manualshive.com logo in svg

Cisco Catalyst 3750-E Series, Software Configuration Manual

The Cisco Catalyst 3750-E Series provides powerful network switching capabilities. To ensure a seamless setup, refer to the easy-to-follow "Getting Started Manual" available for free download from our website. Get your hands on this comprehensive manual to maximize the potential of your Cisco Catalyst 3750-E Series.

Share
Download
background image

 

35-36

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

OL-9775-08

Chapter 35      Configuring Network Security with ACLs

Configuring VLAN Maps

Figure 35-4

Wiring Closet Configuration

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on 
Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34) 
at Switch A and not bridge it to Switch B.

First, define the IP access list 

http

 that permits (matches) any TCP traffic on the HTTP port.

Switch(config)# 

ip access-list extended http

Switch(config-ext-nacl)# 

permit tcp host 10.1.1.32 host 10.1.1.34 eq www

Switch(config-ext-nacl)# 

exit

Next, create VLAN access map 

map2

 so that traffic that matches the 

http

 access list is dropped and all 

other IP traffic is forwarded.

Switch(config)# 

vlan access-map map2 10

Switch(config-access-map)# 

match ip address http

Switch(config-access-map)# 

action drop

Switch(config-access-map)# 

exit

Switch(config)# 

ip access-list extended match_all

Switch(config-ext-nacl)# 

permit ip any any

Switch(config-ext-nacl)# 

exit

Switch(config)# 

vlan access-map map2 20

Switch(config-access-map)# 

match ip address match_all

Switch(config-access-map)# 

action forward

Then, apply VLAN access map 

map2 

to VLAN 1.

Switch(config)# 

vlan filter map2 vlan 1

Denying Access to a Server on Another a VLAN

You can restrict access to a server on another VLAN. For example, server 10.1.1.100 in VLAN 10 needs 
to have access denied to these hosts (see 

Figure 35-5

): 

  •

Hosts in subnet 10.1.2.0/8 in VLAN 20 should not have access.

  •

Hosts 10.1.1.4 and 10.1.1.8 in VLAN 10 should not have access.

Switch A 

Switch C 

Switch B

VLAN map: Deny HTTP

from X to Y.

HTTP is dropped

at entry point.

Host X

10.1.1.32

Host Y

10.1.1.34

VLAN 1

VLAN 2
Packet

101355

Summary of Contents for Catalyst 3750-E Series

Page 1: ...est Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 3750 E and 3560 E Switch Software Configuration Guide Cisco IOS Release 12 2 55 SE August 2010 Text Part Number OL 9775 08 ...

Page 2: ...RRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE ...

Page 3: ...oS Features 1 12 Layer 3 Features 1 14 Power over Ethernet Features 1 15 Monitoring Features 1 15 Default Settings After Initial Switch Configuration 1 16 Network Configuration Examples 1 19 Design Concepts for Using the Switch 1 19 Small to Medium Sized Network Using Catalyst 3750 E and 3560 E Switches 1 26 Large Network Using Catalyst 3750 E and 3560 E Switches 1 28 Multidwelling Network Using C...

Page 4: ...standing the Boot Process 3 1 Assigning Switch Information 3 2 Default Switch Information 3 3 Understanding DHCP Based Autoconfiguration 3 3 DHCP Client Request Process 3 4 Understanding DHCP based Autoconfiguration and Image Update 3 5 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 5 Limitations and Restrictions 3 6 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration Guide...

Page 5: ...1 Configuration Service 4 2 Event Service 4 3 NameSpace Mapper 4 3 What You Should Know About the CNS IDs and Device Hostnames 4 3 ConfigID 4 3 DeviceID 4 4 Hostname and DeviceID 4 4 Using Hostname DeviceID and ConfigID 4 4 Understanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Auto...

Page 6: ...cks 5 16 Switch Stack Management Connectivity 5 16 Connectivity to the Switch Stack Through an IP Address 5 17 Connectivity to the Switch Stack Through an SSH Session 5 17 Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports 5 17 Connectivity to Specific Stack Members 5 18 Switch Stack Configuration Scenarios 5 18 Configuring the Switch Stack 5 20 Default Switch Stac...

Page 7: ... Capable Devices 6 6 Discovery Through Different VLANs 6 7 Discovery Through Different Management VLANs 6 7 Discovery Through Routed Ports 6 8 Discovery of Newly Installed Switches 6 9 HSRP and Standby Cluster Command Switches 6 10 Virtual IP Addresses 6 11 Other Considerations for Cluster Standby Groups 6 11 Automatic Recovery of Cluster Configuration 6 12 IP Addresses 6 13 Hostnames 6 13 Passwor...

Page 8: ...ing DNS 7 15 Default DNS Configuration 7 16 Setting Up DNS 7 16 Displaying the DNS Configuration 7 17 Creating a Banner 7 17 Default Banner Configuration 7 17 Configuring a Message of the Day Login Banner 7 18 Configuring a Login Banner 7 19 Managing the MAC Address Table 7 19 Building the Address Table 7 20 MAC Addresses and VLANs 7 20 MAC Addresses and Switch Stacks 7 21 Default MAC Address Tabl...

Page 9: ... 3 Disabling Password Recovery 9 5 Setting a Telnet Password for a Terminal Line 9 6 Configuring Username and Password Pairs 9 6 Configuring Multiple Privilege Levels 9 7 Setting the Privilege Level for a Command 9 8 Changing the Default Privilege Level for Lines 9 9 Logging into and Exiting a Privilege Level 9 9 Controlling Switch Access with TACACS 9 10 Understanding TACACS 9 10 TACACS Operation...

Page 10: ...ing and Troubleshooting CoA Functionality 9 39 Configuring RADIUS Server Load Balancing 9 39 Displaying the RADIUS Configuration 9 39 Controlling Switch Access with Kerberos 9 39 Understanding Kerberos 9 40 Kerberos Operation 9 42 Authenticating to a Boundary Switch 9 42 Obtaining a TGT from a KDC 9 42 Authenticating to Network Services 9 42 Configuring Kerberos 9 43 Configuring the Switch for Loc...

Page 11: ...entication Manager CLI Commands 10 9 Ports in Authorized and Unauthorized States 10 11 802 1x Authentication and Switch Stacks 10 11 802 1x Host Mode 10 12 802 1x Multiple Authentication Mode 10 13 MAC Move 10 13 MAC Replace 10 14 802 1x Accounting 10 15 802 1x Accounting Attribute Value Pairs 10 15 802 1x Readiness Check 10 16 802 1x Authentication with VLAN Assignment 10 16 802 1x Authentication...

Page 12: ...Authentication Configuration Guidelines 10 35 802 1x Authentication 10 35 VLAN Assignment Guest VLAN Restricted VLAN and Inaccessible Authentication Bypass 10 37 MAC Authentication Bypass 10 37 Maximum Number of Allowed Devices Per Port 10 38 Configuring 802 1x Readiness Check 10 38 Configuring Voice Aware 802 1x Security 10 39 Configuring 802 1x Violation Modes 10 40 Configuring 802 1x Authentica...

Page 13: ...ing 802 1x Authentication on the Port 10 67 Resetting the 802 1x Authentication Configuration to the Default Values 10 67 Displaying 802 1x Statistics and Status 10 68 C H A P T E R 11 Configuring Web Based Authentication 11 1 Understanding Web Based Authentication 11 1 Device Roles 11 2 Host Detection 11 2 Session Creation 11 3 Authentication Process 11 3 Local Web Authentication Banner 11 4 Web ...

Page 14: ...Ports 12 2 Access Ports 12 3 Trunk Ports 12 3 Tunnel Ports 12 4 Routed Ports 12 4 Switch Virtual Interfaces 12 5 SVI Autostate Exclude 12 5 EtherChannel Port Groups 12 6 10 Gigabit Ethernet Interfaces 12 6 Power over Ethernet Ports 12 6 Supported Protocols and Standards 12 7 Powered Device Detection and Initial Power Allocation 12 7 Power Management Modes 12 9 Power Monitoring and Power Policing 1...

Page 15: ...7 Configuring the Power Supplies 12 38 Monitoring and Maintaining the Interfaces 12 39 Monitoring Interface Status 12 40 Clearing and Resetting Interfaces and Counters 12 41 Shutting Down and Restarting the Interface 12 42 C H A P T E R 13 Configuring VLANs 13 1 Understanding VLANs 13 1 Supported VLANs 13 2 VLAN Port Membership Modes 13 3 Configuring Normal Range VLANs 13 4 Token Ring VLANs 13 5 N...

Page 16: ...P Port Priorities 13 22 Load Sharing Using STP Path Cost 13 24 Configuring VMPS 13 25 Understanding VMPS 13 26 Dynamic Access Port VLAN Membership 13 26 Default VMPS Client Configuration 13 27 VMPS Configuration Guidelines 13 27 Configuring the VMPS Client 13 28 Entering the IP Address of the VMPS 13 28 Configuring Dynamic Access Ports on VMPS Clients 13 28 Reconfirming VLAN Memberships 13 29 Chan...

Page 17: ...5 2 Cisco IP Phone Data Traffic 15 2 Configuring Voice VLAN 15 3 Default Voice VLAN Configuration 15 3 Voice VLAN Configuration Guidelines 15 3 Configuring a Port Connected to a Cisco 7960 IP Phone 15 4 Configuring Cisco IP Phone Voice Traffic 15 5 Configuring the Priority of Incoming Data Frames 15 6 Displaying Voice VLAN 15 7 C H A P T E R 16 Configuring Private VLANs 16 1 Understanding Private ...

Page 18: ...Q Tunneling Configuration Guidelines 17 4 Native VLANs 17 4 System MTU 17 5 IEEE 802 1Q Tunneling and Other Features 17 6 Configuring an IEEE 802 1Q Tunneling Port 17 7 Understanding Layer 2 Protocol Tunneling 17 8 Configuring Layer 2 Protocol Tunneling 17 10 Default Layer 2 Protocol Tunneling Configuration 17 11 Layer 2 Protocol Tunneling Configuration Guidelines 17 12 Configuring Layer 2 Protoco...

Page 19: ...ning Tree Mode 18 15 Disabling Spanning Tree 18 16 Configuring the Root Switch 18 16 Configuring a Secondary Root Switch 18 18 Configuring Port Priority 18 18 Configuring Path Cost 18 20 Configuring the Switch Priority of a VLAN 18 21 Configuring Spanning Tree Timers 18 22 Configuring the Hello Time 18 22 Configuring the Forwarding Delay Time for a VLAN 18 23 Configuring the Maximum Aging Time for...

Page 20: ...witch 19 18 Configuring a Secondary Root Switch 19 19 Configuring Port Priority 19 20 Configuring Path Cost 19 21 Configuring the Switch Priority 19 22 Configuring the Hello Time 19 23 Configuring the Forwarding Delay Time 19 24 Configuring the Maximum Aging Time 19 24 Configuring the Maximum Hop Count 19 25 Specifying the Link Type to Ensure Rapid Transitions 19 25 Designating the Neighbor Type 1...

Page 21: ... R 21 Configuring Flex Links and the MAC Address Table Move Update Feature 21 1 Understanding Flex Links and the MAC Address Table Move Update 21 1 Flex Links 21 1 VLAN Flex Link Load Balancing and Support 21 2 Flex Link Multicast Fast Convergence 21 3 Learning the Other Flex Link Port as the mrouter Port 21 3 Generating IGMP Reports 21 3 Leaking IGMP Reports 21 4 MAC Address Table Move Update 21 ...

Page 22: ... MAC Address Filtering 22 17 IP Source Guard for Static Hosts 22 17 Configuring IP Source Guard 22 18 Default IP Source Guard Configuration 22 18 IP Source Guard Configuration Guidelines 22 18 Enabling IP Source Guard 22 19 Configuring IP Source Guard for Static Hosts 22 20 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 22 20 Configuring IP Source Guard for Static Hosts on a...

Page 23: ...ulticast Group 24 3 Leaving a Multicast Group 24 5 Immediate Leave 24 6 IGMP Configurable Leave Timer 24 6 IGMP Report Suppression 24 6 IGMP Snooping and Switch Stacks 24 7 Configuring IGMP Snooping 24 7 Default IGMP Snooping Configuration 24 7 Enabling or Disabling IGMP Snooping 24 8 Setting the Snooping Method 24 8 Configuring a Multicast Router Port 24 9 Configuring a Host Statically to Join a ...

Page 24: ...ng 25 1 MLD Messages 25 3 MLD Queries 25 3 Multicast Client Aging Robustness 25 3 Multicast Router Discovery 25 4 MLD Reports 25 4 MLD Done Messages and Immediate Leave 25 4 Topology Change Notification Processing 25 5 MLD Snooping in Switch Stacks 25 5 Configuring IPv6 MLD Snooping 25 5 Default MLD Snooping Configuration 25 6 MLD Snooping Configuration Guidelines 25 6 Enabling or Disabling MLD Sn...

Page 25: ...d Configuring Port Security 26 13 Enabling and Configuring Port Security Aging 26 17 Port Security and Switch Stacks 26 18 Port Security and Private VLANs 26 18 Displaying Port Based Traffic Control Settings 26 19 C H A P T E R 27 Configuring CDP 27 1 Understanding CDP 27 1 CDP and Switch Stacks 27 2 Configuring CDP 27 2 Default CDP Configuration 27 2 Configuring the CDP Characteristics 27 2 Disab...

Page 26: ...uidelines 29 4 Enabling UDLD Globally 29 5 Enabling UDLD on an Interface 29 6 Resetting an Interface Disabled by UDLD 29 6 Displaying UDLD Status 29 7 C H A P T E R 30 Configuring SPAN and RSPAN 30 1 Understanding SPAN and RSPAN 30 1 Local SPAN 30 2 Remote SPAN 30 3 SPAN and RSPAN Concepts and Terminology 30 4 SPAN Sessions 30 4 Monitored Traffic 30 6 Source Ports 30 7 Source VLANs 30 7 VLAN Filte...

Page 27: ...T E R 31 Configuring RMON 31 1 Understanding RMON 31 1 Configuring RMON 31 3 Default RMON Configuration 31 3 Configuring RMON Alarms and Events 31 3 Collecting Group History Statistics on an Interface 31 5 Collecting Group Ethernet Statistics on an Interface 31 6 Displaying RMON Status 31 6 C H A P T E R 32 Configuring System Message Logging 32 1 Understanding System Message Logging 32 1 Configuri...

Page 28: ...t 33 7 Configuring Community Strings 33 8 Configuring SNMP Groups and Users 33 9 Configuring SNMP Notifications 33 12 Setting the CPU Threshold Notification Types and Values 33 16 Setting the Agent Contact and Location Information 33 16 Limiting TFTP Servers Used Through SNMP 33 17 SNMP Examples 33 18 Displaying SNMP Status 33 19 C H A P T E R 34 Configuring Embedded Event Manager 34 1 Understandi...

Page 29: ...s 35 15 Using Time Ranges with ACLs 35 17 Including Comments in ACLs 35 19 Applying an IPv4 ACL to a Terminal Line 35 19 Applying an IPv4 ACL to an Interface 35 20 Hardware and Software Treatment of IP ACLs 35 22 Troubleshooting ACLs 35 22 IPv4 ACL Configuration Examples 35 23 ACLs in a Small Networked Office 35 24 Numbered ACLs 35 25 Extended ACLs 35 25 Named ACLs 35 26 Time Range Applied to an I...

Page 30: ...36 3 IPv6 ACLs and Switch Stacks 36 3 Configuring IPv6 ACLs 36 3 Default IPv6 ACL Configuration 36 4 Interaction with Other Features and Switches 36 4 Creating IPv6 ACLs 36 4 Applying an IPv6 ACL to an Interface 36 7 Displaying IPv6 ACLs 36 8 C H A P T E R 37 Configuring QoS 37 1 Understanding QoS 37 2 Basic QoS Model 37 4 Classification 37 5 Classification Based on QoS ACLs 37 7 Classification Ba...

Page 31: ...t Mapping Table Configuration 37 39 Standard QoS Configuration Guidelines 37 39 QoS ACL Guidelines 37 39 IPv6 QoS ACL Guidelines 37 39 Applying QoS on Interfaces 37 39 Configuring IPv6 QoS on Switch Stacks 37 40 Policing Guidelines 37 40 General QoS Guidelines 37 41 Enabling QoS Globally 37 41 Enabling VLAN Based QoS on Physical Ports 37 42 Configuring Classification Using Port Trust States 37 43 ...

Page 32: ... WTD Thresholds for an Egress Queue Set 37 85 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 37 87 Configuring SRR Shaped Weights on Egress Queues 37 89 Configuring SRR Shared Weights on Egress Queues 37 90 Configuring the Egress Expedite Queue 37 90 Limiting the Bandwidth on an Egress Interface 37 91 Displaying Standard QoS Information 37 92 C H A P T E R 38 Configuring Ether...

Page 33: ...tion Guidelines 38 26 Configuring Link State Tracking 38 26 Displaying Link State Tracking Status 38 27 C H A P T E R 39 Configuring TelePresence E911 IP Phone Support 39 1 Understanding TelePresence E911 IP Phone Support 39 1 Configuring TelePresence E911 IP Phone Support 39 2 Configuration Guidelines 39 2 Enabling TelePresence E911 IP Phone Support 39 3 Example 39 3 C H A P T E R 40 Configuring ...

Page 34: ...ng Summary Addresses and Split Horizon 40 23 Configuring Split Horizon 40 25 Configuring OSPF 40 26 Default OSPF Configuration 40 27 OSPF Nonstop Forwarding 40 28 OSPF for Routed Access 40 29 Configuring Basic OSPF Parameters 40 30 Configuring OSPF Interfaces 40 30 Configuring OSPF Area Parameters 40 32 Configuring Other OSPF Parameters 40 33 Changing LSA Group Pacing 40 35 Configuring a Loopback ...

Page 35: ...onstop Forwarding Awareness 40 68 Enabling IS IS Routing 40 68 Configuring IS IS Global Parameters 40 70 Configuring IS IS Interface Parameters 40 72 Monitoring and Maintaining ISO IGRP and IS IS 40 74 Configuring Multi VRF CE 40 75 Understanding Multi VRF CE 40 76 Default Multi VRF CE Configuration 40 78 Multi VRF CE Configuration Guidelines 40 78 Configuring VRFs 40 79 Configuring VRF Aware Serv...

Page 36: ...essing in Routing Updates 40 102 Filtering Sources of Routing Information 40 103 Managing Authentication Keys 40 104 Monitoring and Maintaining the IP Network 40 105 C H A P T E R 41 Configuring IPv6 Unicast Routing 41 1 Understanding IPv6 41 1 IPv6 Addresses 41 2 Supported IPv6 Unicast Routing Features 41 3 128 Bit Wide Unicast Addresses 41 3 DNS for IPv6 41 4 Path MTU Discovery for IPv6 Unicast ...

Page 37: ...dCEF for IPv6 41 19 Configuring Static Routing for IPv6 41 20 Configuring RIP for IPv6 41 21 Configuring OSPF for IPv6 41 22 Configuring EIGRP for IPv6 41 24 Configuring HSRP for IPv6 41 24 Enabling HSRP Version 2 41 25 Enabling an HSRP Group for IPv6 41 25 Displaying IPv6 41 27 C H A P T E R 42 Configuring HSRP 42 1 Understanding HSRP 42 1 HSRP Versions 42 3 Multiple HSRP 42 4 HSRP and Switch Sta...

Page 38: ...ect Tracking 44 1 Understanding Enhanced Object Tracking 44 1 Configuring Enhanced Object Tracking Features 44 2 Default Configuration 44 2 Tracking Interface Line Protocol or IP Routing State 44 2 Configuring a Tracked List 44 3 Configuring a Tracked List with a Boolean Expression 44 4 Configuring a Tracked List with a Weight Threshold 44 5 Configuring a Tracked List with a Percentage Threshold 4...

Page 39: ... Stub Routing 46 5 IGMP Helper 46 6 Auto RP 46 7 Bootstrap Router 46 7 Multicast Forwarding and Reverse Path Check 46 8 Understanding DVMRP 46 9 Understanding CGMP 46 9 Multicast Routing and Switch Stacks 46 10 Configuring IP Multicast Routing 46 10 Default Multicast Routing Configuration 46 11 Multicast Routing Configuration Guidelines 46 11 PIMv1 and PIMv2 Interoperability 46 11 Auto RP and BSR ...

Page 40: ...of PIM Shortest Path Tree 46 37 Modifying the PIM Router Query Message Interval 46 38 Configuring Optional IGMP Features 46 38 Default IGMP Configuration 46 39 Configuring the Switch as a Member of a Group 46 39 Controlling Access to IP Multicast Groups 46 40 Changing the IGMP Version 46 41 Modifying the IGMP Host Query Message Interval 46 42 Changing the IGMP Query Timeout for IGMPv2 46 42 Changi...

Page 41: ... 47 1 MSDP Operation 47 2 MSDP Benefits 47 3 Configuring MSDP 47 3 Default MSDP Configuration 47 4 Configuring a Default MSDP Peer 47 4 Caching Source Active State 47 6 Requesting Source Information from an MSDP Peer 47 8 Controlling Source Information that Your Switch Originates 47 8 Redistributing Sources 47 9 Filtering Source Active Request Messages 47 11 Controlling Source Information that You...

Page 42: ...otten Password 49 3 Procedure with Password Recovery Enabled 49 4 Procedure with Password Recovery Disabled 49 6 Preventing Switch Stack Problems 49 8 Recovering from a Command Switch Failure 49 9 Replacing a Failed Command Switch with a Cluster Member 49 9 Replacing a Failed Command Switch with Another Switch 49 11 Recovering from Lost Cluster Member Connectivity 49 12 Preventing Autonegotiation ...

Page 43: ...nding OBFL 49 26 Configuring OBFL 49 26 Displaying OBFL Information 49 27 Fan Failures 49 27 Troubleshooting Tables 49 28 Troubleshooting CPU Utilization 49 28 Possible Symptoms of High CPU Utilization 49 28 Verifying the Problem and Cause 49 28 Troubleshooting Power over Ethernet PoE 49 30 Troubleshooting Stackwise Catalyst 3750 E Switches Only 49 33 C H A P T E R 50 Configuring Online Diagnostic...

Page 44: ...Using TFTP B 12 Uploading the Configuration File By Using TFTP B 13 Copying Configuration Files By Using FTP B 13 Preparing to Download or Upload a Configuration File By Using FTP B 14 Downloading a Configuration File By Using FTP B 14 Uploading a Configuration File By Using FTP B 16 Copying Configuration Files By Using RCP B 17 Preparing to Download or Upload a Configuration File By Using RCP B 1...

Page 45: ...C Commands 3 1 Unsupported Global Configuration Commands 3 1 Unsupported Route Map Configuration Commands 3 1 Archive Commands 3 2 Unsupported Privileged EXEC Commands 3 2 ARP Commands 3 2 Unsupported Global Configuration Commands 3 2 Unsupported Interface Configuration Commands 3 2 Boot Loader Commands 3 2 Unsupported User EXEC Commands 3 2 Unsupported Global Configuration Commands 3 2 Debug Comm...

Page 46: ...orted BGP Router Configuration Commands 3 9 Unsupported VPN Configuration Commands 3 9 Unsupported Route Map Commands 3 9 MAC Address Commands 3 10 Unsupported Privileged EXEC Commands 3 10 Unsupported Global Configuration Commands 3 10 Miscellaneous 3 10 Unsupported User EXEC Commands 3 10 Unsupported Privileged EXEC Commands 3 11 Unsupported Global Configuration Commands 3 11 MSDP 3 11 Unsupport...

Page 47: ... Global Configuration Commands 3 13 Spanning Tree 3 13 Unsupported Global Configuration Command 3 13 Unsupported Interface Configuration Command 3 13 VLAN 3 13 Unsupported Global Configuration Command 3 13 Unsupported User EXEC Commands 3 13 VTP 3 13 Unsupported Privileged EXEC Command 3 13 I N D E X ...

Page 48: ...Contents xlviii Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 ...

Page 49: ...line Master Index page on Cisco com http www cisco com en US products ps6350 products_product_indices_list html This guide does not provide detailed information on the GUIs for the embedded device manager or for Cisco Network Assistant hereafter referred to as Network Assistant that you can use to manage the switch However the concepts in this guide are applicable to the GUI user For information a...

Page 50: ...se Cisco com sites Catalyst 3750 E http www cisco com en US products ps7077 tsd_products_support_series_home html Catalyst 3560 E http www cisco com en US products ps7078 tsd_products_support_series_home html Note Before installing configuring or upgrading the switch see these documents For initial configuration information see the Using Express Setup section in the getting started guide or the Co...

Page 51: ...cuments are available from this Cisco com site http www cisco com en US products hw modules ps5455 products_device_support_tables_list html For Auto Smartports macros Auto Smartports Macros Configuration Guide and Release Notes for Auto Smartports Macros For Cisco EnergyWise Cisco EnergyWise Configuration Guide and Release Notes for Cisco EnergyWise For information about the Network Admission Cont...

Page 52: ...lii Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Preface ...

Page 53: ...atures The switch supports the cryptographic supports encryption universal software image The universal software image supports the IP base and the IP services feature sets You must have a Cisco IOS software license for a specific feature set to enable it For more information about the software license see the Cisco IOS Software Installation document on Cisco com The switch supports one of these f...

Page 54: ...based program For more information about Express Setup see the getting started guide User defined and Cisco default Smartports macros for creating custom switch configurations for simplified deployment across the network Auto Smartports Cisco default and user defined macros for dynamic port configuration based on the device type detected on the port Auto Smartport enhancements which add support fo...

Page 55: ...mages from the stack master or from a TFTP server Adding removing and replacing switches in the stack without disrupting the operation of the stack Provisioning a new member for a switch stack with the offline configuration feature You can configure in advance the interface configuration for a specific stack member number and for a specific switch type of a new switch that is not part of the stack...

Page 56: ...priately Support for the maximum packet size or maximum transmission unit MTU size for these types of frames Up to 9216 bytes for routed frames Up to 9216 bytes for frames that are bridged in hardware and software through Gigabit Ethernet ports and 10 Gigabit Ethernet ports IEEE 802 3x flow control on all ports the switch does not send pause frames Up to 64 Gb s of throughput in a Catalyst 3750 E ...

Page 57: ...hreshold Flex Link Multicast Fast Convergence to reduce the multicast traffic convergence time after a Flex Link failure Support for IEEE 802 11n enabled access points and support for powered devices that draw more than 15 4 watts RADIUS server load balancing to allow access and authentication requests to be distributed evenly across a server group Cisco Medianet to enable intelligent services in ...

Page 58: ...configuration storage and delivery DHCP for automating configuration of switch information such as IP address default gateway hostname and Domain Name System DNS and TFTP server names DHCP relay for forwarding User Datagram Protocol UDP broadcasts including IP address requests from DHCP clients DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts DHCP server port...

Page 59: ...iguration and image update to download a specified configuration a new image to a large number of switches Source Specific Multicast SSM mapping for multicast applications to provide a mapping of source to allowing IGMPv2 clients to utilize SSM allowing listeners to connect to multicast sources dynamically and reducing dependencies on the application The HTTP client in Cisco IOS supports can send ...

Page 60: ...alancing across VLANs and providing rapid convergence of spanning tree instances UplinkFast cross stack UplinkFast only on Catalyst 3750 E switches and BackboneFast for fast convergence after a spanning tree topology change and for achieving load balancing between redundant uplinks including Gigabit uplinks and cross stack Gigabit uplinks only on Catalyst 3750 E switches IEEE 802 1s Multiple Spann...

Page 61: ...capsulation IEEE 802 1Q or ISL to be used VLAN Trunking Protocol VTP and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic Voice VLAN for creating subnets for voice traffic from Cisco IP Phones Dynamic voice virtual LAN VLAN for multidomain authentication MDA to allow a dynamic voice VLAN on an MDA enabled port VLAN 1 minim...

Page 62: ... be applied to interfaces to filter IPv6 traffic Support for dynamic creation or attachment of an auth default ACL on a port that has no configured static ACLs DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings Dynamic ARP...

Page 63: ...wnloadable ACLs and redirect URLs to allow per user ACL downloads from a Cisco Secure ACS server to an authenticated switch Multiple user authentication to allow more than one host to authenticate on an 802 1x enabled port MAC authentication bypass to authorize clients based on the client MAC address Voice aware IEEE 802 1x and mac authentication bypass MAB security violation to shut down only the...

Page 64: ...ss to critical resources Customizable web authentication enhancement to allow the creation of user defined login success failure and expire web pages for local web authentication Support for Network Edge Access Topology NEAT to change the port host mode and to apply a standard port configuration on the authenticator switch port VLAN ID based MAC authentication to use the combined VLAN and MAC addr...

Page 65: ...traffic flows in aggregate to restrict specific applications or traffic flows to metered predefined rates Out of Profile Out of profile markdown for packets that exceed bandwidth utilization limits Ingress queueing and scheduling Two configurable ingress queues for user traffic one queue can be the priority queue Weighted tail drop WTD as the congestion avoidance mechanism for managing the queue l...

Page 66: ...ion and virtual private multicast networks Support for these IP services making them VRF aware so that they can operate on multiple routing instances HSRP uRPF ARP SNMP IP SLA TFTP FTP syslog traceroute and ping Fallback bridging for forwarding non IP traffic between two or more VLANs requires the IP services feature set Static IP routing for manually building a routing table of network path infor...

Page 67: ...f compliant powered devices from Power over Ethernet PoE capable ports if the switch detects that there is no power on the circuit Cisco IOS Release 12 2 44 SE and later supports enhanced PoE An enhanced PoE port can support any additional powered device that requires up to 20 W of power such as a Cisco AP1250 wireless access point Support for CDP with power consumption The powered device notifies...

Page 68: ... the proportion of hosts in a LAN by tracking the routing table state or to trigger the standby router failover IP Service Level Agreements IP SLAs support to measure network performance by using active traffic monitoring IP SLAs EOT to use the output from IP SLAs tracking operations triggered by an action such as latency jitter or packet loss for a standby router failover takeover EOT and IP SLAs...

Page 69: ...words are defined For more information see Chapter 7 Administering the Switch System name and prompt is Switch For more information see Chapter 7 Administering the Switch NTP is enabled For more information see Chapter 7 Administering the Switch DNS is enabled For more information see Chapter 7 Administering the Switch TACACS is disabled For more information see Chapter 9 Configuring Switch Based ...

Page 70: ... Address Table Move Update Feature DHCP snooping is disabled The DHCP snooping information option is enabled For more information see Chapter 22 Configuring DHCP Features and IP Source Guard IP source guard is disabled For more information see Chapter 22 Configuring DHCP Features and IP Source Guard Dynamic ARP inspection is disabled on all VLANs For more information see Chapter 23 Configuring Dyn...

Page 71: ...ticast Routing MSDP is disabled For more information see Chapter 47 Configuring MSDP Fallback bridging is not configured For more information see Chapter 48 Configuring Fallback Bridging Network Configuration Examples This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Gigabit E...

Page 72: ... EtherChannel feature between the switch and its connected servers and routers Table 1 2 Providing Network Services Network Demands Suggested Design Methods Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications Use IGMP snooping to efficiently forward multimedia and multicast traffic Use other QoS mechanisms such as packet classification marking s...

Page 73: ... them through a single IP address The Gigabit switch can be connected to a Gigabit server through a 1000BASE T connection Figure 1 1 Cost Effective Wiring Closet An evolving demand for IP telephony Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network Use switches that support at least two queues per port to prioritiz...

