: ...erface level of a hierarchical policy map on an SVI Use the no mls qos vlan based interface configuration command to disable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section on page 1 37 the Queueing and Sched...

Page 957: ...e page 1 44 Configuring a Trusted Boundary to Ensure Port Security page 1 45 Enabling DSCP Transparency Mode page 1 46 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 1 47 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port withi...

Page 958: ...erfaces are physical ports Step 3 mls qos trust cos dscp ip precedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress pac...

Page 959: ...sses the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a Cisco IP Phone such as the Cisco IP Phone 7910 7935 7940 and 7960 on a switch port If the telephone is not detected the trusted boundary feature disabl...

Page 960: ...ip dscp command the switch does not modify the DSCP field in the incoming packet and the DSCP field in the outgoing packet is the same as that in the incoming packet Note Enabling DSCP transparency does not affect the port trust settings on IEEE 802 1Q tunneling ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP globally By default CDP is enab...

Page 961: ...transparency is still enabled Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic you can configure the switch ports bordering the domains to a DSCP trusted state as shown in Figure 1 15 Then the receiving port accepts the DSCP trusted value and avoids the classific...

Page 962: ...n Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map The default DSCP to DSCP mutation map is a null map which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map b...

Page 963: ...s You can classify non IP traffic by using Layer 2 MAC ACLs Note IPv6 ACLs are not supported on switches running the LAN base feature set Creating an IP Standard ACL Beginning in privileged EXEC mode follow these steps to create an IP standard ACL for IPv4 traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source sour...

Page 964: ...ng the command as many times as necessary For access list number enter the access list number The range is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of ...

Page 965: ...IM traffic from any source to a destination group address of 224 0 0 2 with a DSCP set to 32 Switch config access list 102 permit pim any 224 0 0 2 dscp 32 Creating an IPv6 ACL Note IPv6 ACLs are not supported on switches running the LAN base feature set Beginning in privileged EXEC mode follow these steps to create an IPv6 ACL for IPv6 traffic Note Before creating IPv6 ACLs you must enable a dual...

Page 966: ...For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix prefix length argument it must match the destination port Optional Th...

Page 967: ... are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0 0 For mask enter the wildcard bits by placing ones in the bit...

Page 968: ...ation command For more information see the Classifying Policing and Marking Traffic on Physical Ports by Using Policy Maps section on page 1 58 and the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 1 63 Beginning in privileged EXEC mode follow these steps to create a class map and to define the match criterion to classify traffic Command Purpose...

Page 969: ...lt is match all Note Because only one match command per class map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 1 16 for limitations when using the match all and the match any keywords Step 4 match protocol ip ipv6 Optional Specify the IP protocol to which the class map applies Use the argument ip to specify IP...

Page 970: ...config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 5 match access group acl index or name ip dscp dscp list ip precedence ip precedence list Define the match criterion to classify traffic ...

Page 971: ...figuration mode Step 2 class map match all class map name Create a class map and enter class map configuration mode By default no class maps are defined When you use the match protocol command only the match all keyword is supported For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Step 3 match protocol ip ipv6 ...

Page 972: ...lass map that applies to both IPv4 and IPv6 traffic Switch config ip access list 101 permit ip any any Switch config ipv6 access list ipv6 any permit ip any any Switch config Class map cm 1 Switch config cmap match access group 101 Switch config cmap exit Switch config class map cm 2 Switch config cmap match access group name ipv6 any Switch config cmap exit Switch config Policy map pm1 Switch con...

Page 973: ...e IP precedence to DSCP map If you want the egress DSCP value to be different than the ingress value use the set dscp new dscp policy map class configuration command If you enter or have used the set ip dscp command the switch changes this command to set dscp in its configuration You can use the set ip precedence or the set precedence policy map class configuration command to change the packet IP ...

Page 974: ...ss map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 1 16 for limitations when using the match all and the match any keywords Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined The default behavior o...

Page 975: ...alue for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 1 73 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a new DSCP v...

Page 976: ... config pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 0001 ...

Page 977: ...config pmap c set dscp 4 Switch config pmap c exit Switch config pmap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap class class default Switch config pmap c set dscp 10 Switch config pmap c exit Switch config pmap exit Switch config interface G0 1 Switch config if switch mode access Switch config if service policy input pm1 Classifying Policing and Marking...

Page 978: ...recedence value This setting appears as set ip precedence in the switch configuration If VLAN based QoS is enabled the hierarchical policy map supersedes the previously configured port based policy map The hierarchical policy map is attached to the SVI and affects all traffic in the VLAN The actions specified in the VLAN level policy map affect the traffic belonging to the SVI The police action on...

Page 979: ...atch any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same See the Creat...

Page 980: ...all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified t...

Page 981: ...when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet For more information see the Configuring the Policed DSCP Map section on page 1 75 Step 14 exit Return to policy map configuration mode Step 15 exit Return to global configuration mod...

Page 982: ...e ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 1 73 Step 19...

Page 983: ...ccess 101 Switch config cmap exit Switch config exit Switch Switch This example shows how to attach the new map to an SVI Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input gigabitethernet3 0 1 gigabitethernet3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pmap cl...

Page 984: ... configure a class map to match IP DSCP and IPv6 Switch config class map cm 1 Switch config cmap match ip dscp 10 Switch config cmap match protocol ipv6 Switch config cmap exit Switch config class map cm 2 Switch config cmap match ip dscp 20 Switch config cmap match protocol ip Switch config cmap exit Switch config policy map pm1 Switch config pmap class cm 1 Switch config pmap c set dscp 4 Switch...

Page 985: ...l Enter global configuration mode Step 2 mls qos aggregate policer aggregate policer name rate bps burst byte exceed action drop policed dscp transmit Define the policer parameters that can be applied to multiple traffic classes within the same policy map By default no aggregate policer is defined For information on the number of policers supported see the Standard QoS Configuration Guidelines sec...

Page 986: ...g cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Step 4 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode For more information see the Classifying Policing and Mar...

Page 987: ...DSCP Map page 1 73 optional Configuring the IP Precedence to DSCP Map page 1 74 optional Configuring the Policed DSCP Map page 1 75 optional unless the null settings in the map are not appropriate Configuring the DSCP to CoS Map page 1 76 optional Configuring the DSCP to DSCP Mutation Map page 1 77 optional unless the null settings in the map are not appropriate All the maps except the DSCP to DSC...

Page 988: ...o map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 1 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map cos dscp dscp1 dscp8 Modify the CoS to DSCP ma...

Page 989: ...ow these steps to modify the policed DSCP map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The DSCP range is 0 to 63 Step 3 end Return...

Page 990: ...8 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 ...

Page 991: ... map a DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingress ...

Page 992: ... 00 00 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation nam...

Page 993: ... need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocated ...

Page 994: ... to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each val...

Page 995: ...default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated betw...

Page 996: ... mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr qu...

Page 997: ...xt sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth of the port ...

Page 998: ... disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availability o...

Page 999: ... the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 percen...

Page 1000: ...the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particul...

Page 1001: ... 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold per...

Page 1002: ...h is 12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress queu...

Page 1003: ... the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one and a third times the bandwidth of queue 3 Switch config interface gigabitethernet2 0 1 Switch config if srr ...

Page 1004: ... your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on a switch Step 3 interface interface id Specify the egress port and enter interface configuration mode Step 4 priority queue out Enable the egress expedite qu...

Page 1005: ...class maps which define the match criteria to classify traffic show mls qos Display global QoS configuration information show mls qos aggregate policer aggregate policer name Display the aggregate policer configuration show mls qos input queue Display QoS settings for the ingress queues show mls qos interface interface id buffers policers queueing statistics Display QoS information at the port lev...

Page 1006: ...1 92 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring QoS Displaying Standard QoS Information ...

Page 1007: ... and to a Catalyst 3750 X switch stack Note To use IPv6 you must configure the dual IPv4 and IPv6 Switch Database Management SDM template on the switch You select the template by entering the sdm prefer dual ipv4 and ipv6 default routing vlan global configuration command For related information see these chapters For more information about SDM templates see Chapter 1 Configuring SDM Templates For ...

Page 1008: ...ace As with IPv4 ACLs IPv6 port ACLs take precedence over router ACLs When an input router ACL and input port ACL exist in an SVI packets received on ports to which a port ACL is applied are filtered by the port ACL Routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on...

Page 1009: ...supported only on switch stacks Switches support only control plane incoming IPv6 ACLs When configuring an ACL there is no restriction on keywords entered in the ACL regardless of whether or not they are supported on the platform When you apply the ACL to an interface that requires hardware forwarding physical ports or SVIs the switch checks to determine whether or not the ACL can be supported on ...

Page 1010: ...igured or applied Interaction with Other Features and Switches If an IPv6 router ACL is configured to deny a packet the packet is not routed A copy of the packet is sent to the Internet Control Message Protocol ICMP queue to generate an ICMP unreachable message for the frame If a bridged frame is to be dropped due to a port ACL the frame is not bridged You can create both IPv4 and IPv6 ACLs on a s...

Page 1011: ... ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator f...

Page 1012: ...tor port number dscp value log log input neq port protocol range port protocol routing sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not v...

Page 1013: ... to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Step 5 show ipv6 access list Verify the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 in...

Page 1014: ...w access lists privileged EXEC command The output shows all access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 access lists configured on the ...

Page 1015: ...he failed link to the remaining links in the channel without intervention Note Layer 3 EtherChannels are not supported on switches running the LAN base feature set This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a Catalyst 3750 X or 3560 X standalone switch and to a Catalyst 3750 X switch stack Note For complete syntax and usage inf...

Page 1016: ... host Each EtherChannel can consist of up to eight compatibly configured Ethernet ports All ports in each EtherChannel must be configured as either Layer 2 or Layer 3 ports The number of EtherChannels is limited to 48 For more information see the EtherChannel Configuration Guidelines section on page 1 12 The EtherChannel Layer 3 ports are made up of routed ports Routed ports are physical ports con...

Page 1017: ...gure an EtherChannel in the on mode no negotiations take place The switch forces all compatible ports to become active in the EtherChannel The other end of the channel on the other switch must also be configured in the on mode otherwise packet loss can occur You can create an EtherChannel on a standalone switch on a single switch in the stack or on multiple switches in the stack known as cross sta...

Page 1018: ...ber can be the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel With Layer 3 ports you should manually create the logical interface by using the interface port channel global configuration command followed by the no switchport interface configuration command Then you manually assign an interface to ...

Page 1019: ...sco switches and on those switches licensed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports You can use PAgP only in single switch EtherChannel configurations PAgP cannot be enabled on cross stack EtherChannels For more information see the EtherChannel Configuration Guidelines section on page 1 12 By using PAgP t...

Page 1020: ...artner is a file server or a packet analyzer that is not generating traffic In this case running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational However the silent setting allows PAgP to operate to attach the port to a channel group and to use the port for transmission PAgP Interaction with Virtual Switches and Dual Active Detection A ...

Page 1021: ...ble mode Link Aggregation Control Protocol The LACP is defined in IEEE 802 3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802 3ad protocol LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports By using LACP the switch or switch stack learns the identity of partners capable of supporting LACP ...

Page 1022: ...hout negotiations The on mode can be useful if the remote device does not support PAgP or LACP In the on mode a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode Ports that are configured in the on mode in the same channel group must have compatible port characteristics such as speed and duplex Ports that are not compatible are suspended even ...

Page 1023: ...ncoming packet Therefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel But packets sent from different source IP addresses to the same destination IP address are always sent on the same port in the channel With source and destination IP address based forwarding when packets are forwarded ...

Page 1024: ...ee detects this condition and acts accordingly Any PAgP or LACP configuration on a winning switch stack is not affected but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots With PAgP if the stack master fails or leaves the stack a new stack master is elected A spanning tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidt...

Page 1025: ...re information see the EtherChannel Configuration Guidelines section on page 1 12 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port channel interface and configuration changes applied to the physical port affect only the port where you apply the configuration Default EtherChannel Configuration T...

Page 1026: ...one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack Individual EtherChannel groups can run either PAgP or LACP but they cannot interoperate Do not configure a Switched Port Analyzer SPAN destination port as part of an EtherChannel Do not configure a pri...

Page 1027: ...rChannels You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface If you enabled PAgP on a port in the auto or desirable mode you must reconfigure it for either the on mode or the LACP mode before adding this port to a cross stack EtherChannel PAgP does not...

Page 1028: ...k on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is...

Page 1029: ...ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range exit Switch config interface gigabitethernet3 0 3 ...

Page 1030: ...gical interface and enter interface configuration mode For port channel number the range is 1 to 48 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config startup co...

Page 1031: ...tches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not spec...

Page 1032: ...tchport Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 1 8 Beginning in privileged EXEC mode follow these steps to configure Et...

Page 1033: ...up for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely ...

Page 1034: ...r global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on ...

Page 1035: ...he LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 1 21 and the Configuring the LACP Port Priority section on page 1 22 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system priority global...

Page 1036: ...ure is optional To return the LACP port priority to the default value use the no lacp port priority interface configuration command Displaying EtherChannel PAgP and LACP Status Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 lacp port priority priority Configure t...

Page 1037: ... relationship known as teaming and the link is lost on the primary interface connectivity transparently changes to the secondary interface Figure 1 6 on page 1 24 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group An interface can be an aggregation of ports an EtherChannel ...

Page 1038: ...provides primary links to server 1 and server 2 through link state group 1 Port 1 is connected to server 1 and port 2 is connected to server 2 Port 1 and port 2 are the downstream interfaces in link state group 1 Port 5 and port 6 are connected to distribution switch 1 through link state group 1 Port 5 and port 6 are the upstream interfaces in link state group 1 141680 Network Layer 3 link Server ...

Page 1039: ...t These are the interactions between the downstream and upstream interfaces when link state tracking is enabled If any of the upstream interfaces are in the link up state the downstream interfaces can change to or remain in the link up state If all of the upstream interfaces become unavailable link state tracking automatically puts the downstream interfaces in the error disabled state Connectivity...

Page 1040: ...e Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state tracking For Catalyst 3560 X switches the group number can be 1 to 2 For Catalyst 3750 X switches the group number can be 1 to 10 The default is 1 Step 3 interface interface id Specify a physical interface or range of interfaces to configure and enter interface...

Page 1041: ...tion command Displaying Link State Tracking Status Use the show link state group command to display the link state group information Enter this command without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from the s...

Page 1042: ...1 28 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring EtherChannels and Link State Tracking Configuring Link State Tracking ...

Page 1043: ...ormation Understanding TelePresence E911 IP Phone Support page 1 1 Configuring TelePresence E911 IP Phone Support page 1 2 Understanding TelePresence E911 IP Phone Support You can use a Cisco IP phone as a user interface in a Cisco TelePresence System See in Figure 1 In this configuration the IP phone must always be on and available for emergency calls If the power to the codec in the Cisco TelePr...

Page 1044: ...ugh the IP network If power to the codec fails is disrupted or if the codec fails the IP phone is still connected to the IP network and is available for emergency calls The switch forwards all CDP packets received on the ingress port to the egress port If multiple IP phones are connected to the codec through a single port on the switch only one phone communicates with it through the IP network Thi...

Page 1045: ...igabitEthernet2 0 2 egress GigabitEthernet2 0 13 Switch show cdp forward Ingress Egress packets packets Port Port forwarded dropped Gi2 0 1 Gi2 0 12 0 0 Gi2 0 2 Gi2 0 13 0 0 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config no cdp forward ingress gigabitethernet2 0 1 Switch config end Switch Mar 1 13 39 14 120 SYS 5 CONFIG_I Configured from console b...

Page 1046: ... Configuration Guide OL 25303 03 Chapter 1 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support Switch show cdp forward Ingress Egress packets packets Port Port forwarded dropped Gi2 0 2 Gi2 0 13 0 0 Switch ...

Page 1047: ...bled on the standalone switch or on the stack master Note In addition to IPv4 traffic you can also enable IP Version 6 IPv6 unicast routing and configure interfaces to forward IPv6 traffic if the switch or switch stack is running the IP base or IP services feature set For information about configuring IPv6 on the switch see Chapter 1 Configuring IPv6 Unicast Routing For more detailed IP unicast co...

Page 1048: ...subnetwork is mapped to an individual VLAN Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local However network devices in different VLANs cannot communicate with one another without a Layer 3 device router to route traffic between the VLAN referred to as inter VLAN routing You configure one or more routers to route traffic to the appropriate destination V...

Page 1049: ...r calculating the best routes These protocols are easy to configure and use Routers using link state protocols maintain a complex database of network topology based on the exchange of link state advertisements LSAs between routers LSAs are triggered by an event in the network which speeds up the convergence time or time required to respond to these changes Link state protocols respond quickly to t...

Page 1050: ...rding NSF to detect a switchover to continue forwarding network traffic and to recover route information from peer devices NSF aware routers tolerate neighboring router failures After the neighbor router restarts an NSF aware router supplies information about its state and route adjacencies on request NSF capable routers support NSF When they detect a stack master change they rebuild routing infor...

Page 1051: ...ce Note If the switch is running the LAN base feature set static routes are supported only on SVIs An EtherChannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section o...

Page 1052: ... only assign an IP address to an SVI and configure a static unicast route on the interface Other configurations are not supported Default Addressing Configuration page 1 6 Assigning IP Addresses to Network Interfaces page 1 7 Configuring Address Resolution Methods page 1 10 Routing Assistance When IP Routing is Disabled page 1 12 Configuring Broadcast Packet Handling page 1 15 Monitoring and Maint...

Page 1053: ...s defined or User Datagram Protocol UDP flooding is configured UDP forwarding is enabled on default ports Any local broadcast Disabled Spanning Tree Protocol STP Disabled Turbo flood Disabled IP helper address Disabled IP host Disabled IRDP Disabled Defaults when enabled Broadcast IRDP advertisements Maximum interval between advertisements 600 seconds Minimum interval between advertisements 0 75 t...

Page 1054: ... behavior is enabled on the switch when it is configured to route With classless routing if a router receives packets for a subnet of a network with no default route the router forwards the packet to the best supernet route A supernet consists of contiguous blocks of Class C address spaces used to simulate a single larger address space and is designed to relieve the pressure on the rapidly depleti...

Page 1055: ...s Routing To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible you can disable classless routing behavior Beginning in privileged EXEC mode follow these steps to disable classless routing Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 4 1 128 0 0 0 8 128 20 4 1 IP classless 45749 128 20 0 0 Host 128 20 1 0 128 20 2 0 128 20 3 0 128 20 4 ...

Page 1056: ...RP learns the associated MAC address and then stores the IP address MAC address association in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP Proxy ARP helps hosts with no routin...