Page 74: ...t 3560 E switches in the access layer to provide Gigabit Ethernet to the desktop To prevent congestion use QoS DSCP marking priorities on these switches For high speed IP forwarding at the distribution layer connect the switches in the access layer to a Gigabit switch with routing capability or to a router The first illustration is of an isolated high performance workgroup where the Catalyst 3560 ...

Page 75: ... Chapter 1 Overview Network Configuration Examples Figure 1 3 High Performance Workgroup Gigabit to the Desktop with Catalyst 3650 E Standalone Switches 200853 Access layer standalone switches Stacking capable switches 200854 Cisco 2600 router Access layer standalone switches WAN ...

Page 76: ...of your network For high speed IP forwarding at the distribution layer connect the switches in the access layer to multilayer switches with routing capability The Gigabit interconnections minimize latency in the data flow QoS and policing on the switches provide preferential treatment for certain data streams They segment traffic streams into different paths for processing Security features on the...

Page 77: ...ork Configuration Examples Figure 1 5 Server Aggregation 86931 Si Si Si Si Si Si Campus core Catalyst 6500 switches Catalyst 4500 multilayer switches StackWise Plus switch stacks Server racks 200857 Campus core Catalyst 6500 switches StackWise switch stacks Access layer standalone switches Server racks ...

Page 78: ...owered devices such as Cisco IP Phones The server farm includes a call processing server running Cisco CallManager software Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration The switches are interconnected through Gigabit interfaces This network uses VLANs to logically segment the network into well defined broadcast groups and for security management ...

Page 79: ...undant power when it is also connected to an AC power source Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power Cisco CallManager controls call processing routing and Cisco IP Phone features and configuration Users with workstations running Cisco SoftPhone software can place receive and control calls from their PCs Using Cisco IP Phones Ci...

Page 80: ...nonconforming traffic based on bandwidth limits are also configured on each switch stack or switch VLAN maps provide intra VLAN security and prevent unauthorized users from accessing critical pieces of the network QoS features can limit bandwidth on a per port or per user basis The switch ports are configured as either trusted or untrusted You can configure a trusted port to trust the CoS value th...

Page 81: ...multilayer switches Cisco IP Phones with workstations IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations WAN IP IP IP IP IP IP 200861 Mixed hardware stack including the Catalyst 3750G Integrated Wireless LAN Controller IEEE 802 3af compliant powered device such as a web cam Aironet wireless access points Aironet wireless access points Mixed hardware stack inc...

Page 82: ...a Backbone Configuration Cisco 7x00 routers Catalyst 6500 multilayer switches Standalone switches Standalone switches Cisco IP Phones with workstations WAN IP IP IP IEEE 802 3af compliant powered device such as a web cam Cisco IP Phones with workstations IP IP IP 200862 IEEE 802 3af compliant powered device such as a web cam Aironet wireless access points Aironet wireless access points ...

Page 83: ...3750 aggregation switch For more information about the Catalyst Long Reach Ethernet LRE switches see the documentation sets specific to these switches for LRE information All ports on the residential Catalyst 3750 E switches and Catalyst 2950 LRE switches if they are included are configured as IEEE 802 1Q trunks with protected port and STP root guard features enabled The protected port feature pro...

Page 84: ...l A common wavelength used for long distance transmissions is 1550 nm The CWDM SFP modules connect to CWDM optical add drop multiplexer OADM modules over distances of up to 393 701 feet 74 5 miles or 120 km The CWDM OADM modules combine or multiplex the different CWDM wavelengths allowing them to travel simultaneously on the same fiber optic cable The CWDM OADM modules on the receiving end separat...

Page 85: ...Configuration Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway 95750 Access layer Catalyst 4500 multilayer switches Eight 1 Gbps connections 8 Gbps Catalyst switches CWDM OADM modules CWDM OADM modules Aggregation layer ...

Page 86: ...1 34 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 1 Overview Where to Go Next ...

Page 87: ...rently in Enter a question mark at the system prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration st...

Page 88: ...global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file Inte...

Page 89: ...s unique This example shows how to enter the show configuration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command...

Page 90: ...that you might encounter while using the CLI to configure your switch Using Configuration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who entered the command the time that the Table 2 3 ...

Page 91: ...e command history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 2 5 optional Recalling Commands page 2 6 optional Disabling the Command History Feature page 2 6 optional Changing the Command History Buffer Size By d...

Page 92: ...ing Command Lines that Wrap page 2 8 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Table 2 4 Recalling Comm...

Page 93: ...mmand line Press Esc B Move the cursor back one word Press Esc F Move the cursor forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press...

Page 94: ...line the line is again shifted ten spaces to the left Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 Switch config 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 Press Esc L Change the word at the cursor to lowe...

Page 95: ... exclude and an expression that you want to search for or filter out command begin include exclude regular expression Expressions are case sensitive For example if you enter exclude output the lines that contain output are not displayed but the lines that contain Output appear This example shows how to include in the output display only lines where the expression protocol appears Switch show inter...

Page 96: ...session but your switch must first be configured for this type of access For more information see the Setting a Telnet Password for a Terminal Line section on page 9 6 You can use one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem or connect the Ethernet management port to a PC For information about connecting to ...

Page 97: ... Release 12 2 This chapter consists of these sections Understanding the Boot Process page 3 1 Assigning Switch Information page 3 2 Checking and Saving the Running Configuration page 3 16 Modifying the Startup Configuration page 3 18 Scheduling a Reload of the Software Image page 3 24 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 If you p...

Page 98: ...ystem For more information see the Recovering from a Software Failure section on page 49 2 and the Recovering from a Lost or Forgotten Password section on page 49 3 Note You can disable password recovery For more information see the Disabling Password Recovery section on page 9 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port or a PC to t...

Page 99: ... 3 Manually Assigning IP Information page 3 15 Default Switch Information Table 3 1 shows the default switch information Understanding DHCP Based Autoconfiguration DHCP provides configuration information to Internet hosts and internetworking devices This protocol consists of two components one for delivering configuration parameters from a DHCP server to a device and a mechanism for allocating net...

Page 100: ... configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces the DHCP client is invoked and requests the IP address information for those interfaces Figure 3 1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server Figure 3 1 DHCP Client and Server Message Exchange The client S...

Page 101: ...er the ip address dhcp interface configuration command In this case if the client receives the DCHP hostname option from the DHCP interaction while acquiring an IP address for an interface the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured Understanding DHCP based Autoconfiguration and Image Update You can use the DHCP image upgrade ...

Page 102: ...Unless you configure a timeout the DHCP based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address The auto install process stops if a configuration file cannot be downloaded or it the configuration file is corrupted Note The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not...

Page 103: ...ver name are not found the switch might send broadcast instead of unicast TFTP requests Unavailability of other lease options does not affect autoconfiguration The switch can act as a DHCP server By default the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured These features are not operational If your DHCP server is a Cisco device for additional info...

Page 104: ...server name to an IP address You must configure the TFTP server name to IP address map on the DNS server The TFTP server contains the configuration files for the switch You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where the DHCP replies will retrieve them You can enter up to two DNS server IP addresses in the lease database The DNS server can ...

Page 105: ...address is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the network confg or cisconet cfg default configuration file If the network confg file cannot be read the sw...

Page 106: ...server maps the TFTP server name tftpserver to IP address 10 0 0 3 Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server tftpserver 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 3 2 DHCP Server Configuration Switch A Switch B Switch C Switch D Binding key hardware address 00e0 9f1e 2001 00e0 9f1e 2002 00e...

Page 107: ...h A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by indexing its IP address 10 0 0 21 to its hostname switcha It reads the configuration file that corresponds to its hostname for example it reads switch1 confg from the TFTP server Switches B through D retrieve their configuration fil...

Page 108: ...text file for example autoinstall_dhcp that will be uploaded to the switch In the text file put the name of the image that you want to download for example c3750e ipservices mz 122 44 3 SE tarc This image must be a tar and not a bin file Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number o...

Page 109: ...number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash Step 5 default router address Specify the IP address of the default router for a DHCP cli...

Page 110: ...OOT path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER path list NVRAM Config file buffer size 32768 Timeout for Config Download 300 seconds Config Download via DHCP enabled next boot enabled Switch Note You should only configure and enable the Layer 3 interface Do not assign an IP address or DHCP based autoconfiguration with...

Page 111: ...ervices see Chapter 7 Administering the Switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP information is assigned The range is 1 to 4094 Step 3 ip address ip address subnet mask Enter the IP address and subnet mask Step 4 exit Return to global configuration mode Step 5...

Page 112: ...ce VLAN1 ip address 172 20 137 50 255 255 255 0 no ip directed broadcast ip default gateway 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in flash memory enter this privileged EXEC ...

Page 113: ...h syncs with the stack and reloads automatically Beginning in privileged EXEC mode follow these steps to configure the NVRAM buffer size This example shows how to configure the NVRAM buffer size Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config boot buffersize 524288 Switch config end Switch Switch show boot BOOT path list Config file flash config te...

Page 114: ...omatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 3 3 Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot up the syste...

Page 115: ...igure it to manually boot up Note This command only works properly from a standalone switch Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot up during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to load during the next boot cycle For f...

Page 116: ...e Step 4 show boot Verify your entries The boot manual global command changes the setting of the MANUAL_BOOT environment variable The next time you reboot the system the switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory...

Page 117: ...any environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code which does not read the Cisco IOS configuration file For example the name of a boot loader helper file which extends or patches the functionality of the boot loader can be stored as an environment variable Data that controls code which is responsible for reading th...

Page 118: ...bootable file that it can find in the flash file system boot system filesystem file url switch number all Note The switch number all keywords are supported only on Catalyst 3750 E switches Specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded This command changes the setting of the BOOT environment variable MANUAL_BOOT set MANUAL_BOOT y...

Page 119: ...ches SWITCH_PRIORITY set SWITCH_PRIORITY stack member number Changes the priority value of a stack member switch stack member number priority priority number Changes the priority value of a stack member Note This command is supported only on Catalyst 3750 E switches Table 3 4 Environment Variables continued Variable Boot Loader Command Cisco IOS Global Configuration Command Table 3 5 Environment V...

Page 120: ...and reload at hh mm month day day month text This command schedules a reload of the software to take place at the specified time using a 24 hour clock If you specify the month and day the reload is scheduled to take place at the specified time and date If you do not specify the month and day the reload takes place at the specified time on the current day if the specified time is later than the cur...

Page 121: ...he current day at 7 30 p m Switch reload at 19 30 Reload scheduled for 19 30 00 UTC Wed Jun 5 1996 in 2 hours and 25 minutes Proceed with reload confirm This example shows how to reload the software on the switch at a future time Switch reload at 02 00 jun 20 Reload scheduled for 02 00 00 UTC Thu Jun 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled r...

Page 122: ...3 26 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 21521 01 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 123: ...ng CNS Configuration page 4 14 Understanding Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their...

Page 124: ... Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration inf...

Page 125: ...que group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses namespac...

Page 126: ...nection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the swi...

Page 127: ...he new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon succ...

Page 128: ... defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Co...

Page 129: ...ult no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the...

Page 130: ...the hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway is establi...

Page 131: ...guration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout seconds ...

Page 132: ... the point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify more inter...

Page 133: ...address mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event and imag...

Page 134: ... ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Optio...

Page 135: ...ng a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal ...

Page 136: ...how cns config connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event stats Displ...

Page 137: ...ging hardware and software stacks and about using universal software images with software licenses see the Cisco IOS Software Installation document on Cisco com Understanding Switch Stacks A switch stack is a set of up to nine stacking capable switches connected through their StackWise Plus or StackWise ports You can connect only one switch type in a stack or you can connect a mix of Catalyst 3750...

Page 138: ...of the stack master Every stack member is identified by its own stack member number All stack members are eligible to be stack masters If the stack master becomes unavailable the remaining stack members elect a new stack master from among themselves The switch with the highest stack member priority value becomes the new stack master The system level features supported on the stack master are suppo...

Page 139: ...umber Incompatibility Among Switches page 5 11 Minor Version Number Incompatibility Among Switches page 5 11 Incompatible Software and Stack Member Image Upgrades page 5 15 Switch Stack Configuration Files page 5 15 Additional Considerations for System Wide Configuration on Switch Stacks page 5 16 Switch Stack Management Connectivity page 5 16 Switch Stack Configuration Scenarios page 5 18 Note A ...

Page 140: ...able SFP module ports 10 100 1000 ports If one or both of these LEDs are not green on any of the switches the stack is not operating at full bandwidth Adding powered on switches merging causes the stack masters of the merging switch stacks to elect a stack master from among themselves The re elected stack master retains its role and configuration and so do its stack members All remaining switches ...

Page 141: ...1 The switch that is currently the stack master 2 The switch with the highest stack member priority value Note We recommend assigning the highest priority value to the switch that you prefer to be the stack master This ensures that the switch is re elected as stack master if a re election occurs 3 The switch that is not using the default interface level configuration 157553 Stack member 1 Stack me...

Page 142: ...f these events occurs The switch stack is reset The stack master is removed from the switch stack The stack master is reset or powered off The stack master fails The switch stack membership is increased by adding powered on standalone switches or switch stacks In the events marked by an asterisk the current stack master might be re elected based on the listed factors When you power on or reset an ...

Page 143: ...ly change the number or unless the number is already being used by another member in the stack If you manually change the stack member number by using the switch current stack member number renumber new stack member number global configuration command the new number goes into effect after that stack member resets or after you use the reload slot stack member number privileged EXEC command and only...

Page 144: ... you create on the switch stack is called the provisioned configuration The switch that is added to the switch stack and that receives this configuration is called the provisioned switch You manually create the provisioned configuration through the switch stack member number provision type global configuration command The provisioned configuration is automatically created when a switch is added to...

Page 145: ...o the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stack member number of the provisioned switch is in conflict with an existing stack member The stack master assigns a new stack member number to the provisioned switch The stack member numbers and the switch types match 1 If the new stack member number of the provisioned sw...

Page 146: ...dds to its running configuration a switch stack member number provision type global configuration command that matches the new switch For configuration information see the Provisioning a New Member for a Switch Stack section on page 5 23 Effects of Replacing a Provisioned Switch in a Switch Stack When a provisioned switch in a switch stack fails is removed from the stack and is replaced with anoth...

Page 147: ...d EXEC command Switches with the same Cisco IOS software version have the same stack protocol version Such switches are fully compatible and all features function properly across the switch stack Switches with the same Cisco IOS software version as the stack master immediately join the switch stack If an incompatibility exists the fully functional stack members generate a system message that descr...

Page 148: ...uto upgrade process cannot find the appropriate software in the stack to copy to the switch in VM mode In that case the auto extract process searches all switches in the stack whether they are in VM mode or not for the tar file needed to upgrade the switch stack or the switch in VM mode The tar file can be in any flash file system in the switch stack including the switch in VM mode If a tar file s...

Page 149: ...tware donor Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Found donor system 2 for Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW member s 1 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW System software to be uploaded Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW System Type 0x00000000 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW archiving c3750e universal mz 122 35 SE2 directory Mar 11 20 36 15 038 IMAGEMG...

Page 150: ...eloading system s 1 This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack Auto copy starts but cannot find software in the switch stack to copy to the VM mode switch to make it compatible with the switch stack The auto advise process starts and recommends that you download a tar file from the network to the switch in V...

Page 151: ...ply to all stack members Stack member interface specific configuration settings that are specific for each stack member The stack master has the saved and running configuration files for the switch stack All stack members periodically receive synchronized copies of the configuration files from the stack master If the stack master becomes unavailable any stack member assuming the role of stack mast...

Page 152: ...tarted with Cisco Network Assistant available on Cisco com MAC Addresses and Switch Stacks section on page 7 21 Setting the SDM Template section on page 8 5 802 1x Authentication and Switch Stacks section on page 10 11 VTP and Switch Stacks section on page 14 7 Private VLANs and Switch Stacks section on page 16 5 Spanning Tree and Switch Stacks section on page 18 12 MSTP and Switch Stacks section ...

Page 153: ...k can be lost if a stack master running the cryptographic software image and the IP base or IP services feature set fails and is replaced by a switch that is running the noncryptographic image and the same feature set We recommend that a switch running the cryptographic software image and the IP base or IP services feature set be the stack master Encryption features are unavailable if the stack ma...

Page 154: ...onnected through their StackWise Plus ports Table 5 2 Switch Stack Configuration Scenarios Scenario Result Stack master election specifically determined by existing stack masters Connect two powered on switch stacks through the StackWise Plus ports Only one of the two stack masters becomes the new stack master None of the other stack members become the stack master Stack master election specifical...

Page 155: ... image installed and the IP base feature set enabled 2 Restart both stack members at the same time Note The stack member with the cryptographic image and the IP base feature set is elected stack master Stack master election specifically determined by the MAC address Assuming that both stack members have the same priority value configuration file and feature set restart both stack members at the sa...

Page 156: ...e its MAC address as the stack MAC address even if the switch is now a stack member and not a stack master If Stack master failure Remove or power off the stack master Based on the factors described in the Stack Master Election and Re Election section on page 5 5 one of the remaining stack members becomes the new stack master All other stack members in the stack remain as stack members and do not ...

Page 157: ...ges If you enter a time delay of 1 to 60 minutes the stack MAC address of the previous stack master is used until the configured time period expires or until you enter the no stack mac persistent timer command Note If the entire switch stack reloads it uses the MAC address of the stack master as the stack MAC address Beginning in privileged EXEC mode follow these steps to enable persistent MAC add...

Page 158: ...kholed Switch config end Switch show switch Switch Stack Mac Address 0016 4727 a900 Mac persistency wait time 7 mins H W Current Switch Role Mac Address Priority Version State 1 Master 0016 4727 a900 1 0 Ready Assigning Stack Member Information These sections describe how to assign stack member information Assigning a Stack Member Number page 5 22 optional Setting the Stack Member Priority Value p...

Page 159: ...eturn to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member Step 5 show switch Verify the stack member number Step 6 copy running config startup config Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 switch stack member number priority new priority number Specify the stack member number and...

Page 160: ...r of 2 for the switch stack The show running config command output shows the interfaces associated with the provisioned switch Switch config switch 2 provision switch_PID Switch config end Switch show running config include switch 2 interface GigabitEthernet2 0 1 interface GigabitEthernet2 0 2 interface GigabitEthernet2 0 3 output truncated Command Purpose Step 1 show switch Display summary inform...

Page 161: ...abling a Stack Port page 5 26 Re Enabling a Stack Port While Another Member Starts page 5 26 Understanding the show switch stack ports summary Output page 5 27 Identifying Loopback Problems page 5 28 Table 5 4 Commands for Displaying Stack Information Command Description show platform stack manager all Display all stack information such as the stack protocol version show platform stack ports buffe...

Page 162: ... The stack is in the full ring state you can disable only one stack port This message appears Enabling disabling a stack port may cause undesired stack changes Continue confirm The stack is in the partial ring state you cannot disable the port This message appears Disabling stack port not allowed with current stack configuration Re Enabling a Stack Port While Another Member Starts Stack Port 1 on ...

Page 163: ...Neighbor Switch number of the active member at the other end of the stack cable Cable Length Valid lengths are 50 cm 1 m or 3 m If the switch cannot detect the cable length the value is no cable The cable might not be connected or the link might be unreliable Link OK This shows if the link is stable The link partner is a stack port on a neighbor switch No The link partner receives invalid protocol...

Page 164: ...the stack cable from Port 1 on Switch 1 these messages appear 01 09 55 STACKMGR 4 STACK_LINK_CHANGE Stack Port 2 Switch 3 has changed to state DOWN 01 09 56 STACKMGR 4 STACK_LINK_CHANGE Stack Port 1 Switch 1 has changed to state DOWN Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Absent None N...

Page 165: ...Status To LinkOK 1 1 Absent None No cable No No No 1 Yes 1 2 Absent None No cable No No No 1 Yes Software Loopback Examples Connected Stack Cables On Port 1 on Switch 1 the port status is Down and a cable is connected On Port 2 on Switch 1 the port status is Absent and no cable is connected Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Act...

Page 166: ...00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable On a Catalyst 3750 member If at least one stack port has an connected stack cable the Loopback HW value for both stack ports is No If neither stack port has an connected stack cable the Loopback HW value for both stack ports is Yes On a Catalyst 3750 E or Catalyst 3750 X member If a stack port has an connected stack cable the Loopback HW valu...

Page 167: ...oopback Cable Count Port IOS HW length Event type LINK OK Stack Port 2 0000000005 1 FF08FF00 0001FBD3 0801080B EFFFFFFF 0C100CE6 No No No cable 0000000005 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm Event type RAC 0000000006 1 FF08FF00 0001FC14 08050204 EFFFFFFF 0C100CE6 No No No cable 0000000006 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm Event type LINK NOT OK Stack...

Page 168: ...0015B12 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009732 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type RAC 0000009733 1 FF01FF00 00015B4A 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009733 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type LINK NOT OK Stack Port 2 0000010119 1 FF01FF00 00010E69 25953FFF FFFFFFFF 0C140C14 No Yes No cable 0000010119 2 FF01FF00 ...

Page 169: ...Port 2 on Switch 1 has a port or cable problem if The In Loopback value is Yes or The Link OK Link Active or Sync OK value is No Fixing a Bad Connection Between Stack Ports Stack cables connect all members Port 2 on Switch 1 connects to Port 1 on Switch 2 This is the port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Chang...

Page 170: ...5 34 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 5 Managing Switch Stacks Troubleshooting Stacks ...

Page 171: ...ers and converting a switch cluster to a community see Getting Started with Cisco Network Assistant available on Cisco com This chapter focuses on Catalyst 3750 E and 3560 E switch clusters It also includes guidelines and limitations for clusters mixed with other cluster capable Catalyst switches but it does not provide complete descriptions of the cluster features for these other switches For com...

Page 172: ... switch as a Layer 3 router between the Layer 2 switches in the cluster network Cluster members are connected to the cluster command switch according to the connectivity guidelines described in the Automatic Discovery of Cluster Candidates and Members section on page 6 5 This section includes management VLAN considerations for the Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2950 and Cata...

Page 173: ...cted to all other cluster member switches except the cluster command and standby command switches through a common VLAN It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained It is not a command or member switch of another cluster Catalyst 3550 12 1 4 EA1 or later Member or command switch Catalyst 2970 12 1 11 AX or later Member or command switch C...

Page 174: ...ndby group exists it is connected to every standby cluster command switch through at least one common VLAN The VLAN to each standby cluster command switch can be different It is connected to the cluster command switch through at least one common VLAN Note Catalyst 1900 Catalyst 2820 Catalyst 2900 XL Catalyst 2940 Catalyst 2950 and Catalyst 3500 XL candidate and cluster member switches must be conn...

Page 175: ... about CDP see Chapter 27 Configuring CDP Following these connectivity guidelines ensures automatic discovery of the switch cluster cluster candidates connected switch clusters and neighboring edge devices Discovery Through CDP Hops page 6 5 Discovery Through Non CDP Capable and Noncluster Capable Devices page 6 6 Discovery Through Different VLANs page 6 7 Discovery Through Different Management VL...

Page 176: ...t cannot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 6 2 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Figure 6 2 Discovery Through Non CDP Capable and Noncluster Capable Devices Command dev...

Page 177: ...uster command switch through their management VLAN For information about discovery through management VLANs see the Discovery Through Different Management VLANs section on page 6 7 For more information about VLANs see Chapter 13 Configuring VLANs Note For additional considerations about VLANs in switch stacks see the Switch Clusters and Switch Stacks section on page 6 14 Figure 6 3 Discovery Throu...

Page 178: ...se automatic discovery does not extend beyond a noncandidate device which is switch 7 Figure 6 4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch Discovery Through Routed Ports If the cluster command switch has a routed port RP configured it discovers only candidate and cluster member switches in the same VLAN as the routed port For more information about routed p...

Page 179: ...s to the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor The cluster command switch in Figure 6 6 belongs to VLANs 9 and 16 When new cluster capable switches join the cluster One cluster capable switch and its access port are assigned to VLAN 9 The other cluster capable switch and its access port ar...

Page 180: ...oup is the active cluster command switch AC The switch with the next highest priority is the standby cluster command switch SC The other switches in the cluster standby group are the passive cluster command switches PC If the active cluster command switch and the standby cluster command switch become disabled at the same time the passive cluster command switch with the highest priority becomes the...

Page 181: ... page 6 13 Other Considerations for Cluster Standby Groups Note For additional considerations about cluster standby groups in switch stacks see the Switch Clusters and Switch Stacks section on page 6 14 These requirements also apply Standby cluster command switches must be the same type of switches as the cluster command switch For example if the cluster command switch is a Catalyst 3750 E or Cata...

Page 182: ...d switch continually forwards cluster configuration information but not device configuration information to the standby cluster command switch This ensures that the standby cluster command switch can take over the cluster immediately after the active cluster command switch fails Automatic discovery has these limitations This limitation applies only to clusters that have Catalyst 2950 Catalyst 2960...

Page 183: ...ster command switch fails and the standby cluster command switch takes over you must either use the standby group virtual IP address or any of the IP addresses available on the new active cluster command switch to access the cluster You can assign an IP address to a cluster capable switch but it is not necessary A cluster member switch is managed and communicates with other cluster member switches...

Page 184: ...ommunity strings command switch readonly community string esN where N is the member switch number command switch readwrite community string esN where N is the member switch number If the cluster command switch has multiple read only or read write community strings only the first read only and read write strings are propagated to the cluster member switch The switches support an unlimited number of...

Page 185: ...and switch stack All stack members should have redundant connectivity to all VLANs in the switch cluster Otherwise if a new stack master is elected stack members connected to any VLANs not configured on the new stack master lose their connectivity to the switch cluster You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch clust...

Page 186: ...er must have that same public profile Before you add an LRE switch to a cluster make sure that you assign it the same public profile used by other LRE switches in the cluster A cluster can have a mix of LRE switches that use different private profiles Using the CLI to Manage Switch Clusters You can configure cluster member switches from the CLI by first logging into the cluster command switch Ente...

Page 187: ...bled you can enable it as described in the Configuring SNMP section on page 33 6 On Catalyst 1900 and Catalyst 2820 switches SNMP is enabled by default When you create a cluster the cluster command switch manages the exchange of messages between cluster member switches and an SNMP application The cluster software on the cluster command switch appends the cluster member switch number esN where N is...

Page 188: ...are Configuration Guide OL 9775 08 Chapter 6 Clustering Switches Using SNMP to Manage Switch Clusters Figure 6 8 SNMP Management for a Cluster Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 189: ...rompt page 7 14 Creating a Banner page 7 17 Managing the MAC Address Table page 7 19 Managing the ARP Table page 7 31 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the ...

Page 190: ... packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP aut...

Page 191: ...switches Switch B and Switch F respectively Figure 7 1 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always co...

Page 192: ...lt NTP configuration NTP is enabled on all interfaces by default All interfaces receive NTP packets Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps ...

Page 193: ... synchronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters fo...

Page 194: ...imply be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchron...

Page 195: ...mmand Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 ntp broadcast version number key keyid destination address Enable the interface to send NTP broadcast packets to a peer By default this feature is disabled on all interfaces Optional For number specif...

Page 196: ...low these steps to control access to NTP services by using access lists Step 5 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Optio...

Page 197: ...rvices use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 42 S...

Page 198: ...rce address is to be taken The specified interface is used for the source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 7 5 Command Purpose Step 1 configure terminal Enter global configurat...

Page 199: ... and the stack master fails and different stack member resumes the role of stack master These sections contain this configuration information Setting the System Clock page 7 11 Displaying the Time and Date Configuration page 7 12 Configuring the Time Zone page 7 12 Configuring Summer Time Daylight Saving Time page 7 13 Setting the System Clock If you have an outside source on the network that prov...

Page 200: ...nfigure the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set the ...

Page 201: ...nfig clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring ...

Page 202: ...ter than symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileged EXEC ...

Page 203: ...uted database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the deli...

Page 204: ...me Define a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name m...

Page 205: ...mand Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also d...

Page 206: ...le shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message o...

Page 207: ...s these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For comple...

Page 208: ... and adding the address and its associated port number to the address table As stations are added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured on a standalone switch or on the switch stack However the switch maintains an address table for each VLAN and STP can accelera...

Page 209: ...on all stack members When a switch joins a switch stack that switch receives the addresses for each VLAN learned on the other stack members When a stack member leaves the switch stack the remaining stack members age out or remove all addresses learned by the former stack member Default MAC Address Table Configuration Table 7 3 shows the default MAC address table configuration Changing the Address ...

Page 210: ...y storing the MAC address change activity When the switch learns or removes a MAC address an SNMP notification trap can be sent to the NMS If you have many users coming and going from the network you can set a trap interval time to bundle the notification traps to reduce network traffic The MAC notification history table stores MAC address activity for each port for which the trap is set MAC addre...

Page 211: ...command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification change Enable the switch to send MAC address change notification traps to the NMS Step 4 mac address table notification change Enable the MAC address change notification feature Step 5 mac address table notification change interval value history size value Enter the trap interval time an...

Page 212: ...added on the specified port Switch config snmp server host 172 20 10 10 traps private mac notification Switch config snmp server enable traps mac notification change Switch config mac address table notification change Switch config mac address table notification change interval 123 Switch config mac address table notification change history size 100 Switch config interface gigabitethernet1 0 2 Swi...

Page 213: ...tion an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server host host addr traps informs version 1 2c 3 community string notification type Specify the recipient of the trap message For host addr specify the name or address...

Page 214: ... message For host addr specify the name or address of the NMS Specify traps the default to send SNMP traps to the host Specify informs to send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs For community string specify the string to send with the notification operation Though you can set this string by using the snmp server host com...

Page 215: ...ry VLAN you should also configure the same static MAC address in all associated VLANs Static MAC addresses configured in a private VLAN primary or secondary VLAN are not replicated in the associated VLAN For more information about private VLANs see Chapter 16 Configuring Private VLANs Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the add...

Page 216: ...kets with that MAC address depending on which command was entered last The second command that you entered overrides the first command For example if you enter the mac address table static mac addr vlan vlan id interface interface id global configuration command followed by the mac address table static mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as a ...

Page 217: ...isable MAC address learning on a single VLAN ID for example no mac address table learning vlan 223 or on a range of VLAN IDs for example no mac address table learning vlan 1 20 15 We recommend that you disable MAC address learning only in VLANs with two ports If you disable MAC address learning on a VLAN with more than two ports every packet entering the switch is flooded in that VLAN domain You c...

Page 218: ...nter global configuration mode Step 2 no mac address table learning vlan vlan id Disable MAC address learning on the specified VLAN or VLANs You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma Valid VLAN IDs s are 1 to 4094 The VLAN cannot be an internal VLAN Step 3 end Return to privileged EXEC mode Step 4 show mac address table learning vlan vlan id Verify the ...

Page 219: ...ia or MAC addresses and the VLAN ID Using an IP address ARP finds the associated MAC address When a MAC address is found the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by t...

Page 220: ...7 32 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 7 Administering the Switch Managing the ARP Table ...

Page 221: ...age for some functions for example use the default template to balance resources and use access template to obtain maximum ACL usage To allocate hardware resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features You can select SDM templates for IP Version 4 IPv4 to optimize these features Routing The routing template maximizes syst...