Page 1057: ...capsulation By default Ethernet ARP encapsulation represented by the arpa keyword is enabled on an IP interface You can change the encapsulation methods to SNAP if required by your network Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify enc...

Page 1058: ... Discovery Protocol IRDP page 1 13 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 4 end Return to privileged EXEC mode Step 5 show i...

Page 1059: ...s of detecting when the default router has gone down or is unavailable Beginning in privileged EXEC mode follow these steps to define a default gateway router when IP routing is disabled Use the no ip default gateway global configuration command to disable this function ICMP Router Discovery Protocol IRDP Router discovery allows the switch to dynamically learn about routes to other networks using ...

Page 1060: ...th Sun Microsystems Solaris which requires IRDP packets to be sent out as multicasts Many implementations cannot receive these multicasts ensure end host ability before using this command Step 5 ip irdp holdtime seconds Optional Set the IRDP period for which advertisements are valid The default is three times the maxadvertinterval value It must be greater than maxadvertinterval and cannot be great...

Page 1061: ...ou can set the address to be used as the broadcast address Many implementations including the one in the switch support several addressing schemes for forwarding broadcast messages Perform the tasks in these sections to enable these schemes Enabling Directed Broadcast to Physical Broadcast Translation page 1 15 Forwarding UDP Broadcast Packets and Protocols page 1 16 Establishing an IP Broadcast A...

Page 1062: ...s been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 4lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to ...

Page 1063: ...mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 4 exit Return to global configuration mode Step 5 ip forward protocol udp port nd sdns Specify which protocols the router forwards when fo...

Page 1064: ... UDP datagram is given the destination address specified with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address Thus the destination address might change as the datagram propagates through the network The source address is never changed The TTL value is decremented When a flooded UDP datagram is sent out an interface ...

Page 1065: ...d Return to privileged EXEC mode Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 1 2 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the hostname and the address cache clear i...

Page 1066: ... Path Forwarding page 1 91 Configuring Protocol Independent Features page 1 91 optional Configuring RIP The Routing Information Protocol RIP is an interior gateway protocol IGP created for use in small homogeneous networks It is a distance vector routing protocol that uses broadcast User Datagram Protocol UDP data packets to exchange routing information The protocol is documented in RFC 1058 You c...

Page 1067: ...0 0 0 0 network does not exist it is treated by RIP as a network to implement the default routing feature The switch advertises the default network if a default was learned by RIP or if the router has a gateway of last resort and RIP is configured with a default metric RIP sends updates to the interfaces in specified networks If an interface s network is not specified it is not advertised in any R...

Page 1068: ...1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing Required only if IP routing is disabled Step 3 router rip Enable a RIP routing process and enter router configuration mode Step 4 network network number Associate a network with a RIP routing process You can specify multiple network commands RIP routing updates are sent and received through interfaces only on ...

Page 1069: ...e default is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and 2 but sends only Version 1 You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable ...

Page 1070: ...d This feature usually optimizes communication among multiple routers especially when links are broken Note In general disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial up clients use the...

Page 1071: ...rizon Switch config if exit Switch config router rip Switch config router network 10 0 0 0 Switch config router neighbor 2 2 2 2 peer group mygroup Switch config router end Configuring Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing loops Split horizon blocks info...

Page 1072: ...mand Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip address ip address subnet mask Configure the IP address and IP subnet Step 4 no ip split horizon Disable split horizon on the interface Step 5 end Return to privileged EXEC mode Step 6 show ip interface inte...

Page 1073: ...ough any IP routing protocol can be redistributed into another IP routing protocol At the intradomain level this means that OSPF can import routes learned through EIGRP and RIP OSPF routes can also be exported into RIP Plain text and MD5 authentication among neighboring routers within an area is supported Configurable routing interface parameters include interface output cost retransmission interv...

Page 1074: ...d the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF database filter Disabled All outgoing link state advertisements LSAs are flooded to the interface IP OSPF name lo...

Page 1075: ...s all nonlocal traffic to the distribution layer the wiring closet switch need not hold a complete routing table A best practice design where the distribution switch sends a default route to the wiring closet switch to reach interarea and external routes OSPF stub or totally stub area configuration should be used when OSPF for Routed Access is used in the wiring closet For more details see the Hig...

Page 1076: ...F neighbors on the network without resetting the neighbor relationship Reacquire the contents of the link state database for the network After a stack master change the new master sends an OSPF NSF signal to neighboring NSF aware devices A device recognizes this signal to mean that it should not reset the neighbor relationship with the stack As the NSF capable stack master receives signals from ot...

Page 1077: ...ation mode The process ID is an internally used identification parameter that is locally assigned and can be any positive integer Each OSPF routing process has a unique value Note OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 200 dynamically learned routes Step 3 nsf cisco enforce global or nsf ietf restart interval seconds Optional Enable Cisco N...

Page 1078: ...o 65535 seconds The default is 1 second Step 6 ip ospf priority number Optional Set priority to help find the OSPF designated router for a network The range is from 0 to 255 The default is 1 Step 7 ip ospf hello interval seconds Optional Set the number of seconds between hello packets sent on an OSPF interface The value must be the same for all nodes on a network The range is 1 to 65535 seconds Th...

Page 1079: ...gure the ABR to advertise a summary route that covers all networks in the range Note The OSPF area router configuration commands are all optional Beginning in privileged EXEC mode follow these steps to configure area parameters Step 14 show ip ospf neighbor detail Display NSF awareness status of neighbor switch The output matches one of these examples Options is 0x52 LLS Options is 0x1 LR When bot...

Page 1080: ... routing domain Domain Name Server DNS names for use in all OSPF show privileged EXEC command displays makes it easier to identify a router than displaying it by router ID or neighbor ID Default Metrics OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface The metric is calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is s...

Page 1081: ...iguration mode Step 3 summary address address mask Optional Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised Step 4 area area id virtual link router id hello interval seconds retransmit interval seconds trans authentication key key message digest key keyid md5 key Optional Establish a virtual link and set its parameters See the Configuring...

Page 1082: ... If a loopback interface is configured with an IP address OSPF uses this IP address as its router ID even if other interfaces have higher IP addresses Because loopback interfaces never fail this provides greater stability OSPF automatically prefers a loopback interface over other interfaces and it chooses the highest IP address among all loopback interfaces Beginning in privileged EXEC mode follow...

Page 1083: ...pology change to synchronize at the same time Routers that are not affected by topology changes are not involved in recomputations Step 4 end Return to privileged EXEC mode Step 5 show ip interface Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 1 6 Show IP OSPF Statistics Commands Command Purpose show ip ospf...

Page 1084: ...d not be For efficiency reliability is provided only when necessary For example on a multiaccess network that has multicast capabilities such as Ethernet it is not necessary to send hellos reliably to all neighbors individually Therefore EIGRP sends a single multicast hello with an indication in the packet informing the receivers that the packet need not be acknowledged Other types of packets such...

Page 1085: ...efault metric Only connected routes and interface static routes can be redistributed without a default metric The metric includes Bandwidth 0 or greater kb s Delay tens of microseconds 0 or any positive number that is a multiple of 39 1 nanoseconds Reliability any number between 0 and 255 255 means 100 percent reliability Loading effective bandwidth as a number between 0 and 255 255 is 100 percent...

Page 1086: ...SF Awareness for IPv4 When the neighboring router is NSF capable the Layer 3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor RP in a router failing and the backup RP taking over or while the primary RP is manually reloaded for a nondisruptive software upgrade This feature cannot be disabled For more information on this feature...

Page 1087: ... at least one of the stack peer neighbors is NSF aware the stack master receives updates and rebuilds its database Each NSF aware neighbor sends an end of table EOT marker in the last update packet to mark the end of the table content The stack master recognizes the convergence when it receives the EOT marker and it then begins sending updates When the stack master has received all EOT markers fro...

Page 1088: ...it the offset list with an access list or an interface Step 8 no auto summary Optional Disable automatic summarization of subnet routes into network level routes Step 9 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate Step 10 end Return to privileged EXEC mode Step 11 show ip protocols Verify your entries Step 12 show ip protocols Verify your en...

Page 1089: ...djust the hold time without consulting Cisco technical support Step 7 no ip split horizon eigrp autonomous system number Optional Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated Step 8 end Return to privileged EXEC mode Step 9 show ip eigrp interface Display which interfaces EIGRP is active on and information ab...

Page 1090: ... routes are propagated from the switch The switch responds to all queries for summaries connected routes and routing updates Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that peer The stub router depends on the distribution router to send the proper updates to all peers In Figure 1...

Page 1091: ...e up of routers that operate under the same administration and that run Interior Gateway Protocols IGPs such as RIP or OSPF within their boundaries and that interconnect by using an Exterior Gateway Protocol EGP BGP Version 4 is the standard EGP for interdomain routing in the Internet The protocol is defined in RFCs 1163 1267 and 1771 You can find detailed information about BGP in Internet Routing...

Page 1092: ...l TCP as its transport protocol specifically port 179 Two BGP speakers that have a TCP connection to each other for exchanging routing information are known as peers or neighbors In Figure 1 5 Routers A and B are BGP peers as are Routers B and C and Routers C and D The routing information is a series of AS numbers that describe the full path to the destination network BGP uses this information to ...

Page 1093: ...es within BGP and supports the advertising of IP prefixes These sections contain this configuration information Default BGP Configuration page 1 47 Enabling BGP Routing page 1 50 Managing Routing Policy Changes page 1 52 Configuring BGP Decision Attributes page 1 54 Configuring BGP Filtering with Route Maps page 1 56 Configuring BGP Filtering by Neighbor page 1 56 Configuring Prefix Lists for BGP ...

Page 1094: ...ng Disabled by default When enabled Half life is 15 minutes Re use is 750 10 second increments Suppress is 2000 10 second increments Max suppress time is 4 times half life 60 minutes BGP router ID The IP address of a loopback interface if one is configured or the highest IP address configured for a physical interface on the router Default information originate protocol or network redistribution Di...

Page 1095: ...op router as next hop for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attributes None sent to neighbors Shutdown or soft reconfiguration Not enabled Timers keepalive 60 seconds holdtime 180 ...

Page 1096: ... passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS will be passing traffic through it from another AS to a third AS it is important to be consistent about the routes it advertises If BGP advertised a route before all routers in the network had learned about the route through the IGP the AS might receive traffic that some routers could no...

Page 1097: ...onnection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name remove private as Optional Remove private AS numbers from the AS path in outbound routing updates Step 7 no synchronization Optional Disable synchronization between BGP and an IGP Step 8 no auto summary Optional Disable automatic network summarization By default when a su...

Page 1098: ...crements A table version number that continually increments means that a route is flapping causing continual routing updates For exterior protocols a reference to an IP network from the network router configuration command controls only which networks are advertised This is in contrast to Interior Gateway Protocols IGPs such as EIGRP which also use the network command to specify where to send upda...

Page 1099: ...P and FIB tables provided by the neighbor are lost Not recommended Outbound soft reset No configuration no storing of routing table updates Does not reset inbound routing table updates Dynamic inbound soft reset Does not clear the BGP session and cache Does not require storing of routing table updates and has no memory overhead Both BGP routers must support the route refresh capability in Cisco IO...

Page 1100: ... routing updates By default the weight attribute is 32768 for paths that the router originates and zero for other paths Routes with the largest weight are preferred You can use access lists route maps or the neighbor weight router configuration command to set weights 3 Prefer the route with the highest local preference Local preference is part of the routing update and exchanged among routers in t...

Page 1101: ...nge is 1 to 4294967295 The lowest value is the most desirable Step 7 bgp bestpath med missing as worst Optional Configure the switch to consider a missing MED as having a value of infinity making the path without a MED value the least desirable path Step 8 bgp always compare med Optional Configure the switch to compare MEDs for paths from neighbors in different autonomous systems By default MED co...

Page 1102: ...nd Processing in Routing Updates section on page 1 104 for information about the distribute list command You can use route maps on a per neighbor basis to filter updates and to modify various attributes A route map can be applied to either inbound or outbound updates Only the routes that pass the route map are sent or accepted in updates On both inbound and outbound updates matching is supported b...

Page 1103: ... Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enable a BGP routing process assign it an AS number and enter router configuration mode Step 3 neighbor ip address peer group name distribute list access list number name in out Optional Filter BGP routing updates to or from neighbors as specified in an access list Note You can also use the neigh...

Page 1104: ...eed to specify a sequence number when removing a configuration entry Show commands include the sequence numbers in their output Before using a prefix list in a command you must set up the prefix list Beginning in privileged EXEC mode follow these steps to create a prefix list or to add an entry to a prefix list To delete a prefix list and all of its entries use the no ip prefix list list name glob...

Page 1105: ...ccept prefer or distribute to other neighbors A BGP speaker can set append or modify the community of a route when learning advertising or redistributing routes When routes are aggregated the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes You can use community lists to create groups of communities to use in a match clause of a route map As...

Page 1106: ... all the configuration information by using the neighbor shutdown router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 5 set comm list list num delete Optional Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map Step 6 exit Return to global...

Page 1107: ...he default is 75 percent Step 14 neighbor ip address peer group name next hop self Optional Disable next hop processing on the BGP updates to a neighbor Step 15 neighbor ip address peer group name password string Optional Set MD5 authentication on a TCP connection to a BGP peer The same password must be configured on both BGP peers or the connection between them is not made Step 16 neighbor ip add...

Page 1108: ...ommand Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS and the atomic aggregate attribute is set to indicate that information might be missing Step 4...

Page 1109: ... to all internal neighbors To prevent a routing information loop all IBGP speakers must be connected The internal neighbors do not send routes learned from internal neighbors to other internal neighbors With route reflectors all IBGP speakers need not be fully meshed because another method is used to pass learned routes to neighbors When you configure an internal BGP peer to be a route reflector i...

Page 1110: ... available then unavailable then available then unavailable and so on When route dampening is enabled a numeric penalty value is assigned to a route when it flaps When a route s accumulated penalties reach a configurable limit BGP suppresses advertisements of the route even if the route is running The reuse limit is a configurable value that is compared with the penalty If the penalty is less than...

Page 1111: ...Protocols Release 12 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 bgp dampening Enable BGP route dampening Step 4 bgp dampening half life reuse suppress max suppress route map map Optional Change the default values of route dampening factors Step 5 end Return to privileged EXEC mode Step 6...

Page 1112: ...s not in peer groups to which the prefix has been advertised Also display prefix attributes such as the next hop and the local prefix show ip bgp cidr only Display all BGP routes that contain subnet and supernet network masks show ip bgp community community number exact Display routes that belong to the specified communities show ip bgp community list community list number exact match Display rout...

Page 1113: ...nce of the IS IS routing process Small IS IS networks are built as a single area that includes all the routers in the network As the network grows larger it is usually reorganized into a backbone area made up of the connected set of all Level 2 routers from all areas which is in turn connected to local areas Within a local area routers know how to reach all system IDs Between areas routers know ho...

Page 1114: ...00 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before t he LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF Awareness1 1 NSF Nonstop Forwarding Enabled2 Allows Layer 3 switches to continue forwarding packets from a neighboring NSF capable router during hardware or software changes 2 IS IS NSF awa...

Page 1115: ...outing on the switch Step 3 router isis area tag Enable the IS IS routing for the specified routing process and enter IS IS routing configuration mode Optional Use the area tag argument to identify the area to which the IS IS router is assigned You must enter a value if you are configuring multiple IS IS areas The first IS IS instance configured is Level 1 2 by default Later instances are automati...

Page 1116: ...1 0000 0000 000b 00 Switch config router exit Switch config interface gigabitethernet1 0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet1 0 2 Switch config if ip router isis Switch config if clns router isis Switch config router exit Router C Switch config clns routing Switch config router isis Switch config router net 49 0001 0000 0000 0...

Page 1117: ...work has a maximum transmission unit MTU size of less than 1500 bytes you can lower the LSP MTU so that routing will still occur The partition avoidance router configuration command prevents an area from becoming partitioned when full connectivity is lost among a Level1 2 border router adjacent Level 1 routers and end hosts Beginning in privileged EXEC mode follow these steps to configure IS IS pa...

Page 1118: ...he default is to send LSP refreshes every 900 seconds 15 minutes Step 11 max lsp lifetime seconds Optional Set the maximum time that LSP packets remain in the router database without being refreshed The range is from 1 to 65535 seconds The default is 1200 seconds 20 minutes After the specified time interval the LSP packet is deleted Step 12 lsp gen interval level 1 level 2 lsp max wait lsp initial...

Page 1119: ...er hello packet before declaring the neighbor down This determines how quickly a failed link or neighbor is detected so that routes can be recalculated Change the hello multiplier in circumstances where hello packets are lost Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum interval in se...

Page 1120: ...se Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode If the interface is not already configured as a Layer 3 interface enter the no switchport command to put it into Layer 3 mode Step 3 isis metric default metric level 1 level 2 Optional Configure the metric or cost for the specified...

Page 1121: ...mber of milliseconds between packets at which IS IS LSPs will be re sent on point to point links The range is from 0 to 65535 The default is determined by the isis lsp interval command Step 9 isis priority value level 1 level 2 Optional Configure the priority to use for designated router election The range is from 0 to 127 The default is 64 Step 10 isis circuit type level 1 level 1 2 level 2 only ...

Page 1122: ...clear clns route Remove dynamically derived CLNS routing information show clns Display information about the CLNS network show clns cache Display the entries in the CLNS routing cache show clns es neighbors Display ES neighbor entries including the associated areas show clns filter expr Display filter expressions show clns filter set Display filter sets show clns interface interface id Display the...

Page 1123: ...ices Customer edge CE devices provide customers access to the service provider network over a data link to one or more provider edge routers The CE device advertises the site s local routes to the router and learns the remote VPN routes from it A Catalyst 3750 X or 3560 X switch can be a CE Provider edge PE routers exchange routing information with CE devices by using static routing or a routing p...

Page 1124: ...h are used to distinguish the VRFs during processing For each new VPN route learned the Layer 3 setup function retrieves the policy label by using the VLAN ID of the ingress port and inserts the policy label and new route to the multi VRF CE routing section If the packet is received from a routed port the port internal VLAN ID number is used if the packet is received from an SVI the VLAN number is...

Page 1125: ... services or advanced IP services feature set enabled on your switch A switch with multi VRF CE is shared by multiple customers and each customer has its own routing table Because customers use different VRF tables the same IP addresses can be reused Overlapped IP addresses are allowed in different VPNs Multi VRF CE lets multiple customers share the same physical link between the PE and the CE Tru...

Page 1126: ... enabled on an interface and the reverse Configuring VRFs Beginning in privileged EXEC mode follow these steps to configure one or more VRFs For complete syntax and usage information for the commands see the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 i...

Page 1127: ...he user can ping a host in a user specified VRF ARP entries are learned in separate VRFs The user can display Address Resolution Protocol ARP entries for specific VRFs These services are VRF Aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Unicast Reverse Path Forwarding uRPF Syslog Traceroute FTP and TFTP Note The switch does not support VRF aware services f...

Page 1128: ...ease 12 4 Command Purpose ping vrf vrf name ip host Display the ARP table in the specified VRF Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server trap authentication vrf Enable SNMP traps for packets on a VRF Step 3 snmp server engineID remote host vrf vpn instance engine id string Configure a name for the remote SNMP engine on a switch Step 4 snmp server ...

Page 1129: ...mation for the commands refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 4 Step 6 standby 1 ip ip address Enable HSRP and configure the virtual IP address Step 7 end Return to privileged EXEC mode Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter inter...

Page 1130: ...icular interface even if no VRF is configured on that interface To specify the source IP address for FTP connections use the ip ftp source interface show mode command To use the address of the interface where the connection is made use the no form of this command To specify the IP address of an interface as the source address for TFTP connections use the ip tftp source interface show mode command ...

Page 1131: ...ode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and an arbitrary number A B C D y Step 5 route target export import both route target ext community Create a list of import export or import and export route target communities for the specified VRF Enter either an AS system number and an...

Page 1132: ...efine a network address and mask on which OSPF runs and the area ID for that network address Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp au...

Page 1133: ...ration Example Configuring Switch A On Switch A enable routing and configure VRF Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config ip vrf v11 Switch config vrf rd 800 1 Switch config vrf route target export 800 1 Switch config vrf route target import 800 1 Switch config vrf exit Switch config ip vrf v12 Switch config vrf rd 8...

Page 1134: ...n Switch A VLAN 10 is used by VRF 11 between the CE and the PE VLAN 20 is used by VRF 12 between the CE and the PE VLANs 118 and 208 are used for the VPNs that include Switch F and Switch D respectively Switch config interface vlan10 Switch config if ip vrf forwarding v11 Switch config if ip address 38 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan20 Switch config if ip vrf...

Page 1135: ...gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 208 0 0 20 255 255 255 0 Switch config if exit Switch config router ospf 101 Switch config router network 208 0 0 0 0 0 0 255 area 0 Switch config router end Configuring Switch F Switch F belongs to VPN 2 Configure the connection to Switch A by using these commands Switch configure terminal Enter configuration commands...

Page 1136: ...capsulation dot1q 20 Router config if ip vrf forwarding v2 Router config if ip address 83 0 0 3 255 255 255 0 Router config if exit Router config router bgp 100 Router config router address family ipv4 vrf v2 Router config router af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af network 3 3 2 0 mask 255 255 255 0 Router config router af e...

Page 1137: ...the Other Security Features chapter in the Cisco IOS Security Configuration Guide Release 12 4 Configuring Protocol Independent Features This section describes how to configure IP routing protocol independent features These features are available on switches running the IP base or the IP services feature set except that with the IP base feature set protocol related features are available only for ...

Page 1138: ...or dCEF forwarding applies only to the software forwarding path that is traffic that is forwarded by the CPU CEF or distributed CEF is enabled globally by default If for some reason it is disabled you can re enable it by using the ip cef or ip cef distributed global configuration command The default configuration is CEF or dCEF enabled on all Layer 3 interfaces Entering the no ip route cache cef i...

Page 1139: ...o change the maximum number of parallel paths installed in a routing table from the default Use the no maximum paths router configuration command to restore the default value Step 7 show cef linecard detail or show cef linecard slot number detail Display CEF related interface information on a Catalyst 3560 X switch or Display CEF related interface information on a Catalyst 3750 X switch by stack m...

Page 1140: ...ve distance values Each dynamic routing protocol has a default administrative distance as listed in Table 1 16 If you want a static route to be overridden by information from a dynamic routing protocol set the administrative distance of the static route higher than that of the dynamic protocol Static routes that point to an interface are advertised through RIP IGRP and other dynamic routing protoc...

Page 1141: ...ating the default for a network also might need a default of its own One way a router can generate its own default is to specify a static route to the network 0 0 0 0 through the appropriate device Beginning in privileged EXEC mode follow these steps to define a static route to a network as the static default route Use the no ip default network network number global configuration command to remove...

Page 1142: ...ommands nothing is done other than the match Therefore you need at least one match or set command Note A route map with no set route map configuration commands is sent to the CPU which could cause high CPU utilization You can also identify route map statements as permit or deny If the statement is marked as a deny the packets meeting the match criteria are sent back through the normal forwarding c...

Page 1143: ... access list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 Step 6 match metric metric value Match the specified route metric The metric value can be an EIGRP metric with a specified value from 0 to 4294967295 Step 7 match ip next hop access list number access list name access list number access list name Match a next hop ro...

Page 1144: ...outes for EIGRP only bandwidth Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 and 255 where 255 means 100 percent reliability and 0 means no reliability loading Effective bandwidth of the rou...

Page 1145: ...nt routing policies that allow or deny paths based on Identity of a particular end system Application Protocol You can use PBR to provide equal access and source sensitive routing routing based on interactive versus batch traffic or routing based on dedicated links For example you could transfer stock records to a corporate office on a high bandwidth high cost link for a short time while transmitt...

Page 1146: ...details about PBR commands and keywords see the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 4 For a list of PBR commands that are visible but not supported by the switch see Appendix 1 Unsupported Commands in Cisco IOS Release 15 0 2 SE and Later PBR configuration is applied to the whole stack and all switches use the stack master configuration Note This software rele...

Page 1147: ...tion maps and PBR route maps to the same interface You cannot configure DSCP transparency and PBR DSCP route maps on the same switch When you configure PBR with QoS DSCP you can set QoS to be enabled by entering the mls qos global configuration command or disabled by entering the no mls qos command When QoS is enabled to ensure that the DSCP value of the traffic is unchanged you should configure D...

Page 1148: ...ed by one or more standard or extended access lists Note Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address If you do not specify a match command the route map applies to all packets Step 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set next hop to which to route the packet the next hop must ...

Page 1149: ...sent nor received through the specified router interface In networks with many interfaces to avoid having to manually set them as passive you can set all interfaces to be passive by default by using the passive interface default router configuration command and manually setting interfaces where adjacencies are desired Beginning in privileged EXEC mode follow these steps to configure passive interf...

Page 1150: ...XEC mode follow these steps to control the advertising or processing of routing updates Use the no distribute list in router configuration command to change or cancel a filter To cancel suppression of network advertisements in updates use the no distribute list out router configuration command Filtering Sources of Routing Information Because some routing information might be more accurate than oth...

Page 1151: ...configuration command which is stored locally The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 MD5 authentication key in use You can configure multiple keys with life times Only one authentication packet is sent regardless of how many valid keys exist The software examines the key numbers in or...

Page 1152: ...e key can be received The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 6 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be ...

Page 1153: ...nitoring and Maintaining the IP Network show ip route supernets only Display supernets show ip cache Display the routing table used to switch IP traffic show route map map name Display all route maps configured or only the one specified Table 1 17 Commands to Clear IP Routes or Display Route Status continued Command Purpose ...

Page 1154: ...1 108 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 1155: ...upport only IPv6 host functionality Unless otherwise noted the term switch refers to a Catalyst 3750 X or 3560 X standalone switch and to a Catalyst 3750 X switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists of these sections Understanding IPv6 section on page 1 1 Config...

Page 1156: ...n the format n n n n n n n n This is an example of an IPv6 address 2031 0000 130F 0000 0000 09C0 080F 130B For easier implementation leading zeros in each field are optional This is the same address without leading zeros 2031 0 130F 0 0 9C0 80F 130B You can also use two colons to represent successive hexadecimal fields of zeros but you can use this short version only once in each address 2031 0 13...

Page 1157: ...s The switch supports aggregatable global unicast addresses and link local unicast addresses It does not support site local unicast addresses Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix The address structure enables strict aggregation of routing prefixes and limits the number of routing table entries in the global routing table These address...

Page 1158: ...ocess uses ICMP messages and solicited node multicast addresses to determine the link layer address of a neighbor on the same network local link to verify the reachability of the neighbor and to keep track of neighboring routers The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits ICMP redirect is not supported for host routes or for summarized routes with mask length...

Page 1159: ...y that enables most of the features available with FHS in IPv6 For more information see the Configuring an IPv6 Snooping Policy section on page 1 20 IPv6 First Hop Security Binding Table A database table of IPv6 neighbors connected to the switch is created from multiple sources of information For example Neighbor Discovery Protocol NDP snooping and Dynamic Host Configuration Protocol DHCP snooping...

Page 1160: ... table requires re resolution SEARCH The feature creating the entry does not have the L2 address and requests the binding table to search for the L2 address VERIFY The L2 and Layer 3 L3 addresses are known and a duplicate address detection DAD Neighbor solicitation NS unicast message is sent to the L2 and L3 destinations to verify the addresses DOWN The interface from which the entry was learnt is...

Page 1161: ...tch on regular basis in order to revoke network access privileges as they become inactive IPv6 Port Based Access List Support The IPv6 port based access lists PACL feature provides the ability to provide access control permit or deny on L2 switch ports for IPv6 traffic IPv6 PACLs are similar to IPv4 PACLs which provide access control on L2 switch ports for IPv4 traffic With Catalyst 3750 E 3750X 3...

Page 1162: ...eived on ports that are not explicitly configured as facing a DHCP server or DHCP relay To use this feature configure a policy and attach it to a DHCP guard To debug DHCP guard packets use the debug ipv6 snooping dhcp guard privileged EXEC command IPv6 Source Guard A source guard programs the hardware to allow or deny traffic based on source or destination addresses It deals exclusively with data ...

Page 1163: ...unknown or suspect For reachable or probably reachable routers NDP can either select the same router every time or cycle through the router list By using DRP you can configure an IPv6 host to prefer one router over another provided both are reachable or probably reachable For more information about DRP for IPv6 see the Implementing IPv6 Addresses and Basic Connectivity chapter in the Cisco IOS IPv...

Page 1164: ...Pv6 packets are not supported In dual IPv4 and IPv6 environments the switch routes both IPv4 and IPv6 packets and applies IPv4 QoS in hardware The switch supports QoS for both IPv4and IPv6 traffic If you do not plan to use IPv6 do not use the dual stack template because this template results in less hardware memory capacity for each resource For more information about IPv4 and IPv6 protocol stacks...

Page 1165: ...functions see the Implementing DHCP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Static Routes for IPv6 Static routes are manually configured and define an explicit route between two networking devices Static routes are useful for smaller networks with only one path to an outside network or to provide security for certain types of traffic in a larger network For more i...

Page 1166: ...isticated SPF and LSA rate limiting method can react quickly to changes and also provide stability and protection during prolonged periods of instability For more information see the Implementing OSPFv3 chapter of the Cisco IOS IPv6 Configuration Library on Cisco com Authentication Support with IPsec To ensure that OSPF for IPv6 OSPFv3 packets are not altered and resent to the switch OSPFv3 packet...

Page 1167: ...gement requires both IPv6 and IPv4 transports Syslog over IPv6 supports address data types for these transports SNMP and syslog over IPv6 provide these features Support for both IPv4 and IPv6 IPv6 transport for SNMP and to modify the SNMP agent to support traps for an IPv6 host SNMP and syslog related MIBs to support IPv6 addressing Configuration of IPv6 hosts as trap receivers For support over IP...

Page 1168: ...S IS routing IPv6 packets destined to site local addresses Tunneling protocols such as IPv4 to IPv6 or IPv6 to IPv4 The switch as a tunnel endpoint supporting IPv4 to IPv6 or IPv6 to IPv4 tunneling protocols IPv6 unicast reverse path forwarding IPv6 general prefixes Limitations Because IPv6 is implemented in switch hardware some limitations occur due to the IPv6 compressed addresses in the hardwar...

Page 1169: ...ceive the tables and create hardware IPv6 routes for forwarding The stack master also runs all IPv6 applications Note To route IPv6 packets in a stack all switches in the stack should be running the IP services feature set If a new switch becomes the stack master it recomputes the IPv6 routing tables and distributes them to the member switches While the new stack master is being elected and is res...

Page 1170: ...ng DHCP for IPv6 Address Assignment page 1 26 Configuring IPv6 ICMP Rate Limiting page 1 30 Configuring CEF and dCEF for IPv6 page 1 30 Configuring Static Routing for IPv6 page 1 31 Configuring RIP for IPv6 page 1 32 Configuring OSPF for IPv6 page 1 33 Tuning LSA and SPF Timers for OSPFv3 Fast Convergence page 1 35 Configuring LSA and SPF Throttling for OSPFv3 Fast Convergence page 1 35 Configurin...

Page 1171: ...ed node multicast group FF02 0 0 0 0 1 ff00 104 for each unicast address assigned to the interface this address is used in the neighbor discovery process all nodes link local multicast group FF02 1 all routers link local multicast group FF02 2 For more information about configuring IPv6 routing see the Implementing Addressing and Basic Connectivity for IPv6 chapter in the Cisco IOS IPv6 Configurat...

Page 1172: ...s with an extended unique identifier EUI in the low order 64 bits of the IPv6 address Specify only the network prefix the last 64 bits are automatically computed from the switch MAC address This enables IPv6 processing on the interface Manually configure an IPv6 address on the interface Specify a link local address on the interface to be used instead of the link local address that is automatically...

Page 1173: ...otocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2F D940 Global unicast address es 2001 0DB8 c18 1 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 mil...

Page 1174: ...owed per target Optional no Negates a command or set its defaults Optional protocol all dhcp ndp Specifies which protocol should be redirected to the snooping feature for analysis The default is all To change the default use the no protocol command Optional security level glean guard inspect Specifies the level of security enforced by the feature glean Gleans addresses from messages and populates ...

Page 1175: ...ion Step 6 show ipv6 neighbors binding Displays the binding table entries populated by the snooping policy Action or Command Purpose Step 1 enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Enters the global configuration mode Step 3 ipv6 dhcp guard policy policy name Creates a policy in global configuration mode and enters the DHCP guard policy global c...

Page 1176: ...uration vlan id Attaches the DHCP guard policy to an interface or VLAN Step 8 show ipv6 dhcp guard policy policy name Displays the DHCP guard policy configuration Action or Command Purpose Step 1 enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Enters the global configuration mode Step 3 ipv6 source guard policy policy name Specifies the source guard po...

Page 1177: ...6 snooping limit address count 1 Switch config ipv6 snooping protocol dhcp Switch config ipv6 snooping security level glean Switch config ipv6 snooping tracking enable Switch config ipv6 snooping no trusted port Switch config ipv6 snooping exit This example shows you how to configure snooping policy Test enable data address gleaning on the policy and enable source guard where link local addresses ...

Page 1178: ...per your needs If you enable the feature without creating a policy then the default policy configuration is applied Switch config interface GigabitEthernet1 0 9 Switch config if ipv6 nd inspection Switch config if ipv6 nd raguard Switch config if ipv6 snooping Switch config if ipv6 dhcp guard Switch config if ipv6 source guard Switch config if end OR Switch config vlan configuration 1 Switch confi...

Page 1179: ...must reload the switch by using the reload privileged EXEC command so that the template takes effect Beginning in privileged EXEC mode follow these steps to configure a Layer 3 interface to support both IPv4 and IPv6 and to enable IPv6 routing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Lay...

Page 1180: ...e fastethernet1 0 11 Switch config if no switchport Switch config if ip address 192 168 99 1 244 244 244 0 Switch config if ipv6 address 2001 0DB8 c18 1 64 eui 64 Switch config if end Configuring DHCP for IPv6 Address Assignment Default DHCPv6 Address Assignment Configuration page 1 27 DHCPv6 Address Assignment Configuration Guidelines page 1 27 Enabling DHCPv6 Server Function page 1 27 Enabling D...

Page 1181: ...n there is a stack master re election the new master switch retains the DHCPv6 configuration However the local RAM copy of the DHCP server database lease information is not retained Enabling DHCPv6 Server Function Beginning in privileged EXEC mode follow these steps to enable the DHCPv6 server function on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2...

Page 1182: ...suboption parameters Step 7 exit Return to DHCP pool configuration mode Step 8 exit Return to global configuration mode Step 9 interface interface id Enter interface configuration mode and specify the interface to configure Step 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable DHCPv6 server function on an interface poolname Optional User defined name for the I...

Page 1183: ...isable the DHCPv6 client function use the no ipv6 address dhcp interface configuration command To remove the DHCPv6 client request use the no ipv6 address dhcp client request interface configuration command This example shows how to acquire an IPv6 address and to enable the rapid commit option Switch config interface gigabitethernet2 0 1 Switch config if ipv6 address dhcp rapid commit This documen...

Page 1184: ...lt but automatically enabled when you configure IPv6 routing To route IPv6 unicast packets you must first globally configure forwarding of IPv6 unicast packets by using the ipv6 unicast routing global configuration command and you must configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command To disable IPv6 CEF or distributed CEF use t...

Page 1185: ...precede the decimal value ipv6 address The IPv6 address of the next hop that can be used to reach the specified network The IPv6 address of the next hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be in the form documented in RFC 2373 specified in hexadecimal using 16 bit values between colons interface id Specify di...

Page 1186: ...e id recursive detail or show ipv6 route static updated Verify your entries by displaying the contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be used with or ...

Page 1187: ... the defaults might adversely affect OSPF for the IPv6 network Before you enable IPv6 OSPF on an interface you must enable routing by using the ip routing global configuration command enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command and enable IPv6 on Layer 3 interfaces on which you are enabling IPv6 OSPF Step 7 ipv6 rip name default information ...

Page 1188: ...ional Set the address range status to advertise and generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the shortest path...

Page 1189: ... Implementing OSPFv3 chapter of the Cisco IOS IPv6 Configuration Library on Cisco com Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 ipv6 router ospf process id Enables OSPFv3 router configuration mode Step 3 timers lsa arrival milliseconds Sets the minimum interval at which the software accepts the same LSA from OSPFv3 neighbors Step 4 timers pacing flood millis...

Page 1190: ...icit router ID use the show ipv6 eigrp command to see the configured router IDs and then use the router id command As with EIGRP IPv4 you can use EIGRPv6 to specify your EIGRP IPv4 interfaces and to select a subset of those as passive interfaces Use the passive interface default command to make all interfaces passive and then use the no passive interface command on selected interfaces to make them...

Page 1191: ...obal configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to specify the standby version Step 3 standby version 1 2 Enter 2 to change the HSRP version The default is 1 Step 4 end Return to privileged EXEC mode Step 5 show standby Verify the configuration Step 6 copy running config startup config Optional Save your ent...

Page 1192: ...mpt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional delay Set to cause the local router to postpone taking over the active role for the shown number of seconds The range is 0 to 3600 1 hour The default is 0 no delay before taking over Optional rel...