Page 222: ...lan to forward only IPv4 traffic These SDM templates support IPv4 and IPv6 environments Dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing ACLs and QoS for IPv6 on the switch Dual IPv4 and IPv6 routing template supports Layer 2 multicast routing including policy based routing QoS and ACLs for IPv4 and Layer 2 routing ACLs and QoS for IP...

Page 223: ... been ADDED to the stack SDM_MISMATCH 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE System 2 is incompatible with the SDM 2d23h SDM 6 MISMATCH_ADVISE template currently running on the stack and 2d23h SDM 6 MISMATCH_ADVISE will not function unless the stack is 2d23h SDM 6 MISMATCH_ADVISE downgraded Issuing the following commands 2d23h SDM 6 MISMATCH_ADVISE will...

Page 224: ...to take effect Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing When you use the VLAN template no system resources are reserved for routing entries and any routing is done through software This overloads the CPU and severely degrades routing performance Do not use the routing template if you do not have routing enabled on your swi...

Page 225: ...of directly connected hosts 3K number of indirect routes 8K number of qos aces 0 5K number of security aces 1K On next reload template will be desktop vlan template To return to the default template use the no sdm prefer global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 sdm prefer access default dual ipv4 and ipv6 default routing vlan rou...

Page 226: ...support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 6K number of igmp groups multicast routes 1K number of unicast routes 8K number of directly connected hosts 6K number of indirect routes 2K number of policy based routing aces 0 number of qos aces 0 5K number of security aces 1K This is an example of output from the show sdm prefer routing command...

Page 227: ...r of directly connected IPv4 hosts 1 5K number of indirect IPv4 routes 1 25K number of IPv6 multicast groups 1K number of directly connected IPv6 addresses 1 5K number of indirect IPv6 unicast routes 1 25K number of IPv4 policy based routing aces 0 25K number of IPv4 MAC qos aces 0 5K number of IPv4 MAC security aces 0 5K number of IPv6 policy based routing aces 0 25K number of IPv6 qos aces 0 5K ...

Page 228: ...8 8 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 8 Configuring SDM Templates Displaying the SDM Templates ...

Page 229: ...Typically you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security f...

Page 230: ... Password protection restricts access to a network or network device Privilege levels define what commands users can enter after they have logged into a network device Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Default Password and Privilege Leve...

Page 231: ... any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a new...

Page 232: ...obal configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1 ...

Page 233: ...oot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the Xmodem protoc...

Page 234: ...e switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port or attach a PC to the Ethernet management port The default data characteristics of the console port are 9600 8 1 no parity You might ...

Page 235: ...formation Setting the Privilege Level for a Command page 9 8 Changing the Default Privilege Level for Lines page 9 9 Logging into and Exiting a Privilege Level page 9 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the use...

Page 236: ...and Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is t...

Page 237: ... into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for the...

Page 238: ...tch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch Note We recommend a redundant connection between a switch stack and the TACACS server This is to help ensure that the TACACS server remains accessible in case on...

Page 239: ...ntrol session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounting...

Page 240: ...formation After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT authorization response If an ACCEPT response is returne...

Page 241: ...host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a list of preferred hosts The software searches for hosts in the order in which ...

Page 242: ...named method list explicitly defined A defined method list overrides the default method list A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to ...

Page 243: ... using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 9 13 line Use the line password for authentication Before you can use this authentication method you must ...

Page 244: ...ters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through ...

Page 245: ...tch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Se...

Page 246: ...at uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 9 2 on page 9 19 Network in which the user must on...

Page 247: ... challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled The additional data included with t...

Page 248: ...abled by default on Catalyst switches However some basic configuration is required for the following attributes Security and Password refer to the Preventing Unauthorized Access to Your Switch section in the Configuring Switch Based Authentication chapter in the Catalyst 3750 Switch Software Configuration Guide 12 2 50 SE Accounting refer to the Starting RADIUS Accounting section in the Configurin...

Page 249: ... on page 9 23 Table 9 2 Supported IETF Attributes Attribute Number Attribute Name 24 State 31 Calling Station ID 44 Acct Session ID 80 Message Authenticator 101 Error Cause Table 9 3 Error Cause Values Value Explanation 201 Residual Session Context Removed 202 Invalid EAP Packet Ignored 401 Unsupported Attribute 402 Missing Attribute 403 NAS Identification Mismatch 404 Invalid Request 405 Unsuppor...

Page 250: ... specific attribute Accounting Session ID IETF attribute 44 If more than one session identification attribute is included in the message all the attributes must match the session or the switch returns a Disconnect negative acknowledgement NAK or CoA NAK with the error code Invalid Attribute Value The packet format for a CoA Request code as defined in RFC 5176 consists of the fields Code Identifier...

Page 251: ...ntly authenticated by IEEE 802 1x the switch responds by sending an EAPoL1 RequestId message see footnote 1 below to the server If the session is currently authenticated by MAC authentication bypass MAB the switch sends an access request to the server passing the same identity attributes used for the initial successful authentication If session authentication is in progress when the switch receive...

Page 252: ...rk access on the port re enable it using a non RADIUS mechanism When a device with no supplicant such as a printer needs to acquire a new IP address for example after a VLAN change terminate the session on the host port with port bounce temporarily disable and then re enable the port CoA Disconnect Request This command is a standard Disconnect Request Because this command is session oriented it mu...

Page 253: ...the session is located the switch disables the hosting port for a period of 10 seconds re enables it port bounce and returns a CoA ACK If the switch fails before returning a CoA ACK to the client the process is repeated on the new active switch when the request is re sent from the client If the switch fails after returning a CoA ACK message to the client but before the operation has completed the ...

Page 254: ...entication You can optionally define method lists for RADIUS authorization and accounting A method list defines the sequence and methods to be used to authenticate to authorize or to keep accounts on a user You can use method lists to designate one or more security protocols to be used such as TACACS or local username lookup thus ensuring a backup system if the initial method fails The software us...

Page 255: ...e accounting the second host entry configured acts as a fail over backup to the first one Using this example if the first host entry fails to provide accounting services the RADIUS 4 RADIUS_DEAD message appears and then the switch tries the second host entry configured on the same device for accounting services The RADIUS host entries are tried in the order that they are configured A RADIUS server...

Page 256: ... the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key st...

Page 257: ...erformed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence ...

Page 258: ...e RADIUS server For more information see the Identifying the RADIUS Server Host section on page 9 27 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the usern...

Page 259: ...ference Release 12 2 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host ...

Page 260: ...nsmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as ...

Page 261: ... Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can ...

Page 262: ...t record which is the default condition In some situations users may be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than three minutes To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Step 3 aaa auth...

Page 263: ... vendor ID is 9 and the supported option has vendor type 1 which is named cisco avpair The value is a string with this format protocol attribute sep value Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is a text string that must match the encr...

Page 264: ...10 0 0 255 255 any cisco avpair mac inacl 3 deny any any decnet iv This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication D...

Page 265: ...uration command To disable the key use the no radius server key global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Command Purpose Step 1 configure terminal Enter global configuration mode S...

Page 266: ...ents Step 7 auth type any all session key Specify the type of authorization the switch uses for RADIUS clients The client must match all the configured attributes for authorization Step 8 ignore session key Optional Configure the switch to ignore the session key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step 9 ignore...

Page 267: ...he show running config privileged EXEC command Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system which authenticates requests for network resources by using a trusted third party These sections contain this information Understanding Kerberos page 9 40 Kerberos Operation page 9 42 Configuring Kerberos page 9 43 For Kerberos confi...

Page 268: ...beros protocol The Kerberos credential scheme uses a process called single logon This process authenticates a user once and then allows secure authentication without encrypting another password wherever that user credential is accepted This software release supports Kerberos 5 which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC t...

Page 269: ...her user or network service Note The Kerberos realm name must be in all uppercase characters Kerberos server A daemon that is running on a network host Users and network services register their identity with the Kerberos server Network services query the Kerberos server to authenticate to other network services KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later K...

Page 270: ...ncrypted TGT that includes the user identity to the switch 5 The switch attempts to decrypt the TGT by using the password that the user entered If the decryption is successful the user is authenticated to the switch If the decryption is not successful the user repeats Step 2 either by re entering the username and password noting if Caps Lock or Num Lock is on or off or by entering a different user...

Page 271: ...ase characters Note A Kerberos server can be a Catalyst 3750 E or 3560 E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol To set up a Kerberos authenticated server client system follow these steps Configure the KDC by using Kerberos commands Configure the switch to use the Kerberos protocol For instructions see the Kerberos Confi...

Page 272: ...etwork related service requests Step 6 username name privilege level password encryption type password Enter the local database and establish a username based authentication system Repeat this command for each user For name specify the user ID as one word Spaces and quotation marks are not allowed Optional For level specify the privilege level the user has after gaining access The range is 0 to 15...

Page 273: ...ease supports SSH Version 1 SSHv1 and SSH Version 2 SSHv2 This section consists of these topics SSH Servers Integrated Clients and Supported Versions page 9 45 Limitations page 9 46 SSH Servers Integrated Clients and Supported Versions The SSH feature has an SSH server and an SSH integrated client which are applications that run on the switch You can use an SSH client to connect to a switch runnin...

Page 274: ...running on a stack master and the stack master fails the new stack master uses the RSA key pair generated by the previous stack master If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair has not been generated Reconfigure the hostname and domain and then enter the crypto key generate rsa command For more information see the Setting ...

Page 275: ...tch Step 3 ip domain name domain_name Configure a host domain for your switch Step 4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair We recommend that a minimum modulus size of 1024 bits When you generate RSA keys you are prompted to enter a modulus length A longer modulus length might be more secure but it takes longer t...

Page 276: ...ion shell starts the CLI based session time out value returns to the default of 10 minutes Specify the number of times that a client can re authenticate to the server The default is 3 the range is 0 to 5 Repeat this step when configuring both parameters Step 4 line vty line_number ending_line_number transport input ssh Optional Configure the virtual terminal line settings Enter line configuration ...

Page 277: ...HTTPS the URL of a secure connection begins with https instead of http The primary role of the HTTP secure server the switch is to listen for HTTPS requests on a designated port the default HTTPS port is 443 and pass the request to the HTTP 1 1 Web server The HTTP 1 1 server processes requests and passes responses pages back to the HTTP secure server which in turn responds to the original request ...

Page 278: ...elf signed certificate Switch show running config Building configuration output truncated crypto pki trustpoint TP self signed 3080755072 enrollment selfsigned subject name cn IOS Self Signed Certificate 3080755072 revocation check none rsakeypair TP self signed 3080755072 crypto ca certificate chain TP self signed 3080755072 certificate self signed 01 3082029F 30820208 A0030201 02020101 300D0609 ...

Page 279: ...his list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of router processing load speed 1 SSL_RSA_WITH_DES_CBC_SHA RSA key exchange RSA Public Key Cryptography with DES CBC for message encryption and SHA for message digest 2 SSL_RSA_WITH_RC4_128_MD5 RSA key exchange with RC4 128 bit encryption and MD5 for message digest 3 SSL_RSA_WITH_RC4_128_SHA R...

Page 280: ... keys and certificates Step 4 crypto key generate rsa Optional Generate an RSA key pair RSA key pairs are required before you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode S...

Page 281: ... 4 ip http secure port port number Optional Specify the port number to be used for the HTTPS server The default port number is 443 Valid options are 443 or any number in the range 1025 to 65535 Step 5 ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Optional Specify the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do n...

Page 282: ...ires client authentication connections to the secure HTTP client fail Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Step 11 ip http timeout policy idle seconds life seconds requests value Optional Specify how long a connection to the HTTP server can remain open under the defined circumstances idle the maximum time period when no data is received or response...

Page 283: ...fore enabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Step 3 ip http client secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 ...

Page 284: ...e except that SCP relies on SSH for security SCP also requires that authentication authorization and accounting AAA authorization be configured so the router can determine whether the user has the correct privilege level A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System IFS to and from a switch by using the copy command An authorized administrator c...

Page 285: ...apability to tag the packets These switches operate as access layer switches in the Cisco TrustSec network For more information about Cisco TrustSec see the Cisco TrustSec Switch Configuration Guide at this URL http www cisco com en US docs switches lan trustsec configuration guide trustsec html The sections on SXP define the capabilities supported on the switch Note For complete syntax and usage ...

Page 286: ...lue Pairs page 10 15 802 1x Multiple Authentication Mode page 10 13 802 1x Readiness Check page 10 16 802 1x Authentication with Per User ACLs page 10 18 802 1x Authentication with Guest VLAN page 10 21 802 1x Authentication with Restricted VLAN page 10 22 802 1x Authentication with Inaccessible Authentication Bypass page 10 23 802 1x Authentication with Downloadable ACLs and Redirect URLs page 10...

Page 287: ...tication Protocol EAP extensions is the only supported authentication server It is available in Cisco Secure Access Control Server Version 3 0 or later RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based ...

Page 288: ... the client MAC address for authorization If the client MAC address is valid and the authorization succeeds the switch grants the client access to the network If the client MAC address is invalid and the authorization fails the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured If the switch gets an invalid identity from an 802 1x capable client ...

Page 289: ...ession Timeout RADIUS attribute Attribute 27 specifies the time after which re authentication occurs 141679 Yes No Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins Yes No 1 1 1 1 This occurs if the switch does not detect EAPOL packets from the client Cli...

Page 290: ...P response identity frame However if during bootup the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If 802 1x authentication is not enabled or supported on the network access device any EAPOL frames from the client are dropped If the client ...

Page 291: ...ssful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops 802 1x authentication Figure 10 4 shows the message exchange during MAC authentication bypass Figure 10 4 Message Exchange Duri...

Page 292: ...le host Multiple host MDA1 1 MDA Multidomain authentication Multiple Authentication22 2 Also referred to as multiauth 802 1x VLAN assignment Per user ACL Filter ID attribute Downloadable ACL3 Redirect URL 2 VLAN assignment VLAN assignment Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 MAC authentication bypass V...

Page 293: ...hentication bypass and web authentication The authentication manager commands determine the priority and order of authentication methods applied to a connected host The authentication manager commands control generic authentication features such as host mode violation mode and the authentication timer Generic authentication commands include the authentication host mode authentication violation and...

Page 294: ...directional authentication event dot1x auth fail vlan dot1x critical interface configuration dot1x guest vlan6 Enable the restricted VLAN on a port Enable the inaccessible authentication bypass feature Specify an active VLAN as an 802 1x guest VLAN authentication fallback fallback profile dot1x fallback fallback profile Configure a port to use web authentication as a fallback method for clients th...

Page 295: ...client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the port auto enables 802 1x authentication and causes the port to begin in the unauthorized state allowing only EAPOL frames to be sent and received through the port The...

Page 296: ... For example you can have a redundant connection to the stack master and another to a stack member and if the stack master fails the switch stack still has connectivity to the RADIUS server 802 1x Host Mode You can configure an 802 1x port for single host or for multiple hosts mode In single host mode see Figure 11 1 on page 11 2 only one client can be connected to the 802 1x enabled switch port T...

Page 297: ... or their VLAN information matches the operational VLAN The first host authorized on the port has a group VLAN assignment and subsequent hosts either have no VLAN assignment or their group VLAN matches the group VLAN on the port Subsequent hosts must use the same VLAN from the VLAN group as the first host If a VLAN list is used all hosts are subject to the conditions specified in the VLAN list Onl...

Page 298: ...ent for authorization on the new port For more information see the Enabling MAC Move section on page 10 49 MAC Replace Beginning with Cisco IOS Release 12 2 55 SE the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated Note This feature does not apply to ports in multi auth mode because...

Page 299: ...t require information that is in the Acct Input Octets or the Acct Output Octets attributes of a RADIUS packet AV pairs are automatically sent by a switch that is configured for 802 1x accounting Three types of RADIUS accounting packets are sent by a switch START sent when a new user session starts INTERIM sent during an existing session for updates STOP sent when a session terminates Table 10 3 l...

Page 300: ...ust respond within the 802 1x timeout value For information on configuring the switch for the 802 1x readiness check see the Configuring 802 1x Readiness Check section on page 10 38 802 1x Authentication with VLAN Assignment The switch supports 802 1x authentication with VLAN assignment After successful 802 1x authentication of a port the RADIUS server sends the VLAN assignment to configure the sw...

Page 301: ...placed in the same VLAN specified by the RADIUS server as the first authenticated host Enabling port security does not impact the RADIUS server assigned VLAN behavior If 802 1x authentication is disabled on the port it is returned to the configured access VLAN and configured voice VLAN When the port is in the force authorized force unauthorized unauthorized or shutdown state it is put into the con...

Page 302: ...avoid configuration conflicts you should carefully plan the user profiles stored on the RADIUS server RADIUS supports per user attributes including vendor specific attributes These vendor specific attributes VSAs are in octet string format and are passed to the switch during the authentication process The VSAs used for per user ACLs are inacl n for the ingress direction and outacl n for the egress...

Page 303: ... a voice VLAN port the switch applies the ACL only to the phone Beginning with Cisco IOS Release 12 2 55 SE if you do not configure a static ACL on a port a dynamic Auth Default ACL is created and its policies are enforced The Auth Default ACL is not stored in NVRAM and cannot be retrieved by the nonvolatile generation NVGEN process The Auth Default ACL is removed from the port when the last authe...

Page 304: ...ined ACL AV pair to intercept an HTTP or HTTPS request from the endpoint device The switch then forwards the client web browser to the specified redirect address The url redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected The url redirect acl AV pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect Traffic that ...

Page 305: ...ort on the switch to provide limited services to clients such as downloading the 802 1x client These clients might be upgrading their system for 802 1x authentication and some hosts such as Windows 98 systems might not be IEEE 802 1x capable When you enable a guest VLAN on an 802 1x802 1x port the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request...

Page 306: ... 802 1x Authentication with MAC Authentication Bypass section on page 10 28 For more information see the Configuring a Guest VLAN section on page 10 51 802 1x Authentication with Restricted VLAN You can configure a restricted VLAN also referred to as an authentication failed VLAN for each IEEE 802 1x port on a switch stack or a switch to provide limited services to clients that cannot access the g...

Page 307: ...tion on page 10 52 802 1x Authentication with Inaccessible Authentication Bypass Use the inaccessible authentication bypass feature also referred to as critical authentication or the AAA fail policy when the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated You can configure the switch to connect those hosts to critical ports When a new host tries to connect t...

Page 308: ...RADIUS configured or user specified access VLAN If all the RADIUS servers are not available and the client is not connected to a critical port the switch might not assign clients to the guest VLAN if one is configured If all the RADIUS servers are not available and if a client is connected to a critical port and was previously assigned to a guest VLAN the switch keeps the port in the guest VLAN Re...

Page 309: ...end the VLAN information in any combination of VLAN IDs VLAN names or VLAN groups 802 1x User Distribution Configuration Guidelines Confirm that at least one VLAN is mapped to the VLAN group You can map more than one VLAN to a VLAN group You can modify the VLAN group by adding or deleting a VLAN When you clear an existing VLAN from the VLAN group name none of the authenticated ports in the VLAN ar...

Page 310: ...nectivity to the switch for up to 30 seconds For more information about voice VLANs see Chapter 15 Configuring Voice VLAN IEEE 802 1x Authentication with Port Security You can configure an IEEE 802 1x port with port security in either single host or multiple hosts mode You also must configure port security on the port by using the switchport port security interface configuration command When you e...

Page 311: ...nd the command reference for this release For more information about enabling port security on your switch see the Configuring Port Security section on page 26 8 IEEE 802 1x Authentication with Wake on LAN The IEEE 802 1x authentication with wake on LAN WoL feature allows dormant PCs to be powered when the switch receives a specific Ethernet frame known as the magic packet You can use this feature...

Page 312: ...ication occurs the switch uses IEEE 802 1x authentication as the preferred re authentication process if the previous session ended because the Termination Action RADIUS attribute value is DEFAULT Clients that were authorized with MAC authentication bypass can be re authenticated The re authentication process is the same as that for clients that were authenticated with IEEE 802 1x During re authent...

Page 313: ...If the value is the DEFAULT or is not set the session ends If the value is RADIUS Request the re authentication process starts View the NAC posture token which shows the posture of the client by using the show dot1x privileged EXEC command Configure secondary private VLANs as guest VLANs Configuring NAC Layer 2 IEEE 802 1x validation is similar to configuring IEEE 802 1x port based authentication ...

Page 314: ...multidomain For more information see Chapter 15 Configuring Voice VLAN Voice VLAN assignment on an MDA enabled port is supported in Cisco IOS Release 12 2 40 SE and later Note If you use a dynamic VLAN to assign a voice VLAN on an MDA enabled switch port the voice device fails authorization To authorize a voice device the AAA server must be configured to send a Cisco Attribute Value AV pair attrib...

Page 315: ...AT The Network Edge Access Topology NEAT feature extends identity to areas outside the wiring closet such as conference rooms This allows any type of device to authenticate on the port 802 1x switch supplicant You can configure a switch to act as a supplicant to another switch by using the 802 1x supplicant feature This configuration is helpful in a scenario where for example a switch is outside a...

Page 316: ...on the authenticator switch port and to change the port mode from access to trunk For Auto Smartports macros Auto Smartports Macros Configuration Guide and Release Notes for Auto Smartports Macros For more information see the Configuring an Authenticator and a Supplicant Switch with NEAT section on page 10 60 Voice Aware 802 1x Security You use the voice aware 802 1x security feature to configure ...

Page 317: ...60000050000000B288508E5 1w0d MAB 5 SUCCESS Authentication successful for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 1w0d AUTHMGR 7 RESULT Authentication result success from mab for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 The session ID is used by the NAD the AAA server and other report analyzing applications to iden...

Page 318: ...iguring an Authenticator and a Supplicant Switch with NEAT page 10 60 optional Configuring 802 1x Authentication with Downloadable ACLs and Redirect URLs page 10 62 optional Configuring VLAN ID based MAC Authentication page 10 64 optional Configuring Flexible Authentication Ordering page 10 65 optional Configuring Open1x page 10 65 optional Configuring a Web Authentication Local Banner page 10 66 ...

Page 319: ...zed state Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switch will s...

Page 320: ... change an 802 1x enabled port to dynamic VLAN assignment an error message appears and the VLAN configuration is not changed EtherChannel port Do not configure a port that is an active or a not yet active member of an EtherChannel as an 802 1x port If you try to enable 802 1x authentication on an EtherChannel port an error message appears and 802 1x authentication is not enabled Switched Port Anal...

Page 321: ...uthentication timer reauthentication or dot1x timeout tx period The amount to decrease the settings depends on the connected 802 1x client type When configuring the inaccessible authentication bypass feature follow these guidelines The feature is supported on 802 1x port in single host mode and multihosts mode If the client is running Windows XP and the port to which the client is connected is in ...

Page 322: ...ing 802 1x Readiness Check The 802 1x readiness check monitors 802 1x activity on all the switch ports and displays information about the devices connected to the ports that support 802 1x You can use this feature to determine if the devices connected to the switch ports are 802 1x capable The 802 1x readiness check is allowed on all ports that can be configured for 802 1x The readiness check is n...

Page 323: ...lation shutdown vlan global configuration command You disable voice aware 802 1x security by entering the no version of this command This command applies to all 802 1x configured ports in the switch Note If you do not include the shutdown vlan keywords the entire port is shut down when it enters the error disabled state If you use the errdisable recovery cause security violation global configurati...

Page 324: ...w these steps to configure the security violation actions on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 errdisable detect cause security violation shutdown vlan Shut down any VLAN on which a security violation error occurs Note If the shutdown vlan keywords are not included the entire port enters the error disabled state and shuts down Step 3 errdis...

Page 325: ...thentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other key...

Page 326: ...e list of all RADIUS servers for authentication Note Though other keywords are visible in the command line help string only the group radius keywords are supported Step 4 dot1x system auth control Enable 802 1x authentication globally on the switch Step 5 aaa authorization network default group radius Optional Configure the switch to use user RADIUS authorization for all network related service re...

Page 327: ...more information see the Configuring Settings for All RADIUS Servers section on page 9 35 You also need to configure some settings on the RADIUS server These settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 328: ...e terminal Enter global configuration mode Step 2 interface interface id Specify the port to which multiple hosts are indirectly attached and enter interface configuration mode Step 3 authentication host mode multi auth multi domain multi host single host or dot1x host mode multi host multi domain Allow multiple hosts clients on an 802 1x authorized port The keywords have these meanings multi auth...

Page 329: ...efault Step 4 authentication timer inactivity reauthenticate server am restart value or dot1x timeout reauth period seconds server Set the number of seconds between re authentication attempts The authentication timer keywords have these meanings inactivity Interval in seconds after which if there is no activity from the client then it is unauthorized reauthenticate Time in seconds after which an a...

Page 330: ...ce gigabitethernet2 0 1 Changing the Quiet Period When the switch cannot authenticate the client the switch remains idle for a set period of time and then tries again The dot1x timeout quiet period interface configuration command controls the idle period A failed authentication of the client might occur because the client provided an invalid password You can provide a faster response time to the u...

Page 331: ...t identity frame from the client before resending the request Switch config if dot1x timeout tx period 60 Setting the Switch to Client Frame Retransmission Number In addition to changing the switch to client retransmission time you can change the number of times that the switch sends an EAP request identity frame assuming no response is received to the client before restarting the authentication p...

Page 332: ...ntication servers Beginning in privileged EXEC mode follow these steps to set the re authentication number This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x max reauth req count Set the number of times that the switch sends an EAP re...

Page 333: ...Switch config authentication mac move permit Enabling MAC Replace MAC replace allows a host to replace an authenticated host on a port Beginning in privileged EXEC mode follow these steps to enable MAC replace on an interface This procedure is optional Please review the purpose column for Step 3 below and indicate any changes needed Step 5 show authentication interface id or show dot1x interface i...

Page 334: ...perform accounting tasks such as logging start stop and interim update messages and time stamps To turn on these functions enable logging of Update Watchdog packets from this AAA client in your RADIUS server Network Configuration tab Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Beginning in privileged EXEC mode follow these steps to configure 802 1x accounting a...

Page 335: ...re is optional Step 3 aaa accounting dot1x default start stop group radius Enable 802 1x accounting using the list of all RADIUS servers Step 4 aaa accounting system default start stop group radius Optional Enables system accounting using the list of all RADIUS servers and generates system accounting reload event messages when the switch reloads Step 5 end Return to privileged EXEc mode Step 6 sho...

Page 336: ...N when the authentication server does not receive a valid username and password The switch supports restricted VLANs only in single host mode Beginning in privileged EXEC mode follow these steps to configure a restricted VLAN This procedure is optional Step 7 show authentication interface id or show dot1x interface interface id Verify your entries Step 8 copy running config startup config Optional...

Page 337: ...nal Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuration Guidelines section on page 10 35 Step 3 switchport mode access or switchport mode priv...

Page 338: ... in privileged EXEC mode follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server dead criteria time time tries tries Optional Set the conditions that are used to decide when a RADIUS server is considered unavailable ...

Page 339: ...ing specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS server Note Always configure the key as the last item in the radius server host command syntax because leading spaces are ignored but spaces within and at the end of the key are used If you use sp...

Page 340: ...witch config radius server deadtime 60 Switch config if dot1x critical Switch config if dot1x critical recovery action reinitialize Switch config if dot1x critical vlan 20 Switch config if end Step 7 authentication event server dead action authorize reinitialize vlan vlan id Use these keywords to move hosts on the port if the RADIUS server is unreachable authorize Move any new hosts trying to auth...

Page 341: ...rted port types see the 802 1x Authentication Configuration Guidelines section on page 10 35 Step 3 dot1x control direction both in Enable 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional both Sets the port as bidirectional The port cannot receive packets from or send packets to the host By default the port is bidirectional ...

Page 342: ... dot1x vlan group all Group Name Vlans Mapped eng dept 10 hr dept 20 This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added switch config vlan group eng dept vlan list 30 switch config show vlan group eng dept Group Name Vlans Mapped Step 4 dot1x mac auth bypass eap Enable MAC authentication bypass Optional Use the eap keyword to configure the switch t...

Page 343: ...ged EXEC mode follow these steps to configure NAC Layer 2 802 1x validation The procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x guest vlan vlan id Specify an active VLAN as an 802 1x guest VLAN The range is 1 to 4094 You can configure a...

Page 344: ...cator This example shows how to configure a switch as an 802 1x authenticator Switch configure terminal Switch config cisp enable Switch config interface gigabitethernet2 0 1 Switch config if switchport mode access Step 7 show authentication interface id or show dot1x interface interface id Verify your 802 1x authentication configuration Step 8 copy running config startup config Optional Save your...

Page 345: ...rd Create a password for the new username Step 6 dot1x supplicant force multicast Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets This also allows NEAT to work on the supplicant switch in all host modes Step 7 interface interface id Specify the port to be configured and enter interface configuration mode Step 8 switchport trunk encapsulati...

Page 346: ...Ls and Redirect URLs In addition to configuring 802 1x authentication on the switch you need to configure the ACS For more information see the Cisco Secure ACS configuration guides Note You must configure a downloadable ACL on the ACS before downloading it to the switch After authentication on the port you can use the show ip access list privileged EXEC command to display the downloaded ACLs on th...

Page 347: ...ress of the network or host that sends a packet such as this The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard value of 0 0 0 0 255 255 255 255 You do not need to enter a source wildcard value The keyword host as an abbreviation for source and source wildcard of source 0 0 0 0 Optional Applies the source wildcard wildcard bits to the sou...

Page 348: ...res the IP device tracking table count count Sets the number of times that the switch sends the ARP probe The range is from 1 to 5 The default is 3 interval interval Sets the number of seconds that the switch waits for a response before resending the ARP probe The range is from 30 to 300 seconds The default is 30 seconds use svi Uses the switch virtual interface SVI IP address as source of ARP pro...

Page 349: ...n as fallback method Switch configure terminal Switch config interface gigabitethernet 1 0 1 Switch config authentication order dot1x webauth Configuring Open1x Beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication order ...

Page 350: ...ut the ip auth proxy auth proxy banner command see the Authentication Proxy Commands section of the Cisco IOS Security Command Reference on Cisco com Step 5 authentication host mode multi auth multi domain multi host single host Optional Set the authorization manager mode on a port Step 6 authentication open Optional Enable or disable open access on a port Step 7 authentication order dot1x mab web...

Page 351: ...t Values Beginning in privileged EXEC mode follow these steps to reset the 802 1x authentication configuration to the default values This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 no dot1x pae Disable 802 1x authentication on the port S...

Page 352: ...terface interface id privileged EXEC command To display the 802 1x administrative and operational status for the switch use the show dot1x all details statistics summary privileged EXEC command To display the 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command Beginning with Cisco IOS Release 12 2 55 SE you can use the ...

Page 353: ...n on Layer 2 and Layer 3 interfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AAA server for authentication If authentication succeeds web based authentication s...

Page 354: ...authentication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a response to the client Figure 11 1 shows the roles of these devices in a network Figure 11 1 Web Based Authentication Device Roles Host Detection The swi...

Page 355: ... password and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expi...

Page 356: ...ed You create a banner by using the ip admission auth proxy banner http global configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 11 2 Figure 11 2 Authentication Successful Banner You can also customize the banner as shown in Figure 11 3 Add a switch ro...

Page 357: ...d Web Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 11 4 Figure 11 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 11 16 ...

Page 358: ...a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command configuring web pag...

Page 359: ...11 7 LAN Port IP page 11 8 Gateway IP page 11 8 ACLs page 11 8 Context Based Access Control page 11 8 802 1x Authentication page 11 8 EtherChannel page 11 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can the...