Page 1193: ... IPv6 static routes show ipv6 traffic Display IPv6 traffic statistics Table 1 3 Commands for Displaying EIGRP IPv6 Information Command Purpose show ipv6 eigrp as number interface Displays information about interfaces configured for EIGRP IPv6 show ipv6 eigrp as number neighbor Displays the neighbors discovered by EIGRP IPv6 show ipv6 eigrp as number traffic Displays the number of EIGRP IPv6 packet...

Page 1194: ... Global unicast address es 3FFE C000 0 1 20B 46FF FE2F D940 subnet is 3FFE C000 0 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retrans...

Page 1195: ...ents Switch command reference for this release Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 4 http www cisco com en US docs ios 12_2 ipaddr command reference fipras_r html Hot Standby Router Protocol Version 2 feature module http www cisco com en US docs ios 12_3t 12_3t4 feature guide gthsrpv2 html This chapter consists of these sections Understanding HSRP page 1...

Page 1196: ...er is also selected at that time Devices running HSRP send and receive multicast UDP based hello packets to detect router failure and to designate active and standby routers When HSRP is configured on an interface Internet Control Message Protocol ICMP redirect messages are automatically enabled for the interface You can configure multiple Hot Standby groups among switches and switch stacks that a...

Page 1197: ...sive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send hello packets HSRPv2 and CGMP leave processing are no longer mutually exclusive and both can be enabled at the same time HSRPv2 ...

Page 1198: ...ration for Routers A and B establishes two HSRP groups For group 1 Router A is the default active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two routers share the IP traffic load When either router ...

Page 1199: ...delines page 1 6 Enabling HSRP page 1 6 Configuring HSRP Priority page 1 8 Configuring MHSRP page 1 10 Configuring HSRP Authentication and Timers page 1 10 Enabling HSRP Support for ICMP Redirect Messages page 1 12 Configuring HSRP Groups and Clustering page 1 12 Troubleshooting HSRP for Mixed Stacks of Catalyst 3750 X 3750 E and 3750 Switches page 1 12 Default HSRP Configuration Table 1 1 Default...

Page 1200: ...witches HSRP for IPv4 and HSRP for IPv6 are mutually exclusive You cannot enable both at the same time HSRP groups can be configured up to 32 instances Configure only one instance of a First Hop Redundancy Protocol FHRP The switches support HSRPv1 HSRPv2 and HSRP for IPv6 When configuring group numbers for HSRPv2 and HSRP you must use group numbers in ranges that are multiples of 256 Valid ranges ...

Page 1201: ...rsion on the interface 1 Select HSRPv1 2 Select HSRPv2 If you do not enter this command or do not specify a keyword the interface runs the default HSRP version HSRP v1 Step 4 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP is being enabled The range is 0 to 25...

Page 1202: ...andby priority of the configured device For each interface configured for hot standby you can configure a separate list of interfaces to be tracked The standby track interface priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down When the interface comes back up the priority is incremented by the same amount When multip...

Page 1203: ... range is 0 to 36000 seconds 1 hour the default is 0 no delay before taking over Optional delay reload Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown The range is 0 to 36000 seconds 1 hour the default is 0 no delay before taking over after a reload Optional delay sync Set to cause the local router to postpone taking over the act...

Page 1204: ...priority 110 Switch config if standby 1 preempt Switch config if standby 2 ip 10 0 0 4 Switch config if standby 2 preempt Switch config if end Router B Configuration Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if no switchport Switch config if ip address 10 0 0 2 255 255 255 0 Switch config if standby 1 ip 10 0 0 3 Switch config if standby 1 preempt Switch ...

Page 1205: ... no switchport Switch config if standby 1 ip Switch config if standby 1 timers 5 15 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to set authentication Step 3 standby group number authentication string Optional authentication string Enter ...

Page 1206: ...ch and routing redundancy If you create a cluster with the same HSRP standby group name without entering the routing redundancy keyword HSRP standby routing is disabled for the group This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy The command can only be executed on the cluster command...

Page 1207: ...tandby virtual mac address is 0000 0c07 ac01 Name is bbb VLAN1 Group 100 Local state is Active priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 262 Hot standby IP address is 172 20 138 51 configured Active router is local Standby router is unknown expired Standby virtual mac address is 0000 0c07 ac64 Name is test Configuring VRRP VRRP is an election protocol that dynami...

Page 1208: ...1 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring HSRP and VRRP Configuring VRRP ...

Page 1209: ...t 3750 X or 3560 X standalone switch and to a Catalyst 3750 X switch stack Beginning with Cisco IOS 12 2 58 SE the switch also supports the Built in Traffic Simulator using Cisco IOS IP SLAs video operations to generate synthetic traffic for a variety of video applications such as Telepresence IPTV and IP video surveillance camera You can use the simulator tool for network assessment before deploy...

Page 1210: ...to best reflect the metrics that an end user is likely to experience IP SLAs collects a unique subset of these performance metrics Delay both round trip and one way Jitter directional Packet loss directional Packet sequencing packet ordering Path per hop Connectivity directional Server or website download time Because Cisco IOS IP SLAs is SNMP accessible it can also be used by performance monitori...

Page 1211: ... operation it responds with time stamp information for the source to make the calculation on performance metrics An IP SLAs operation performs a network measurement from the source device to a destination in the network using a specific protocol such as UDP Figure 1 1 Cisco IOS IP SLAs Operation To implement IP SLAs network performance measurement you need to perform these tasks 1 Enable the IP SL...

Page 1212: ...res MD5 authentication for control messages is available for added security You do not need to enable the responder on the destination device for all IP SLAs operations For example a responder is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operatio...

Page 1213: ...h SNMP The pending state is also used when an operation is a reaction threshold operation waiting to be triggered You can schedule a single IP SLAs operation or a group of operations at one time You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON MIB Scheduling the operations to run at evenly distributed times allows you to control th...

Page 1214: ...ng other operations see he Cisco IOS IP SLAs Configuration Guide http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html This section includes this information Default Configuration page 1 6 Configuration Guidelines page 1 6 Configuring the IP SLAs Responder page 1 7 Analyzing IP Service Levels by Using the UDP Jitter Operation page 1 8 Analyzing IP Service Levels by ...

Page 1215: ...m jitter Type of Operation to Perform pathEcho Type of Operation to Perform pathJitter Type of Operation to Perform tcpConnect Type of Operation to Perform udpEcho IP SLAs low memory water mark 21741224 Configuring the IP SLAs Responder The IP SLAs responder is available only on Cisco IOS software based devices including some Layer 2 switches that do not support full IP SLAs functionality such as ...

Page 1216: ...operations measure this data Per direction jitter source to destination and destination to source Per direction packet loss Per direction delay one way delay Round trip delay average round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurring in the n...

Page 1217: ... from 1 to 65535 Optional source ip ip address hostname Specify the source IP address or hostname When a source IP address or hostname is not specified IP SLAs chooses the IP address nearest to the destination Optional source port port number Specify the source port number in the range from 1 to 65535 When a port number is not specified IP SLAs chooses an available port Optional control Enable or ...

Page 1218: ...onfigure the scheduling parameters for an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter t...

Page 1219: ...The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing and the two methods result in the same response times Note This operation does not require the IP SLAs responder to be enabled Beginning in privileged EXEC mode follow these steps to configure an ICMP echo operation on the source device Command Purpose Step 1 configure terminal Enter global configuration mode ...

Page 1220: ...vidual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notation and ...

Page 1221: ... including all defaults for all IP SLAs operations or a specific operation show ip sla enhanced history collection statistics distribution statistics entry number Display enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Display IP SLAs automatic Ethernet co...

Page 1222: ...1 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations ...

Page 1223: ...ommand Reference http www cisco com en US docs ios fnetflow command reference fnf_book html Note Not all of the Flexible NetFlow commands in the command reference are available on the switch Unsupported commands are either not visible or generate an error message if entered Understanding Flexible NetFlow With Flexible NetFlow traffic is processed and packets are classified into flows New flows are...

Page 1224: ...flow records ISL Policy based NetFlow Cisco TrustSec monitoring Although other modules that can be installed in the Catalyst 3750 X and 3560 X have 1 Gigabit and 10 Gigabit uplink interfaces NetFlow is supported only on the network services module Configuring Flexible NetFlow These are some basic Flexible NetFlow configurations Configuring a Customized Flow Record page 1 2 Configuring the Flow Exp...

Page 1225: ...ning in privileged EXEC mode follow these steps to configure the customized flow record Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 flow record record name Creates a flow record and enters Flexible NetFlow flow record configuration mode You can also use this command to modify an existing flow record Step 3 description description Optional Creates a description...

Page 1226: ...ch transport source port match transport destination port collect interface input snmp collect interface output snmp collect counter flows collect counter bytes collect counter packets collect timestamp sys uptime first collect timestamp sys uptime last flow record L2L4ipv6 Description User defined No of users 1 Total field space 81 bytes Fields match datalink mac source address match datalink mac...

Page 1227: ...e Specifies the IP address or hostname of the destination system for the exporter Step 5 dscp dscp Optional Configures differentiated services code point DSCP parameters for datagrams sent by the exporter The DSCP range is from 0 to 63 The default is 0 Step 6 source interface id Optional Specifies the local interface from which the exporter uses the IP address as the source IP address for exported...

Page 1228: ...mmand Purpose Step 1 configure terminal Enters global configuration mode Step 2 flow monitor monitor name Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode You can also use this command to modify an existing flow monitor Step 3 description description Optional Configures a description for the flow monitor Step 4 record record name Specifies the record for the flow ...

Page 1229: ...eout 1800 secs 1800 secs Update Timeout 1800 secs Applying a Flow Monitor to an Interface Beginning in privileged EXEC mode follow these steps to apply a NetFlow monitor to an interface Step 8 Repeat step 5 to configure additional exporters Step 9 end Returns to privileged EXEC mode Step 10 show running config flow monitor monitor name Optional Verifies the flow monitor configuration Step 11 show ...

Page 1230: ...nter in records matching IPv4 IP addresses ipv6 Enter in records matching IPv6 IP addresses Note This keyword is visible only when the dual IPv4 and IPv6 Switch Database Management SDM template is configured on the switch layer2 switched Optional Apply the flow monitor on Layer 2 switched traffic multicast Optional Apply the flow monitor on multicast traffic sampler Optional Apply the flow monitor...

Page 1231: ...de Step 2 sampler sampler name Creates a flow monitor and enters Flexible NetFlow sampler configuration mode You can also use this command to modify an existing sampler Step 3 description description Optional Configures a description for the sampler Step 4 mode random 1 out of window size Specifies the mode and window size from which to select packets The window size range is from 2 to 32768 Note ...

Page 1232: ...1 10 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Flexible NetFlow Configuring Flexible NetFlow ...

Page 1233: ... not supported on switches running the LAN base feature set Unless otherwise noted the term switch refers to a Catalyst 3750 X or 3560 X standalone switch and to a Catalyst 3750 X switch stack The chapter includes these sections Understanding Enhanced Object Tracking page 1 1 Configuring Enhanced Object Tracking Features page 1 2 Monitoring Enhanced Object Tracking page 1 12 Understanding Enhanced...

Page 1234: ...not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface and enter tracking con...

Page 1235: ...her AND or OR operators When you measure the tracked list state by a weight threshold you assign a weight number to each object in the tracked list The state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a pe...

Page 1236: ... Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up if all objects are up or down if one or more objects are down ...

Page 1237: ...wo small bandwidth connections and object 3 represents one large bandwidth connection The configured down 10 value means that once the tracked object is up it will not go down until the threshold value is equal to or lower than 10 which in this example means that all connections are down Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list thresh...

Page 1238: ...rcentage up 51 down 10 Switch config track exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold percentage Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on...

Page 1239: ...up threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 1 4 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 1 5 For threshold percentage see the Configuring a Tr...

Page 1240: ...se for network troubleshooting design and analysis For more information about Cisco IP SLAs on the switch see Chapter 1 Configuring Cisco IOS IP SLAs Operations For IP SLAs command information see the Cisco IOS IP SLAs Command Reference Release 12 4T Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action Every IP ...

Page 1241: ...lobal configuration mode Step 2 track object number rtr operation number state Enter tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 2147483647 Step 3 delay up seconds down seconds up seconds down seconds Optional Specify a period of time in seconds to delay communicating state changes of a trac...

Page 1242: ...monitor the state of the connection to the primary gateway For more information about Cisco IP SLAs support on the switch see Chapter 1 Configuring Cisco IOS IP SLAs Operations For more information about static route object tracking see http www cisco com en US docs ios 12_3 12_3x 12_3xe feature guide dbackupx html You use this process to configure static route object tracking Step 1 Configure a p...

Page 1243: ...co IP SLAs operation and enter IP SLA configuration mode Step 3 icmp echo destination ip address destination hostname source ipaddr ip address hostname source interface interface id Configure a Cisco IP SLAs end to end ICMP echo response time operation and enter IP SLAs ICMP echo configuration mode Step 4 timeout milliseconds Set the amount of time for which the operation waits for a response from...

Page 1244: ... on packets You can enter multiple numbers or names Step 5 set ip next hop dynamic dhcp For DHCP networks only Set the next hop to the gateway that was most recently learned by the DHCP client Step 6 set interface interface id For static routing networks only Indicate where to send output packets that pass a match clause of a route map for policy routing Step 7 exit Exit route map configuration mo...

Page 1245: ...pter 1 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking show track resolution Display the resolution of tracked parameters show track timers Display tracked polling interval timers Table 1 1 Commands for Displaying Tracking Information continued Command Purpose ...

Page 1246: ...1 14 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...

Page 1247: ...uccessive requests for the same content eliminating repetitive transmissions of identical content from servers Application engines accelerate content delivery and ensure maximum scalability and availability of content In a service provider network you can deploy the WCCP and application engine solution at the points of presence POPs In an enterprise network you can deploy the WCCP and application ...

Page 1248: ...information the application engine forwards it to the requesting client and also caches it to fulfill future requests With WCCP the application engine cluster a series of application engines can service multiple routers or switches as shown Figure 1 1 Figure 1 1 Cisco Cache Engine and WCCP Network Configuration WCCP Message Exchange This sequence of events describes the WCCP message exchange 1 The...

Page 1249: ...gine does not intercept the reconnection attempt In this way the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow If the return method is Layer 2 rewrite the packets are forwarded in hardware to the target server When the server responds with the information the switch uses normal Layer 3 forwarding to return the information to ...

Page 1250: ...CP network You can use a router group list to validate the protocol packets received from the application engine Packets matching the address in the group list are processed packets not matching the group list address are dropped To disable caching for specific clients servers or client server pairs you can use a WCCP redirect access control list ACL Packets that do not match the redirect ACL bypa...

Page 1251: ...Before configuring WCCP on your switch make sure to follow these configuration guidelines The application engines and switches in the same service group must be in the same subnetwork directly connected to the switch that has WCCP enabled Configure the switch interfaces that are connected to the clients the application engines and the server as Layer 3 interfaces routed ports and switch virtual in...

Page 1252: ...nterface You cannot configure WCCP and PBR on the same switch interface You cannot configure WCCP and a private VLAN PVLAN on the same switch interface Enabling the Cache Service For WCCP packet redirection to operate you must configure the switch interface connected to the client to redirect inbound packets This procedure shows how to configure these features on routed ports To configure these fe...

Page 1253: ... the connection between the switch and the application engine By default no password is configured and no authentication is performed You must configure the same password on each application engine When authentication is enabled the switch discards messages that are not authenticated Step 3 interface interface id Specify the interface connected to the application engine or the server and enter int...

Page 1254: ...1 Switch config interface gigabitethernet1 0 1 Switch config if no switchport Switch config if ip address 172 20 10 30 255 255 255 0 Switch config if no shutdown Switch config if ip wccp web cache group listen Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if no shutdown Switch c...

Page 1255: ...h configure terminal Switch config ip wccp web cache 80 group list 15 Switch config access list 15 permit host 171 69 198 102 Switch config access list 15 permit host 171 69 198 104 Switch config access list 15 permit host 171 69 198 106 Switch config vlan 299 Switch config vlan exit Switch config interface vlan 299 Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if exit Switc...

Page 1256: ...ntaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all application engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interface for example...

Page 1257: ... this feature the switch or stack master must be running the IP services feature set To use the PIM stub routing feature the switch or stack master can be running the IP base image Note Multicast routing is not supported on switches running the LAN base feature set Unless otherwise noted the term switch refers to a Catalyst 3750 X or 3560 X standalone switch and to a Catalyst 3750 X switch stack N...

Page 1258: ...isco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP Figure 1 1 shows where these protocols operate within the IP multicast environment Figure 1 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the IP addre...

Page 1259: ...ses which are class D addresses The high order bits of a Class D address are 1110 Therefore host group addresses can be in the range 224 0 0 0 through 239 255 255 255 Multicast addresses in the range 224 0 0 0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent using the...

Page 1260: ...discovery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group to RP mappings Sparse mode and dense mode are properties of a group as opposed to an interface We strongly recommend sparse dense mode as opposed to either sparse mode or dense mode only PIM join and prune messages have more flexible encoding for multiple address families A more flexibl...

Page 1261: ...s to be torn down when they are no longer needed When the number of PIM enabled interfaces exceeds the hardware capacity and PIM SM is enabled with the SPT threshold is set to infinity the switch does not create S G entries in the multicast routing table for the some directly connected interfaces if they are not already in the table The switch might not correctly forward traffic from these interfa...

Page 1262: ...n allows the directly connected hosts to receive traffic from multicast source 200 1 1 3 See the Configuring PIM Stub Routing section on page 1 22 for more information Figure 1 2 PIM Stub Router Configuration IGMP Helper PIM stub routing moves routed traffic closer to the end user and reduces network traffic You can also reduce traffic by configuring a stub router switch with the IGMP helper featu...

Page 1263: ...er method to distribute group to RP mapping information to all PIM routers and multilayer switches in the network It eliminates the need to manually configure RP information in every router and switch in the network However instead of using IP multicast to distribute group to RP mapping information BSR uses hop by hop flooding of special BSR messages to distribute the mapping information The BSR i...

Page 1264: ...rrived on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces in the outgoing interface list which might not be all interfaces on the router 3 If the RPF check fails the packet is discarded Some multicast routing protocols such as DVMRP maintain a se...

Page 1265: ...g information to make the packet forwarding decision The software does not implement the complete DVMRP However it supports dynamic discovery of DVMRP routers and can interoperate with them over traditional media such as Ethernet and FDDI or over DVMRP specific tunnels DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messages The rou...

Page 1266: ...tandby devices and are ready to take over if there is a stack master failure If the stack master fails all stack members delete their multicast routing tables The newly elected stack master starts building the routing tables and distributes them to the stack members Note If a stack master running the IP services feature set fails and if the newly elected stack master is running the IP base feature...

Page 1267: ...IM domain PIMv1 together with the Auto RP feature can perform the same tasks as the PIMv2 BSR However Auto RP is a standalone protocol separate from PIMv1 and is a proprietary Cisco protocol PIMv2 is a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BS...

Page 1268: ...prevents these messages from reaching all routers and multilayer switches in your network Therefore if your network has a PIMv1 device in it and only Cisco routers and multilayer switches it is best to use Auto RP If you have a network that includes non Cisco routers configure the Auto RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch Ensure that no PIMv1 device is on the p...

Page 1269: ... interface on which you want to enable multicast routing and enter interface configuration mode The specified interface must be one of the following A routed port a physical port that has been configured as a Layer 3 port by entering the no switchport interface configuration command An SVI a VLAN interface created by using the interface vlan vlan id global configuration command These interfaces mu...

Page 1270: ...SM is the routing protocol that supports the implementation of SSM and is derived from PIM sparse mode PIM SM Internet Group Management Protocol version 3 IGMPv3 To run SSM with IGMPv3 SSM must be supported in the Cisco IOS router the host where the application is running and the application itself How SSM Differs from Internet Standard Multicast The current IP multicast infrastructure in the Inte...

Page 1271: ...o suppress MSDP signalling registering or PIM SM shared tree operations from occurring within the SSM range Use the ip pim ssm global configuration command to configure the SSM range and to enable SSM This configuration has the following effects For groups within the SSM range S G channel subscriptions are accepted through IGMPv3 include mode membership reports PIM operations within the SSM range ...

Page 1272: ...nce for re use of a single address within the SSM range between different applications For example an application service providing a set of television channels should even with SSM use a different group for each television S G channel This setup guarantees that multiple receivers to different channels within the same application service never experience traffic aliasing in networks that include L...

Page 1273: ... guidelines Before you configure SSM mapping enable IP multicast routing enable PIM sparse mode and configure SSM For information on enabling IP multicast routing and PIM sparse mode see the Default Multicast Routing Configuration section on page 1 11 Before you configure static SSM mapping you must configure access control lists ACLs that define the group ranges to be mapped to source addresses F...

Page 1274: ...r translates this report into one or more channel memberships for the well known sources associated with this group When the router receives an IGMPv1 or IGMPv2 membership report for a group the router uses SSM mapping to determine one or more source IP addresses for the group SSM mapping then translates the membership report as an IGMPv3 report and continues as if it had received an IGMPv3 report...

Page 1275: ...side switchover mechanism One video source is active and the other backup video source is passive The passive source waits until an active source failure is detected before sending the video traffic for the TV channel Thus the server side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel To look up one or more source addresses for a grou...

Page 1276: ... the configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM mapping Step 4 ip igmp ssm map static access list source address Configure s...

Page 1277: ... Specify the address of one or more name servers to use for name and address resolution Step 6 Repeat Step 5 to configure additional DNS servers for redundancy if required Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 confi...

Page 1278: ...gured on the uplink interface of the stub router The PIM stub router does not route the transit traffic between the distribution routers Unicast EIGRP stub routing enforces this behavior You must configure unicast stub routing to assist the PIM stub router behavior For more information see the EIGRP Stub Routing section on page 1 44 Only directly connected multicast IGMP receivers and sources are ...

Page 1279: ... pim passive Switch config if exit Switch config interface vlan100 Switch config if ip address 100 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if exit Switch config interface GigabitEthernet3 0 20 Switch config if no switchport Switch config if ip address 10 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if end To verify that PIM stub is enabled for each in...

Page 1280: ...ol in the Internet Engineering Task Force IETF You can use auto RP BSR or a combination of both depending on the PIM version that you are running and the types of routers in your network For more information see the PIMv1 and PIMv2 Interoperability section on page 1 11 and the Auto RP and BSR Configuration Guidelines section on page 1 12 Manually Assigning an RP to Multicast Groups This section ex...

Page 1281: ...he access list conditions specify for which groups the device is an RP For ip address enter the unicast address of the RP in dotted decimal notation Optional For access list number enter an IP standard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with this comm...

Page 1282: ... with a manual RP address for the Auto RP groups If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command Auto RP can still be used even if all devices are not configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 1 26 optional Adding A...

Page 1283: ...e candidate RP for local groups For interface id enter the interface type and number that identifies the RP address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that the RP announce messages reach all mapping agents in the network There is no default setting The range is 1 to 255 For gr...

Page 1284: ...faces are in sparse mode use a default configured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim accept rp command accepting the RP must be configured as follows Switch config ip pim accept rp 172 10...

Page 1285: ...pted for the group ranges supplied in the group list access list number variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to ensure that no conflicts occur in the Group to RP mapping information Step 3 access list access list number deny permit source source wildcard Create...

Page 1286: ...r As IP multicast becomes more widespread the chance of one PIMv2 domain bordering another PIMv2 domain is increasing Because these two domains probably do not share the same set of RPs BSR candidate RPs and candidate BSRs you need to constrain PIMv2 BSR messages from flowing into or out of the domain Allowing these messages to leak across the domain borders could adversely affect the normal BSR e...

Page 1287: ...tch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which car...

Page 1288: ...10 Switch config interface gigabitethernet1 0 2 Switch config if ip address 172 21 24 18 255 255 255 0 Switch config if ip pim sparse dense mode Switch config if ip pim bsr candidate gigabitethernet1 0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your switch to be a candidate BSR For i...

Page 1289: ...ration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list acc...

Page 1290: ...te BSRs as the RP mapping agents for Auto RP For more information see the Configuring Auto RP section on page 1 26 and the Configuring Candidate BSRs section on page 1 32 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group...

Page 1291: ...n 1 Verify RP mapping with the show ip pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features Understa...

Page 1292: ...ource At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The R...

Page 1293: ...l groups Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard acc...

Page 1294: ...these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Configuring Optional IGMP Features Default IGMP Configuration page 1 39 Configuring the Switch as a Member of a Group page 1 39 optional Controlling Access to IP Multicast Groups page 1 40 optional Changing the ...

Page 1295: ...ast group pinging that group causes all these devices to respond The devices respond to ICMP echo request packets addressed to a group of which they are members Another example is the multicast trace route tools provided in the software Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address Table 1 4 Default IGMP Confi...

Page 1296: ...low these steps to filter multicast groups allowed on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are d...

Page 1297: ...tional Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For source wildcar...

Page 1298: ...egister and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query interval interface configuration command Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2 you can specify the period of time before the switch takes over as th...

Page 1299: ...to the default setting use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval...

Page 1300: ...gure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration command Configuring Optional Multicast Routing Features These sections describe how to configure optional multicast routing features Features for Layer 2 connect...

Page 1301: ... Step 2 interface interface id Specify the interface that is connected to the Layer 2 Catalyst switch and enter interface configuration mode Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword ...

Page 1302: ...on the time the session is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default the switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps ...

Page 1303: ...t boundaries and TTL thresholds control the scoping of multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 1 7 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239 0 0 0 8 on all r...

Page 1304: ...ompany XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permi...

Page 1305: ...n attached networks by listening to DVMR probe messages When a DVMRP neighbor has been discovered the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain By default directly connected subnets and networks are advertised The device forwards multicast packets that have been forwarded by DVMRP routers and in turn forwards multicast packets t...

Page 1306: ...e packet is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Specify the interface connected to the MBONE and enabled for multicast routing and enter ...

Page 1307: ...0 0 255 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy enables ...

Page 1308: ...estination ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mod...

Page 1309: ... interface gigabitethernet1 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted Version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the DVMRP neig...

Page 1310: ...pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders It is also possible to propagate DVMRP routes into and through a PIM cloud PIM uses this information how...

Page 1311: ...ters and multilayer switches However if there is a DVMRP capable multicast router the Cisco device can do PIM DVMRP multicast routing Beginning in privileged EXEC mode follow these steps to enable DVMRP unicast routing This procedure is optional To disable this feature use the no ip dvmrp unicast routing interface configuration command Rejecting a DVMRP Nonpruning Neighbor By default Cisco devices...

Page 1312: ...re the switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 1 9 In this case when the switch receives DVMRP probe or report message without the prune capable flag set the switch logs a syslog message and discards the message 101244 Router A Router ...

Page 1313: ...ure is optional To disable this function use the no ip dvmrp reject non pruners interface configuration command 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Layer 3 switch Command Purpose Step 1 configure terminal Enter global conf...

Page 1314: ...C mode follow these steps to change the DVMRP route limit This procedure is optional To configure no route limit use the no ip dvmrp route limit global configuration command Changing the DVMRP Route Threshold By default 10 000 DVMRP routes can be received per interface within a 1 minute interval When that rate is exceeded a syslog message is issued warning that there might be a route surge occurri...

Page 1315: ... tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on these two Ethernet se...

Page 1316: ...RP Report 159888 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered gigabitethernet1 0 1 interface gigabitethernet1 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface gigabitethernet1 0 2 ip addr 176 32 15 1 255 255 255 0 ip pim dense mode Network Intf Metric Dist 176 13 10 0 24 Gi0 1 10514432 90 176 32 15 0 24 Gi0 2 10512012 90 176 32 20 0 24 Gi0...

Page 1317: ...better paths to individual subnets inside the PIM cloud If you configure the ip dvmrp summary address interface configuration command and did not configure no ip dvmrp auto summary you get both custom and autosummaries Beginning in privileged EXEC mode follow these steps to disable DVMRP autosummarization This procedure is optional Command Purpose Step 1 configure terminal Enter global configurati...

Page 1318: ...ommand Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip dvmrp metric offset in out increment Change...

Page 1319: ...isplay information about node reachability and discover the routing path that packets of your device are taking through the network You can use any of the privileged EXEC commands in Table 1 6 to display various routing statistics Table 1 5 Commands for Clearing Caches Tables and Databases Command Purpose clear ip cgmp Clear all group entries the Catalyst switches have cached clear ip dvmrp route ...

Page 1320: ...w ip pim neighbor type number List the PIM neighbors discovered by the switch This command is available in all software images show ip pim rp group name group address Display the RP routers associated with a sparse mode multicast group This command is available in all software images show ip rpf source address name Display how the switch is doing Reverse Path Forwarding that is from the unicast ro...

Page 1321: ...ss Switching and Fast Switching page 1 11 Multiprotocol BGP for the IPv6 Multicast Address Family page 1 12 NSF and SSO Support In IPv6 Multicast page 1 12 Bandwidth Based CAC for IPv6 Multicast page 1 12 IPv6 Multicast Overview An IPv6 multicast group is an arbitrary group of receivers that want to receive a particular data stream This group has no physical or geographical boundaries receivers ca...

Page 1322: ...ocol IGMP for IPv4 and MLD version 2 is based on version 3 of the IGMP for IPv4 IPv6 multicast for Cisco IOS software uses both MLD version 2 and MLD version 1 MLD version 2 is fully backward compatible with MLD version 1 described in RFC 2710 Hosts that support only MLD version 1 will interoperate with a switch running MLD version 2 Mixed LANs with both MLD version 1 and MLD version 2 hosts are l...

Page 1323: ...owed to support the use of IPv6 multicast in the Neighbor Discovery Protocol For stateless autoconfiguration a node is required to join several IPv6 multicast groups in order to perform duplicate address detection DAD Prior to DAD the only address the reporting node has for the sending interface is a tentative one which cannot be used for communication Therefore the unspecified address must be use...

Page 1324: ...r from the access switch In order for you to track resource consumption on a per stream basis these accounting records provide information about the multicast source and group The start record is sent when the last hop switch receives a new MLD report and the stop record is sent upon MLD leave or if the group or channel is deleted for any reason IPv6 MLD Proxy The MLD proxy feature provides a mech...

Page 1325: ...hing all the receivers for that multicast group The process of encapsulating data packets to the RP is called registering and the encapsulation packets are called PIM register packets Designated Switch Cisco switches use PIM SM to forward multicast traffic and follow an election process to select a designated switch when there is more than one switch on a LAN segment The designated switch is respo...

Page 1326: ...group membership You must configure the RP address on all switches including the RP switch A PIM switch can be an RP for more than one group Only one RP address can be used at a time within a PIM domain for a certain group The conditions specified by the access list determine for which groups the switch is an RP IPv6 multicast supports the PIM accept register feature which is the ability to perfor...

Page 1327: ... RP Adv message includes the address of the advertising C RP and an optional list of group addresses and mask length fields indicating the group prefixes for which the candidacy is advertised The BSR then includes a set of these C RPs along with their corresponding group prefixes in bootstrap messages BSMs it periodically originates BSMs are distributed hop by hop throughout the domain Bidirection...

Page 1328: ...ee 1 Receiver joins a group leaf Switch C sends a join message toward the RP 2 RP puts the link to Switch C in its outgoing interface list 3 Source sends the data Switch A encapsulates the data in the register and sends it to the RP 4 RP forwards the data down the shared tree to Switch C and sends a join message toward the source At this point data may arrive twice at Switch C once encapsulated an...

Page 1329: ... a PIM switch finds an upstream switch for some address the result of RPF calculation is compared with the addresses in this option in addition to the PIM neighbor s address itself Because this option includes all the possible addresses of a PIM switch on that link it always includes the RPF calculation result if it refers to the PIM switch supporting this option Because of size restrictions on PI...

Page 1330: ...uting protocols MFIB The MFIB is a platform independent and routing protocol independent library for IPv6 software Its main purpose is to provide a Cisco IOS platform with an interface with which to read the IPv6 multicast forwarding table and notifications when the forwarding table changes The information provided by the MFIB has clearly defined forwarding semantics and is designed to make it eas...

Page 1331: ... Layer 2 frame is then rewritten with the next hop destination address and sent to the outgoing interface The RP also computes the cyclic redundancy check CRC This switching method is the least scalable method for switching IPv6 packets IPv6 multicast fast switching allows switches to provide better packet forwarding performance than process switching Information conventionally stored in a route c...

Page 1332: ...y usable for IP unicast but not IP multicast Because of this functionality BGP routes in the IPv6 unicast RIB must be ignored in the IPv6 multicast RPF lookup A separate BGP routing table is maintained to configure incongruent policies and topologies for example IPv6 unicast and multicast by using IPv6 multicast RPF lookup Multicast RPF lookup is very similar to the IP unicast route lookup No MRIB...

Page 1333: ... and Profile Support page 1 16 Enabling MLD Proxy in IPv6 page 1 18 Resetting the MLD Traffic Counters page 1 19 Clearing the MLD Interface Counters page 1 19 Customizing and Verifying MLD on an Interface Beginning in privileged EXEC mode follow these steps Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 multicast routing vrf vrf name Example Switch config ipv...

Page 1334: ...conds Example Switch config if ipv6 mld query max response time 20 Configures the maximum response time advertised in MLD queries Step 7 ipv6 mld query timeout seconds Example Switch config if ipv6 mld query timeout 130 Configures the timeout value before the switch takes over as the querier for the interface Step 8 exit Example Switch config if exit Enter this command twice to exit interface conf...

Page 1335: ...ty Step 13 debug ipv6 mld explicit group name group address Example Switch debug ipv6 mld explicit Displays information related to the explicit tracking of hosts Step 14 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld vrf vrf name state limit number Exam...

Page 1336: ...ffic Resetting Authorization Status on an MLD Interface Enabling AAA Access Control for IPv6 Multicast Beginning in privileged EXEC mode follow these steps Specifying Method Lists and Enabling Multicast Accounting Perform this task to specify the method lists used for AAA authorization and accounting and how to enable multicast accounting on specified groups or channels on an interface Command Pur...

Page 1337: ...that restrict user access to an IPv6 multicast network Step 3 aaa accounting multicast default start stop stop only broadcast method1 method2 method3 method4 Example Switch config aaa accounting multicast default Enables AAA accounting of IPv6 multicast services for billing or security purposes when you use RADIUS Step 4 interface type number Example Switch config interface FastEthernet 1 0 Specif...

Page 1338: ...eature Step 3 ipv6 mld host proxy interface group acl Example Switch config ipv6 mld host proxy interface Ethernet 0 0 Enables the MLD proxy feature on a specified interface on an RP Step 4 show ipv6 mld host proxy interface type interface number group group address Example Switch config show ipv6 mld host proxy Ethernet0 0 Displays IPv6 MLD host proxy information Step 5 copy running config startu...

Page 1339: ... traffic Resets all MLD traffic counters Step 2 show ipv6 mld vrf vrf name traffic Example Switch show ipv6 mld traffic Displays the MLD traffic counters Step 3 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 4 clear ipv6 mld vrf vrf name counters interface type Example Switch clear ipv6 mld counters Ethernet1 0 Clears the MLD interface ...

Page 1340: ...able Step 6 show ipv6 pim vrf vrf name neighbor detail interface type interface number count Example Switch show ipv6 pim neighbor Displays the PIM neighbors discovered by the Cisco IOS software Step 7 show ipv6 pim vrf vrf name range list config rp address rp name Example Switch show ipv6 pim range list Displays information about IPv6 multicast range lists Step 8 show ipv6 pim vrf vrf name tunnel...

Page 1341: ... an interface type and number and places the switch in interface configuration mode Step 5 ipv6 pim dr priority value Example Switch config if ipv6 pim dr priority 3 Configures the DR priority on a PIM switch Step 6 ipv6 pim hello interval seconds Example Switch config if ipv6 pim hello interval 45 Configures the frequency of PIM hello messages on an interface Step 7 ipv6 pim join prune interval s...

Page 1342: ...dir Configures the address of a PIM RP for a particular group range Use of the bidir keyword means that the group range will be used for bidirectional shared tree forwarding Step 3 exit Example Switch config if exit Exits global configuration mode and returns the switch to privileged EXEC mode Step 4 show ipv6 pim vrf vrf name df interface type interface number rp address Example Switch show ipv6 ...

Page 1343: ...ple Switch show ipv6 mrib route Displays the MRIB route information Step 4 show ipv6 pim vrf vrf name topology groupname or address sourcename or address link local route count detail Example Switch show ipv6 pim topology Displays PIM topology table information for a specific group or all groups Step 5 debug ipv6 mrib vrf vrf name client Example Switch debug ipv6 mrib client Enables debugging on M...

Page 1344: ...rity 10 Configures a switch to be a candidate BSR Step 3 interface type number Example Switch config interface FastEthernet 1 0 Specifies an interface type and number and places the switch in interface configuration mode Step 4 ipv6 pim bsr border Example Switch config if ipv6 pim bsr border Configures a border for all BSMs of any scope on a specified interface Step 5 exit Example Switch config if...