Page 360: ...entication host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentication hos...

Page 361: ...y feature You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hosts on Lay...

Page 362: ...is example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethernet 5 1 Switch config if ip admission webauth1 Switch config if exit Switch config ip device tracking This example shows how to verify the configuration Switch show ip admission configuration Authentication Proxy Banner not configure...

Page 363: ... the IP address and UDP port number creates a unique identifier that enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address If two different host entries on the same RADIUS server are configured for the same service for example authentication the second host entry that is configured functions as the failover backup to the first one The RADIUS host entries are c...

Page 364: ...nce Release 12 2 at this URL http www cisco com en US docs ios 12_2 security command reference fsecur_r html Note You need to configure some settings on the RADIUS server including the switch IP address the key string to be shared by both the server and the switch and the downloadable ACL DACL For more information see the RADIUS server documentation Command Purpose Step 1 ip radius source interfac...

Page 365: ...tion to display four substitute HTML pages to the user in place of the switch default HTML pages during web based authentication To specify the use of your custom authentication proxy web pages first store your custom HTML files on the switch flash memory then perform this task in global configuration mode Command Purpose Step 1 ip http server Enable the HTTP server The web based authentication fe...

Page 366: ...om file use the no form of the command Because the custom login page is a public web form consider these guidelines for the page The login form must accept user entries for the username and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example shows how...

Page 367: ...roxy webpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5 ...

Page 368: ...e maximum number of failed login attempts to 10 Switch config ip admission max login attempts 10 Configuring a Web Authentication Local Banner Beginning in privileged EXEC mode follow these steps to configure a local banner on a switch that has web authentication configured Command Purpose Step 1 ip admission max login attempts number Set the maximum number of failed login attempts The range is 1 ...

Page 369: ...pecific ports This example shows how to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Step 3 end Return to privileged EXEC mode Step 4 copy running config startup config Optional Save your entri...

Page 370: ...11 18 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 11 Configuring Web Based Authentication Displaying Web Based Authentication Status ...

Page 371: ... Configuring the Cisco RPS 2300 page 12 37 Configuring the Power Supplies page 12 38 Monitoring and Maintaining the Interfaces page 12 39 Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Interface Types This section describes the different types of...

Page 372: ...ed in transparent mode are not added to the VLAN database but are saved in the switch running configuration With VTP version 3 you can create extended range VLANs in client or server mode These VLANs are saved in the VLAN database In a switch stack the VLAN database is downloaded to all switches in a stack and all switches in the stack build the same VLAN database The running configuration and the...

Page 373: ...ver VMPS The VMPS can be a Catalyst 6500 series switch the Catalyst 3750 E or 3560 E switch cannot be a VMPS server You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN Trunk Ports A trunk port car...

Page 374: ...uter it does not have to be connected to a router A routed port is not associated with a particular VLAN as is an access port A routed port behaves like a regular router interface except that it does not support VLAN subinterfaces Routed ports can be configured with a Layer 3 routing protocol A routed port is a Layer 3 interface only and does not support Layer 2 protocols such as DTP and STP Confi...

Page 375: ...g associated with data frames on an ISL or IEEE 802 1Q encapsulated trunk or the VLAN ID configured for an access port Configure a VLAN interface for each VLAN for which you want to route traffic and assign it an IP address For more information see the Manually Assigning IP Information section on page 3 15 Note When you create an SVI it does not become active until it is associated with a physical...

Page 376: ...access port group multiple tunnel ports into one logical tunnel port or group multiple routed ports into one logical routed port Most protocols operate over either single ports or aggregated switch ports and do not recognize the physical ports within the port group Exceptions are the DTP the Cisco Discovery Protocol CDP and the Port Aggregation Protocol PAgP which operate only on physical ports Wh...

Page 377: ...r remove power from the PoE port Cisco intelligent power management The powered device and the switch negotiate through power negotiation CDP messages for an agreed upon power consumption level The negotiation allows a high power Cisco powered device which consumes more than 7 W to operate at its highest power mode The powered device first boots up in low power mode consumes less than 7 W and nego...

Page 378: ...r consumption requirement of the connected Cisco powered devices which is the amount of power to allocate based on the CDP messages The switch adjusts the power budget accordingly This does not apply to third party PoE devices The switch processes a request and either grants or denies power If the request is granted the switch updates the power budget If the request is denied the switch ensures th...

Page 379: ...allowed on the port If the IEEE class maximum wattage of the powered device is greater than the configured maximum value the switch does not provide power to the port If the switch powers a powered device but the powered device later requests through CDP messages more than the configured maximum value the switch removes power to the port The power that was allocated to the powered device is reclai...

Page 380: ...the maximum power consumption also referred to as the cutoff power on a PoE port see the Maximum Power Allocation Cutoff Power on a PoE Port section on page 12 10 If the device uses more than the maximum power allocation on the port the switch can either turn off power to the port or the switch can generate a syslog message and update the LEDs the port LED is now blinking amber while still providi...

Page 381: ...ff power value by using the power inline auto max 6300 interface configuration command the configured maximum power allocation on the PoE port is 6 3 W 6300 mW The switch provides power to the connected devices on the port if the device needs up to 6 3 W If the CDP power negotiated value or the IEEE classification value exceeds the configured cutoff value the switch does not provide power to the c...

Page 382: ...ring MSDP Fallback bridging forwards traffic that the switch does not route or traffic belonging to a nonroutable protocol such as DECnet Fallback bridging connects multiple VLANs into one bridge domain by bridging between two or more SVIs or routed ports When configuring fallback bridging you assign SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge gro...

Page 383: ...ots the SFP module ports are numbered consecutively following the 10 100 1000 interfaces For example if the switch has 24 10 100 1000 ports the SFP module ports are gigabitethernet1 0 25 through gigabitethernet1 0 28 You can identify physical interfaces by physically checking the interface location on the switch You can also use the show privileged EXEC commands to display information about a spec...

Page 384: ...y its status by using the show privileged EXEC commands listed in the Monitoring and Maintaining the Interfaces section on page 12 39 Enter the show interfaces privileged EXEC command to see a list of all interfaces on or configured for the switch A report is provided for each interface that the device supports or for the specified interface Configuring a Range of Interfaces You can use the interf...

Page 385: ...n the first interface number and the hyphen when using the interface range command For example the command interface range gigabitethernet1 0 1 4 is a valid range the command interface range gigabitethernet1 0 1 4 is not a valid range The interface range command only works with VLAN interfaces that have been configured with the interface vlan command The show running config privileged EXEC command...

Page 386: ...ileged EXEC mode follow these steps to define an interface range macro Use the no define interface range macro_name global configuration command to delete a macro When using the define interface range global configuration command note these guidelines Valid entries for interface range vlan vlan ID vlan ID where the VLAN ID is 1 to 4094 gigabitethernet module first port last port for Catalyst 3560 ...

Page 387: ...nning config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Gigabit Ethernet ports all 10 Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named enet_list to include ports 1 and 2 on switch 1 and to verify the macro configu...

Page 388: ...address For a Catalyst 3560 E switch or a standalone Catalyst 3750 E switch connect the Ethernet management port to the PC as shown in Figure 12 2 Figure 12 2 Connecting a Switch to a PC In a stack with only Catalyst 3750 X or Catalyst 3750 E switches all the Ethernet management ports on the stack members are connected to a hub to which the PC is connected The active link is from the Ethernet mana...

Page 389: ...rk ports are associated with the same routing process the routes are propagated as follows The routes from the Ethernet management port are propagated through the network ports to the network The routes from the network ports are propagated through the Ethernet management port to the network Because routing is not supported between the Ethernet management port and the network ports traffic between...

Page 390: ...lists ACLs Routing protocols Caution Before enabling a feature on the Ethernet management port make sure that the feature is supported If you try to configure an unsupported feature on the Ethernet Management port the feature might not work properly and the switch might fail Configuring the Ethernet Management Port To specify the Ethernet management port in the CLI enter fastethernet0 To disable t...

Page 391: ...for an Interface page 12 31 Table 12 2 Boot Loader Commands Command Description arp ip_address Displays the currently cached ARP1 table when this command is entered without the ip_address parameter Enables ARP to associate a MAC address with the specified IP address when this command is entered with the ip_address parameter 1 ARP Address Resolution Protocol mgmt_clr Clears the statistics for the E...

Page 392: ...ration Feature Default Setting Operating mode Layer 2 or switching mode switchport command Allowed VLAN range VLANs 1 4094 Default VLAN for access ports VLAN 1 Layer 2 interfaces only Native VLAN for IEEE 802 1Q trunks VLAN 1 Layer 2 interfaces only VLAN trunking Switchport mode dynamic auto supports DTP Layer 2 interfaces only Port enable state All ports are enabled Port description None defined ...

Page 393: ...l However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode For SFP module ports the speed and duplex CLI options change depending on the SFP module type The 1000BASE x where x is BX CWDM LX SX and ZX SFP module ports support the nonegotiate keyword in the speed interface configuration command Duplex options are not supported The 1000BASE T SFP module ports support the ...

Page 394: ... specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP module ports SFP module ports operate only at 1000 M...

Page 395: ...ive pause frames to on off or desired The default state is off When set to desired an interface can operate with an attached device that is required to send flow control packets or with an attached device that is not required to but can send flow control packets These rules apply to flow control settings on the device receive on or desired The port cannot send pause frames but can operate with an ...

Page 396: ...o MDIX you must also set the interface speed and duplex to auto so that the feature operates correctly Auto MDIX is supported on all 10 100 1000 Mb s and on 10 100 1000BASE TX small form factor pluggable SFP module interfaces It is not supported on 1000BASE SX or LX SFP module interfaces Table 12 4 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginnin...

Page 397: ...wer powered devices on a port Note When you make PoE configuration changes the port being configured drops power Depending on the new configuration the state of the other PoE ports and the state of the power budget the port might not be powered up again For example port 1 is in the auto and on state and you configure it for static mode The switch removes power from port 1 detects the powered devic...

Page 398: ...nt specified by the IEEE classification The difference between what is mandated by the IEEE classification and what is actually needed by the device is reclaimed into the global power budget for use by additional devices You can then extend the switch power budget and use it more effectively Step 3 power inline auto max max wattage never static max max wattage Configure the PoE mode on the port Th...

Page 399: ...er Ethernet Ports section on page 12 6 Beginning in privileged EXEC mode follow these steps to configure the amount of power budgeted to a powered device connected to each PoE port on a switch To return to the default setting use the no power inline consumption default global configuration command Beginning in privileged EXEC mode follow these steps to configure amount of power budgeted to a power...

Page 400: ...the switch The range for each device is 4000 to 15400 mW The default is 15400 mW Configure enhanced PoE to increase the maximum power supplied to a device up to 20 W Step 5 end Return to privileged EXEC mode Step 6 show power inline consumption Display the power consumption data Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command P...

Page 401: ... mode Step 5 errdisable detect cause inline power and errdisable recovery cause inline power and errdisable recovery interval interval Optional Enable error recovery from the PoE error disabled state and configure the PoE recover mechanism variables By default the recovery interval is 300 seconds For interval interval specify the time in seconds to recover from the error disabled state The range i...

Page 402: ...are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command Layer 3 EtherChannel ports EtherChannel interfaces made up of routed ports EtherChannel port interfaces are described in Chapter 38 Configuring EtherChannels and Link State Tracking A Layer 3 switch can have an IP address assigned to each routed port and SVI There is no defined limit to t...

Page 403: ...CNTL Z Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 192 20 135 21 255 255 255 0 Switch config if no shutdown Configuring SVI Autostate Exclude Configuring SVI autostate exclude on an access or trunk port in an SVI excludes that port in the calculation of the status of the SVI line state up or down status even if it belongs to the same VLAN...

Page 404: ... the system mtu routing bytes global configuration command to specify the system routing MTU value When configuring the system MTU values follow these guidelines The switch does not support the MTU on a per interface basis You can enter the system mtu bytes global configuration command on a Catalyst 3750 E switch but the command does not take effect on the switch This command only affects the syst...

Page 405: ...X only or Catalyst 3750 only stack A stack consisting of Catalyst 3750 X and Catalyst 3750 E switches or either of these and Catalyst 3750 switches also referred to as a mixed hardware stack Table 12 5 shows how the MTU values are applied depending on the configuration Table 12 5 System MTU Values Configuration system mtu command system jumbo mtu command system routing mtu command Standalone Catal...

Page 406: ...000 Invalid input detected at marker Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 system mtu jumbo bytes Optional Change the MTU size for all Gigabit Ethernet and 10 Gigabit Ethernet interfaces on the switch or the switch stack For information about the range for bytes see Table 12 5 Step 3 system mtu routing bytes Optional Change the system MTU for routed ports...

Page 407: ...highest priority and specifying a value of 6 assigns the port and its connected devices the lowest priority If multiple switches connected to the RPS 2300 need power the RPS 2300 provides power to the switches with the highest priority If the RPS 2300 still has power available it can then provide power to the switches with lower priorities Beginning in user EXEC mode follow these steps to configur...

Page 408: ...y on the switch Step 2 power rps switch number port rps port id mode active standby Specify the mode of the RPS 2300 port The keywords have these meanings switch number Specify the stack member to which the RPS 2300 is connected The range is 1 to 9 depending on the switch member numbers in the stack This keyword is supported only on Catalyst 3750 E switches port rps port id Specify the RPS 2300 po...

Page 409: ...for this release Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information Monitoring Interface Status page 12 40 Clearing and Resetting Interfaces and Counters page 12 41 Shutting Down and Restarting the Interface page 12 42 Command Purpose Step 1 power supply switch number off on Set the switch power supply to off or on by using one of thes...

Page 410: ...60 switches RPS 2300 or Cisco RPS 675 Redundant Power System also referred to as the RPS 675 show env rps detail Optional Display the details about the RPSs that are connected to the switch or switch stack show env rps switch switch number Optional Display the RPSs that are connected to each switch in the stack or to the specified switch The range is 1 to 9 depending on the switch member numbers i...

Page 411: ...ount of current on the interface show interfaces interface id transceiver properties detail module number Display physical and operational status about an SFP module show running config interface interface id Display the running configuration in RAM for the interface show version Display the hardware configuration software version the names and sources of configuration files and the boot images sh...

Page 412: ...ot mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the interface To verify that an interface is disabled enter the show interfaces privileged EXEC command A disabled interface is shown as administratively down in the display Command Purpose Step 1 configure terminal Enter ...

Page 413: ... page 13 10 Displaying VLANs page 13 14 Configuring VLAN Trunks page 13 14 Configuring VMPS page 13 25 Understanding VLANs A VLAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the ...

Page 414: ...ring Layer 3 Interfaces section on page 12 32 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more information on the SDM templates see Chapte...

Page 415: ... the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch or the switch stack connected to a trunk port of a second switch or switch stack Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs but membership can be limited by configuring the allowed VLAN list You can also modify the pruning eligible lis...

Page 416: ... 3750 E switch thevlan dat file is stored in flash memory on the stack master Stack members have a vlan dat file that is consistent with the stack master Caution You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan dat file If you want to modify the VLAN configuration use the commands described in these sections and in the command reference for this release T...

Page 417: ...ion page 13 7 Creating or Modifying an Ethernet VLAN page 13 8 Deleting a VLAN page 13 9 Assigning Static Access Ports to a VLAN page 13 9 Token Ring VLANs Although the switch does not support Token Ring connections a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches Switches running VTP Version 2 advertise informati...

Page 418: ...nces You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances If the number of VLANs on the switch exceeds the number of supported spanning tree instances we recommend that you configure the IEEE 802 1s Multiple STP MSTP on your switch to map multiple VLANs to a single spanning tree instance For more info...

Page 419: ...ions 1 and 2 if VTP mode is server the domain name and VLAN configuration for only the first 1005 VLANs use the VLAN database information VTP version 3 also supports VLANs 1006 to 4094 Default Ethernet VLAN Configuration Table 13 2 shows the default configuration for Ethernet VLANs Note The switch supports Ethernet interfaces exclusively Because FDDI and Token Ring VLANs are not locally supported ...

Page 420: ...an 20 Switch config vlan name test20 Switch config vlan end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information about adding VLAN IDs greater t...

Page 421: ... cluster member switch to a VLAN first use the rcommand privileged EXEC command to log in to the cluster member switch Note If you assign an interface to a VLAN that does not exist the new VLAN is created See the Creating or Modifying an Ethernet VLAN section on page 13 8 Beginning in privileged EXEC mode follow these steps to assign a port to a VLAN in the VLAN database Command Purpose Step 1 con...

Page 422: ...VTP mode is transparent they are stored in the switch running configuration file and you can save the configuration in the startup configuration file by using the copy running config startup config privileged EXEC command Extended range VLANs created in VTP version 3 are stored in the VLAN database Note Although the switch supports 4094 VLAN IDs see the Supported VLANs section on page 13 2 for the...

Page 423: ... creates an internal VLAN for its use These internal VLANs use extended range VLAN numbers and the internal VLAN ID cannot be used for an extended range VLAN If you try to create an extended range VLAN with a VLAN ID that is already allocated as an internal VLAN an error message is generated and the command is rejected Because internal VLAN IDs are in the lower part of the extended range we recomm...

Page 424: ...range VLAN is the same as for normal range VLANs See the Assigning Static Access Ports to a VLAN section on page 13 9 This example shows how to create a new extended range VLAN with all default characteristics enter VLAN configuration mode and save the new VLAN in the switch startup configuration file Switch config vtp mode transparent Command Purpose Step 1 configure terminal Enter global configu...

Page 425: ...D for the routed port that is using the VLAN ID and enter interface configuration mode Step 4 shutdown Shut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transparent Set the VTP mode to transparent for creating extended range VLANs Note This step is not required for VTP version 3 Step 7 vlan vlan id Enter the new extended range VLAN ID a...

Page 426: ...ge 13 17 Configuring an Ethernet Interface as a Trunk Port page 13 17 Configuring Trunk Ports for Load Sharing page 13 22 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethernet trunks carry the traffic of multiple VLANs over a single link and you can extend the VLANs across an entire netw...

Page 427: ...ich could cause misconfigurations To avoid this you should configure interfaces connected to devices that do not support DTP to not forward DTP frames that is to turn off DTP If you do not intend to trunk across those links use the switchport mode access interface configuration command to disable trunking To enable trunking to a device that does not support DTP use the switchport mode trunk and sw...

Page 428: ...link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk desirable or auto mode switchport mode trunk Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link The interface becomes a trunk interface even if the neighboring interface is not a trunk interface switchport nonegotiate Prevents the i...

Page 429: ...g tree loops might result Disabling spanning tree on the native VLAN of an IEEE 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802 1Q trunk or disable spanning tree on every VLAN in the network Make sure your network is loop free before disabling span...

Page 430: ... these parameters the switch propagates the setting you entered to all ports in the group allowed VLAN list STP port priority for each VLAN STP Port Fast setting trunk status if one port in a port group ceases to be a trunk all ports cease to be trunks We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode If you try to enable IEEE 802 ...

Page 431: ...N 1 is the default VLAN on all trunk ports in all Cisco switches and it has previously been a requirement that VLAN 1 always be enabled on every trunk link You can use the VLAN 1 minimization feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic including spanning tree advertisements is sent or received on VLAN 1 Step 4 switchport mode dynamic auto desirable trunk Con...

Page 432: ...Ns use the no switchport trunk allowed vlan interface configuration command This example shows how to remove VLAN 2 from the allowed VLAN list on a port Switch config interface gigabitethernet1 0 1 Switch config if switchport trunk allowed vlan remove 2 Switch config if end Changing the Pruning Eligible List The pruning eligible list applies only to trunk ports Each trunk port has its own eligibil...

Page 433: ... mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan Configure the list of VLANs allowed to be pruned from the trunk See the VTP Pruning section on page 14 6 For explanations about using the add except none and remove keywords see the command ...

Page 434: ...cking state You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN The trunk port with the higher priority lower values for a VLAN is forwarding traffic for that VLAN The trunk port with the lower priority higher values for the same VLAN remains in a blocking state for that VLAN One trunk port sends or receives all traffic for the VLAN Figure ...

Page 435: ...TP administrative domain The domain name can be 1 to 32 characters Step 3 vtp mode server Configure Switch A as the VTP server Step 4 end Return to privileged EXEC mode Step 5 show vtp status Verify the VTP configuration on both Switch A and Switch B In the display check the VTP Operating Mode and the VTP Domain Name fields Step 6 show vlan Verify that the VLANs exist in the database on Switch A S...

Page 436: ...ributed by Path Cost Step 15 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verify that Switch B has learned the VLAN configuration Step 16 configure terminal Enter global configuration mode on Switch A Step 17 interface gigabitethernet1 0 1 Define the interface to set the STP port priority and enter interface configuration mode Step 18 spanning tree vla...

Page 437: ... switchport mode trunk Configure the port as a trunk port The trunk defaults to ISL trunking Step 5 exit Return to global configuration mode Step 6 Repeat Steps 2 through 5 on a second interface in Switch A for a Catalyst 3560 E switch or in the Switch A stack for a Catalyst 3750 E switch Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries In the display make s...

Page 438: ...e host is not allowed on the port and the VMPS is in open mode the VMPS sends an access denied response If the VLAN is not allowed on the port and the VMPS is in secure mode the VMPS sends a port shutdown response If the port already has a VLAN assignment the VMPS provides one of these responses If the VLAN in the database matches the current VLAN on the port the VMPS sends an success response all...

Page 439: ...amic access port can belong to only one VLAN at a time but the VLAN can change over time depending on the MAC addresses seen Default VMPS Client Configuration Table 13 7 shows the default VMPS and dynamic access port configuration on client switches VMPS Configuration Guidelines These guidelines and restrictions apply to dynamic access port VLAN membership You should configure the VMPS before you ...

Page 440: ... a cluster of switches enter the address on the command switch Beginning in privileged EXEC mode follow these steps to enter the IP address of the VMPS Note You must have IP connectivity to the VMPS for dynamic access ports to work You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response Configuring Dynamic Access Ports on VMPS Clients If you are...

Page 441: ...val VMPS clients periodically reconfirm the VLAN membership information received from the VMPS You can set the number of minutes after which reconfirmation occurs If you are configuring a member switch in a cluster this parameter must be equal to or greater than the reconfirmation setting on the command switch You must also first use the rcommand privileged EXEC command to log in to the member swi...

Page 442: ...uery the secondary VMPS VMPS domain server the IP address of the configured VLAN membership policy servers The switch sends queries to the one marked current The one marked primary is the primary server VMPS Action the result of the most recent reconfirmation attempt A reconfirmation attempt can occur automatically when the reconfirmation interval expires or you can force it by entering the vmps r...

Page 443: ...S shuts down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic access port To re enable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command VMPS Configuration Example Figure 13 5 shows a network with a VMPS server switch and VMPS client switches with dyn...

Page 444: ... 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Switch G...

Page 445: ...es incorrect VLAN type specifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work...

Page 446: ...t the switch is in the VTP no management domain state until it receives an advertisement for a domain over a trunk link a link that carries the traffic of multiple VLANs or until you configure a domain name Until the management domain name is specified or learned you cannot create or modify VLANs on a VTP server and VLAN information is not propagated over the network If the switch receives a VTP a...

Page 447: ...in VTP client mode VLAN configurations are not saved in NVRAM In VTP version 3 VLAN configurations are saved in NVRAM in client mode VTP transparent VTP transparent switches do not participate in VTP A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements However in VTP version 2 or version 3 transparent sw...

Page 448: ...h configured VLAN VLAN IDs ISL and IEEE 802 1Q VLAN name VLAN type VLAN state Additional VLAN configuration information specific to the VLAN type In VTP version 3 VTP advertisements also include the primary server ID an instance number and a start index VTP Version 2 If you use VTP in your network you must decide which version of VTP to use By default VTP operates in version 1 VTP version 2 suppor...

Page 449: ...cannot be modified Private VLAN support Support for any database in a domain In addition to propagating VTP information version 3 can propagate Multiple Spanning Tree MST protocol database information A separate instance of the VTP protocol runs for each application that uses VTP VTP primary server and VTP secondary servers A VTP primary server updates the database information and sends updates th...

Page 450: ...nk ports that are included in the pruning eligible list Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible switch trunk ports If the VLANs are configured as pruning ineligible the flooding continues VTP pruning is supported in all VTP versions Figure 14 1 shows a switched network without VTP pruning enabled Port 1 on Switch A and Por...

Page 451: ...to function in VTP transparent mode If one or more switches in the network are in VTP transparent mode you should do one of these Turn off VTP pruning in the entire network Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible To configure VTP pruning on an interface use the switchport trunk pruning vlan interface configuratio...

Page 452: ...new master waits for the configured stack mac persistent timer value If the previous master switch does not rejoin the stack during this time then the new master issues the takeover message For more information about the switch stack see Chapter 5 Managing Switch Stacks Configuring VTP These sections contain this configuration information Default VTP Configuration page 14 8 VTP Configuration Guide...

Page 453: ...ion do not match the VLAN database the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information Domain Names When configuring VTP for the first time you must always assign a domain name You must configure all switches in the VTP domain with the same domain name Switches in VTP transparent mode do not exchange VTP messages with other switches and you do ...

Page 454: ...sion 1 only switch it does not exchange VTP information with switches that have version 2 enabled Cisco recommends placing VTP version 1 and 2 switches at the edge of the network because they do not forward VTP version 3 advertisements If there are TrBRF and TrCRF Token Ring networks in your environment you must enable VTP version 2 or version 3 for Token Ring VLAN switching to function properly T...

Page 455: ...VTP client mode you cannot change its VLAN configuration The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly When you configure the switch for VTP transparent mode VTP is disabled on the switch The switch does not send VTP updates and does not act on VTP updates received from other switches However a VTP transparent switch runn...

Page 456: ...ed with the same domain name This command is optional for modes other than server mode VTP server mode requires a domain name If the switch has a trunk connection to a VTP domain the switch learns the domain name from the VTP server in the domain You should configure the VTP domain before configuring other VTP parameters Step 3 vtp mode client server transparent off vlan mst unknown Configure the ...

Page 457: ...enter the no vtp password global configuration command This example shows how to configure a hidden password and how it appears Switch config vtp password mypassword hidden Generating the secret associated to the password Switch config end Switch show vtp password VTP password 89914640C8D90868B6A0D8103847A733 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vtp pass...

Page 458: ...rent mode If a switch is running VTP version 3 you can change to version 2 when the switch is in client mode if no extended VLANs exist no private VLANs exist and no hidden password was configured Caution VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain Do not enable VTP version 2 unless every switch in the VTP domain supports version 2 In TrCRF and TrBRF To...

Page 459: ...rver it is enabled for the entire VTP domain In VTP version 3 you must manually enable pruning on each switch in the domain Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible on trunk ports Reserved VLANs and extended range VLANs cannot be pruned To change the pruning eligible VLANs see the Changing the Pruning Eligible List section ...

Page 460: ...ormation from the VTP server and VTP domain With VTP version 3 the VLAN information is not erased Beginning in privileged EXEC mode follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Identify an interface and enter interface ...

Page 461: ...ain domain name Enter the original domain name on the switch Step 8 end The VLAN information on the switch is updated and you return to privileged EXEC mode Step 9 show vtp status Optional Verify that the domain name is the same as in Step 1 and that the configuration revision number is 0 Command Purpose Table 14 3 VTP Monitoring Commands Command Purpose show vtp counters Display counters about VT...

Page 462: ...14 18 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 14 Configuring VTP Monitoring VTP ...

Page 463: ...is connected to a Cisco 7960 IP Phone the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the...

Page 464: ...ed no Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 15 1 You can c...

Page 465: ...ANs The configuration of voice VLANs is not required on trunk ports The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Chapter 13 Configuring VLANs for information on how to create the voice VLAN Do not config...

Page 466: ...t See the Configuring 802 1x Readiness Check section on page 10 38 for more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 26 6 for more information A source or destination por...

Page 467: ...uring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice detect cisco phone full duplex vlan vlan id dot1p none untagged Configure how the Cisco IP Phone carries voice traffic detect Configure the interface to detect and recognize a Cisco IP phone cisco phone When you initially implement the switchport voice detect comm...

Page 468: ... Cisco IP Phone Switch config if switchport voice detect cisco phone full duplex full duplex full duplex keyword Switch config if end This example shows how to disable switchport voice detect on a Cisco IP Phone Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 0 1 Switch config if no switchport voice detect cisco phone Sw...

Page 469: ...g Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Step 3 switchport priority extend cos value trust Set the priority of data traffic received from the Cisco IP Phone access port cos value Configure the phone to override the priority received from the PC or the attached device with the specified CoS value The va...

Page 470: ...15 8 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 15 Configuring Voice VLAN Displaying Voice VLAN ...

Page 471: ...vate VLANs The private VLAN feature addresses two problems that service providers face when using VLANs Scalability The switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet address space or a block of addresses which can result in wasting ...

Page 472: ...ed with the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Community A...

Page 473: ...tside the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected end station...

Page 474: ...s in the network the Layer 2 databases in these switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Management SDM template to balance system resources between unicast routes and Layer 2 entries If another SDM template is configured use the sdm prefer defau...

Page 475: ...terface SVI represents the Layer 3 interface of a VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN interfaces SVIs only for primary VLANs You cannot configure Layer 3 VLAN interfaces for secondary VLANs SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN If you try to configu...

Page 476: ... 13 Tasks for Configuring Private VLANs To configure a private VLAN perform these steps Step 1 Set VTP mode to transparent Step 2 Create the primary and secondary VLANs and associate them See the Configuring and Associating VLANs in a Private VLAN section on page 16 9 Note If the VLAN is not created already the private VLAN configuration process creates it Step 3 Configure interfaces to be isolate...

Page 477: ...ports unless the devices are running VTP version 3 You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs Extended VLANs VLAN IDs 1006 to 4094 can belong to private VLANs A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it An isolated or community VLAN can have only one primary VLAN associated with it Although a private VLAN contains m...

Page 478: ... Layer 2 hosts can communicate with each other at Layer 3 Private VLANs support these Switched Port Analyzer SPAN features You can configure a private VLAN port as a SPAN source port You can use VLAN based SPAN VSPAN on primary isolated and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic Private VLAN Port Configuration Follow these guidelines when confi...

Page 479: ... do not configure 802 1x with port security voice VLAN or per user ACL on private VLAN ports A private VLAN host or promiscuous port cannot be a SPAN destination port If you configure a SPAN destination port as a private VLAN port the port becomes inactive If you configure a static MAC address on a promiscuous port in the primary VLAN you must add the same static address to all associated secondar...

Page 480: ...Designate the VLAN as the primary VLAN Step 5 exit Return to global configuration mode Step 6 vlan vlan id Optional Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN The VLAN ID range is 2 to 1001 and 1006 to 4094 Step 7 private vlan isolated Designate the VLAN as an isolated VLAN Step 8 exit Return to global configuration mode Step 9 vlan vlan id Optional ...

Page 481: ... vlan private vlan Primary Secondary Type Ports 20 501 isolated 20 502 community 20 503 community 20 504 non operational Configuring a Layer 2 Interface as a Private VLAN Host Port Beginning in privileged EXEC mode follow these steps to configure a Layer 2 interface as a private VLAN host port and to associate it with primary and secondary VLANs Note Isolated and community VLANs are both secondary...

Page 482: ...ministrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private vlan trunk normal VLANs none Administrative private vlan trunk private VLANs none Operational private vlan 20 501 output truncated Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port Beginning in privileged EXEC mode follow these steps to configure...