Page 1345: ...interface configuration mode Step 4 ipv6 pim bsr border Example Switch config if ipv6 pim bsr border Configures a border for all BSMs of any scope on a specified interface Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 pim vrf vrf name bsr candidate bsr ipv6 address...

Page 1346: ... SSM mapping depending on your switch configuration If you choose to use static SSM mapping you can configure multiple static SSM mappings If multiple static SSM mappings are configured the source addresses of all matching access lists will be used Note To use DNS based SSM mapping the switch needs to find at least one correctly configured DNS server to which the switch may be directly attached St...

Page 1347: ... name ssm map query dns Example Switch config no ipv6 mld ssm map query dns Disables DNS based SSM mapping Step 4 ipv6 mld vrf vrf name ssm map static access list source address Example Switch config ipv6 mld ssm map static SSM_MAP_ACL_2 2001 DB8 1 1 Configures static SSM mappings Step 5 exit Example Switch config if exit Exits global configuration mode and returns the switch to privileged EXEC mo...

Page 1348: ...active Displays the active multicast streams on the switch Step 6 show ipv6 rpf vrf vrf name ipv6 prefix Example Switch show ipv6 rpf 2001 DB8 1 1 2 Checks RPF information for a given unicast host address and prefix Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 show ipv6 mfib vrf vrf name link local verbose gro...

Page 1349: ...mary Example Switch show ipv6 mfib summary Displays summary information about the number of IPv6 MFIB entries and interfaces Step 7 debug ipv6 mfib vrf vrf name group name group address adjacency db fs init interface mrib detail nat pak platform ppr ps signal table Example Switch debug ipv6 mfib FF04 10 pak Enables debugging output on the IPv6 MFIB Step 8 copy running config startup config Optiona...

Page 1350: ...1 30 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Implementing IPv6 Multicast Implementing IPv6 Multicast ...

Page 1351: ... switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 4 This chapter consists of these sections Understanding MSDP page 1 1 Configuring MSDP page 1 3 Monitoring and Maintaining MSDP page 1 19 Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezvou...

Page 1352: ... all MSDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which ...

Page 1353: ...eases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memory Configuring MSDP Default MSDP Configuration page 1 4 Configuring a Default MSDP Peer page 1 4 required Caching Source Active State page 1 6 option...

Page 1354: ... from that peer Figure 1 2 shows a network in which default MSDP peers might be used In Figure 1 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning Router A and the other owning Router C They are not running BGP or MBGP between them To learn about sources in the ISP s domain or in other domains Switch B at the customer site identifies...

Page 1355: ...sages For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix li...

Page 1356: ...after a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Option...

Page 1357: ...cached For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are mat...

Page 1358: ...icast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast source infor...

Page 1359: ...re which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised and to whi...

Page 1360: ...ess if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination e...

Page 1361: ...request 171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for gro...

Page 1362: ...privileged EXEC mode follow these steps to apply a filter This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified pe...

Page 1363: ...necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to b...

Page 1364: ... messages that its MSDP RPF peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on match...

Page 1365: ...ose SA messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For a...

Page 1366: ... address name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information f...

Page 1367: ...s This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Ver...

Page 1368: ...e sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA mes...

Page 1369: ... system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts Tab...

Page 1370: ...1 20 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 1371: ... page 1 3 Fallback Bridging Overview With fallback bridging the switch bridges together two or more VLANs or routed ports essentially connecting multiple VLANs within one bridge domain Fallback bridging forwards traffic that the switch does not route and forwards traffic belonging to a nonroutable protocol such as DECnet A VLAN bridge domain is represented with switch virtual interfaces SVIs A set...

Page 1372: ...idge table the packet is flooded on all forwarding interfaces in the bridge group A source MAC address is learned on a bridge group only when the address is learned on a VLAN the reverse is not true Any address that is learned on a stack member is learned by all switches in the stack To participate in the spanning tree algorithm by receiving and in some cases sending BPDUs on the LANs to which the...

Page 1373: ...f stacks merge or if a switch is added to the stack any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP When a stack member fails the addresses learned from this member are deleted from the bridge group MAC address table For more information about switch stacks see Chapter 1 Managing Switch Stacks Configuring Fallback Bridging Default Fallback Bridgi...

Page 1374: ... on the same switch if the ports are in different VLANs Beginning in privileged EXEC mode follow these steps to create a bridge group and to assign an interface to it This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to r...

Page 1375: ...f bridge group 10 Switch config if exit Adjusting Spanning Tree Parameters You might need to adjust certain spanning tree parameters if the default values are not suitable You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command You configure interface specific parameters by using variations of the bridge group interface configurati...

Page 1376: ... with the lowest interface value is elected Beginning in privileged EXEC mode follow these steps to change the interface priority This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group priority number Change the VLAN bridge spanning tree priority of the switch For bridge group specify the bridge group number The range is 1 to...

Page 1377: ... 0 1 Switch config if bridge group 10 path cost 20 Adjusting BPDU Intervals Adjusting the Interval between Hello BPDUs page 1 8 optional Changing the Forward Delay Interval page 1 8 optional Changing the Maximum Idle Interval page 1 9 optional Step 5 show running config Verify your entry Step 6 copy running config startup config Optional Save your entry in the configuration file Command Purpose Co...

Page 1378: ... activated for switching and before forwarding actually begins Beginning in privileged EXEC mode follow these steps to change the forward delay interval This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group hello time seconds Specify the interval between hello BPDUs For bridge group specify the bridge group number The range ...

Page 1379: ...ted in one switching subnetwork from impacting devices in the other switching subnetwork yet still permit switching throughout the network as a whole For example when switched LAN subnetworks are separated by a WAN BPDUs can be prevented from traveling across the WAN link Beginning in privileged EXEC mode follow these steps to disable spanning tree on a port This procedure is optional Command Purp...

Page 1380: ... by using the session stack member number global configuration command Enter the show bridge bridge group interface id mac address verbose privileged EXEC command at the stack member prompt For information about the fields in these displays see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 12 4 Step 5 show running config Verify your entry Step 6 copy running con...

Page 1381: ...or complete syntax and usage information for the commands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 4 Recovering from a Software Failure page 1 2 Recovering from a Lost or Forgotten Password page 1 3 Preventing Switch Stack Problems page 1 8 Recovering from a Command Switch Failure page 1 9 Recovering from Lost Cluster Member Conne...

Page 1382: ...ract the bin file from the tar file If you are using Windows use a zip program that can read a tar file Use the zip program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filen...

Page 1383: ...e flash image_filename bin file from the switch Recovering from a Lost or Forgotten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these switches...

Page 1384: ...Step 4 Reconnect the power cord to the switch or the stack master Within 15 seconds press the Mode button while the System LED is still flashing green Continue pressing the Mode button until the System LED turns briefly amber and then solid green then release the Mode button Several lines of information about the software appear with instructions informing you if the password recovery procedure ha...

Page 1385: ... Display the contents of flash memory switch dir flash The switch file system appears Directory of flash 13 drwx 192 Mar 01 1993 22 30 48 switch_image 11 rwx 5825 Mar 01 1993 22 31 59 config text 18 rwx 720 Mar 01 1993 02 21 30 vlan dat 16128000 bytes total 10003456 bytes free Step 5 Rename the configuration file to config text old This file contains the password definition switch rename flash con...

Page 1386: ...likely to leave your switch virtual interface in a shutdown state You can see which interface is in this state by entering the show running config privileged EXEC command To re enable the interface enter the interface vlan vlan id global configuration command and specify the VLAN ID of the shutdown interface With the switch in interface configuration mode enter the no shutdown command Step 14 Relo...

Page 1387: ...le system appears Directory of flash 13 drwx 192 Mar 01 1993 22 30 48 switch_image 16128000 bytes total 10003456 bytes free Step 4 Boot up the system Switch boot You are prompted to start the setup program To continue with password recovery enter N at the prompt Continue with the configuration dialog yes no N Step 5 At the switch prompt enter privileged EXEC mode Switch enable Step 6 Enter global ...

Page 1388: ... session when managing the switch stack Be careful when using multiple CLI sessions to the stack master Commands that you enter in one session are not displayed in the other sessions Therefore it is possible that you might not be able to identify the session from which you entered a command Manually assigning stack member numbers according to the placement of the switches in the stack can make it ...

Page 1389: ...mmand capable making a note of the command switch password and cabling your cluster to provide redundant connectivity between the member switches and the replacement command switch These sections describe two solutions for replacing a failed command switch Replacing a Failed Command Switch with a Cluster Member page 1 9 Replacing a Failed Command Switch with Another Switch page 1 11 These recovery...

Page 1390: ...ry depending on the member switch that you selected to be the command switch Continue with configuration dialog yes no y or Configuring global parameters If this prompt does not appear enter enable and press Return Enter setup and press Return to start the setup program Step 11 Respond to the questions in the setup program When prompted for the hostname recall that on a command switch the hostname...

Page 1391: ... Using the Ethernet Management Port section on page 1 26 and the hardware configuration guide Step 3 At the switch prompt enter privileged EXEC mode Switch enable Switch Step 4 Enter the password of the failed command switch Step 5 Use the setup program to configure the new switch IP information This program prompts you for IP address information and passwords From privileged EXEC mode enter setup...

Page 1392: ...at Step 9 Step 13 Start your browser and enter the IP address of the new command switch Step 14 From the Cluster menu select Add to Cluster to display a list of candidate switches to add to the cluster Recovering from Lost Cluster Member Connectivity Some configurations can prevent the command switch from maintaining contact with member switches If you are unable to maintain management contact wit...

Page 1393: ... the duplex settings on the two ports to match The speed parameter can adjust itself even if the connected port does not autonegotiate Troubleshooting Power over Ethernet Switch Ports Disabled Port Caused by Power Loss page 1 13 Disabled Port Caused by False Link Up page 1 14 Disabled Port Caused by Power Loss If a powered device such as a Cisco IP Phone 7910 that is connected to a PoE switch port...

Page 1394: ...ugh the error message text refers to GBIC interfaces and modules the security messages actually refer to the SFP modules and module interfaces For more information about error messages see the system message guide for this release If you are using a non Cisco SFP module remove the SFP module from the switch and replace it with a Cisco module After inserting a Cisco SFP module use the errdisable re...

Page 1395: ... for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown host If the host does not exist an unknown host message is returned Destination unreachable If the default gateway cannot reach the specified ne...

Page 1396: ...route The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support Layer 2 traceroute the swit...

Page 1397: ... multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses belong If the VLAN is not specified the path is not identified and an error message appears The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the switch uses the Address Resoluti...

Page 1398: ...e of 1 or 0 it drops the datagram and sends an Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute finds the address of the first hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagr...

Page 1399: ...ce in progress enter the escape sequence Ctrl X by default Simultaneously press and release the Ctrl Shift and 6 keys and then press the X key Using TDR Understanding TDR page 1 19 Running TDR and Displaying the Results page 1 20 Understanding TDR You can use the Time Domain Reflector TDR feature to diagnose and resolve cabling problems When running TDR a local device sends a signal through a cabl...

Page 1400: ...ir cable or is in series with a solid core cable The link is a 10 Megabit or a 100 Megabit link The cable is a stranded cable The link partner is a Cisco IP Phone The link partner is not IEEE 802 3 compliant Running TDR and Displaying the Results When you run TDR on an interface you can run it on the stack master or a stack member To run TDR enter the test cable diagnostics tdr interface interface...

Page 1401: ...e the show running config command to check its configuration Even if the switch is properly configured it might not generate the type of traffic you want to monitor during the particular period that debugging is enabled Depending on the feature you are debugging you can use commands such as the TCP IP ping command to generate network traffic To disable debugging of SPAN enter this command in privi...

Page 1402: ...ing see Chapter 1 Configuring System Message Logging and Smart Logging Using the show platform forward Command The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system Depending upon the parameters entered about the packet the output provides lookup table results and ...

Page 1403: ...ped due to failed DEJA_VU Check on Gi0 2 This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port It should be forwarded from the port on which the address was learned Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 0009 43a8 0145 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5...

Page 1404: ...ing table It should be forwarded as specified in the routing table Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 03 e319 ee44 ip 110 1 5 5 16 1 10 5 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_10010A05_0A010505 00_41000014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_00001400_10010A05 010F0 ...

Page 1405: ...C command to rename it but the contents of the renamed file will not be displayed by the show stacks or the show tech support privileged EXEC command You can delete crashinfo files by using the delete privileged EXEC command You can display the most recent basic crashinfo file that is the file with the highest sequence number at the end of its filename by entering the show stacks or the show tech ...

Page 1406: ...detected on the switch This example shows the output of the show platform tcam errors command Switch show platform tcam errors TCAM Memory Consistency Checker Errors TCAM Space Values Masks Fixups Retries Failures HFTM 0 0 0 0 0 HQATM 0 0 0 0 0 For more information about the show platform tcam errors privileged EXEC command see the command reference for this release Using On Board Failure Logging ...

Page 1407: ...of time the switch has been running since it last restarted Voltage System voltages of a standalone switch or a stack member You should manually set the system clock or configure it by using Network Time Protocol NTP When the switch is running you can retrieve the OBFL data by using the show logging onboard privileged EXEC commands If the switch fails contact your Cisco technical support represent...

Page 1408: ...ing the commands in Table 1 4 and for examples of OBFL data see the command reference for this release Table 1 4 Commands for Displaying OBFL Information Command Purpose show logging onboard module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show logging onboard module switch number environment Display the UDI informat...

Page 1409: ...hannel links brought down due to loss of communication Failure to respond to management requests ICMP ping SNMP timeouts slow Telnet or SSH sessions UDLD flapping IP SLAs failures because of SLAs responses beyond an acceptable threshold DHCP or IEEE 802 1x failures if the switch does not forward or respond to requests Layer 3 switches Note Layer 3 functions are not supported on switches running th...

Page 1410: ...ms see the Troubleshooting High CPU Utilization document on Cisco com Table 1 5 Troubleshooting CPU Utilization Problems Type of Problem Cause Corrective Action Interrupt percentage value is almost as high as total CPU utilization value The CPU is receiving too many packets from the network Determine the source of the network packet Stop the flow or change the switch configuration See the section ...

Page 1411: ... is good Connect a known good non PoE Ethernet device to the Ethernet cable and make sure that the powered device establishes a link and exchanges traffic with another host Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters Disconnect the Ethernet cable from the switch port Use a short Ethernet cable to connect a known good Ethernet dev...

Page 1412: ...e the existing distribution cables Enter the shut and no shut interface configuration commands and verify that an Ethernet link is established If this connection is good use a short patch cord to connect a powered device to this port and verify that it powers on If the device powers on verify that all intermediate patch panels are correctly connected Disconnect all but one of the Ethernet cables f...

Page 1413: ... correctly If a non PoE device has link problems or a high error rate the problem might be an unreliable cable connection between the switch port and the powered device For more information see Cisco Phone Disconnects or Resets on Cisco com Non Cisco powered device does not work on Cisco PoE switch A non Cisco powered device is connected to a Cisco PoE switch but never powers on or powers on and t...

Page 1414: ...witch see Configuration Mismatch StackWise port frequently or rapidly changing up down states flapping Error messages report stack link problems Possible traffic disruption Unreliable StackWise cable connection or interface see StackWise Port Flapping Switch member port not coming up Enter the show switch detail privileged EXEC command Unreliable StackWise cable connection or interface see StackWi...

Page 1415: ...ems off Verify port numbering see Stack Master Election and Port Number Assignment Enter the show switch privileged EXEC command Interpret state messages see Joining a Stack Typical Sequence States and Rules Stack members need to be upgraded Stack members running different major or minor versions of the Cisco IOS software Defective StackWise switch interface or cable see Quick and Easy Catalyst 37...

Page 1416: ...1 36 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Chapter 1 Troubleshooting Troubleshooting Tables ...

Page 1417: ...nnected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports and so forth Solder joints Online diagnostics are categorized as on demand scheduled or health monitoring diagnostics On demand di...

Page 1418: ...e for this release Configuring Health Monitoring Diagnostics You can configure health monitoring diagnostic testing on a switch while it is connected to a live network You can configure the execution interval for each health monitoring test enable the switch to generate a syslog message because of a test failure and enable a specific test Command Purpose diagnostic schedule switch number test name...

Page 1419: ...how diagnostic content command output all All of the diagnostic tests When specifying the interval set these parameters hh mm ss Monitoring interval in hours minutes and seconds The range for hh is 0 to 24 and the range for mm and ss is 0 to 60 milliseconds Monitoring interval in milliseconds ms The range is from 0 to 999 day Monitoring interval in the number of days The range is from 0 to 20 Step...

Page 1420: ...Loopback Running Online Diagnostic Tests After you configure online diagnostics you can manually start diagnostic tests or display the test results You can also see which tests are configured for the switch or switch stack and the diagnostic tests that have already run Starting Online Diagnostic Tests page 1 5 Displaying Online Diagnostic Tests and Test Results page 1 5 Step 5 diagnostic monitor s...

Page 1421: ... switch number keyword is supported only on Catalyst 3750 X switches The range is from 1 to 9 You can specify the tests by using one of these options name Enter the name of the test Use the show diagnostic content privileged EXEC command to display the test ID list test id Enter the ID number of the test Use the show diagnostic content privileged EXEC command to display the test ID list test id ra...

Page 1422: ...on of the show diagnostic command in the command reference for this release show diagnostic schedule switch number all 1 Display the online diagnostics test schedule show diagnostic post Display the POST results The output is the same as the show post command output 1 The switch number all parameter is supported only on Catalyst 3750 X switches Table 1 1 Commands for Diagnostic Test Configuration ...

Page 1423: ... single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is the device attached to the same switch on which the file system is being viewed In a switch stack e...

Page 1424: ...8976 5135872 flash rw flash opaque rw bs opaque rw vb 524288 520138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem This example shows a switch stack In this example the stack master is stack member 2 therefore flash2 is aliased to flash The file system on stack member 5 is displayed as flash5 on the stack master Switch show file systems File System...

Page 1425: ...onfiguration file to flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM devic...

Page 1426: ...y Beginning in privileged EXEC mode follow these steps to change directories and to display the working directory Table 1 2 Commands for Displaying Information About Files Command Description dir all filesystem filename Display a list of files on a file system show file systems Display more information about each of the files on a file system show file information file url Display information abou...

Page 1427: ...be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the co...

Page 1428: ...e at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit the filesystem option the switch uses the default device specified by the cd command For file url you specify the path directory and the name of the file to be deleted When you attempt to ...

Page 1429: ...filename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of files or directories within the source directory to add to the new file If none are specified all files and directories at this level are written to the newly created file Step 2 archive table source u...

Page 1430: ...const htm 556 bytes html xhome htm 9373 bytes html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new configs Step 3 archive xtract source url flash file url dir file Extract a file into a directory on the flash file system For source url specify the source ...