Page 483: ...vlan mapping 20 add 501 503 Switch config if end Use the show vlan private vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private VLAN ports on the switch Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface If the private VLAN will be used for inter VLAN routing you configure an SVI for the primary VLAN and map secondary VLANs to t...

Page 484: ... routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface vlan 10 Switch config if private vlan mapping 501 502 Switch config if end Switch show interfaces private vlan mapping Interface Secondary VLAN Type vlan10 501 isolated vlan10 502 community Monitoring Private VLANs Table 16 1 shows the privileged EXEC commands for monitoring p...

Page 485: ...er 2 Protocol Tunneling page 17 8 Configuring Layer 2 Protocol Tunneling page 17 10 Monitoring and Maintaining Tunneling Status page 17 18 Understanding IEEE 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap ...

Page 486: ...ider network they are encapsulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the service provider network are double tagged with the outer metro tag containing the customer s access VLAN ID and the inner VLAN ID being ...

Page 487: ...ed by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in this release If traffic coming from a customer network is not tagged native VLAN frames these packets are bridge...

Page 488: ...units MTUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in these core...

Page 489: ... The default system MTU for traffic on the switch is 1500 bytes You can configure Fast Ethernet ports on the Catalyst 3750 members in the mixed hardware switch stack to support frames larger than 1500 bytes by using the system mtu global configuration command You can configure 10 Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global config...

Page 490: ...his access is not needed you should not configure SVIs on VLANs that include tunnel ports Fallback bridging is not supported on tunnel ports Because all IEEE 802 1Q tagged packets received from a tunnel port are treated as non IP packets if fallback bridging is enabled on VLANs that have tunnel ports configured IP packets would be improperly bridged across VLANs Therefore you must not enable fallb...

Page 491: ...ative dot1q native vlan tagging is enabled Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode for the interface to be configured as a tunnel port This should be the edge port in the service provider network that connects to the customer switch Valid interfaces include physical interfaces and port channel logica...

Page 492: ...throughout the customer network propagating to all switches through the service provider Note To provide interoperability with third party vendors you can use the Layer 2 protocol tunnel bypass feature Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling You implement bypass mode by enabling Layer 2 protocol tunneling on the ...

Page 493: ...therChannels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk ports VL...

Page 494: ...rt mode dynamic desirable The switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols The switch does not support Layer 2 protocol tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunneled pac...

Page 495: ...col tunneling configuration is distributed among all stack members Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port On a single switch ingress Layer 2 protocol tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled In a stack packets ...

Page 496: ...access ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsulated PDU w...

Page 497: ...The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured ...

Page 498: ...tion Drop Threshold Threshold Counter Counter Counter Gi1 0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2 point to point tunneling to facilitate the automatic creation of EtherChannels you need to configure both the SP edge switch and the customer switch Configuring the ...

Page 499: ... Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface the drop thres...

Page 500: ...d Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Command Purpose Step 1 configure terminal Enter global co...

Page 501: ... trunk encapsulation isl Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Fast Ethernet interfaces 1 2 3 and 4 are set for IEEE 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configuration Switch config interface gigabitethernet1 0 1 Switch config...

Page 502: ...ar l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display IEEE 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery timer from a Layer 2 p...

Page 503: ...ltiple VLANs to the same spanning tree instance see Chapter 19 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 20 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of thes...

Page 504: ...spanning tree topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated r...

Page 505: ...tached LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that port In this way inferior information is di...

Page 506: ...anning Tree Port States in a Switch Stack All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning tree blocking mode Bridge ID Switch Priority and Extended System ID The IEEE 802 1D standard requires that each switch has an unique bridge identifier bridge ID which controls the selection of the root switch Because each VLAN is consider...

Page 507: ...page 18 16 the Configuring a Secondary Root Switch section on page 18 18 and the Configuring the Switch Priority of a VLAN section on page 18 21 Spanning Tree Interface States Propagation delays can occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface transitions ...

Page 508: ... resets the forward delay timer 3 In the learning state the interface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does ...

Page 509: ...rning state from the listening state An interface in the learning state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface in the for...

Page 510: ...s in a switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be more efficie...

Page 511: ...tch or each switch in the stack forwards those packets as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable for 5 mi...

Page 512: ...uration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP This span...

Page 513: ...ee instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PVST is enabled the switch uses it instead of PVST The switch combines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 80...

Page 514: ...occurs within the stack and possibly outside the stack The remaining stack member with the lowest stack port ID becomes the stack root If the stack master fails or leaves the stack the stack members elect a new stack master and all stack members change their bridge IDs of the spanning trees to the new master bridge ID If the switch stack is the spanning tree root and the stack master fails or leav...

Page 515: ...nning tree are already in use you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run Use the no spanning tree vlan vlan id global configuration command to disable spanning tree on a specific VLAN and use the spanning tree vlan vlan id global configuration command to enable spanning tree on the desired VLAN Table 18 3 Default Spanning Tree Configur...

Page 516: ...ut of spanning tree instances You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances Setting up allowed lists is not necessary in many cases and can make it more labor intensive to add another VLAN to the network Spanning tree commands control the configuration of VLAN spanning tree instances You cre...

Page 517: ...t rapid pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 48 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Specify that t...

Page 518: ... priority from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN...

Page 519: ...ime and the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode ...

Page 520: ...arding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure ter...

Page 521: ...n mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0...

Page 522: ...ion mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forwarding state...

Page 523: ... and the spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global co...

Page 524: ...rs Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDUs that ca...

Page 525: ...ening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config startup c...

Page 526: ...sing the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing for 1 seco...

Page 527: ...rovides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802 1D spanning tree with existing Cisco proprietary M...

Page 528: ...ols to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map You configure the switch for a region by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance...

Page 529: ...ithin an MST Region The IST connects all the MSTP switches in a region When the IST converges the root of the IST becomes the CIST regional root called the IST master before the implementation of the IEEE 802 1s standard as shown in Figure 19 1 on page 19 4 It is the switch within the region with the lowest switch ID and path cost to the CIST root The CIST regional root is also the CIST root if th...

Page 530: ...e 19 1 MST Regions CIST Masters and CST Root Only the CST instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured only on th...

Page 531: ... the IST instance 0 Table 19 1 on page 19 5 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning ...

Page 532: ...egion to share a segment with a port belonging to a different region creating the possibility of receiving both internal and external messages on a port The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP compatible mode Note If there is a legacy STP switch on the segment messages are always considered ext...

Page 533: ...gured for prestandard BPDU transmission Figure 19 2 illustrates this scenario Assume that A is a standard switch and B a prestandard switch both configured to be in the same region A is the root switch for the CIST and thus B has a root port BX on segment X and an alternate port BY on segment Y If segment Y flaps and the port on BY becomes the alternate before sending out a single prestandard BPDU...

Page 534: ...if the newly added switch contains a better root port for the switch stack or a better designated port for the LAN connected to the stack The newly added switch causes a topology change in the network if another switch connected to the newly added switch changes its root port or designated ports When a stack member leaves the stack spanning tree reconvergence occurs within the stack and possibly o...

Page 535: ...ion information see the Configuring MSTP Features section on page 19 14 Port Roles and the Active Topology The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology The RSTP builds upon the IEEE 802 1D STP to select the switch with the highest switch priority lowest numerical priority value as the root switch as described in the Spanning T...

Page 536: ... the old root port and immediately transitions the new root port to the forwarding state Point to point links If you connect a port to another port through a point to point link and the local port becomes a designated port it negotiates a rapid transition with the other port by using the proposal agreement handshake to ensure a loop free topology As shown in Figure 19 4 Switch A is connected to Sw...

Page 537: ...lt setting that is controlled by the duplex setting by using the spanning tree link type interface configuration command Figure 19 4 Proposal and Agreement Handshaking for Rapid Convergence Synchronization of Port Roles When the switch receives a proposal message on one of its ports and that port is selected as the new root port the RSTP forces all other ports to synchronize with the new root info...

Page 538: ...uring Rapid Convergence Bridge Protocol Data Unit Format and Processing The RSTP BPDU format is the same as the IEEE 802 1D BPDU format except that the protocol version is set to 2 A new 1 byte Version 1 Length field is set to zero which means that no version 1 protocol information is present Table 19 3 shows the RSTP flag fields 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Design...

Page 539: ...to the blocking state but does not send the agreement message The designated port continues sending BPDUs with the proposal flag set until the forward delay timer expires at which time the port transitions to the forwarding state Processing Inferior BPDU Information If a designated port receives an inferior BPDU higher switch ID higher path cost and so forth than currently stored for the port with...

Page 540: ...P switch is using IEEE 802 1D BPDUs on a port and receives an RSTP BPDU after the timer has expired it restarts the timer and starts using RSTP BPDUs on that port Configuring MSTP Features These sections contain this configuration information Default MSTP Configuration page 19 14 MSTP Configuration Guidelines page 19 15 Specifying the MST Region Configuration and Enabling MSTP page 19 16 required ...

Page 541: ...ime For example all VLANs run PVST all VLANs run rapid PVST or all VLANs run MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 18 11 For information on the recommended trunk port configuration see the Interaction with Other Features section on page 13 18 All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For...

Page 542: ...he Optional Spanning Tree Configuration Guidelines section on page 20 12 When the switch is in MST mode it uses the long path cost calculation method 32 bits to compute the path cost values With the long path cost calculation method these path cost values are supported Specifying the MST Region Configuration and Enabling MSTP For two or more switches to be in the same MST region they must have the...

Page 543: ...to an MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLA...

Page 544: ...lowest switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 18 1 on page 18 5 If your network consists of switches that both do and do not support the extended system ID it is unlikely that the switch with the extended system ID support will become the root switch The extended system ID increases the switch priority value every time the ...

Page 545: ...es Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance id root primary global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root primary diameter net diameter hello time seconds Configure a switch as the root switch For...

Page 546: ...a port to put in the forwarding state Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last For more information see the Configuring Path Cost section on page 19 21 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds...

Page 547: ...ast If all interfaces have the same cost value the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel lo...

Page 548: ...ary and the spanning tree mst instance id root secondary global configuration commands to modify the switch priority Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port channel range is 1 to...

Page 549: ...stance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 For priority the range is 0 to 61440 in increments of 4096 the default is 32768 The lower the number the more likely the switch will be chosen as the root switch Priority values are 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 and 61440 All o...

Page 550: ...ward time seconds Configure the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config...

Page 551: ...ransitions to the forwarding state Beginning in privileged EXEC mode follow these steps to override the default link type setting This procedure is optional To return the port to its default setting use the no spanning tree link type interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max hops hop count Specify the numb...

Page 552: ... switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MST BPDU Version 3 associated with a different region or an RST BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is t...

Page 553: ...keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 19 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information fo...

Page 554: ...19 28 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 19 Configuring MSTP Displaying the MST Configuration and Status ...

Page 555: ... 18 Configuring STP For information about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 19 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 2...

Page 556: ...creating a spanning tree loop You can enable this feature by using the spanning tree portfast interface configuration or the spanning tree portfast default global configuration command Figure 20 1 Port Fast Enabled Interfaces Understanding BPDU Guard The BPDU guard feature can be globally enabled on the switch or can be enabled per port but the feature operates with some differences At the global ...

Page 557: ...mand prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins to filter outbound BPDUs You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs If a BPDU is received on a Port Fast enabled interface the interface loses its Port...

Page 558: ...meter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provid...

Page 559: ...nkFast CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and resilient ne...

Page 560: ...ate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 20 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in Events that Cause Fast Convergence section on page 20 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch sending th...

Page 561: ...s under these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stack root sw...

Page 562: ...paths to send a root link query RLQ request The Catalyst 3750 E switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack The Catalyst 3560 E switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network W...

Page 563: ...ding state providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 20 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 20 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared me...

Page 564: ... shown in Figure 20 9 You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or bei...

Page 565: ... designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration informatio...

Page 566: ... the feature remains disabled inactive until you change the spanning tree mode to PVST Enabling Port Fast An interface with the Port Fast feature enabled is moved directly to the spanning tree forwarding state without waiting for the standard forward time delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on an interface connected...

Page 567: ...r disabled state When this happens the switch shuts down the entire port on which the violation occurred To prevent the port from shutting down you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 inte...

Page 568: ... portfast bpduguard default global configuration command by using the spanning tree bpduguard enable interface configuration command Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled interfaces it prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switch begins ...

Page 569: ...ace configuration command Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured with a switch priority To enable UplinkFast on a VLAN with switch priority configured first restore the switch priority on the VLAN to the default value by using the no spanning tree vlan vlan id priority global configuration command Note When you enable Uplink...

Page 570: ...ing tree uplinkfast command Enabling Cross Stack UplinkFast When you enable or disable the UplinkFast feature by using the spanning tree uplinkfast global configuration command CSUF is automatically globally enabled or disabled on nonstack port interfaces For more information see the Enabling UplinkFast for Use with Redundant Links section on page 20 15 To disable UplinkFast on the switch and all ...

Page 571: ...EtherChannel guard feature use the no spanning tree etherchannel guard misconfig global configuration command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration ...

Page 572: ...ard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the same time ...

Page 573: ...nning tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 20 2 Commands for Display...

Page 574: ...20 20 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 20 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 575: ...hapter see the command reference for this release The chapter consists of these sections Understanding Flex Links and the MAC Address Table Move Update page 21 1 Configuring Flex Links and MAC Address Table Move Update page 21 7 Monitoring Flex Links and the MAC Address Table Move Update page 21 14 Understanding Flex Links and the MAC Address Table Move Update This section contains this informatio...

Page 576: ...d starts forwarding traffic to switch C When port 1 comes back up it goes into standby mode and does not forward traffic port 2 continues forwarding traffic You can also choose to configure a preemption mechanism specifying the preferred port for forwarding traffic For example in the example in Figure 21 1 you can configure the Flex Links pair with preemption mode In the scenario shown when port 1...

Page 577: ...orts are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port Both Flex Link ports are always part of multicast groups Though both Flex Link ports are part of the groups in normal operation mode all traffic on the backup port is blocked So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port When the changeover happe...

Page 578: ...up port which became the forwarding port Configuration Examples These are configuration examples for learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet1 0 11 and GigabitEthernet1 0 12 and output for the show interfaces switchport backup command Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interf...

Page 579: ...ackup interface gigabitEthernet 1 0 12 multicast fast convergence command This example shows turning on this feature Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitEthernet 1 0 11 Switch config if switchport backup interface gigabitEthernet 1 0 12 multicast fast convergence Switch config if exit Switch show interfaces switchport b...

Page 580: ... address of the PC has been learned on port 3 of switch C Traffic from the server to the PC is forwarded from port 3 to port 1 If the MAC address table move update feature is not configured and port 1 goes down port 2 starts forwarding traffic However for a short time switch C keeps forwarding traffic from the server to the PC through port 3 and the PC does not get the traffic because port 1 is do...

Page 581: ...ections contain this information Configuration Guidelines page 21 7 Default Configuration page 21 8 Configuring Flex Links page 21 8 Configuring VLAN Load Balancing on Flex Links page 21 10 Configuring the MAC Address Table Move Update Feature page 21 12 Configuration Guidelines You can configure up to 16 backup links You can configure only one Flex Link backup link for any active link and it must...

Page 582: ...deline to configure VLAN load balancing on the Flex Links feature For Flex Link VLAN load balancing you must choose the preferred VLANs on the backup interface You cannot configure a preemption mechanism and VLAN load balancing for the same Flex Links pair Follow these guidelines to configure MAC address table move update feature You can enable and configure this feature on the access switch to se...

Page 583: ...rtup config Optional Save your entries in the switch startup configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport b...

Page 584: ...t Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Configuring VLAN Load Balancing on Flex Links Beginning in privileged EXEC mode follow these steps to configure VLAN load balancing on Flex Links To disable the VLAN load balancing feature use the no switchport backup interface interface id prefer vlan vlan range interface configuration command Step 7 show interface interface id switc...

Page 585: ... of the Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet2 0 6 GigabitEthernet2 0 8 Active Down Backup Up Vlans Preferred on Active Interface 1 50 Vlans Preferred on Backup Interface 60 100 120 When a Flex Link interface comes up VLANs preferred on this interface are blocked on the peer interface and moved ...

Page 586: ...Switch conf end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 switchport backup interface interface id or switchport backup interface interface id mmu pri...

Page 587: ...f unavail cnt 0 Xmt last interface None Beginning in privileged EXEC mode follow these steps to configure a switch to get and process MAC address table move update messages To disable the MAC address table move update feature use the no mac address table move update receive configuration command To display the MAC address table move update information use the show mac address table move update pri...

Page 588: ...C commands for monitoring the Flex Links configuration and the MAC address table move update information Table 21 1 Flex Links and MAC Address Table Move Update Monitoring Commands Command Purpose show interface interface id switchport backup Displays the Flex Link backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface up or ...

Page 589: ...1 Configuring DHCP Features page 22 8 Displaying DHCP Snooping Information page 22 15 Understanding IP Source Guard page 22 16 Configuring IP Source Guard page 22 18 Displaying IP Source Guard Information page 22 25 Understanding DHCP Server Port Based Address Allocation page 22 25 Configuring DHCP Server Port Based Address Allocation page 22 26 Displaying DHCP Server Port Based Address Allocation...

Page 590: ...ng untrusted DHCP messages and by building and maintaining a DHCP snooping binding database also referred to as a DHCP snooping binding table For more information about this database see the Displaying DHCP Snooping Information section on page 22 15 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate between untrusted interfaces connec...

Page 591: ...cannot build a complete DHCP snooping binding database When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow untrusted global configuration command the aggregation switch accepts packets with option 82 information from the edge switch The aggregation switch learns the bindings for hosts connected thr...

Page 592: ...rver The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the requ...

Page 593: ... 2 Suboption Packet Formats Figure 22 3 shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote id global configuration command and the ip dhcp snooping vlan information option format type circuit id string interface configuration comma...

Page 594: ...ing has an IP address an associated MAC address the lease time in hexadecimal format the interface to which the binding applies and the VLAN to which the interface belongs The database agent stores the bindings in a file at a configured location At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry Each ent...

Page 595: ... previous file update This is an example of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 0003 47d8 c91f 2BB6488E Gi1 0 4 21ae5fbb 192 1 168 3 3 0003 44d6 c52f 2BB648EB Gi1 0 4 1bdb223f 192 1 168 2 3 0003 47d9 c8f1 2BB648AB Gi1 0 4 584a38f0 END When the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries from the bind...

Page 596: ...CP Relay Agent page 22 10 Specifying the Packet Forwarding Address page 22 11 Enabling DHCP Snooping and Option 82 page 22 12 Enabling DHCP Snooping on Private VLANs page 22 14 Enabling the Cisco IOS DHCP Server Database page 22 14 Enabling the DHCP Snooping Binding Database Agent page 22 14 Default DHCP Configuration Table 22 1 Default DHCP Configuration Feature Default Setting DHCP server Enable...

Page 597: ...eature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Follow these guidelines when configuring the DHCP snooping binding database Bec...

Page 598: ... IOS DHCP server and relay agent features are enabled on your switch but are not configured These features are not operational For procedures to configure the switch as a DHCP server see the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 DHCP Server and Switch Stacks The DHCP binding database is managed on the stack master Wh...

Page 599: ... these steps to specify the packet forwarding address Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Create a switch virtual interface by entering a VLAN ID and enter interface configur...

Page 600: ...by commas a range of VLAN IDs separated by hyphens or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space Step 4 ip dhcp snooping information option Enable the switch to insert and remove DHCP relay information option 82 field in forwarded DHCP request messages to the DHCP server This is the default setting Step 5 ip dhcp snooping information option form...

Page 601: ...to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Optional Use the override keyword when you do not want the circuit ID suboption inserted in TLV format to define subscriber information Step 9 ip dhcp snooping trust Optional Configure the interface as trusted or untrusted Use the n...

Page 602: ...HCP snooping is enabled Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database see the DHCP Configuration Task List section in the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 2 Enabling the DHCP Snooping Binding Database Agent Beginning in privileged EXEC mode follow these steps to enable and configure t...

Page 603: ...duration for which the transfer should be delayed after the binding database changes The range is from 15 to 86400 seconds The default is 300 seconds 5 minutes Step 5 end Return to privileged EXEC mode Step 6 ip dhcp snooping binding mac address vlan vlan id ip address interface interface id expiry seconds Optional Add binding entries to the DHCP snooping binding database The vlan id range is from...

Page 604: ...bindings An entry in this table has an IP address its associated MAC address and its associated VLAN number The switch uses the IP source binding table only when IP source guard is enabled IPSG is supported only on Layer 2 ports including access and trunk ports You can configure IPSG with source IP address filtering or with source IP and MAC address filtering These sections contain this informatio...

Page 605: ...umber of hosts allowed to send traffic to a given port This is equivalent to port security at Layer 3 IPSG for static hosts also supports dynamic hosts If a dynamic host receives a DHCP assigned IP address that is available in the IP DHCP snooping table the same entry is learned by the IP device tracking table In a stacked environment when the master failover occurs the IP source guard entries for...

Page 606: ...VLAN on the trunk interface the switch might not properly filter traffic If you enable IP source guard with source IP and MAC address filtering DHCP snooping and port security must be enabled on the interface You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82 When IP source guard is enabled with MAC address fi...

Page 607: ...rity Enable IP source guard with source IP address filtering Enable IP source guard with source IP and MAC address filtering Note When you enable both IP source guard and port security by using the ip verify source port security interface configuration command there are two caveats The DHCP server must support option 82 or the client is not assigned an IP address The MAC address in the DHCP packet...

Page 608: ... Static Hosts on a Layer 2 Access Port page 22 20 Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port page 22 23 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port Note You must configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static hosts to work If you only configure this command on a port without ...

Page 609: ...ort option 82 or the client is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address The MAC address of the DHCP client is learned as a secure address only when the switch receives non DHCP data traffic Step 7 ip device tracking maximum number Establish a maximum limit for the number of static IPs that the IP device tracking table allows on the port The r...

Page 610: ...ter mode IP address Mac address Vlan Gi1 0 3 ip mac trk active 40 1 1 24 00 00 00 00 03 04 1 Gi1 0 3 ip mac trk active 40 1 1 20 00 00 00 00 03 05 1 Gi1 0 3 ip mac trk active 40 1 1 21 00 00 00 00 03 06 1 Gi1 0 3 ip mac trk active 40 1 1 22 00 00 00 00 03 07 1 Gi1 0 3 ip mac trk active 40 1 1 23 00 00 00 00 03 08 1 This example displays all IP or MAC binding entries for all interfaces The CLI disp...

Page 611: ... Enabled IP Device Tracking Probe Count 3 IP Device Tracking Probe Interval 30 IP Address MAC Address Vlan Interface STATE 200 1 1 8 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 9 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 10 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 1 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 2 0001 0600 0000 8 GigabitEthernet1 0 1 ...

Page 612: ...er configuration VLAN mode for another VLAN Step 6 private vlan isolated Establish an isolated VLAN on a private VLAN port Step 7 exit Exit VLAN configuration mode Step 8 vlan vlan id1 Enter configuration VLAN mode Step 9 private vlan association 201 Associate the VLAN on an isolated private VLAN port Step 10 exit Exit VLAN configuration mode Step 11 interface fastEthernet interface id Enter inter...

Page 613: ...active 40 1 1 23 200 Gi1 0 3 ip trk active 40 1 1 24 200 Gi1 0 3 ip trk active 40 1 1 20 200 Gi1 0 3 ip trk active 40 1 1 21 200 Gi1 0 3 ip trk active 40 1 1 22 200 Gi1 0 3 ip trk active 40 1 1 23 201 Gi1 0 3 ip trk active 40 1 1 24 201 Gi1 0 3 ip trk active 40 1 1 20 201 Gi1 0 3 ip trk active 40 1 1 21 201 Gi1 0 3 ip trk active 40 1 1 22 201 The output shows that the five valid IP MAC bindings ar...

Page 614: ...e client identifier In all cases by connecting the Ethernet cable to the same port the same IP address is allocated through DHCP to the attached device The DHCP server port based address allocation feature is only supported on a Cisco IOS DHCP server and not a third party server Configuring DHCP Server Port Based Address Allocation Default Port Based Address Allocation Configuration page 22 26 Por...

Page 615: ... configuration mode Step 2 ip dhcp use subscriber id client id Configure the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages Step 3 ip dhcp subscriber id interface name Automatically generate a subscriber identifier based on the short name of the interface A subscriber identifier configured on a specific interface takes precedence over t...

Page 616: ...eassigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id ip dhcp subscriber id interface name ip dhcp excluded address 10 1 1 1 10 1 1 3 ip dhcp pool dh...

Page 617: ...n the Search field to access the Cisco IOS software documentation You can also access the documentation here http www cisco com en US docs ios ipaddr command reference iad_book html Displaying DHCP Server Port Based Address Allocation Table 22 4 Commands for Displaying DHCP Port Based Address Allocation Information Command Purpose show interface interface id Display the status and configuration of...

Page 618: ...22 30 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 22 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port Based Address Allocation ...

Page 619: ...Understanding Dynamic ARP Inspection ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Ho...

Page 620: ...t intercepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a val...

Page 621: ...itch bypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 23 2 assume that both Swit...

Page 622: ...ed to prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains in that s...

Page 623: ... Configuring the Log Buffer section on page 23 13 Configuring Dynamic ARP Inspection Default Dynamic ARP Inspection Configuration page 23 5 Dynamic ARP Inspection Configuration Guidelines page 23 6 Configuring Dynamic ARP Inspection in DHCP Environments page 23 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 23 9 required in non DHCP environments Limiting the Ra...

Page 624: ...able Dynamic ARP inspection on RSPAN VLANs If Dynamic ARP inspection is enabled on RSPAN VLANs Dynamic ARP inspection packets might not reach the RSPAN destination port A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match Otherwise the physical port remains suspended in the port channel A port channel inherits its trust sta...

Page 625: ...attack to other VLANs when the software places the port in the error disabled state When you enable dynamic ARP inspection on the switch policers that were configured to police ARP traffic are no longer effective The result is that all ARP traffic is sent to the CPU Configuring Dynamic ARP Inspection in DHCP Environments This procedure shows how to configure dynamic ARP inspection when two switche...

Page 626: ...other switch and enter interface configuration mode Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the trusted interface It simply forwards the packets For untrusted interfaces the switch intercepts all ARP requests and responses It verifi...

Page 627: ... 3 and use a router to route packets between them Beginning in privileged EXEC mode follow these steps to configure an ARP ACL on Switch A This procedure is required in non DHCP environments Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp access list acl name Define an ARP ACL and enter ARP access list configuration mode By default no ARP access lists are defin...

Page 628: ...gs determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL ARP packets containing only IP to MAC address bindings are compared against the ACL Packets are permitted only if the access list permits them Step 6 interface interface id Specify the Switch A interface that is connected to Switch B and enter interface configuration mode Step 7 no ip arp inspe...

Page 629: ...it to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp inspection limit interface configuration command the interface reverts to its default rate limit For configuration guidelines for rate limiting trunk ports and EtherChannel ports see the Dynamic ARP Inspection Configura...

Page 630: ... the destination MAC address the sender and target IP addresses and the source MAC address Step 5 errdisable detect cause arp inspection and errdisable recovery cause arp inspection and errdisable recovery interval interval Optional Enable error recovery from the dynamic ARP inspection error disabled state and configure the dynamic ARP inspection recover mechanism variables By default recovery is ...

Page 631: ...r global configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with differ...

Page 632: ...e Step 1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate interval is...

Page 633: ...l match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets that match DHCP bindings For dhcp bindings none do not...

Page 634: ...r this release Table 23 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation failure IP validation failure ACL permitted and denied and DHCP permitted and denied packets for the ...

Page 635: ...me function as IGMP snooping for IPv4 traffic For information about MLD snooping see Chapter 25 Configuring IPv6 MLD Snooping Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consi...

Page 636: ... it receives an IGMP join request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast groups there are n...

Page 637: ...osts It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature Joining a Multicast Group When a host connected to the sw...

Page 638: ...nformation in the IGMP report to set up a forwarding table entry as shown in Table 24 1 that includes the port numbers connected to Host 1and the router The switch hardware can distinguish IGMP information packets from other packets for the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packet...

Page 639: ...e VLAN wishes to receive multicast traffic the router continues forwarding the multicast traffic to the VLAN The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snooping When hosts want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message...

Page 640: ...red from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 24 11 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is n...

Page 641: ...erge if the stack master is removed Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on the content These sections contain this configuration information Default IGMP Snooping Configuration page 24 7 Enabling or Disabling IGMP Snooping page 24 8 Setting the Snooping Method page 24 8 Configuring a Multicast Router Port page 24 9 Con...

Page 642: ...nd for the specified VLAN number Setting the Snooping Method Multicast capable router ports are added to the forwarding table for every Layer 2 multicast entry The switch learns of such ports through one of these methods Snooping on IGMP queries Protocol Independent Multicast PIM packets and Distance Vector Multicast Routing Protocol DVMRP packets Listening to Cisco Group Management Protocol CGMP ...

Page 643: ...s to alter the method in which a VLAN interface dynamically accesses a multicast router To return to the default learning method use the no ip igmp snooping vlan vlan id mrouter learn cgmp global configuration command This example shows how to configure IGMP snooping to use CGMP packets as the learning method Switch configure terminal Switch config ip igmp snooping vlan 1 mrouter learn cgmp Switch...

Page 644: ... Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physical interface or a port channel The port channel range is 1 to 48 Step 3 end Return to privileged EXEC...

Page 645: ...mediate Leave on VLAN 130 Switch configure terminal Switch config ip igmp snooping vlan 130 immediate leave Switch config end Configuring the IGMP Leave Timer Follows these guidelines when configuring the IGMP leave timer You can configure the leave time globally or on a per VLAN basis Configuring the leave time on a VLAN overrides the global setting The default leave time is 1000 milliseconds The...

Page 646: ...g and when a port went down without sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flooding stops after receiving 1 general query If you set the count to 7 the flooding until 7 general queries are received Groups are relearned based on the general queries received during the TCN event Beginning in privileged EXEC mo...

Page 647: ...ation command Disabling Multicast Flooding During a TCN Event When the switch receives a TCN multicast traffic is flooded to all the ports until 2 general queries are received If the switch has many ports with attached hosts that are subscribed to different multicast groups this flooding might exceed the capacity of the link and cause packet loss You can use the ip igmp snooping tcn flood interfac...

Page 648: ...ooping querier supports IGMP Versions 1 and 2 When administratively enabled the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network When it is administratively enabled the IGMP snooping querier moves to the operationally disabled state under these conditions IGMP snooping is disabled in the VLAN PIM is enabled on the SVI of the corres...

Page 649: ...t supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report suppression is disabled all IGMP reports are forwarded to the multicast routers Step 4 ip igmp snooping querier query interval interval count Optional Set the interval between IGMP queriers The range is 1...

Page 650: ...playing IGMP Snooping Information Command Purpose show ip igmp snooping vlan vlan id Display the snooping configuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ip igmp snooping groups count dynamic count user count Display multicast table information for...

Page 651: ...he other feature However if IGMP snooping and MVR are both enabled MVR reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch forwarding table intercepts the IGMP messages and mod...

Page 652: ... switch stack is supported Receiver ports and source ports can be on different switches in a switch stack Multicast data sent on the multicast VLAN is forwarded to all MVR receiver ports across the stack When a new switch is added to a stack by default it has no receiver ports If a switch fails or is removed from the stack only those receiver ports belonging to that switch will not receive the mul...

Page 653: ...nfigured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave feature only on receiver ports to which a single rec...

Page 654: ...he maximum number of multicast entries MVR group addresses that can be configured on a switch that is the maximum number of television channels that can be received is 256 Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses aliased IP multicast addresses are allowed on the switch However if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL swi...

Page 655: ... a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast address would correspond to one television channel Step 4 mvr querytime value Optional Define the maximum time to wait for IGMP...

Page 656: ...ot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLA...

Page 657: ...n Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 24 6 Commands for Displaying MVR Information Command Purpose show mvr Displays MVR status and values for the switch whether MVR is enabled or disabled the multicast VLAN the maximum 256 and current 0 through 256 number of multicast groups the query response time and the MVR mode s...

Page 658: ...interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic IGMP filtering is ...

Page 659: ...nfigured When a profile is configured if neither the permit nor deny keyword is included the default is to deny access to the range of IP addresses Beginning in privileged EXEC mode follow these steps to create an IGMP profile To delete a profile use the no ip igmp profile profile number global configuration command To delete an IP multicast address or range of IP multicast addresses use the no ra...

Page 660: ...pply profiles to ports that belong to an EtherChannel port group You can apply a profile to multiple interfaces but each interface can have only one profile applied to it Beginning in privileged EXEC mode follow these steps to apply an IGMP profile to a switch port To remove a profile from an interface use the no ip igmp filter profile number interface configuration command This example shows how ...

Page 661: ...um number of IGMP groups that a Layer 2 interface can join you can configure an interface to replace the existing group with the new group for which the IGMP report was received by using the ip igmp max groups action replace interface configuration command Use the no form of this command to return to the default which is to drop the IGMP join report Follow these guidelines when configuring the IGM...

Page 662: ... can configure the IGMP throttling action before an interface adds entries to the forwarding table Beginning in privileged EXEC mode follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table To return to the default action of dropping the report use the no ip igmp max groups action interface configuration command Command Purpose Step 1 conf...

Page 663: ...u can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface Table 24 8 Commands for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running config interface interface id Displays the configuration o...

Page 664: ...24 30 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 665: ...ut IPv6 on the switch seeChapter 41 Configuring IPv6 Unicast Routing Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 25 1 Configuring IPv6 MLD Snooping section on page 25 5 Display...

Page 666: ...nced snooping MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then performs IPv6 multicast address based bridg...

Page 667: ...sing From the received query MLD snooping builds the IPv6 multicast address database It detects multicast router ports maintains timers sets report response time learns the querier IP source address for the VLAN learns the querier port in the VLAN and maintains multicast address aging Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 t...

Page 668: ...oup within the VLAN is forwarded using this address When MLD snooping is disabled reports are flooded in the ingress VLAN When MLD snooping is enabled MLD report suppression called listener message suppression is automatically enabled With report suppression the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers subsequent reports for the group are not sent to the...

Page 669: ...ping tcn flood query count global configuration command The default is to send two queries The switch also generates MLDv1 global Done messages with valid link local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user This is same as done in IGMP snooping MLD Snooping in Switch Stacks The MLD IPv6 group and MAC address databases are maintaine...

Page 670: ...er You can enable both features at the same time on the switch The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template The maximum number of address entries allowed for the switch or switch stack is 1000 Table 25 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled ...

Page 671: ...outer is a Catalyst 6500 switch and you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750 E or 3560 E switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping ...

Page 672: ... PIMv6 queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports Command Purpose Step 1 configure terminal Enter global co...

Page 673: ...ave on a VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping vlan vlan id mrouter interface in...

Page 674: ...to 7 the default is 2 The queries are sent 1 second apart Step 5 ipv6 mld snooping vlan vlan id last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 ipv6 mld snooping last listener query int...

Page 675: ...nal Switch config ipv6 mld snooping last listener query interval 2000 Switch config exit Disabling MLD Listener Message Suppression MLD snooping listener message suppression is enabled by default When it is enabled the switch forwards only one MLD report per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers Beginning in pri...

Page 676: ...ticast router interfaces When you enable MLD snooping the switch automatically learns the interface to which a multicast router is connected These are dynamically learned interfaces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming p...

Page 677: ...ol Understanding Storm Control page 26 1 Default Storm Control Configuration page 26 3 Configuring Storm Control and Threshold Levels page 26 3 Default Protected Port Configuration page 26 6 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LA...

Page 678: ...ic is reached all multicast traffic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both types of traffic are blocked The graph in Figure 26 1 shows broadcast traffic patterns on an interface over a given period of ti...

Page 679: ...r the threshold level that you want to be used for a particular type of traffic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm c...

Page 680: ...ising threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic...

Page 681: ...r disabled if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration...

Page 682: ...nnot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual Because a switch stack represents a singl...

Page 683: ... interface gigabitethernet1 0 1 Switch config if switchport protected Switch config if end Configuring Port Blocking By default the switch floods packets with unknown destination MAC addresses out of all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to...

Page 684: ...ck multicast Switch config if switchport block unicast Switch config if end Configuring Port Security You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port When you assign secure MAC addresses to a secure port the port does not forward packets with source addresses outside the group of defined ad...

Page 685: ...cure MAC addresses These are manually configured by using the switchport port security mac address mac address interface configuration command stored in the address table and added to the switch running configuration Dynamic secure MAC addresses These are dynamically configured stored only in the address table and removed when the switch restarts Sticky secure MAC addresses These can be dynamicall...

Page 686: ...s are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses You are not notified that a security violation has occurred Note We do not recommend configuring the protect violation mode on a trunk port The protect mode disables learning when any VLAN reaches its maximum limit even if the port has not...

Page 687: ...P phone requires one MAC address The Cisco IP phone address is learned on the voice Table 26 1 Security Violation Mode Actions Violation Mode Traffic is forwarded1 1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses Sends SNMP trap Sends syslog message Displays error message2 2 The switch returns an error message if you manually configur...

Page 688: ...ue overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not support port security aging of sticky secure MAC addresses Table 26 3 summarizes port security compatibility with other port based features Table 26 3 Port Security Compatibili...

Page 689: ...ess voice Optional Set the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system This number is set by the active Switch Database Management SDM template See Chapter 8 Configuring the Switch SDM Template This number is the to...

Page 690: ...s not reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error...

Page 691: ...configured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses ...

Page 692: ...and followed by the switchport port security command to re enable port security on the interface If you use the no switchport port security mac address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port security command all secure addresses on the interface except those that were manually configured a...

Page 693: ...ddresses on a per port basis Beginning in privileged EXEC mode follow these steps to configure port security aging Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 switchport port security aging static time time type absolute inactivity Enable or disable stati...

Page 694: ...witch joins a stack the new switch will get the configured secure addresses All dynamic secure addresses are downloaded by the new stack member from the other stack members When a switch either the stack master or a stack member leaves the stack the remaining stack members are notified and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table F...

Page 695: ...nterfaces interface id switchport privileged EXEC command displays among other characteristics the interface traffic suppression and control configuration The show storm control and show port security privileged EXEC commands display those storm control and port security settings To display traffic control information use one or more of the privileged EXEC commands in Table 26 4 Table 26 4 Command...

Page 696: ...26 20 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 26 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 697: ... With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems t...

Page 698: ...f time to hold the information before discarding it and whether or not to send Version 2 advertisements Beginning in privileged EXEC mode follow these steps to configure the CDP timer holdtime and advertisement type Note Steps 2 through 4 are all optional and can be performed in any order Table 27 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enab...

Page 699: ...d with Cisco Network Assistant available on Cisco com Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to enable CDP when it has been disabled This example shows how to enable CDP if it has been disabled Switch configure terminal Switch config cdp run Switch config end Step 4 cdp advertise v2 Op...

Page 700: ...nable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Step 3 no cdp enable Disable CDP on the interface Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the configura...

Page 701: ...rs or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the interface about which you want i...

Page 702: ...27 6 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 27 Configuring CDP Monitoring and Maintaining CDP ...

Page 703: ... MED and Wired Location Service page 28 5 Monitoring and Maintaining LLDP LLDP MED and Wired Location Service page 28 11 Understanding LLDP LLDP MED and Wired Location Service LLDP page 28 1 LLDP MED page 28 2 Wired Location Service page 28 3 LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bri...

Page 704: ...s such as IP phones and network devices such as switches It specifically provides support for voice over IP VoIP applications and provides additional TLVs for capabilities discovery network policy Power over Ethernet inventory management and location information By default all LLDP MED TLVs are enabled LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine th...

Page 705: ...ion TLV Provides location information from the switch to the endpoint device The location TLV can send this information Civic location information Provides the civic address information and postal information Examples of civic location information are street address road name and postal community name information ELIN location information Provides the location information of a caller The location ...

Page 706: ...tected the association Depending on the device capabilities the switch obtains this client information at link down Slot and port that was disconnected MAC address IP address 802 1X user name if applicable Device category is specified as a wired station State is specified as delete Serial number UDI Time in seconds since the switch detected the disassociation When the switch shuts down it sends an...

Page 707: ...interface If the switchport voice vlan vlan id is already configured on an interface you can apply a network policy profile on the interface This way the interface has the voice or voice signaling VLAN network policy profile applied on the interface You cannot configure static secure MAC addresses on an interface that has a network policy profile You cannot configure a network policy profile on a ...

Page 708: ...rding it and the initialization delay time You can also select the LLDP and LLDP MED TLVs to send and receive Beginning in privileged EXEC mode follow these steps to configure the LLDP characteristics Note Steps 2 through 5 are optional and can be performed in any order Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp run Enable LLDP globally on the switch Step...

Page 709: ...LV on an interface Step 3 lldp reinit delay Optional Specify the delay time in seconds for LLDP to initialize on an interface The range is 2 to 5 seconds the default is 2 seconds Step 4 lldp timer rate Optional Set the sending frequency of LLDP updates in seconds The range is 5 to 65534 seconds the default is 30 seconds Step 5 lldp tlv select Optional Specify the LLDP TLVs to send or receive Step ...

Page 710: ...signaling vlan vlan id cos cvalue dscp dvalue dot1p cos cvalue dscp dvalue none untagged Configure the policy attributes voice Specify the voice application type voice signaling Specify the voice signaling application type vlan Specify the native VLAN for voice traffic vlan id Optional Specify the VLAN for voice traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class ...

Page 711: ...cation Service Beginning in privileged EXEC mode follow these steps to configure location information for an endpoint and to apply it to an interface Step 7 lldp med tlv select network policy Specify the network policy TLV Step 8 end Return to privileged EXEC mode Step 9 show network policy profile Verify the configuration Step 10 copy running config startup config Optional Save your entries in th...

Page 712: ... or place civic location id Specify global civic location information for an interface elin location id Specify emergency location information for an interface id Specify the ID for the civic location or the ELIN location The ID range is 1 to 4095 word Specify a word or phrase with additional location information Step 6 end Return to privileged EXEC mode Step 7 show location Verify the configurati...

Page 713: ... and the delay time before LLDP initializes on an interface show lldp entry entry name Display information about a specific neighbor You can enter an asterisk to display all neighbors or you can enter the neighbor name show lldp interface interface id Display information about interfaces with LLDP enabled You can limit the display to a specific interface show lldp neighbors interface id detail Dis...

Page 714: ... Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 28 Configuring LLDP LLDP MED and Wired Location Service Monitoring and Maintaining LLDP LLDP MED and Wired Location Service ...

Page 715: ... UDLD detects a unidirectional link it disables the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation page 29 1 Methods to Detect Unidirectional Links page 29 2 Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to ...

Page 716: ...links one of the ports is down while the other is up One of the fiber strands in the cable is disconnected In these cases UDLD disables the affected port In a point to point link UDLD hello packets can be considered as a heart beat whose presence guarantees the health of the link Conversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bid...

Page 717: ... the port is disabled If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up seque...

Page 718: ...onal link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 29 1 Default UDLD Configuration Feature Default Setting UDLD ...

Page 719: ...er optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 29 1 message time message timer interval Configures the period of time betwee...

Page 720: ...mand enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface configuration...

Page 721: ...Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 722: ...29 8 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 29 Configuring UDLD Displaying UDLD Status ...

Page 723: ...ected to a network analyzer or other monitoring or security device SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destinati...

Page 724: ...ly within one switch all source ports or source VLANs and destination ports are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 30 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10 receives all netw...

Page 725: ...h B The traffic for each RSPAN session is carried over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as R...

Page 726: ...r more ports or one or more VLANs and send the monitored traffic to one or more destination ports A local SPAN session is an association of a destination port with source ports or source VLANs all on a single network device Local SPAN does not have separate source and destination sessions Local SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stre...

Page 727: ...tions Sources can be ports or VLANs but you cannot mix source ports and source VLANs in the same session The switch other than the Catalyst 3560E 12D switch supports up to two local SPAN or RSPAN source sessions You can run both a local SPAN and an RSPAN source session in the same switch or switch stack The switch or switch stack supports a total of 66 source and RSPAN destination sessions You can...

Page 728: ...N session you can also monitor a port or VLAN for both received and sent packets This is the default The default configuration for local SPAN session ports is to send all packets untagged SPAN also does not normally monitor bridge protocol data unit BPDU packets and Layer 2 protocols such as Cisco Discovery Protocol CDP VLAN Trunk Protocol VTP Dynamic Trunking Protocol DTP Spanning Tree Protocol S...

Page 729: ...ss egress or both to monitor It can be any port type for example EtherChannel Gigabit Ethernet and so forth For EtherChannel sources you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel It can be an access port trunk port routed port or voice VLAN port It cannot be a destination port Source ports can be in the same or differe...

Page 730: ... RSPAN session it is located on the switch containing the RSPAN destination session There is no destination port on a switch or switch stack running only an RSPAN source session When a port is configured as a SPAN destination port the configuration overwrites the original port configuration When the SPAN destination configuration is removed the port reverts to its previous configuration If a confi...

Page 731: ...delines section on page 30 13 In a local SPAN session with only one destination port you do not need to specify the destination port group If you add a second destination port to the session the port must be in the same destination port group as the existing destination port RSPAN VLAN The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions It has these special characteri...

Page 732: ...hannel You can configure an EtherChannel group as a source port but not as a SPAN destination port When a group is configured as a SPAN source the entire group is monitored If a physical port is added to a monitored EtherChannel group the new port is added to the SPAN source port list If a port is removed from a monitored EtherChannel group it is automatically removed from the source port list A p...

Page 733: ...rface It is applied to all the traffic that is monitored on all interfaces in the SPAN session The packets that are permitted by this ACL are copied to the SPAN destination port No other packets are copied to the SPAN destination port The original traffic continues to be forwarded and any port VLAN and router ACLs attached are applied The FSPAN ACL does not have any effect on the forwarding decisi...

Page 734: ...supported on all feature sets IPv6 FSPAN ACLs are supported only in the advanced IP services feature set For information on configuring the switch for FSPAN and FRSPAN see the Configuring FSPAN and FRSPAN section on page 30 27 Configuring SPAN and RSPAN Default SPAN and RSPAN Configuration page 30 12 Configuring Local SPAN page 30 12 Configuring RSPAN page 30 19 Default SPAN and RSPAN Configuratio...

Page 735: ...ry the original encapsulation headers untagged ISL or IEEE 802 1Q if the encapsulation replicate keywords are specified If the keywords are not specified the packets are sent in native form You can configure a disabled port to be a source or destination port but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled You can limit SPAN tr...

Page 736: ...alyst 3560E 12D switch you can only enter 1 for the session_number For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The ran...

Page 737: ...0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interface inter...

Page 738: ...ig monitor session 2 source vlan 10 Switch config end Creating a Local SPAN Session and Configuring Incoming Traffic Beginning in privileged EXEC mode follow these steps to create a SPAN session to specify the source ports or VLANs and the destination ports and to enable incoming traffic on the destination port for a network security device such as a Cisco IDS Sensor Appliance For details about th...

Page 739: ...erface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 When entering this command on the Catalyst 3560E 12D switch you can only enter 1 for the session_number For interface id speci...

Page 740: ... trunk port Step 4 monitor session session_number filter vlan vlan id Limit the SPAN source traffic to specific VLANs For session_number enter the session number specified in Step 3 For vlan id the range is 1 to 4094 Optional Use a comma to specify a series of VLANs or use a hyphen to specify a range of VLANs Enter a space before and after the comma enter a space before and after the hyphen Step 5...

Page 741: ...t ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches For RSPAN configuration you can distribute the source ports and the destination ports across multiple switches in your network RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols The RSPAN VLAN is configured only on trunk ports and n...

Page 742: ...ion command This example shows how to create RSPAN VLAN 901 Switch config vlan 901 Switch config vlan remote span Switch config vlan end Creating an RSPAN Source Session Beginning in privileged EXEC mode follow these steps to start an RSPAN source session and to specify the monitored source and the destination RSPAN VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Ste...

Page 743: ...ing the RSPAN VLAN A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and source VLANs in one session Optional Specify a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional Specify the direction of traffic to monitor If you do not specify a traffic dir...

Page 744: ...ion remote vlan 901 destination port group b Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to configure the RSPAN source session to limit RSPAN source traffic to specific VLANs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local remote Remove any existing SPAN configuration ...

Page 745: ...ANs 1 through 5 and 9 to destination RSPAN VLAN 902 Switch config no monitor session 1 Switch config monitor session 1 source interface gigabitethernet0 2 rx Switch config monitor session 1 filter vlan 1 5 9 Switch config monitor session 1 destination remote vlan 902 destination port group a Switch config end Step 5 On a switch other than the Catalyst 3560E 12D switch monitor session session_numbe...

Page 746: ...ion For session_number the range is 1 to 66 Specify all to remove all RSPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 6 monitor session session_number source remote vlan vlan id Specify the RSPAN session and the source RSPAN VLAN For session_number the range is 1 to 66 When entering this command on the Catalyst 3560E 12D switch you can only enter...

Page 747: ...and Configuring Incoming Traffic Beginning in privileged EXEC mode follow these steps to create an RSPAN destination session to specify the source RSPAN VLAN and the destination port and to enable incoming traffic on the destination port for a network security device such as a Cisco IDS Sensor Appliance For details about the keywords not related to incoming traffic see the Creating an RSPAN Destin...

Page 748: ...capsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Though visible in the command line help string encapsulation replicate is not supported for RSPAN The origin...

Page 749: ...CL command is rejected If the session has FSPAN ACL configured any commands including Catalyst 3750 ports as source ports are rejected The Catalyst 3750 ports can be added as destination ports in an FSPAN session VLAN based FSPAN sessions cannot be configured on a stack that includes Catalyst 3750 switches FSPAN ACLs cannot be applied to per port per VLAN sessions You can configure per port per VL...

Page 750: ... SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or the source VLAN to monitor For source interface id specify the source port to monitor Only physical interfaces are valid For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can include multiple sources ...

Page 751: ...replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged Note You can use monitor session session_number destination command multiple times to configure multiple destination ports Step 5 monitor session session_number filter ip ipv6 mac access group access list number name Specify the SPAN session the types of packets to filter and...

Page 752: ...ffic both Monitor both received and sent traffic rx Monitor received traffic tx Monitor sent traffic Step 4 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination RSPAN VLAN For session_number enter the number defined in Step 3 For vlan id specify the source RSPAN VLAN to monitor Step 5 vlan vlan id Enter the VLAN sub mode For vlan id specify t...

Page 753: ...SPAN and RSPAN Displaying SPAN RSPAN FSPAN and FRSPAN Status Displaying SPAN RSPAN FSPAN and FRSPAN Status To display the current SPAN RSPAN FSPAN or FRSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured sessions ...

Page 754: ...30 32 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 30 Configuring SPAN and RSPAN Displaying SPAN RSPAN FSPAN and FRSPAN Status ...

Page 755: ...ensive network fault diagnosis planning and performance tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Understanding RMON page 31 1 Configuring RMON page 31 3 Displaying RMON Status page 31 6 Understanding RMON RMON is an Int...

Page 756: ...pecific management information base MIB object for a specified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to ge...

Page 757: ... RMON Configuration RMON is disabled by default no alarms or events are configured Configuring RMON Alarms and Events You can configure your switch for RMON by using the command line interface CLI or an SNMP compatible network management station We recommend that you use a generic RMON console application on the network management station NMS to take advantage of the RMON network management capabi...

Page 758: ...or value specify a number at which the alarm is triggered and one for when the alarm is reset The range for the rising threshold and falling threshold values is 2147483648 to 2147483647 Optional For event number specify the event number to trigger when the rising or falling threshold exceeds its limit Optional For owner string specify the owner of the alarm Step 3 rmon event number description str...

Page 759: ...ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command This example also generates an SNMP trap when the event is triggered Switch config rmon event 1 log trap eventtrap description High ifOutErrors owner jjones Collecting Group History Statistics on an Interface You must first configure RMON al...

Page 760: ...unning config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which to collect statistics and enter interface configuration mode Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For i...

Page 761: ...rmation about the fields in these displays see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 show rmon history Displays the RMON history table show rmon statistics Displays the RMON statistics table Table 31 1 Commands for Displaying RMON Status continued Command Purpose ...

Page 762: ...31 8 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 31 Configuring RMON Displaying RMON Status ...

Page 763: ...privileged EXEC commands to a logging process Stack members can trigger system messages A stack member that generates a system message appends its hostname in the form of hostname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though the stack master is a stack member it does not append its hostname to system messages The logging proces...

Page 764: ...tput Configuring System Message Logging System Log Message Format page 32 2 Default System Message Logging Configuration page 32 4 Disabling Message Logging page 32 4 optional Setting the Message Display Destination Device page 32 5 optional Synchronizing Log Messages page 32 6 optional Enabling and Disabling Time Stamps on Log Messages page 32 8 optional Enabling and Disabling Sequence Numbers in...

Page 765: ...terface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 32 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disabling Seque...

Page 766: ...ng Message logging is enabled by default It must be enabled to send messages to any destination other than the console When enabled log messages are sent to a logging process which logs messages to designated locations asynchronously to the processes that generated the messages Beginning in privileged EXEC mode follow these steps to disable message logging This procedure is optional Table 32 2 Def...

Page 767: ...s This procedure is optional Step 4 show running config or show logging Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging buffered size Log messages to an internal buffer on the switch or on a standalone switch or in the case of a...

Page 768: ...debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicited device output and prompts After the unsolicited mes...

Page 769: ...bers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number of buffe...

Page 770: ...than one log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configuratio...

Page 771: ...figuration command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged to the c...

Page 772: ...s displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the switch histor...

Page 773: ...clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and re enable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration...

Page 774: ...ce GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface GigabitEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility Logging Messages to a UNIX Syslog Daemon Before you ca...

Page 775: ...the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid For more information see the man syslog conf and man syslogd commands on your UNIX system Configuring the UNIX System Logging Facility When sending system log messages to an external device you can ...

Page 776: ...ng the Logging Configuration To display the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Step 6 show running config Verify your entries Step 7 copy running config startup config Optional Save your entries in the config...

Page 777: ... To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respond to a man...

Page 778: ...ing packets over the network and includes these security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword Both SNMPv1 and SNMPv2C use a community base...

Page 779: ...d on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard 3DES 168 bit encryption ...

Page 780: ...write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application The Network Assistant software appends the member switch number esN where N is the switch number to the first...

Page 781: ...than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and in...

Page 782: ...onfiguration Tunnel 5078 5142 Physical such as Gigabit Ethernet or SFP2 module interfaces 10000 14500 Null 14501 1 SVI switch virtual interface 2 SFP small form factor pluggable Table 33 3 ifIndex Values Interface Type ifIndex Range Table 33 4 Default SNMP Configuration Feature Default Setting SNMP agent Disabled1 1 This is the default when the switch starts and the startup configuration does not ...

Page 783: ...st the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has i...

Page 784: ...to configure a community string on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server community string view view name ro rw access list number Configure the community string Note The symbol is used for delimiting the context information Avoid using the symbol as part of the SNMP community string when configuring this command For string specify a...

Page 785: ...ws and you can add new users to the SNMP group Step 3 access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 then create the list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The per...

Page 786: ...h priv read readview write writeview notify notifyview access access list Configure a new SNMP group on the remote device For groupname specify the name of the group Specify a security model v1 is the least secure of the possible security models v2c is the second least secure model It allows transmission of informs and integers twice the normal width v3 the most secure requires you to select an au...

Page 787: ...able only when the v3 keyword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 you can also configure a private priv encryption algorithm and password string priv password not to exceed 64 characters priv specifies t...

Page 788: ...hanges config Generates a trap for SNMP configuration changes copy config Generates a trap for SNMP copy configuration changes cpu threshold Allow CPU related traps entity Generates a trap for SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature flash Generates SNMP FLASH notifications In a sw...

Page 789: ...fication type port security configure the port security trap first and then configure the port security trap rate snmp server enable traps port security snmp server enable traps port security trap rate rate rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down storm control Genera...

Page 790: ...h noauth priv read readview write writeview notify notifyview access access list Configure an SNMP group Step 5 snmp server host host addr informs traps version 1 2c 3 auth noauth priv community string notification type Specify the recipient of an SNMP trap operation For host addr specify the name or Internet address of the host the targeted recipient Optional Enter informs to send SNMP informs to...

Page 791: ... list of notification types see Table 33 5 on page 33 12 or enter snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command for each trap type Note When you configure a trap by using the notification type port security configure the port security trap first and then configure the port security trap rate snmp server enable traps port secur...

Page 792: ...lization rising percentage the percentage 1 to 100 of CPU resources that when exceeded for the configured interval sends a CPU threshold notification interval seconds the duration of the CPU threshold violation in seconds 5 to 86400 that when met sends a CPU threshold notification falling fall percentage the percentage 1 to 100 of CPU resources that when usage falls below this level for the config...

Page 793: ...st number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access...

Page 794: ...ty string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled The se...

Page 795: ...and Reference Table 33 6 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp pending Displays information on pending SNMP requests...

Page 796: ...33 20 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 33 Configuring SNMP Displaying SNMP Status ...

Page 797: ...mplete EEM document set see these documents in the Cisco IOS Network Management Configuration Guide Embedded Event Manager Overview http www cisco com en US docs ios netmgmt configuration guide nm_eem_overview html Writing Embedded Event Manager Policies Using the Cisco IOS CLI http www cisco com en US docs ios netmgmt configuration guide nm_eem_policy_cli html Writing Embedded Event Manager Polic...

Page 798: ...curs The EEM policies then implement recovery based on the current state of the system and the actions specified in the policy for the given event Figure 34 1 Embedded Event Manager Core Event Detectors See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment Event Detectors page 34 3 Embedded Event Manager Actions page 34 4 Embedded Event Manag...

Page 799: ... also publishes an event about an interface based on the rate of change for the entry and exit values None event detector Publishes an event when the event manager run CLI command executes an EEM policy EEM schedules and runs policies on the basis on an event specification within the policy itself An EEM policy must be manually identified and registered before the event manager run command execute...

Page 800: ...Cisco IOS process crosses a threshold Memory utilization for a Cisco IOS process crosses a threshold Two events can be monitored at the same time and the event publishing criteria requires that one or both events cross their specified thresholds Embedded Event Manager Actions These actions occur in response to an event Modifying a named counter Publishing an application specific event Generating a...

Page 801: ... in variables available in EEM applets Defined by Cisco and can be read only or read write The read only variables are set by the system before an applet starts to execute The single read write variable _exit_status allows you to set the exit status for policies triggered from synchronous events Cisco defined environment variables and Cisco system defined environment variables might apply to one s...

Page 802: ... 7 For complete information about configuring embedded event manager see the Cisco IOS Network Management Configuration Guide Release 12 4T Note To configure EEM you must have the IP services feature set installed on the switch Registering and Defining an Embedded Event Manager Applet Beginning in privileged EXEC mode perform this task to register an applet with EEM and to define the EEM applet us...

Page 803: ...el msg msg text Specify the action when an EEM applet is triggered Repeat this action to add other CLI commands to the applet Optional The priority keyword specifies the priority level of the syslog messages If selected you need to define the priority level argument For msg text the argument can be character text an environment variable or a combination of the two Step 5 end Exit applet configurat...

Page 804: ...e every hour of every day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Manager Inf...

Page 805: ...Services Release 12 2 Catalyst 3750 E and 3560 E switches also support Cisco TrustSec Security Group Tag SCT Exchange Protocol SXP This feature supports security group access control lists SGACLs which define ACL policies for a group of devices instead of an IP address The SXP control protocol allows tagging packets with SCTs without a hardware upgrade and runs between access layer devices at the ...

Page 806: ...e forwarded but not Telnet traffic ACLs can be configured to block inbound traffic outbound traffic or both An ACL contains an ordered list of access control entries ACEs Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE The meaning of permit or deny depends on the context in which the ACL is used The switch supports IP ACLs and Ethernet MA...

Page 807: ...an SVI incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL Outgoing routed IP packets are filtered by both the VLAN map and the router ACL Other packets are filtered only by the VLAN map If IEEE 802 1Q tunneling is configured on an interface any IEEE 802 1Q encapsulated IP packets received on the tunnel port can be filtered by MAC ACLs but not by...

Page 808: ... interface and you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can...

Page 809: ...rtype using MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 35 2 shows how a VLAN map is applied ...

Page 810: ...a deny because all Layer 3 and Layer 4 information is present The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted will consume ban...

Page 811: ...e the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide Release 12 2 For detailed information about the commands see the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 The switch does not support these Cisco IOS router ACL related features Non IP protocol ACLs see Table 35 1 on page 35 8 or bridge gr...

Page 812: ... List Numbers page 35 8 ACL Logging page 35 9 Creating a Numbered Standard ACL page 35 10 Creating a Numbered Extended ACL page 35 11 Resequencing ACEs in an ACL page 35 15 Creating Named Standard and Extended ACLs page 35 15 Using Time Ranges with ACLs page 35 17 Including Comments in ACLs page 35 19 Access List Numbers The number you use to denote your ACL shows the type of access list that you ...

Page 813: ...ssages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing rate and not all packets will be logged The first packet that triggers the ...

Page 814: ...tandard IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether t...

Page 815: ... of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic routing encap...

Page 816: ...c parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard can...

Page 817: ...ontrol Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port numb...

Page 818: ...ecedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings...

Page 819: ...ess list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199 The adva...

Page 820: ...Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuration mode Th...

Page 821: ...set the times and the dates or the days of the week in the time range Then enter the time range name when applying an ACL to set restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week The time range keyword and argument are referenced in the named an...

Page 822: ...xtended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any t...

Page 823: ...rmit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the workstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed ...

Page 824: ...Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These access...

Page 825: ... packet against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are normally...

Page 826: ...be applied in hardware packets arriving in a VLAN that must be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware Use the sh...

Page 827: ...available To avoid this issue Move the fourth ACE before the first ACE by using ip access list resequence global configuration command permit tcp source source wildcard destination destination wildcard permit tcp source source wildcard destination destination wildcard range 5 60 permit tcp source source wildcard destination destination wildcard range 15 160 permit tcp source source wildcard destin...

Page 828: ...rce addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traffic coming out of routed Port 1 from the specified source address Switch config access list 6 permit 172 20 128 64 0 0 0 31 Switch config end Switch show access lists Standard IP access list 6 10 permit 172 20 128 64 wildcard bits 0 0 0 31 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 6 out This ...

Page 829: ...ig if ip access group 102 in In this example suppose that you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection...