Page 1431: ...rform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands...

Page 1432: ...ration files on the switch as if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular comm...

Page 1433: ...ch by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page 1 11 Downloading the Configuration File By Using TFTP page 1 12 Uploading the Configuration File By Us...

Page 1434: ...a TFTP server follow these steps Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation Step 2 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page 1 11 Step 3 Log into the switch through the console port the Ethernet management port or a Telnet session Step 4 Downl...

Page 1435: ...3750 E switches The file is uploaded to the TFTP server This example shows how to upload a configuration file from a switch to a TFTP server Switch copy system running config tftp 172 16 2 155 tokyo confg Write file tokyo confg on host 172 16 2 155 confirm y Writing tokyo confg OK Copying Configuration Files By Using FTP You can copy configuration files to or from an FTP server The FTP protocol re...

Page 1436: ...f you do not have a router to route traffic between subnets Check connectivity to the FTP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current FTP username is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the valid user...

Page 1437: ...erver with an IP address of 172 16 101 101 to the switch startup configuration Switch configure terminal Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Con...

Page 1438: ...p ftp password mypass Switch config end Switch copy nvram startup config ftp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page 1 14 Step 2 ...

Page 1439: ...ame as the remote username The switch hostname For a successful RCP copy request you must define an account on the network server for the remote username If the server has a directory structure the configuration file is written to or copied from the directory associated with the remote username on the server For example if the configuration file is in the home directory of a user on the server spe...

Page 1440: ...directory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by rcp from 172 16 101 101 Command Purpo...

Page 1441: ...ad a configuration file by using RCP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config rcp netadmin1 172 16 101 101 switch2 confg Write file switch confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Switch Comma...

Page 1442: ...r the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Deleting a Stored Configuration File To delete a saved configuration from flash memory use the delete flash filename privileged EXEC command Depending on the setting of the file prompt global configuration command you might be prompted for confirmation before you d...

Page 1443: ...the configuration files saved in the configuration archive The Cisco IOS configuration archive in which the configuration files are stored and available for use with the configure replace command is in any of these file systems FTP HTTP RCP TFTP Replacing a Configuration The configure replace privileged EXEC command replaces the running configuration with any saved configuration file When you ente...

Page 1444: ...ack Make sure that the switch has free memory larger than the combined size of the two configuration files the running configuration and the saved replacement configuration Otherwise the configuration replacement operation fails Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands Certain configuration commands such a...

Page 1445: ...Set the maximum number of archive files of the running configuration to be saved in the configuration archive number Maximum files of the running configuration file in the configuration archive Valid values are from 1 to 14 The default is 10 Note Before using this command you must first enter the path archive configuration command to specify the location and filename prefix for the files in the co...

Page 1446: ... time seconds Specify the time in seconds within which you must enter the configure confirm command to confirm replacement of the running configuration file If you do not enter the configure confirm command within the specified time limit the configuration replacement operation is automatically stopped In other words the running configuration file is restored to the configuration that existed befo...

Page 1447: ...PC or workstation by using a web browser HTTP and then by using the device manager or Cisco Network Assistant to upgrade your switch For information about upgrading your switch by using a TFTP server or a web browser HTTP see the release notes You can replace the current image with the new one or keep the current image in flash memory after a download You can use the archive download sw allow feat...

Page 1448: ...loaded instead of specifying complete paths with each tar file For example in a mixed hardware stack you can enter archive download sw directory tftp 10 1 1 10 c3750 ipservices tar 122 35 SE tar c3750e universal tar 122 35 SE2 tar File Format of Images on a Server or Cisco com Software images on a server or downloaded from Cisco com are in a file format which contains these files An info file whic...

Page 1449: ...embers To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP page 1 ...

Page 1450: ...sing the ping command Ensure that the image to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the...

Page 1451: ...nt image The allow feature upgrade option allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For...

Page 1452: ...tch of the same type Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and th...

Page 1453: ...y reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using FTP page 1 31 Downloading an Image File By Using FTP page 1 32 Uploading an Image File By Using FTP page 1 34 Preparing to Download or Upload an Image File By Using FTP You can copy images files to or from an FTP server The FTP pro...

Page 1454: ...username by using the ip ftp username username global configuration command This new name will be used during all archive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privilege...

Page 1455: ...not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page 1 31 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directo...

Page 1456: ...e url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You can upload an image from the switch to an FTP server You can later download this image to the same switch or to another switch of the same type Use ...

Page 1457: ...r switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member t...

Page 1458: ...The switch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or copied from the directory associated with the remote username on the server For example if the image file resides in the home directory of a user on the server specify that user s name a...

Page 1459: ...ote username see Steps 4 and 5 Step 4 ip rcmd remote username username Optional Specify the remote username Step 5 end Return to privileged EXEC mode Step 6 archive download sw allow feature upgrade directory overwrite reload tftp location directory image name1 tar image name2 tar image name3 tar image name4 tar Download the images file from the RCP server to the switch and overwrite the current i...

Page 1460: ...force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an image fr...

Page 1461: ... to copy the software image from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page 1 36 Step 2 Log into the switch through the cons...

Page 1462: ... version in the service module is compatible with the software running on the switch When you download software by entering the archive download sw privileged EXEC command the switch also runs a version check to verify software compatibility if applicable If the switch is in a switch stack it checks the compatibility of the stack protocol and the switches in the stack If a network services module ...

Page 1463: ...32 341 PLATFORM_SM10G 6 LICENSE FRULink 10G Service Module C3KX SM 10G features are not supported with this license level Module is in pass thru mode You can use the show switch service module user EXEC command to view a service module on the switch or any service modules in the stack and the service module software version supported by the switch This is an example of output when the software ver...

Page 1464: ...1 42 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Appendix 1 Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 1465: ...nds are listed by software feature and command mode Note In addition to those listed Layer 3 commands are not supported on switches running the LAN base feature set Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic ...

Page 1466: ...ommands Unsupported Privileged EXEC Commands archive config logging persistent show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported User EXEC Com...

Page 1467: ...ository url location Parameters are not supported for this command event manager run policy name paramater1 paramater15 show event manager detector show event manager version Unsupported Global Configuration Commands event manager detector rpc no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode attribute ...

Page 1468: ... Commands clear bridge bridge group multicast router ports groups counts group address interface unit counts clear vlan statistics show bridge bridge group circuit group circuit group src mac address dst mac address show bridge bridge group multicast router ports groups group address show bridge vlan show interfaces crb show interfaces ethernet fastethernet interface slot port irb show subscriber ...

Page 1469: ...list access list number bridge group bridge group input lat service deny group list bridge group bridge group input lat service permit group list bridge group bridge group input lsap list access list number bridge group bridge group input pattern list access list number bridge group bridge group input type list access list number bridge group bridge group lat compression bridge group bridge group ...

Page 1470: ...nterface Multilink interface Virtual Template interface Virtual Tokenring Unsupported Interface Configuration Commands mtu standby mac refresh seconds standby use bia IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id crb fair queue irb mac accounting precedence irb ...

Page 1471: ...d 3560 X Switch Software Configuration Guide OL 25303 03 Appendix 1 Unsupported Commands in Cisco IOS Release 15 0 2 SE and Later Interface Commands Unsupported Interface Configuration Commands transmit interface type number ...

Page 1472: ...kets are switched in hardware without CPU involvement you can use this command but multicast packet information is not displayed The show ip mpacket commands are supported but are only useful for packets received at the switch CPU If the route is hardware switched the command has no effect because the CPU does not receive the packet and cannot display it show ip pim vc group address name type numb...

Page 1473: ...gp address flap statistics clear ip bgp prefix list debug ip cef stats show cef drop not cef switched show ip accounting checkpoint output packets access violations show ip bgp dampened paths show ip bgp inconsistent as show ip bgp regexp regular expression Unsupported Global Configuration Commands ip accounting precedence input output ip accounting list ip address wildcard ip accounting transits ...

Page 1474: ...ommands Unsupported BGP Router Configuration Commands address family vpnv4 default information originate neighbor advertise map neighbor allowas in neighbor default originate neighbor description network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type for policy based routing PBR set automatic tag set dampening half life reuse suppress ...

Page 1475: ...ow mac address table aging time show mac address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entrie...

Page 1476: ... unicast flood l2protocol tunnel global drop threshold memory reserve critical service compress config stack mac persistent timer supported on Catalyst 3750 X switches only track object number rtr MSDP Unsupported Privileged EXEC Commands show access expression show exception show location show pm LINE show smf interface id show subscriber policy policy number show template template name Unsupport...

Page 1477: ...upported Multicast Routing Manager Commands All Unsupported IP Multicast Rate Limiting Commands All Unsupported UDLR Commands All Unsupported Multicast Over GRE Commands All NetFlow Commands Unsupported Global Configuration Commands ip flow aggregation cache ip flow cache entries ip flow export Network Address Translation NAT Commands Unsupported Privileged EXEC Commands show ip nat statistics sho...

Page 1478: ...lass default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authentication feature default line radius server attribute nas port radius server configure radius server extended portnames SNMP Unsupported Global Configuration Commands snmp server enable informs snmp server ifindex persist logging discriminato...

Page 1479: ...ree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show vlan ifindex VTP Unsupported Privileged EXEC Command vtp password password pruning version number Note This command has been replaced by the...

Page 1480: ...1 16 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 Appendix 1 Unsupported Commands in Cisco IOS Release 15 0 2 SE and Later VTP ...

Page 1481: ... 13 switch clusters 1 13 accessing stack members 1 30 access lists See ACLs access ports and Layer 2 protocol tunneling 1 12 defined 1 3 in switch clusters 1 9 access template 1 2 accounting with 802 1x 1 53 with IEEE 802 1x 1 14 with RADIUS 1 34 with TACACS 1 11 1 17 ACEs and QoS 1 8 defined 1 2 Ethernet 1 2 IP 1 2 ACLs ACEs 1 2 applying on bridged packets 1 42 on multicast packets 1 43 on routed...

Page 1482: ...v4 1 16 IPv6 1 3 names 1 4 number per QoS class map 1 39 port 1 3 1 2 precedence of 1 3 QoS 1 7 1 49 resequencing entries 1 16 router 1 3 1 2 router ACLs and VLAN map configuration guidelines 1 40 standard IP configuring for QoS classification 1 49 1 51 standard IPv4 creating 1 10 matching criteria 1 8 support for 1 11 support in hardware 1 23 time ranges 1 18 types supported 1 2 unsupported featu...

Page 1483: ... 14 maximum for MSTP 1 24 1 25 for STP 1 24 1 25 alarms RMON 1 3 allowed VLAN list 1 19 application engines redirecting traffic to 1 1 area border routers See ABRs area routing IS IS 1 67 ISO IGRP 1 67 ARP configuring 1 11 defined 1 7 1 24 1 10 encapsulation 1 11 static cache configuration 1 11 table address resolution 1 24 managing 1 24 ASBRs 1 27 AS path filters BGP 1 56 asymmetrical links and I...

Page 1484: ...ades auto upgrade in switch stacks 1 12 auto MDIX configuring 1 35 described 1 34 autonegotiation duplex mode 1 4 interface configuration guidelines 1 32 mismatches 1 13 autonomous system boundary routers See ASBRs autonomous systems in BGP 1 50 Auto RP described 1 7 autosensing port speed 1 4 autostate exclude 1 6 auxiliary VLAN See voice VLAN availability features 1 9 B BackboneFast described 1 ...

Page 1485: ...ot process 1 2 manually 1 19 specific image 1 20 boot loader accessing 1 21 described 1 2 environment variables 1 21 prompt 1 21 trap door mechanism 1 2 Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation 1 25 bootstrap router BSR described 1 7 Border Gateway Protocol See BGP BPDU error disabled state 1 2 filtering 1 3 RSTP format 1 12 BPDU filtering described 1 3 disabling 1...

Page 1486: ...Suites 1 50 Cisco 7960 IP Phone 1 1 Cisco Discovery Protocol See CDP Cisco Express Forwarding See CEF Cisco Group Management Protocol See CGMP Cisco intelligent power management 1 8 Cisco IOS DHCP server See DHCP Cisco IOS DHCP server Cisco IOS File System See IFS Cisco IOS IP SLAs 1 2 Cisco Redundant Power System 2300 configuring 1 46 managing 1 46 Cisco Secure ACS attribute value pairs for downl...

Page 1487: ...scribed 1 1 LRE profile considerations 1 16 managing through CLI 1 16 through SNMP 1 17 planning 1 4 planning considerations automatic discovery 1 5 automatic recovery 1 10 CLI 1 16 host names 1 13 IP addresses 1 13 LRE profiles 1 16 passwords 1 14 RADIUS 1 16 SNMP 1 14 1 17 switch stacks 1 14 TACACS 1 16 See also candidate switch command switch cluster standby group member switch and standby comm...

Page 1488: ...lity feature 1 12 compatibility software See stacks switch configurable leave timer IGMP 1 6 configuration initial defaults 1 20 Express Setup 1 2 configuration conflicts recovering from lost member connectivity 1 12 configuration examples network 1 23 configuration files archiving 1 21 clearing the startup configuration 1 20 creating and using guidelines for 1 10 creating using a text editor 1 11...

Page 1489: ...ority 1 6 trust priority 1 6 CoS input queue threshold map for QoS 1 18 CoS output queue threshold map for QoS 1 21 CoS to DSCP map for QoS 1 73 counters clearing interface 1 53 CPU utilization troubleshooting 1 29 crashinfo file 1 24 critical authentication IEEE 802 1x 1 63 critical VLAN 1 23 cross stack EtherChannel configuration guidelines 1 13 configuring on Layer 2 interfaces 1 13 on Layer 3 ...

Page 1490: ...C address table move update 1 8 MSDP 1 4 MSTP 1 14 multi VRF CE 1 79 MVR 1 20 optional spanning tree configuration 1 12 OSPF 1 28 password and privilege level 1 2 PIM 1 11 private VLANs 1 6 RADIUS 1 27 REP 1 7 RIP 1 21 RMON 1 3 RSPAN 1 12 SDM template 1 5 SNMP 1 6 SPAN 1 12 SSL 1 51 standard QoS 1 37 STP 1 13 switch stacks 1 24 system message logging 1 4 system name and prompt 1 8 TACACS 1 13 UDLD...

Page 1491: ...d image update configuring 1 11 to 1 14 understanding 1 5 to 1 6 DHCP binding database See DHCP snooping binding database DHCP binding table See DHCP snooping binding database DHCP object tracking configuring primary interface 1 11 DHCP option 82 circuit ID suboption 1 5 configuration guidelines 1 9 default configuration 1 8 displaying 1 16 forwarding address specifying 1 11 helper address 1 11 ov...

Page 1492: ...L 1 37 directed unicast requests 1 7 directories changing 1 4 creating and removing 1 5 displaying the working 1 4 discovery clusters See automatic discovery Distance Vector Multicast Routing Protocol See DVMRP distance vector protocols 1 3 distribute list command 1 104 DNS and DHCP based autoconfiguration 1 8 default configuration 1 9 displaying the configuration 1 10 in IPv6 1 4 overview 1 8 set...

Page 1493: ...obe messages 1 49 displaying information 1 54 prevent peering with nonpruning 1 57 rejecting nonpruning 1 55 overview 1 9 routes adding a metric offset 1 62 advertising all 1 61 advertising the default route to neighbors 1 53 caching DVMRP routes learned in report messages 1 55 changing the threshold for syslog messages 1 58 favoring one over another 1 62 limiting the number injected into MBONE 1 ...

Page 1494: ...oting 1 31 types of connections 1 29 dynamic routing 1 3 ISO CLNS 1 66 Dynamic Trunking Protocol See DTP E EAC 1 2 EBGP 1 46 editing features enabling and disabling 1 6 keystrokes used 1 7 wrapped lines 1 8 EEM 3 2 1 5 EIGRP authentication 1 43 components 1 38 configuring 1 41 default configuration 1 39 definition 1 37 interface parameters configuring 1 42 monitoring 1 45 stub routing 1 44 support...

Page 1495: ...configuration 1 11 described 1 2 displaying status 1 22 forwarding methods 1 8 1 18 IEEE 802 3ad described 1 7 interaction with STP 1 12 with VLANs 1 12 LACP described 1 7 displaying status 1 22 hot standby ports 1 20 interaction with other features 1 8 modes 1 7 port priority 1 22 system priority 1 21 Layer 3 interface 1 5 load balancing 1 8 1 18 logical interfaces described 1 4 PAgP aggregate po...

Page 1496: ...ee EBGP external neighbors BGP 1 50 F Fa0 port See Ethernet management port failover support 1 9 fallback bridging and protected ports 1 4 bridge groups creating 1 4 described 1 2 function of 1 2 number supported 1 4 removing 1 5 configuration guidelines 1 4 connecting interfaces with 1 15 default configuration 1 3 described 1 1 frame forwarding flooding packets 1 2 forwarding packets 1 2 overview...

Page 1497: ...configuring 1 74 overview 1 31 Flexible NetFlow components 1 1 configuring a flow monitor 1 6 configuring flow records 1 3 configuring the exported 1 3 configuring the exporter 1 5 interface configuration 1 7 purpose 1 1 sampling 1 9 unsupported features 1 2 Flex Link Multicast Fast Convergence 1 3 Flex Links configuring 1 8 1 9 configuring preferred VLAN 1 11 configuring VLAN load balancing 1 10 ...

Page 1498: ...tory table level and number of syslog messages 1 10 host modes MACsec 1 4 host names in clusters 1 13 host ports configuring 1 11 kinds of 1 2 hosts limit on dynamic ports 1 31 Hot Standby Router Protocol See HSRP HP OpenView 1 6 HSRP authentication string 1 10 automatic cluster recovery 1 12 binding to cluster group 1 12 cluster standby group considerations 1 11 command switch redundancy 1 1 1 2 ...

Page 1499: ...scribed 1 1 tunnel ports with other features 1 6 IEEE 802 1s See MSTP IEEE 802 1w See RSTP IEEE 802 1x See port based authentication IEEE 802 3ad See EtherChannel IEEE 802 3af See PoE IEEE 802 3x flow control 1 33 ifIndex values SNMP 1 5 IFS 1 7 IGMP configurable leave timer described 1 6 enabling 1 11 configuring the switch as a member of a group 1 39 statically connected member 1 44 controlling ...

Page 1500: ...inition 1 2 enabling and disabling 1 8 1 7 global configuration 1 8 Immediate Leave 1 6 in the switch stack 1 7 method 1 8 monitoring 1 16 1 12 querier configuration guidelines 1 14 configuring 1 14 supported versions 1 3 support for 1 5 VLAN configuration 1 8 IGMP throttling configuring 1 27 default configuration 1 25 described 1 24 displaying action 1 29 IGP 1 27 Immediate Leave IGMP described 1...