Page 830: ...outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port Switch config interface gigabitethernet3 0 2 Switch config if no switchport Switch config if ip address 2 0 5 1 255 255 255 0 Switch config if ip access group Internet_filter out Switch config if ip access group marketing_group in Time Range Applied to an IP ACL This example denies HTTP traffic on IP on M...

Page 831: ... interface in the log entry In this example standard named access list stan1 denies traffic from 10 1 1 0 0 0 0 255 allows traffic from all other sources and includes the log keyword Switch config ip access list standard stan1 Switch config std nacl deny 10 1 1 0 0 0 0 255 log Switch config std nacl permit any log Switch config std nacl exit Switch config interface gigabitethernet1 0 1 Switch conf...

Page 832: ... message when the log input keyword is entered 00 04 21 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 Vlan1 0001 42ef a400 10 1 1 61 0 0 1 packet A log message for the same sort of packet using the log keyword does not include the input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 10 1 1 61 0 0 1 packet Creating Named MAC Extended ACLs You ...

Page 833: ...pe mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address with a mask or a specific host source MAC address and any destination MAC address destinati...

Page 834: ...terface configuration command This example shows how to apply MAC access list mac1 to a port to filter packets entering the port Switch config interface gigabitethernet1 0 2 Router config if mac access group mac1 in Note The mac access group interface configuration command is only valid when applied to a physical Layer 2 interface You cannot use the command on EtherChannel port channels After rece...

Page 835: ...fault or drop and enter the match command to specify an IP packet or a non IP packet with only a known MAC address and to match the packet against one or more ACLs standard or extended Note If the VLAN map is configured with a match clause for a type of packet IP or MAC and the map action is drop all packets that match the type are dropped If the VLAN map has no match clause and the configured act...

Page 836: ...h the primary and secondary VLANs For more information about private VLANs see Chapter 16 Configuring Private VLANs For configuration examples see the Using VLAN Maps in Your Network section on page 35 35 For information about using both router ACLs and VLAN maps see the VLAN Maps and Router ACL Configuration Guidelines section on page 35 38 Creating a VLAN Map Each VLAN map consists of an ordered...

Page 837: ...atch clauses Switch config ip access list extended ip1 Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop This example shows how to create a VLAN map to permit a packet ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this m...

Page 838: ...packets with decnet iv or vines ip protocols Drop all other non IP packets Forward all IP packets Switch config mac access list extended good hosts Switch config ext macl permit host 000 0c00 0111 any Switch config ext macl permit host 000 0c00 0211 any Switch config ext nacl exit Switch config mac access list extended good protocols Switch config ext macl permit any any decnet ip Switch config ex...

Page 839: ...a wiring closet configuration routing might not be enabled on the switch In this configuration the switch can still support a VLAN map and a QoS classification ACL In Figure 35 4 assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed by Switch B a Layer 3 switch with routing enabled Traffic f...

Page 840: ... traffic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config ext nacl permit ip any any Switch config ext nacl exit Switch config vlan access map map2 20 Switch config access map match ip address match_all Switch config acces...

Page 841: ... a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL Switch config vlan access map SERVER1_MAP Switch config access map match ip address SERVER1_ACL Switch config access map action drop Switch config vlan access map SERVER1_MAP 20 Switch config access map action forward Switch config access map exit Step 3 Apply the VLAN map t...

Page 842: ...nfigured on the same VLAN Merging the router ACL with the VLAN map might significantly increase the number of ACEs If you must configure a router ACL and a VLAN map on the same VLAN use these guidelines for both router ACL and VLAN map configuration You can configure only one VLAN map and one router ACL in each direction input output on a VLAN interface Whenever possible try to write the ACL with ...

Page 843: ...ed Packets page 35 39 ACLs and Bridged Packets page 35 39 ACLs and Routed Packets page 35 40 ACLs and Multicast Packets page 35 41 ACLs and Switched Packets Figure 35 6 shows how an ACL is applied on packets that are switched within a VLAN Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN Figure 35 6 Applying ...

Page 844: ... ACLs are applied on routed packets The ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 35 8 Applying ACLs on Routed Packets Frame Fallback bridge VLAN 10 Host A VLAN 10 Packet 101358 VLAN 20 Host B VLAN 20 VLAN 10 map VLAN 20 map Frame Routing function VLAN 10 Host A VLAN 10 Packet 101359 VLAN 20 Host B VLAN 20 VLAN...

Page 845: ... the packet no destination receives a copy of the packet Figure 35 9 Applying ACLs on Multicast Packets Displaying IPv4 ACL Configuration You can display the ACLs that are configured on the switch and you can display the ACLs that have been applied to interfaces and VLANs When you use the ip access group interface configuration command to apply ACLs to a Layer 2 or 3 interface you can display the ...

Page 846: ...y show running config interface interface id Displays the contents of the configuration file for the switch or the specified interface including all configured MAC and IP access lists and which access groups are applied to an interface show mac access group interface interface id Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface Table 35 2 Commands for ...

Page 847: ... the sdm prefer dual ipv4 and ipv6 default routing vlan global configuration command For related information see these chapters For more information about SDM templates see Chapter 8 Configuring SDM Templates For information about IPv6 on the switch see Chapter 41 Configuring IPv6 Unicast Routing For information about ACLs on the switch see Chapter 35 Configuring Network Security with ACLs Note Fo...

Page 848: ... are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on the ports to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other packets are not filtered Note If any port ACL IPv4 IPv6 or MAC is applied to an interface that port ACL is used to filte...

Page 849: ...nterface that requires hardware forwarding physical ports or SVIs the switch checks to determine whether or not the ACL can be supported on the interface If not attaching the ACL is rejected If an ACL is applied to an interface and you attempt to add an access control entry ACE with an unsupported keyword the switch does not allow the ACE to be added to the ACL that is currently attached to the in...

Page 850: ... is to be dropped due to a port ACL the frame is not bridged You can create both IPv4 and IPv6 ACLs on a switch or switch stack and you can apply both IPv4 and IPv6 ACLs to the same interface Each ACL must have a unique name an error message appears if you try to use a name that is already configured You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the sam...

Page 851: ...mal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix prefix length argumen...

Page 852: ...tor port number dscp value log log input neq port protocol range port protocol routing sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not v...

Page 853: ...y to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Step 5 show ipv6 access list Verify the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 i...

Page 854: ...ow access lists privileged EXEC command The output shows all access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 access lists configured on the...

Page 855: ...configured You can configure QoS on physical ports and on switch virtual interfaces SVIs Other than to apply policy maps you configure the QoS settings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you apply a nonhierarchical policy map When configuring QoS on an SVI you apply a nonhierarchical or a hierarchical polic...

Page 856: ...ted IP type of service ToS field to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 37 1 Prioritization bits in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value...

Page 857: ...s allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the tra...

Page 858: ... be taken when a packet is out of profile and determines what to do with the packet pass through a packet without modification mark down the QoS label in the packet or drop the packet For more information see the Policing and Marking section on page 37 9 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet Queuein...

Page 859: ...n in Figure 37 3 Trust the CoS value in the incoming frame configure the port to trust CoS Then use the configurable CoS to DSCP map to generate a DSCP value for the packet Layer 2 ISL frame headers carry the CoS value in the 3 least significant bits of the 1 byte User field Layer 2 802 1Q frame headers carry the CoS value in the 3 most significant bits of the Tag Control Information field CoS val...

Page 860: ...n the incoming packet configure the port to trust IP precedence and generate a DSCP value for the packet by using the configurable IP precedence to DSCP map The IP Version 4 specification defines the 3 most significant bits of the 1 byte ToS field as the IP precedence IP precedence values range from 0 for low priority to 7 for high priority You can also classify IP traffic based on IPv6 precedence...

Page 861: ...e the QoS label Read ingress interface configuration for classification Assign DSCP identical to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the Qo...

Page 862: ... map is a mechanism that you use to name a specific traffic flow or class and isolate it from all other traffic The class map defines the criteria used to match against a specific traffic flow to further classify it The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP or IP precedence values If you have more than one type of traffic that you wan...

Page 863: ...ies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the packet to pass through The configurable policed DSCP map provides the packet with a new DSCP based QoS label For information on the policed DSCP map see the Mapping Tables section...

Page 864: ...h verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes an upper l...

Page 865: ...erface level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No Pass thro...

Page 866: ...icy map only supports individual policers and does not support aggregate policers You can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 37 64 for an example of a hierarchical policy map Figure 37 5 shows the policing and marking process wh...

Page 867: ...is map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue threshold ...

Page 868: ...d bandwidth of all ports can exceed the bandwidth of the stack or internal ring ingress queues are located after the packet is classified policed and marked and before packets are forwarded into the switch fabric Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion outbound queues are located after the stack or internal ring Marker Policer Marker Po...

Page 869: ...ll state CoS values 4 and 5 are assigned to the 60 percent threshold and CoS values 0 to 3 are assigned to the 40 percent threshold Suppose the queue is already filled with 600 frames and a new frame arrives It contains CoS values 4 and 5 and is subjected to the 60 percent threshold If this frame is added to the queue the threshold will be exceeded so the switch drops it Figure 37 8 WTD and Queue ...

Page 870: ...er interface Each interface can be uniquely configured For more information see the Allocating Bandwidth Between the Ingress Queues section on page 37 82 the Configuring SRR Shaped Weights on Egress Queues section on page 37 89 and the Configuring SRR Shared Weights on Egress Queues section on page 37 90 Queueing and Scheduling on Ingress Queues Figure 37 9 and Figure 37 10 show the queueing and s...

Page 871: ... ring Drop packet Start Yes No Table 37 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows You can use the mls qos srr queue input threshold the mls qos sr...

Page 872: ...with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 weight2 g...

Page 873: ...R services it until it is empty before servicing the other three queues Figure 37 11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750 E Switches 86694 Receive packet from the stack ring Read QoS label DSCP or CoS value Determine egress queue number and threshold based on the label Are thresholds being exceeded Send the packet out the port Queue the packet Service the queue accor...

Page 874: ...l The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue to prevent any queue or port from consuming all the buffers and depriving other queues and to control whether to grant buffer space to a requesting queue The switch detects whether the target queue has not consumed more buffers than its reserved amount under limit whether it has consumed all o...

Page 875: ...pace is 400 you can allocate 70 percent of it to queue 1 and 10 percent to queues 2 through 4 Queue 1 then has 280 buffers allocated to it and queues 2 through 4 each have 40 buffers allocated to them You can guarantee that the allocated buffers are reserved for a specific queue in a queue set For example if there are 100 buffers for a queue you can reserve 50 percent 50 buffers The switch returns...

Page 876: ...is not used in the ratio calculation The expedite queue is a priority queue and it is serviced until empty before the other queues are serviced You enable the expedite queue by using the priority queue out interface configuration command You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues by allocating a ...

Page 877: ... different traffic flows It uses the ingress and egress queues instead of using the default disabled QoS behavior The switch offers best effort service to each packet regardless of the packet contents or size and sends it from a single queue When you enable auto QoS it automatically classifies traffic based on the traffic type and ingress packet label The switch uses the classification results to ...

Page 878: ...Phone the ingress classification is set to not trust the QoS label in the packet The policing is applied to the traffic matching the policy map classification before the switch enables the trust boundary feature When you enter the auto qos voip cisco softphone interface configuration command on a port at the network edge that is connected to a device running the Cisco SoftPhone the switch uses pol...

Page 879: ...oip generated commands that you configured on the interface before Cisco IOS Release 12 2 55 SE migrate to the enhanced commands Global values change with the migration of enhanced commands For a complete list of the generated commands that are applied to the running configuration see Table 37 5 Auto QoS Configuration Migration Auto QoS configuration migration from legacy auto QoS to enhanced auto...

Page 880: ...ations from the interface Global Auto QoS Configuration Table 37 5 Generated Auto QoS Configuration Description Automatically Generated Command voip Enhanced Automatically Generated Command Video Trust Classify The switch automatically enables standard QoS and configures the CoS to DSCP map maps CoS values in incoming packets to a DSCP value Switch config mls qos Switch config mls qos map cos dscp...

Page 881: ... Switch config mls qos srr queue input dscp map queue 1 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue input dscp map queue 1 threshold 3 0 1 2 3 4 5 6 7 Switch config mls qos srr queue input dscp map queue 1 threshold 3 32 Switch config mls qos srr queue input dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos srr queue input dscp map queue 2 threshold 2 3...

Page 882: ...p queue 4 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue output dscp map queue 4 threshold 3 0 1 2 3 4 5 6 7 Switch config no mls qos srr queue output dscp map Switch config mls qos srr queue output dscp map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos srr queue o...

Page 883: ...3 Switch config no mls qos srr queue input priority queue 1 Switch config no mls qos srr queue input priority queue 2 Switch config mls qos srr queue input bandwidth 70 30 Switch config mls qos srr queue input threshold 1 80 90 Switch config mls qos srr queue input priority queue 2 bandwidth 30 The switch automatically configures the egress queue buffer sizes It configures the bandwidth and the SR...

Page 884: ...ef Switch config class map match all AutoQoS VoIP Control Trust Switch config cmap match ip dscp cs3 af31 Switch config policy map AutoQoS Police CiscoPhone Switch config pmap class AutoQoS VoIP RTP Trust Switch config pmap c set dscp ef Switch config pmap c police 320000 8000 exceed action policed dscp transmit Switch config pmap class AutoQoS VoIP Control Trust Switch config pmap c set dscp cs3 ...

Page 885: ..._CLASS Switch config pmap c set dscp default Switch config if service policy input AUTOQOS SRND4 CLASSIFY POLICY If you entered the auto qos classify police command the switch automatically creates class maps and policy maps Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHANCED_CONF_CLASS...

Page 886: ...LICY This is the enhanced configuration for the auto qos voip cisco softphone command Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHANCED_CONF_CLASS Switch config cmap match access group name AUTOQOS ACL MULTIENHANCED CONF Switch config class map match all AUTOQOS_VOIP_DATA_CLASS Switch...

Page 887: ...iguration Any user entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory If the generated commands are not applied the previous running configuration is restored Auto QoS Configuration Guidelines Before configuring auto QoS you should be aware of this information After auto QoS is enabled do not modify a policy map or ...

Page 888: ...p commands are executed on the switch and the mls qos command is disabled the enhanced auto QoS configuration is generated Otherwise legacy auto QoS commands are executed Enabling Auto QoS For optimum QoS performance enable auto QoS on all the devices in your network Beginning in privileged EXEC mode follow these steps to enable auto QoS devices within a QoS domain Command Purpose Step 1 configure...

Page 889: ...ic is switched in pass through mode packets are switched without any rewrites and classified as best effort without any policing Displaying Auto QoS Information To display the initial auto QoS configuration use the show auto qos interface interface id privileged EXEC command To display any user changes to that configuration use the show running config privileged EXEC command You can compare the sh...

Page 890: ... video streams Bandwidth requirements and speed of the network Location of congestion points in the network These sections contain this configuration information Default Standard QoS Configuration page 37 36 Standard QoS Configuration Guidelines page 37 39 Enabling QoS Globally page 37 41 required Enabling VLAN Based QoS on Physical Ports page 37 42 optional Configuring Classification Using Port T...

Page 891: ...s queue configuration when QoS is enabled Table 37 7 shows the default CoS input queue threshold map when QoS is enabled Table 37 8 shows the default DSCP input queue threshold map when QoS is enabled Table 37 6 Default Ingress Queue Configuration Feature Queue 1 Queue 2 Buffer allocation 90 percent 10 percent Bandwidth allocation 1 1 The bandwidth is equally shared between the queues SRR sends pa...

Page 892: ...eue 3 Queue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight of zero m...

Page 893: ...the guidelines with for configuring QoS with access control lists ACLs It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per class map and only one match class map configuration command per class map are supported The ACL can have multiple ACEs which match...

Page 894: ... IPv6 QoS on Switch Stacks You can enable IPv6 QoS on a switch or a switch stack If the stack includes only Catalyst 3750 X and Catalyst 3750 E switches the QoS configuration applies to all traffic These are the guidelines for IPv6 QoS in a stack that includes one or more Catalyst 3750 switches Any switch can be the stack master You can attach policies with IPv6 ACLs only on Catalyst 3750 X and 37...

Page 895: ... classification policing mapping and queueing on the individual physical ports that comprise the EtherChannel You must decide whether the QoS configuration should match on all ports in the EtherChannel If you need to modify a policy map of an existing QoS policy first remove the policy map from all interfaces and then modify or copy the policy map After you finish the modification apply the modifi...

Page 896: ...sable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section on page 37 36 the Queueing and Scheduling on Ingress Queues section on page 37 16 and the Queueing and Scheduling on Egress Queues section on page 37 19 S...

Page 897: ...page 37 44 Configuring a Trusted Boundary to Ensure Port Security page 37 45 Enabling DSCP Transparency Mode page 37 46 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 37 47 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port wit...

Page 898: ...terfaces are physical ports Step 3 mls qos trust cos dscp ip precedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress pa...

Page 899: ...passes the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a Cisco IP Phone such as the Cisco IP Phone 7910 7935 7940 and 7960 on a switch port If the telephone is not detected the trusted boundary feature disa...

Page 900: ... ip dscp command the switch does not modify the DSCP field in the incoming packet and the DSCP field in the outgoing packet is the same as that in the incoming packet Note Enabling DSCP transparency does not affect the port trust settings on IEEE 802 1Q tunneling ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP globally By default CDP is ena...

Page 901: ...transparency is still enabled Configuring the DSCP Trust State on a Port Bordering Another QoS Domain If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic you can configure the switch ports bordering the domains to a DSCP trusted state as shown in Figure 37 15 Then the receiving port accepts the DSCP trusted value and avoids the classifi...

Page 902: ...n Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map The default DSCP to DSCP mutation map is a null map which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map b...

Page 903: ...raffic by using Layer 2 MAC ACLs Creating an IP Standard ACL Beginning in privileged EXEC mode follow these steps to create an IP standard ACL for IPv4 traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list nu...

Page 904: ...d 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet is being sent You specify this by...

Page 905: ... 10 1 1 1 host 10 1 1 2 precedence 5 This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224 0 0 2 with a DSCP set to 32 Switch config access list 102 permit pim any 224 0 0 2 dscp 32 Creating an IPv6 ACL Beginning in privileged EXEC mode follow these steps to create an IPv6 ACL for IPv6 traffic Note Before creating IPv6 ACLs you must ...

Page 906: ... For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix prefix length argument it must match the destination port Optional T...

Page 907: ... are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by using the any keyword as an abbreviation for source 0 0 0 source wildcard ffff ffff ffff or by using the host keyword for source 0 0 0 For mask enter the wildcard bits by placing ones in the bit...

Page 908: ...tion command For more information see the Classifying Policing and Marking Traffic on Physical Ports by Using Policy Maps section on page 37 59 and the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 37 64 Beginning in privileged EXEC mode follow these steps to create a class map and to define the match criterion to classify traffic Command Purpos...

Page 909: ...lt is match all Note Because only one match command per class map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 35 15 for limitations when using the match all and the match any keywords Step 4 match protocol ip ipv6 Optional Specify the IP protocol to which the class map applies Use the argument ip to specify I...

Page 910: ... config cmap end Switch This example shows how to create a class map called class3 which matches incoming traffic with IP precedence values of 5 6 and 7 Switch config class map class3 Switch config cmap match ip precedence 5 6 7 Switch config cmap end Switch Step 5 match access group acl index or name ip dscp dscp list ip precedence ip precedence list Define the match criterion to classify traffic...

Page 911: ...tion mode By default no class maps are defined When you use the match protocol command only the match all keyword is supported For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Step 3 match protocol ip ipv6 Optional Specify the IP protocol to which the class map applies Use the argument ip to specify IPv4 traffi...

Page 912: ...ch config if service policy input pm1 This example shows how to configure a class map that applies to both IPv4 and IPv6 traffic Switch config ip access list 101 permit ip any any Switch config ipv6 access list ipv6 any permit ip any any Switch config Class map cm 1 Switch config cmap match access group 101 Switch config cmap exit Switch config Class map cm 2 Switch config cmap match access group ...

Page 913: ...recedence to DSCP map If you want the egress DSCP value to be different than the ingress value use the set dscp new dscp policy map class configuration command If you enter or have used the set ip dscp command the switch changes this command to set dscp in its configuration You can use the set ip precedence or the set precedence policy map class configuration command to change the packet IP preced...

Page 914: ...ss map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 35 15 for limitations when using the match all and the match any keywords Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined The default behavior ...

Page 915: ...lue for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 37 74 Step 6 set dscp new dscp ip precedence new precedence Classify IP traffic by setting a new value in the packet For dscp new dscp enter a new DSCP v...

Page 916: ...h config pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address 0001...

Page 917: ...lass cm 1 Switch config pmap c set dscp 4 Switch config pmap c exit Switch config pmap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap class class default Switch config pmap c exit Switch config pmap exit Switch config interface G0 1 Switch config if switch mode access Switch config if service policy input pm1 Classifying Policing and Marking Traffic on SVIs...

Page 918: ...ence value This setting appears as set ip precedence in the switch configuration If VLAN based QoS is enabled the hierarchical policy map supersedes the previously configured port based policy map The hierarchical policy map is attached to the SVI and affects all traffic belonging to the VLAN The actions specified in the VLAN level policy map affect the traffic belonging to the SVI The police acti...

Page 919: ...Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified the default is match all Note Because only one match command per class map is supported the match all and match any keywords function the same See ...

Page 920: ...all keyword to perform a logical AND of all matching statements under this class map All match criteria in the class map must be matched Optional Use the match any keyword to perform a logical OR of all matching statements under this class map One or more match criteria must be matched For class map name specify the name of the class map If neither the match all or match any keyword is specified t...

Page 921: ...when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action policed dscp transmit keywords to mark down the DSCP value by using the policed DSCP map and to send the packet For more information see the Configuring the Policed DSCP Map section on page 37 76 Step 14 exit Return to policy map configuration mode Step 15 exit Return to global configuration mo...

Page 922: ...e ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 37 74 Step 1...

Page 923: ...ccess 101 Switch config cmap exit Switch config exit Switch Switch This example shows how to attach the new map to an SVI Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config class map cm interface 1 Switch config cmap match input gigabitethernet3 0 1 gigabitethernet3 0 2 Switch config cmap exit Switch config policy map port plcmap Switch config pmap cl...

Page 924: ... config class map cm 2 Switch config cmap match ip dscp 20 Switch config cmap match protocol ip Switch config cmap exit Switch config policy map pm1 Switch config pmap class cm 1 Switch config pmap c set dscp 4 Switch config pmap c exit Switch config pmap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap exit Switch config interface G1 0 1 Switch config if ser...

Page 925: ...ed to multiple traffic classes within the same policy map By default no aggregate policer is defined For information on the number of policers supported see the Standard QoS Configuration Guidelines section on page 37 39 For aggregate policer name specify the name of the aggregate policer For rate bps specify average traffic rate in bits per second b s The range is 8000 to 10000000000 For burst by...

Page 926: ...onfig cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match access group 2 Switch config cmap exit Switch config policy map aggflow1 Switch config pmap class ipclass1 Switch config pmap c trust dscp Switch config pmap c police aggregate transmit1 Switch config pmap c exit Switch config pmap class ipclass2 Switch config pmap c set dscp 56 Switch...

Page 927: ... map are not appropriate Configuring the DSCP to CoS Map page 37 77 optional Configuring the DSCP to DSCP Mutation Map page 37 78 optional unless the null settings in the map are not appropriate All the maps except the DSCP to DSCP mutation map are globally defined and are applied to all ports Configuring the CoS to DSCP Map You use the CoS to DSCP map to map CoS values in incoming packets to a DS...

Page 928: ...o map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 37 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map cos dscp dscp1 dscp8 Modify the CoS to DSCP m...

Page 929: ...low these steps to modify the policed DSCP map This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map ip prec dscp dscp1 dscp8 Modify the IP precedence to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to the IP precedence values 0 to 7 Separate each DSCP value with a space The DSCP range is 0 to 63 Step 3 end Retur...

Page 930: ...8 49 5 00 00 00 00 00 00 00 00 58 59 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 ...

Page 931: ... map a DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With ingress ...

Page 932: ...0 00 00 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mutation na...

Page 933: ...need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is allocated b...

Page 934: ...d to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separate each va...

Page 935: ...default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is allocated betw...

Page 936: ... mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos srr qu...

Page 937: ...xt sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth of the port ...

Page 938: ...e is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the availabili...

Page 939: ... the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 400 percen...

Page 940: ...the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with particul...

Page 941: ...e 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop threshold pe...

Page 942: ...ch is 12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the egress que...

Page 943: ...d the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of queue 2 and one and a third times the bandwidth of queue 3 Switch config interface gigabitethernet2 0 1 Switch config if srr...

Page 944: ...t your QoS solution Beginning in privileged EXEC mode follow these steps to limit the bandwidth on an egress port This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS on a switch Step 3 interface interface id Specify the egress port and enter interface configuration mode Step 4 priority queue out Enable the egress expedite q...

Page 945: ...S class maps which define the match criteria to classify traffic show mls qos Display global QoS configuration information show mls qos aggregate policer aggregate policer name Display the aggregate policer configuration show mls qos input queue Display QoS settings for the ingress queues show mls qos interface interface id buffers policers queueing statistics Display QoS information at the port l...

Page 946: ...37 92 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 37 Configuring QoS Displaying Standard QoS Information ...

Page 947: ...ailed link to the remaining links in the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a Catalyst 3750 E or 3560 E standalone switch and to a Catalyst 3750 E switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Unde...

Page 948: ...witchport interface configuration command For more information see the Chapter 12 Configuring Interface Characteristics You can configure an EtherChannel in one of these modes Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP or On Configure both ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negoti...

Page 949: ... a link within an EtherChannel fails traffic previously carried over that failed link moves to the remaining links within the EtherChannel If traps are enabled on the switch a trap is sent for a failure that identifies the switch the EtherChannel and the failed link Inbound broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChann...

Page 950: ...ber can be the same as the port channel number or you can use a new number If you use a new number the channel group command dynamically creates a new port channel With Layer 3 ports you should manually create the logical interface by using the interface port channel global configuration command followed by the no switchport interface configuration command Then you manually assign an interface to ...

Page 951: ...sco switches and on those switches licensed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports You can use PAgP only in single switch EtherChannel configurations PAgP cannot be enabled on cross stack EtherChannels For more information see the EtherChannel Configuration Guidelines section on page 38 12 By using PAgP ...

Page 952: ...artner is a file server or a packet analyzer that is not generating traffic In this case running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational However the silent setting allows PAgP to operate to attach the port to a channel group and to use the port for transmission PAgP Interaction with Virtual Switches and Dual Active Detection A ...

Page 953: ...ble mode Link Aggregation Control Protocol The LACP is defined in IEEE 802 3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802 3ad protocol LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports By using LACP the switch or switch stack learns the identity of partners capable of supporting LACP ...

Page 954: ...hout negotiations The on mode can be useful if the remote device does not support PAgP or LACP In the on mode a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode Ports that are configured in the on mode in the same channel group must have compatible port characteristics such as speed and duplex Ports that are not compatible are suspended even ...

Page 955: ...ncoming packet Therefore to provide load balancing packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel But packets sent from different source IP addresses to the same destination IP address are always sent on the same port in the channel With source and destination IP address based forwarding when packets are forwarded ...

Page 956: ...ree detects this condition and acts accordingly Any PAgP or LACP configuration on a winning switch stack is not affected but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots With PAgP if the stack master fails or leaves the stack a new stack master is elected A spanning tree reconvergence is not triggered unless there is a change in the EtherChannel bandwid...

Page 957: ... more information see the EtherChannel Configuration Guidelines section on page 38 12 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to all the physical ports assigned to the port channel interface and configuration changes applied to the physical port affect only the port where you apply the configuration Default EtherChannel Configurati...

Page 958: ...ure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack Individual EtherChannel groups can run either PAgP or LACP but they cannot interoperate Do not configure a Switched Port Analyzer SPAN destination port as part of an EtherChannel Do not configure a secure port as part of an EtherChannel ...

Page 959: ...s by assigning ports to a channel group with the channel group interface configuration command This command automatically creates the port channel logical interface If you enabled PAgP on a port in the auto or desirable mode you must reconfigure it for either the on mode or the LACP mode before adding this port to a cross stack EtherChannel PAgP does not support cross stack EtherChannels Beginning...

Page 960: ...k on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is...

Page 961: ...nel It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range exit...

Page 962: ...gical interface and enter interface configuration mode For port channel number the range is 1 to 48 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config startup co...

Page 963: ...tches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not spec...

Page 964: ...tchport Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 38 8 Beginning in privileged EXEC mode follow these steps to configure E...

Page 965: ...up for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely ...

Page 966: ...r global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on ...

Page 967: ...he LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 38 21 and the Configuring the LACP Port Priority section on page 38 22 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system priority glob...

Page 968: ...ure is optional To return the LACP port priority to the default value use the no lacp port priority interface configuration command Displaying EtherChannel PAgP and LACP Status Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 lacp port priority priority Configure t...

Page 969: ...relationship known as teaming and the link is lost on the primary interface connectivity transparently changes to the secondary interface Figure 38 6 on page 38 24 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group An interface can be an aggregation of ports an EtherChannel...

Page 970: ... provides primary links to server 1 and server 2 through link state group 1 Port 1 is connected to server 1 and port 2 is connected to server 2 Port 1 and port 2 are the downstream interfaces in link state group 1 Port 5 and port 6 are connected to distribution switch 1 through link state group 1 Port 5 and port 6 are the upstream interfaces in link state group 1 141680 Network Layer 3 link Server...

Page 971: ...hese are the interactions between the downstream and upstream interfaces when link state tracking is enabled If any of the upstream interfaces are in the link up state the downstream interfaces can change to or remain in the link up state If all of the upstream interfaces become unavailable link state tracking automatically puts the downstream interfaces in the error disabled state Connectivity to...

Page 972: ... the interfaces Switch configure terminal Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state tracking For Catalyst 3560 E switches the group number can be 1 to 2 For Catalyst 3750 E switches the group number can be 1 to 10 The default is 1 Step 3 interface interface id Specify a physical interface...

Page 973: ...the show link state group command to display the link state group information Enter this command without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state g...

Page 974: ...38 28 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 38 Configuring EtherChannels and Link State Tracking Configuring Link State Tracking ...

Page 975: ...IP Phone Support page 39 1 Configuring TelePresence E911 IP Phone Support page 39 2 Understanding TelePresence E911 IP Phone Support You can use a Cisco IP phone as a user interface in a Cisco TelePresence System See in Figure 1 In this configuration the IP phone must always be on and available for emergency calls If the power to the codec in the Cisco TelePresence System fails is disrupted or if ...

Page 976: ...h the IP network If power to the codec fails is disrupted or if the codec fails the IP phone is still connected to the IP network and is available for emergency calls The switch forwards all CDP packets received on the ingress port to the egress port If multiple IP phones are connected to the codec through a single port on the switch only one phone communicates with it through the IP network This ...

Page 977: ...igabitEthernet2 0 2 egress GigabitEthernet2 0 13 Switch show cdp forward Ingress Egress packets packets Port Port forwarded dropped Gi2 0 1 Gi2 0 12 0 0 Gi2 0 2 Gi2 0 13 0 0 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config no cdp forward ingress gigabitethernet2 0 1 Switch config end Switch Mar 1 13 39 14 120 SYS 5 CONFIG_I Configured from console b...

Page 978: ...e Configuration Guide OL 9775 08 Chapter 39 Configuring TelePresence E911 IP Phone Support Configuring TelePresence E911 IP Phone Support Switch show cdp forward Ingress Egress packets packets Port Port forwarded dropped Gi2 0 2 Gi2 0 13 0 0 Switch ...

Page 979: ...able IP Version 6 IPv6 unicast routing and configure interfaces to forward IPv6 traffic in addition to IPv4 traffic For information about configuring IPv6 on the switch see Chapter 41 Configuring IPv6 Unicast Routing For more detailed IP unicast configuration information see the Cisco IOS IP Configuration Guide Release 12 2 For complete syntax and usage information for the commands used in this ch...

Page 980: ...ter to route traffic between the VLAN referred to as inter VLAN routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 40 1 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VLAN 20 The router has an interface in each VLAN Figure 40 1 Routing Topology Example When Host A in VLAN 10 needs to communicate with Host B in VLAN 10 it ...

Page 981: ...rces than distance vector protocols Distance vector protocols supported by the switch are Routing Information Protocol RIP which uses a single distance metric cost to determine the best path and Border Gateway Protocol BGP which adds a path vector mechanism The switch also supports the Open Shortest Path First OSPF link state protocol and Enhanced IGRP EIGRP which adds some link state routing feat...

Page 982: ...ports NSF capable routing for OSPF and EIGRP For more information see the OSPF NSF Capability section on page 40 28 and the EIGRP NSF Capability section on page 40 39 Upon election the new stack master performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and distributes it to stack members It uses its MAC address...

Page 983: ... See the Assigning IP Addresses to Network Interfaces section on page 40 7 Note A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU utilization because of ...

Page 984: ...onds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is configured UDP forwarding is enab...

Page 985: ... all ones subnet 131 108 255 0 and even though it is discouraged you can enable the use of subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter globa...

Page 986: ...elieve the pressure on the rapidly depleting Class B address space In Figure 40 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figu...

Page 987: ...or LAN and a network address which identifies the network to which the device belongs Note In a switch stack network communication uses a single MAC address and the IP address of the stack The local address or MAC address is known as a data link address because it is contained in the data link layer Layer 2 section of the packet header and is read by data link Layer 2 devices To communicate with a...

Page 988: ...RP server on the same network segment as the router interface Use the ip rarp server address interface configuration command to identify the server For more information on RARP see the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 You can perform these tasks to configure address resolution Define a Static ARP Cache page 40 10 Set ARP Encapsulation page 40 11 Enable Proxy AR...

Page 989: ...terface configuration mode and specify the interface to configure Step 5 arp timeout seconds Optional Set the length of time an ARP cache entry will stay in the cache The default is 14400 seconds 4 hours The range is 0 to 2147483 seconds Step 6 end Return to privileged EXEC mode Step 7 show interfaces interface id Verify the type of ARP and the timeout value used on all interfaces or a specific in...

Page 990: ...reply packet with its own Ethernet MAC address and the host that sent the request sends the packet to the switch which forwards it to the intended host Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 40 12 Proxy ARP works as long as othe...

Page 991: ...ve retransmissions The only required task for IRDP routing on an interface is to enable IRDP processing on that interface When enabled the default parameters apply You can optionally change any of these parameters Beginning in privileged EXEC mode follow these steps to enable and configure IRDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip defa...

Page 992: ...cause they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address Many implementations including the one in the switch support several addressing schemes for ...

Page 993: ...o physical broadcasts Use the no ip forward protocol global configuration command to remove a protocol or port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip directed broadcast access list number Enable directed broadcast to physical broadcast translation on ...

Page 994: ...Command Reference Volume 1 of 3 Addressing and Services Release 12 2 lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to act as a BOOTP forwarding agent BOOTP packets carry DHCP information Beginning in privileged EXEC mode follow these steps to en...

Page 995: ... must meet these criteria Note that these are the same conditions used to consider packet forwarding using IP helper addresses The packet must be a MAC level broadcast The packet must be an IP level broadcast The packet must be a TFTP DNS Time NetBIOS ND or BOOTP packet or a UDP specified by the ip forward protocol udp global configuration command The time to live TTL value of the packet must be a...

Page 996: ...Table 40 2 lists the commands for clearing contents You can display specific statistics such as the contents of IP routing tables caches and databases the reachability of nodes and the routing path that packets are taking through the network Table 40 3 lists the privileged EXEC commands for displaying IP statistics Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip...

Page 997: ...tatus of interfaces show ip irdp Display IRDP values show ip masks address Display the masks used for network addresses and the number of subnets using each mask show ip redirects Display the address of a default gateway show ip route address mask protocol Display the current state of the routing table show ip route summary Display the current state of the routing table in summary form Command Pur...

Page 998: ...r stack master to be running the IP services feature set Using RIP the switch sends routing information updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still no update after 240 seconds the router removes all routing table entries for the non updating router ...

Page 999: ...anslations IP RIP authentication key chain No authentication Authentication mode clear text IP RIP receive version According to the version router configuration command IP RIP send version According to the version router configuration command IP RIP triggered According to the version router configuration command IP split horizon Varies with media Neighbor None defined Network None specified Offset...

Page 1000: ...ault is 240 seconds Step 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and 2 but sends only Version 1 You can also use the interface commands ip rip send receive version 1 2 1 2 to control what versions are used for sending and receiving on interfaces Step 9 no auto summary Optional Disable autom...

Page 1001: ...cation use the no ip rip authentication mode interface configuration command To prevent authentication use the no ip rip authentication key chain interface configuration command Configuring Summary Addresses and Split Horizon Routers connected to broadcast type IP networks and using distance vector routing protocols normally use the split horizon mechanism to reduce the possibility of routing loop...

Page 1002: ... the ip address interface configuration command Note If split horizon is enabled neither autosummary nor interface summary addresses those configured with the ip summary address rip router configuration command are advertised Switch config router rip Switch config router interface gigabitethernet1 0 2 Switch config if ip address 10 1 5 1 255 255 255 0 Switch config if ip summary address rip 10 2 0...

Page 1003: ...bling split horizon unless you are certain that your application requires it to properly advertise routes Beginning in privileged EXEC mode follow these steps to disable split horizon on the interface To enable the split horizon mechanism use the ip split horizon interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id ...

Page 1004: ... any IP routing protocol can be redistributed into another IP routing protocol At the intradomain level this means that OSPF can import routes learned through EIGRP and RIP OSPF routes can also be exported into RIP Plain text and MD5 authentication among neighboring routers within an area is supported Configurable routing interface parameters include interface output cost retransmission interval i...

Page 1005: ...nd the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF database filter Disabled All outgoing link state advertisements LSAs are flooded to the interface IP OSPF name l...

Page 1006: ...ower traffic loss following a stack master change When a stack master change occurs in an OSPF NSF capable stack the new stack master must do two things to resynchronize its link state database with its OSFP neighbors Release the available OSPF neighbors on the network without resetting the neighbor relationship Reacquire the contents of the link state database for the network After a stack master...

Page 1007: ...aces configured for Hot Standby Router Protocol HSRP OSPF for Routed Access With Cisco IOS Release 12 2 55 SE the IP Base image supports OSPF for routed access The IP services image is required if you need multiple OSPFv2 and OSPFv3 instances without route restrictions Additionally the IP services image is required to enable the multi VRF CE feature OSPF for Routed Access is designed specifically ...

Page 1008: ...t across all routers in an attached network If you modify these parameters be sure all routers in the network have compatible values Note The ip ospf interface configuration commands are all optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Enable OSPF routing and enter router configuration mode The process ID is an internally used ide...

Page 1009: ... the number of seconds between hello packets sent on an OSPF interface The value must be the same for all nodes on a network The range is 1 to 65535 seconds The default is 10 seconds Step 8 ip ospf dead interval seconds Optional Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down The value must be the same for all nodes on a...

Page 1010: ...gure the ABR to advertise a summary route that covers all networks in the range Note The OSPF area router configuration commands are all optional Beginning in privileged EXEC mode follow these steps to configure area parameters Step 14 show ip ospf neighbor detail Display NSF awareness status of neighbor switch The output matches one of these examples Options is 0x52 LLS Options is 0x1 LR When bot...

Page 1011: ...F routing domain Domain Name Server DNS names for use in all OSPF show privileged EXEC command displays makes it easier to identify a router than displaying it by router ID or neighbor ID Default Metrics OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface The metric is calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is ...

Page 1012: ...guration mode Step 3 summary address address mask Optional Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised Step 4 area area id virtual link router id hello interval seconds retransmit interval seconds trans authentication key key message digest key keyid md5 key Optional Establish a virtual link and set its parameters See the Configuring ...

Page 1013: ... If a loopback interface is configured with an IP address OSPF uses this IP address as its router ID even if other interfaces have higher IP addresses Because loopback interfaces never fail this provides greater stability OSPF automatically prefers a loopback interface over other interfaces and it chooses the highest IP address among all loopback interfaces Beginning in privileged EXEC mode follow...

Page 1014: ...opology change to synchronize at the same time Routers that are not affected by topology changes are not involved in recomputations Step 4 end Return to privileged EXEC mode Step 5 show ip interface Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 40 6 Show IP OSPF Statistics Commands Command Purpose show ip os...

Page 1015: ...d not be For efficiency reliability is provided only when necessary For example on a multiaccess network that has multicast capabilities such as Ethernet it is not necessary to send hellos reliably to all neighbors individually Therefore EIGRP sends a single multicast hello with an indication in the packet informing the receivers that the packet need not be acknowledged Other types of packets such...

Page 1016: ...on Default metric Only connected routes and interface static routes can be redistributed without a default metric The metric includes Bandwidth 0 or greater kb s Delay tens of microseconds 0 or any positive number that is a multiple of 39 1 nanoseconds Reliability any number between 0 and 255 255 means 100 percent reliability Loading effective bandwidth as a number between 0 and 255 255 is 100 per...

Page 1017: ...val between the primary Route Processor RP in a router failing and the backup RP taking over or while the primary RP is manually reloaded for a nondisruptive software upgrade This feature cannot be disabled For more information on this feature see the EIGRP Nonstop Forwarding NSF Awareness section of the Cisco IOS IP Routing Protocols Configuration Guide Release 12 4 EIGRP NSF Capability The IP se...

Page 1018: ...ng information database RIB of convergence and floods its topology table to all NSF aware peers Note NSF is not supported on interfaces configured for Hot Standby Router Protocol HSRP Use the nsf EIGRP routing configuration command to enable EIGRP NSF routing Use the show ip protocols privileged EXEC command to verify that NSF is enabled on the device See the command reference for this release for...

Page 1019: ... end Return to privileged EXEC mode Step 11 show ip protocols Verify your entries Step 12 show ip protocols Verify your entries For NSF awareness the output shows IP Routing is NSF aware EIGRP NSF enabled Step 13 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 in...

Page 1020: ...l Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated Step 8 end Return to privileged EXEC mode Step 9 show ip eigrp interface Display which interfaces EIGRP is active on and information about EIGRP relating to those interfaces Step 10 copy running config startup config Optional Save your entries in the configuratio...

Page 1021: ...tch The switch responds to all queries for summaries connected routes and routing updates Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that peer The stub router depends on the distribution router to send the proper updates to all peers In Figure 40 4 switch B is configured as an EI...

Page 1022: ...de up of routers that operate under the same administration and that run Interior Gateway Protocols IGPs such as RIP or OSPF within their boundaries and that interconnect by using an Exterior Gateway Protocol EGP BGP Version 4 is the standard EGP for interdomain routing in the Internet The protocol is defined in RFCs 1163 1267 and 1771 You can find detailed information about BGP in Internet Routin...

Page 1023: ...CP as its transport protocol specifically port 179 Two BGP speakers that have a TCP connection to each other for exchanging routing information are known as peers or neighbors In Figure 40 5 Routers A and B are BGP peers as are Routers B and C and Routers C and D The routing information is a series of AS numbers that describe the full path to the destination network BGP uses this information to co...

Page 1024: ...within BGP and supports the advertising of IP prefixes These sections contain this configuration information Default BGP Configuration page 40 46 Enabling BGP Routing page 40 49 Managing Routing Policy Changes page 40 51 Configuring BGP Decision Attributes page 40 53 Configuring BGP Filtering with Route Maps page 40 55 Configuring BGP Filtering by Neighbor page 40 55 Configuring Prefix Lists for B...

Page 1025: ...ing Disabled by default When enabled Half life is 15 minutes Re use is 750 10 second increments Suppress is 2000 10 second increments Max suppress time is 4 times half life 60 minutes BGP router ID The IP address of a loopback interface if one is configured or the highest IP address configured for a physical interface on the router Default information originate protocol or network redistribution D...

Page 1026: ...op router as next hop for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attributes None sent to neighbors Shutdown or soft reconfiguration Not enabled Timers keepalive 60 seconds holdtime 180 ...

Page 1027: ... passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS will be passing traffic through it from another AS to a third AS it is important to be consistent about the routes it advertises If BGP advertised a route before all routers in the network had learned about the route through the IGP the AS might receive traffic that some routers could no...

Page 1028: ...connection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name remove private as Optional Remove private AS numbers from the AS path in outbound routing updates Step 7 no synchronization Optional Disable synchronization between BGP and an IGP Step 8 no auto summary Optional Disable automatic network summarization By default when a s...

Page 1029: ...r increments A table version number that continually increments means that a route is flapping causing continual routing updates For exterior protocols a reference to an IP network from the network router configuration command controls only which networks are advertised This is in contrast to Interior Gateway Protocols IGPs such as EIGRP which also use the network command to specify where to send ...

Page 1030: ... IP and FIB tables provided by the neighbor are lost Not recommended Outbound soft reset No configuration no storing of routing table updates Does not reset inbound routing table updates Dynamic inbound soft reset Does not clear the BGP session and cache Does not require storing of routing table updates and has no memory overhead Both BGP routers must support the route refresh capability in Cisco ...

Page 1031: ... routing updates By default the weight attribute is 32768 for paths that the router originates and zero for other paths Routes with the largest weight are preferred You can use access lists route maps or the neighbor weight router configuration command to set weights 3 Prefer the route with the highest local preference Local preference is part of the routing update and exchanged among routers in t...

Page 1032: ...nge is 1 to 4294967295 The lowest value is the most desirable Step 7 bgp bestpath med missing as worst Optional Configure the switch to consider a missing MED as having a value of infinity making the path without a MED value the least desirable path Step 8 bgp always compare med Optional Configure the switch to compare MEDs for paths from neighbors in different autonomous systems By default MED co...

Page 1033: ...nd Processing in Routing Updates section on page 40 102 for information about the distribute list command You can use route maps on a per neighbor basis to filter updates and to modify various attributes A route map can be applied to either inbound or outbound updates Only the routes that pass the route map are sent or accepted in updates On both inbound and outbound updates matching is supported ...

Page 1034: ... Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enable a BGP routing process assign it an AS number and enter router configuration mode Step 3 neighbor ip address peer group name distribute list access list number name in out Optional Filter BGP routing updates to or from neighbors as specified in an access list Note You can also use the neigh...

Page 1035: ...need to specify a sequence number when removing a configuration entry Show commands include the sequence numbers in their output Before using a prefix list in a command you must set up the prefix list Beginning in privileged EXEC mode follow these steps to create a prefix list or to add an entry to a prefix list To delete a prefix list and all of its entries use the no ip prefix list list name glo...

Page 1036: ...ccept prefer or distribute to other neighbors A BGP speaker can set append or modify the community of a route when learning advertising or redistributing routes When routes are aggregated the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes You can use community lists to create groups of communities to use in a match clause of a route map As...

Page 1037: ...g all the configuration information by using the neighbor shutdown router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 5 set comm list list num delete Optional Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map Step 6 exit Return to globa...

Page 1038: ...The default is 75 percent Step 14 neighbor ip address peer group name next hop self Optional Disable next hop processing on the BGP updates to a neighbor Step 15 neighbor ip address peer group name password string Optional Set MD5 authentication on a TCP connection to a BGP peer The same password must be configured on both BGP peers or the connection between them is not made Step 16 neighbor ip ad...

Page 1039: ...ommand Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS and the atomic aggregate attribute is set to indicate that information might be missing Step 4...

Page 1040: ... to all internal neighbors To prevent a routing information loop all IBPG speakers must be connected The internal neighbors do not send routes learned from internal neighbors to other internal neighbors With route reflectors all IBGP speakers need not be fully meshed because another method is used to pass learned routes to neighbors When you configure an internal BGP peer to be a route reflector i...

Page 1041: ...y available then unavailable then available then unavailable and so on When route dampening is enabled a numeric penalty value is assigned to a route when it flaps When a route s accumulated penalties reach a configurable limit BGP suppresses advertisements of the route even if the route is running The reuse limit is a configurable value that is compared with the penalty If the penalty is less tha...

Page 1042: ...Protocols Release 12 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 bgp dampening Enable BGP route dampening Step 4 bgp dampening half life reuse suppress max suppress route map map Optional Change the default values of route dampening factors Step 5 end Return to privileged EXEC mode Step 6...

Page 1043: ...s not in peer groups to which the prefix has been advertised Also display prefix attributes such as the next hop and the local prefix show ip bgp cidr only Display all BGP routes that contain subnet and supernet network masks show ip bgp community community number exact Display routes that belong to the specified communities show ip bgp community list community list number exact match Display rout...

Page 1044: ...nce of the IS IS routing process Small IS IS networks are built as a single area that includes all the routers in the network As the network grows larger it is usually reorganized into a backbone area made up of the connected set of all Level 2 routers from all areas which is in turn connected to local areas Within a local area routers know how to reach all system IDs Between areas routers know ho...

Page 1045: ... 5000 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before t he LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF Awareness1 1 NSF Nonstop Forwarding Enabled2 Allows Layer 3 switches to continue forwarding packets from a neighboring NSF capable router during hardware or software changes 2 IS IS NSF ...

Page 1046: ...routing on the switch Step 3 router isis area tag Enable the IS IS routing for the specified routing process and enter IS IS routing configuration mode Optional Use the area tag argument to identify the area to which the IS IS router is assigned You must enter a value if you are configuring multiple IS IS areas The first IS IS instance configured is Level 1 2 by default Later instances are automat...

Page 1047: ...01 0000 0000 000b 00 Switch config router exit Switch config interface gigabitethernet1 0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet1 0 2 Switch config if ip router isis Switch config if clns router isis Switch config router exit Router C Switch config clns routing Switch config router isis Switch config router net 49 0001 0000 0000 ...

Page 1048: ...twork has a maximum transmission unit MTU size of less than 1500 bytes you can lower the LSP MTU so that routing will still occur The partition avoidance router configuration command prevents an area from becoming partitioned when full connectivity is lost among a Level1 2 border router adjacent Level 1 routers and end hosts Beginning in privileged EXEC mode follow these steps to configure IS IS p...

Page 1049: ...he default is to send LSP refreshes every 900 seconds 15 minutes Step 11 max lsp lifetime seconds Optional Set the maximum time that LSP packets remain in the router database without being refreshed The range is from 1 to 65535 seconds The default is 1200 seconds 20 minutes After the specified time interval the LSP packet is deleted Step 12 lsp gen interval level 1 level 2 lsp max wait lsp initial...

Page 1050: ...her hello packet before declaring the neighbor down This determines how quickly a failed link or neighbor is detected so that routes can be recalculated Change the hello multiplier in circumstances where hello packets are lost Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum interval in s...

Page 1051: ...ose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode If the interface is not already configured as a Layer 3 interface enter the no switchport command to put it into Layer 3 mode Step 3 isis metric default metric level 1 level 2 Optional Configure the metric or cost for the specifie...

Page 1052: ...umber of milliseconds between packets at which IS IS LSPs will be re sent on point to point links The range is from 0 to 65535 The default is determined by the isis lsp interval command Step 9 isis priority value level 1 level 2 Optional Configure the priority to use for designated router election The range is from 0 to 127 The default is 64 Step 10 isis circuit type level 1 level 1 2 level 2 only...

Page 1053: ... clear clns route Remove dynamically derived CLNS routing information show clns Display information about the CLNS network show clns cache Display the entries in the CLNS routing cache show clns es neighbors Display ES neighbor entries including the associated areas show clns filter expr Display filter expressions show clns filter set Display filter sets show clns interface interface id Display th...

Page 1054: ...e devices Customer edge CE devices provide customers access to the service provider network over a data link to one or more provider edge routers The CE device advertises the site s local routes to the router and learns the remote VPN routes from it A Catalyst 3750 E or 3560 E switch can be a CE Provider edge PE routers exchange routing information with CE devices by using static routing or a rout...

Page 1055: ...ch are used to distinguish the VRFs during processing For each new VPN route learned the Layer 3 setup function retrieves the policy label by using the VLAN ID of the ingress port and inserts the policy label and new route to the multi VRF CE routing section If the packet is received from a routed port the port internal VLAN ID number is used if the packet is received from an SVI the VLAN number i...

Page 1056: ... services or advanced IP services feature set enabled on your switch A switch with multi VRF CE is shared by multiple customers and each customer has its own routing table Because customers use different VRF tables the same IP addresses can be reused Overlapped IP addresses are allowed in different VPNs Multi VRF CE lets multiple customers share the same physical link between the PE and the CE Tru...

Page 1057: ... enabled on an interface and the reverse Configuring VRFs Beginning in privileged EXEC mode follow these steps to configure one or more VRFs For complete syntax and usage information for the commands see the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 i...

Page 1058: ...pports VRF aware services have the following characteristics The user can ping a host in a user specified VRF ARP entries are learned in separate VRFs The user can display Address Resolution Protocol ARP entries for specific VRFs These services are VRF Aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Unicast Reverse Path Forwarding uRPF Syslog Traceroute FTP ...

Page 1059: ...ease 12 2 Command Purpose ping vrf vrf name ip host Display the ARP table in the specified VRF Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server trap authentication vrf Enable SNMP traps for packets on a VRF Step 3 snmp server engineID remote host vrf vpn instance engine id string Configure a name for the remote SNMP engine on a switch Step 4 snmp server ...

Page 1060: ...e information for the commands refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 2 Step 6 standby 1 ip ip address Enable HSRP and configure the virtual IP address Step 7 end Return to privileged EXEC mode Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Ente...

Page 1061: ...ticular interface even if no VRF is configured on that interface To specify the source IP address for FTP connections use the ip ftp source interface show mode command To use the address of the interface where the connection is made use the no form of this command To specify the IP address of an interface as the source address for TFTP connections use the ip tftp source interface show mode command...

Page 1062: ...ode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and an arbitrary number A B C D y Step 5 route target export import both route target ext community Create a list of import export or import and export route target communities for the specified VRF Enter either an AS system number and an...

Page 1063: ...efine a network address and mask on which OSPF runs and the area ID for that network address Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp au...

Page 1064: ...6000 or Catalyst 6500 switch acting as a PE router Figure 40 7 Multi VRF CE Configuration Example Configuring Switch A On Switch A enable routing and configure VRF Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config ip vrf v11 Switch config vrf rd 800 1 Switch config vrf route target export 800 1 Switch config vrf route target ...

Page 1065: ...itchport mode trunk Switch config if no ip address Switch config if exit Configure the VLANs used on Switch A VLAN 10 is used by VRF 11 between the CE and the PE VLAN 20 is used by VRF 12 between the CE and the PE VLANs 118 and 208 are used for the VPNs that include Switch F and Switch D respectively Switch config interface vlan10 Switch config if ip vrf forwarding v11 Switch config if ip address ...

Page 1066: ...e per line End with CNTL Z Switch config ip routing Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 208 0 0 20 255 255 255 0 Switch config if exit Switch config router ospf 101 Switch config router network 208 0 0 0 0 0 0 255 area 0 Switch config router end Configuring Switch F Switch F belongs to VPN 2 Configure the connection to Switch A by...

Page 1067: ...fig interface gigabitethernet1 1 0 20 Router config if encapsulation dot1q 20 Router config if ip vrf forwarding v2 Router config if ip address 83 0 0 3 255 255 255 0 Router config if exit Router config router bgp 100 Router config router address family ipv4 vrf v2 Router config router af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af net...

Page 1068: ... Other Security Features chapter in the Cisco IOS Security Configuration Guide Release 12 2 Configuring Protocol Independent Features This section describes how to configure IP routing protocol independent features These features are available on switches running the IP base or the IP services feature set except that with the IP base feature set protocol related features are available only for RIP...

Page 1069: ...or dCEF forwarding applies only to the software forwarding path that is traffic that is forwarded by the CPU CEF or distributed CEF is enabled globally by default If for some reason it is disabled you can re enable it by using the ip cef or ip cef distributed global configuration command The default configuration is CEF or dCEF enabled on all Layer 3 interfaces Entering the no ip route cache cef i...

Page 1070: ...to change the maximum number of parallel paths installed in a routing table from the default Use the no maximum paths router configuration command to restore the default value Step 7 show cef linecard detail or show cef linecard slot number detail Display CEF related interface information on a Catalyst 3560 E switch or Display CEF related interface information on a Catalyst 3750 E switch by stack ...

Page 1071: ...oute higher than that of the dynamic protocol Static routes that point to an interface are advertised through RIP IGRP and other dynamic routing protocols whether or not static redistribute router configuration commands were specified for those routing protocols These static routes are advertised because static routes that point to an interface are considered in the routing table to be connected a...

Page 1072: ...ine a static route to a network as the static default route Use the no ip default network network number global configuration command to remove the route When default information is passed through a dynamic routing protocol no further configuration is required The system periodically scans its routing table to choose the optimal default network as its default route In IGRP networks there might be ...

Page 1073: ...el You can use the BGP route map continue clause to execute additional entries in a route map after an entry is executed with successful match and set clauses You can use the continue clause to configure and organize more modular policy definitions so that specific policy configurations need not be repeated within the same route map Beginning in Cisco IOS Release 12 2 37 SE the switch supports the...

Page 1074: ...number type number Match the specified next hop route out one of the specified interfaces Step 10 match ip route source access list number access list name access list number access list name Match the address specified by the specified advertised access lists Step 11 match route type local internal external type 1 type 2 Match the specified route type local Locally generated BGP routes internal O...

Page 1075: ...he OSPF external metric type for redistributed routes Step 20 set metric type internal Set the multi exit discriminator MED value on prefixes advertised to external BGP neighbor to match the IGP metric of the next hop Step 21 set weight Set the BGP weight for the routing table The value can be from 1 to 65535 Step 22 end Return to privileged EXEC mode Step 23 show route map Display all route maps ...

Page 1076: ...ersus batch traffic or routing based on dedicated links For example you could transfer stock records to a corporate office on a high bandwidth high cost link for a short time while transmitting routine application data such as e mail over a low bandwidth low cost link With PBR you classify traffic using access control lists ACLs and then make traffic go through a different path PBR is applied to i...

Page 1077: ...f an EtherChannel You can define a maximum of 246 IP policy route maps on the switch or switch stack You can define a maximum of 512 access control entries ACEs for PBR on the switch or switch stack When configuring match criteria in a route map follow these guidelines Do not match ACLs that permit packets destined for a local address PBR would forward these packets which could cause ping or Telne...

Page 1078: ...are subject to PBR PBR can be fast switched or implemented at speeds that do not slow down the switch Fast switched PBR supports most match and set commands PBR must be enabled before you enable fast switched PBR Fast switched PBR is disabled by default Packets that are generated by the switch or local packets are not normally policy routed When you globally enable local PBR on the switch all pack...

Page 1079: ...et the next hop must be adjacent Step 5 exit Return to global configuration mode Step 6 interface interface id Enter interface configuration mode and specify the interface to configure Step 7 ip policy route map map tag Enable PBR on a Layer 3 interface and identify the route map to use You can configure only one route map on an interface However you can have multiple route map entries with differ...

Page 1080: ...ation command The default keyword sets all interfaces as passive by default You can then configure individual interfaces where you want adjacencies by using the no passive interface router configuration command The default keyword is useful in Internet service provider and large enterprise networks where many of the distribution routers have more than 200 interfaces Controlling Advertising and Pro...

Page 1081: ...ements there are no general guidelines for assigning administrative distances Beginning in privileged EXEC mode follow these steps to filter sources of routing information Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp rip eigrp Enter router configuration mode Step 3 distribute list access list number access list name out interface name routing process ...

Page 1082: ...uring key changes Note that the router must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys Step 5 show ip protocols Display the default administrative distance for a specified routing process Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure termina...

Page 1083: ...ion key information Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 40 17 Commands to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route addres...

Page 1084: ...40 106 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 40 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 1085: ...e switch to use the a dual IPv4 and IPv6 switch database management SDM template See the Dual IPv4 and IPv6 Protocol Stacks section on page 41 5 Unless otherwise noted the term switch refers to a Catalyst 3750 E or 3560 E standalone switch and to a Catalyst 3750 E switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation refer...

Page 1086: ...Switch Stacks page 41 9 IPv6 Addresses The switch supports only IPv6 unicast addresses It does not support site local unicast addresses anycast addresses or multicast addresses The IPv6 128 bit addresses are represented as a series of eight 16 bit hexadecimal fields separated by colons in the format n n n n n n n n This is an example of an IPv6 address 2031 0000 130F 0000 0000 09C0 080F 130B For e...

Page 1087: ...runk ports for static routes Routing Information Protocol RIP for IPv6 and Open Shortest Path First OSPF Version 3 Protocol It supports up to 16 equal cost routes and can simultaneously forward IPv4 and IPv6 frames at line rate 128 Bit Wide Unicast Addresses The switch supports aggregatable global unicast addresses and link local unicast addresses It does not support site local unicast addresses A...

Page 1088: ...unctions In IPv6 ICMP packets are also used in the neighbor discovery protocol and path MTU discovery Neighbor Discovery The switch supports NDP for IPv6 a protocol running on top of ICMPv6 and static neighbor entries for IPv6 stations that do not support NDP The IPv6 neighbor discovery process uses ICMP messages and solicited node multicast addresses to determine the link layer address of a neigh...

Page 1089: ... router solicitations to request router advertisements for configuring interfaces For more information about autoconfiguration and duplicate address detection see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com IPv6 Applications The switch has IPv6 support for these applications Ping traceroute Telnet TFTP and FTP Secure Shell SS...

Page 1090: ...out IPv4 and IPv6 protocol stacks see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com DHCP for IPv6 Address Assignment DHCPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 clients The address assignment feature manages non duplicate address assignment in the correct prefix based on t...

Page 1091: ...r ID is derived from a local IPv4 address so any IPv4 node always has an available router ID However EIGRP IPv6 might be running in a network with only IPv6 nodes and therefore might not have an available IPv4 router ID For more information about EIGRP for IPv6 see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com HSRP for IPv6 The switch running the ...

Page 1092: ... chapter in the Cisco IOS IPv6 Configuration Library on Cisco com HTTP S Over IPv6 The HTTP client sends requests to both IPv4 and IPv6 HTTP servers which respond to requests from both IPv4 and IPv6 HTTP clients URLs with literal IPv6 addresses must be specified in hexadecimal using 16 bit values between colons The accept socket call chooses an IPv4 or IPv6 address family The accept socket is eith...

Page 1093: ... are not forwarded The switch routes IPv6 to IPv4 and IPv4 to IPv6 packets in hardware but the switch cannot be an IPv6 to IPv4 or IPv4 to IPv6 tunnel endpoint Bridged IPv6 packets with hop by hop extension headers are forwarded in software In IPv4 these packets are routed in software but bridged