Page 1501: ...named 1 16 undefined 1 23 IP addresses 128 bit 1 2 candidate or member 1 4 1 13 classes of 1 7 cluster access 1 2 command switch 1 3 1 11 1 13 default configuration 1 6 discovering 1 24 for IP routing 1 6 IPv6 1 2 MAC address association 1 10 monitoring 1 19 redundant clusters 1 11 standby command switch 1 11 1 13 See also IP information IP base feature set 1 1 1 2 IP base software image 1 1 IP br...

Page 1502: ...y 1 11 protocol interaction 1 2 reverse path check RPF 1 8 RP assigning manually 1 24 configuring Auto RP 1 26 configuring PIMv2 BSR 1 30 monitoring mapping information 1 35 using Auto RP and BSR 1 34 stacking stack master functions 1 10 stack member functions 1 10 statistics displaying system and network 1 63 See also CGMP See also DVMRP See also IGMP See also PIM IP phones and QoS 1 1 automatic ...

Page 1503: ...ult configuration 1 18 described 1 16 disabling 1 20 displaying bindings 1 26 configuration 1 26 enabling 1 19 1 21 filtering source IP address 1 17 source IP and MAC address 1 17 source IP address filtering 1 17 source IP and MAC address filtering 1 17 static bindings adding 1 19 1 21 deleting 1 20 static hosts 1 21 IP traceroute executing 1 18 overview 1 18 IP unicast routing address resolution ...

Page 1504: ...3 matching criteria 1 3 port 1 2 precedence 1 2 router 1 2 supported 1 2 addresses 1 2 address formats 1 2 and switch stacks 1 15 applications 1 9 assigning address 1 17 autoconfiguration 1 9 CEFv6 1 30 default configuration 1 16 default router preference DRP 1 9 defined 1 1 Enhanced Interior Gateway Routing Protocol EIGRP IPv6 1 12 EIGRP IPv6 Commands 1 13 Router ID 1 12 feature limitations 1 14 ...

Page 1505: ... configuring 1 42 credentials 1 39 described 1 39 KDC 1 39 operation 1 41 realm 1 40 server 1 41 support for 1 13 switch as trusted third party 1 39 terms 1 40 TGT 1 41 tickets 1 39 key distribution center See KDC L l2protocol tunnel command 1 14 LACP Layer 2 protocol tunneling 1 10 See EtherChannel Layer 2 frames classification with CoS 1 2 Layer 2 interfaces default configuration 1 30 Layer 2 pr...

Page 1506: ... characteristics 1 6 default configuration 1 5 enabling 1 6 monitoring and maintaining 1 11 overview 1 1 supported TLVs 1 2 switch stack considerations 1 2 transmission timer and holdtime setting 1 6 LLDP MED configuring procedures 1 5 TLVs 1 7 monitoring and maintaining 1 11 overview 1 1 1 2 supported TLVs 1 2 LLDP Media Endpoint Discovery See LLDP MED load balancing 1 4 local SPAN 1 2 location T...

Page 1507: ... switch security 1 1 MACsec Key Agreement Protocol See MKA magic packet 1 28 manageability features 1 7 management access in band browser session 1 8 CLI session 1 8 device manager 1 8 SNMP 1 8 out of band console port connection 1 8 management address TLV 1 2 management options CLI 1 1 clustering 1 4 CNS 1 1 Network Assistant 1 3 overview 1 6 switch stacks 1 3 management VLAN considerations in sw...

Page 1508: ...uring policies 1 6 defined 1 2 policies 1 2 replay protection 1 3 statistics 1 5 virtual ports 1 3 module number 1 20 monitoring access groups 1 44 BGP 1 65 cables for unidirectional links 1 1 CDP 1 5 CEF 1 92 EIGRP 1 45 fallback bridging 1 10 features 1 18 Flex Links 1 14 HSRP 1 13 IEEE 802 1Q tunneling 1 19 IGMP snooping 1 16 1 12 interfaces 1 51 IP address tables 1 19 multicast routing 1 63 rou...

Page 1509: ... peering relationship overview 1 1 requesting source information from 1 8 shutting down 1 16 source active messages caching 1 6 defined 1 2 filtering from a peer 1 11 filtering incoming 1 14 filtering to a peer 1 12 limiting data with TTL 1 14 restricting advertised sources 1 9 support for 1 17 MSTP boundary ports configuration guidelines 1 16 described 1 6 BPDU filtering described 1 3 enabling 1 ...

Page 1510: ...tances 1 2 optional features supported 1 9 overview 1 2 Port Fast described 1 2 enabling 1 12 preventing root switch selection 1 10 root guard described 1 10 enabling 1 18 root switch configuring 1 18 effects of extended system ID 1 18 unexpected behavior 1 18 shutdown Port Fast enabled port 1 2 stack changes effects of 1 8 status displaying 1 27 MTU system 1 43 system jumbo 1 43 system routing 1 ...

Page 1511: ...tion using a RADIUS server 1 68 IEEE 802 1x validation using RADIUS server 1 68 inaccessible authentication bypass 1 13 1 63 Layer 2 IEEE 802 1x validation 1 13 1 68 Layer 2 IP validation 1 13 named IPv4 ACLs 1 16 named IPv6 ACLs 1 3 NameSpace Mapper See NSM native VLAN and IEEE 802 1Q tunneling 1 4 configuring 1 21 default 1 21 NDAC 1 9 1 2 defined 1 9 MACsec 1 1 NEAT configuring 1 69 overview 1 ...

Page 1512: ...range VLANs 1 4 configuration guidelines 1 5 configuring 1 4 defined 1 1 no switchport command 1 5 not so stubby areas See NSSA NSAPs as ISO IGRP addresses 1 67 NSF Awareness IS IS 1 69 NSM 1 3 NSSA OSPF 1 33 NTP associations defined 1 2 overview 1 2 stratum 1 2 support for 1 7 time services 1 2 synchronizing 1 2 O OBFL configuring 1 27 described 1 27 displaying 1 28 object tracking HSRP 1 7 IP SL...

Page 1513: ...path cost MSTP 1 21 STP 1 21 path MTU discovery 1 4 payload encryption 1 1 PBR defined 1 99 enabling 1 101 fast switched policy based routing 1 102 local policy based routing 1 102 PC passive command switch 1 10 peers BGP 1 60 percentage thresholds in tracked lists 1 6 performance network design 1 23 performance features 1 4 persistent self signed certificate 1 49 per user ACLs and Filter Ids 1 8 ...

Page 1514: ... power negotiation extensions to CDP 1 8 standards supported 1 8 static mode 1 10 troubleshooting 1 13 policed DSCP map for QoS 1 75 policers configuring for each matched traffic class 1 58 for more than one traffic class 1 71 described 1 4 number of 1 41 types of 1 10 policing described 1 4 hierarchical See hierarchical policy maps token bucket algorithm 1 10 policy based routing See PBR policy m...

Page 1515: ... 1 21 1 22 described 1 21 host mode 1 12 inaccessible authentication bypass configuring 1 63 described 1 23 guidelines 1 40 initiation and message exchange 1 6 magic packet 1 28 maximum number of allowed devices per port 1 41 method lists 1 44 multiple authentication 1 12 multiple hosts mode described 1 12 per user ACLs AAA authorization 1 44 configuration tasks 1 18 described 1 17 RADIUS server a...

Page 1516: ...nes 1 11 configuring 1 13 default configuration 1 11 described 1 8 on trunk ports 1 14 sticky learning 1 9 violations 1 10 port shutdown response VMPS 1 26 port VLAN ID TLV 1 2 power inline consumption command 1 14 power management TLV 1 3 Power over Ethernet See PoE power supply configuring 1 46 managing 1 46 preempt delay time REP 1 5 preemption default configuration 1 8 preemption delay default...

Page 1517: ...promiscuous ports configuring 1 13 defined 1 2 protected ports 1 11 1 6 protocol dependent modules EIGRP 1 38 Protocol Independent Multicast Protocol See PIM protocol storm protection 1 19 provider edge devices 1 77 provisioning new members for a switch stack 1 8 proxy ARP configuring 1 12 definition 1 10 with IP routing disabled 1 13 proxy reports 1 3 pruning VTP disabling in VTP domain 1 16 on a...

Page 1518: ...s within the domain 1 43 trusted boundary 1 45 default auto configuration 1 24 default standard configuration 1 37 DSCP transparency 1 46 egress queues allocating buffer space 1 84 buffer allocation scheme described 1 20 configuring shaped weights for SRR 1 88 configuring shared weights for SRR 1 89 described 1 4 displaying the threshold map 1 87 flowchart 1 19 mapping DSCP or CoS values 1 86 sche...

Page 1519: ... SRR described 1 15 WTD described 1 15 rewrites 1 22 support for 1 15 trust states bordering another domain 1 47 described 1 5 trusted device 1 45 within the domain 1 43 quality of service See QoS queries IGMP 1 4 query solicitation IGMP 1 13 R RADIUS attributes vendor proprietary 1 36 vendor specific 1 35 configuring accounting 1 34 authentication 1 29 authorization 1 33 communication global 1 27...

Page 1520: ...4 port priority 1 22 redundant links and UplinkFast 1 15 redundant power system See Cisco Redundant Power System 2300 reliable transport protocol EIGRP 1 38 reloading software 1 23 Remote Authentication Dial In User Service See RADIUS Remote Copy Protocol See RCP Remote Network Monitoring See RMON Remote SPAN See RSPAN remote SPAN 1 3 REP administrative VLAN 1 8 administrative VLAN configuring 1 8...

Page 1521: ...es 1 7 1253 OSPF 1 27 1267 BGP 1 45 1305 NTP 1 2 1587 NSSAs 1 27 1757 RMON 1 2 1771 BGP 1 45 1901 SNMPv2C 1 2 1902 to 1907 SNMPv2 1 2 2236 IP multicast and IGMP 1 2 2273 2275 SNMPv3 1 2 RFC 5176 Compliance 1 21 RIP advertisements 1 21 authentication 1 23 configuring 1 22 default configuration 1 21 described 1 21 for IPv6 1 11 hop counts 1 21 split horizon 1 24 summary addresses 1 24 support for 1 ...

Page 1522: ...itch stack 1 3 interaction with other features 1 9 monitored ports 1 7 monitoring ports 1 8 overview 1 18 1 1 received traffic 1 6 session limits 1 12 sessions creating 1 18 defined 1 4 limiting source traffic to specific VLANs 1 20 specifying monitored ports 1 18 with ingress traffic enabled 1 22 source ports 1 7 transmitted traffic 1 6 VLAN based 1 7 RSTP active topology 1 9 BPDU format 1 12 pro...

Page 1523: ...ket Layer See SSL security port 1 8 Security Exchange Protocol See SXP Security Exchange Protocol See SAP Security Exchange Protocol SXP 1 2 security features 1 10 Security Group Access Control List SGACL 1 2 Security Group Tag SGT 1 2 See SCP sequence numbers in log messages 1 8 server mode VTP 1 3 service provider network MSTP and RSTP 1 1 service provider networks and customer VLANs 1 2 and IEE...

Page 1524: ...1 4 configuration examples 1 17 default configuration 1 6 engine ID 1 7 groups 1 7 1 9 host 1 7 ifIndex values 1 5 in band management 1 8 in clusters 1 14 informs and trap keyword 1 12 described 1 5 differences from traps 1 5 disabling 1 15 enabling 1 15 limiting access by TFTP servers 1 17 limiting system log messages to NMS 1 10 manager functions 1 6 1 3 managing clusters with 1 17 notifications...

Page 1525: ...VLANs 1 16 removing destination monitoring ports 1 14 specifying monitored ports 1 13 1 25 with ingress traffic enabled 1 15 source ports 1 7 transmitted traffic 1 6 VLAN based 1 7 spanning tree and native VLANs 1 17 Spanning Tree Protocol See STP SPAN traffic 1 6 split horizon RIP 1 24 SRR configuring shaped weights on egress queues 1 88 shared weights on egress queues 1 89 shared weights on ingr...

Page 1526: ...e log 1 2 VLANs 1 6 VTP 1 8 stacking and MACsec 1 3 stack master bridge ID MAC address 1 7 defined 1 2 election 1 6 IPv6 1 15 re election 1 6 See also stacks switch stack member accessing CLI of specific member 1 30 configuring member number 1 26 priority value 1 26 defined 1 2 displaying information of 1 30 IPv6 1 15 number 1 7 priority value 1 8 provisioning a new member 1 27 replacing 1 16 See ...

Page 1527: ...f replacing a provisioned switch 1 11 provisioned configuration defined 1 8 provisioned switch defined 1 8 provisioning a new member 1 27 partitioned 1 5 1 8 provisioned switch adding 1 9 removing 1 11 replacing 1 11 replacing a failed member 1 16 software compatibility 1 11 software image version 1 11 stack protocol version 1 12 STP bridge ID 1 3 instances supported 1 10 root port selection 1 3 s...

Page 1528: ...stics 802 1X 1 17 CDP 1 5 IEEE 802 1x 1 76 interface 1 52 IP multicast routing 1 63 MKA 1 5 OSPF 1 37 RMON group Ethernet 1 5 RMON group history 1 5 SNMP input and output 1 19 VTP 1 18 sticky learning 1 9 storm control configuring 1 3 described 1 1 disabling 1 5 support for 1 5 thresholds 1 1 STP accelerating root port selection 1 4 and REP 1 6 BackboneFast described 1 7 disabling 1 17 enabling 1 ...

Page 1529: ... keepalive messages 1 2 Layer 2 protocol tunneling 1 8 limitations with IEEE 802 1Q trunks 1 12 load sharing overview 1 22 using path costs 1 24 using port priorities 1 22 loop guard described 1 11 enabling 1 18 modes supported 1 10 multicast addresses effect of 1 9 optional features supported 1 9 overview 1 2 path costs 1 24 1 25 Port Fast described 1 2 enabling 1 12 port priorities 1 23 preventi...

Page 1530: ...atures 1 1 switch virtual interface See SVI SXP 1 2 synchronization BGP 1 50 syslog See system message logging system capabilities TLV 1 2 system clock configuring daylight saving time 1 6 manually 1 4 summer time 1 6 time zones 1 5 displaying the time and date 1 5 overview 1 2 See also NTP system description TLV 1 2 system message logging default configuration 1 4 defining error message severity ...

Page 1531: ...ents of 1 7 extracting 1 8 image file format 1 26 TCL script registering and defining with embedded event manager 1 7 TDR 1 18 Telnet accessing management interfaces 1 10 number of connections 1 8 setting a password 1 6 templates SDM 1 2 temporary self signed certificate 1 49 Terminal Access Controller Access Control System Plus See TACACS terminal lines setting a password 1 6 ternary content addr...

Page 1532: ... suppression 1 1 transmit hold count see STP transparent mode VTP 1 4 trap door mechanism 1 2 traps configuring MAC address notification 1 15 1 17 1 18 configuring managers 1 12 enabling 1 15 1 17 1 18 1 12 notification types 1 12 overview 1 1 1 4 troubleshooting connectivity problems 1 15 1 16 1 18 CPU utilization 1 29 detecting unidirectional links 1 1 displaying crash information 1 24 PIMv1 and...

Page 1533: ... neighbor database 1 2 overview 1 1 resetting an interface 1 6 status displaying 1 7 support for 1 9 UDP configuring 1 16 UDP jitter configuring 1 9 UDP jitter operation IP SLAs 1 8 unauthorized ports with IEEE 802 1x 1 10 unicast MAC address filtering 1 7 and adding static addresses 1 21 and broadcast MAC addresses 1 21 and CPU packets 1 21 and multicast addresses 1 21 and router MAC addresses 1 ...

Page 1534: ...oup 1 11 command switch 1 11 virtual ports MKA 1 3 Virtual Private Network See VPN virtual router 1 1 1 2 virtual switches and PAgP 1 6 vlan dat file 1 4 VLAN 1 disabling on a trunk port 1 20 minimization 1 19 VLAN ACLs See VLAN maps vlan assignment response VMPS 1 26 VLAN blocking REP 1 12 VLAN configuration at bootup 1 7 saving 1 7 VLAN database and startup configuration file 1 7 and VTP 1 1 VLA...

Page 1535: ...1 10 illustrated 1 2 internal 1 11 in the switch stack 1 6 limiting source traffic with RSPAN 1 20 limiting source traffic with SPAN 1 16 modifying 1 8 multicast 1 17 native configuring 1 21 normal range 1 1 1 4 number supported 1 10 parameters 1 4 port membership modes 1 3 static access ports 1 9 STP and IEEE 802 1Q trunks 1 12 supported 1 2 Token Ring 1 5 traffic between 1 2 VLAN bridge STP 1 12...

Page 1536: ...P 1 82 ping 1 82 RADIUS 1 83 SNMP 1 82 syslog 1 83 tftp 1 84 traceroute 1 84 uRPF 1 83 VRFs configuring multicast 1 85 VTP adding a client to a domain 1 17 advertisements 1 17 1 4 and extended range VLANs 1 2 and normal range VLANs 1 2 client mode configuring 1 13 configuration requirements 1 11 saving 1 9 configuration requirements 1 11 configuration revision number guideline 1 17 resetting 1 17 ...

Page 1537: ...aintaining 1 10 negotiation 1 3 packet redirection 1 3 packet return method 1 3 redirecting traffic received from a client 1 6 setting the password 1 7 unsupported WCCPv2 features 1 5 web authentication 1 15 configuring 1 16 to described 1 11 web based authentication customizeable web pages 1 6 description 1 1 web based authentication interactions with other features 1 7 Web Cache Communication Pr...

Page 1538: ...Index IN 58 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...

Reviews:

No comments

Related manuals for Catalyst 3560-X Series

Vb-C60 - Ptz Network Camera

Brand: Canon Pages: 30

Brand: Cabletron Systems Pages: 21

Brand: WAGO Pages: 2

Brand: REXROTH Pages: 68

Brand: DCE Pages: 5

OXTOPUS EIA-709

Brand: OCCITALINA Pages: 54

Brand: Juniper Pages: 502

Brand: Lanner Pages: 63

Brand: Freund Pages: 6

Brand: LevelOne Pages: 26

Elinx EIR510 Series

Brand: B&B Electronics Pages: 2

Brand: Casablanca Pages: 13

Ethernet MCA 10/100 Adapter

Brand: Olicom Pages: 88

Airborne M2M ABDN-er-DP55 Series

Brand: B+B SmartWorx Pages: 120

Brand: LevelOne Pages: 146

Brand: Digital Equipment Pages: 90

7798 I/SITE LAN

Brand: CSI Pages: 56

Brand: Helmholz Pages: 20

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands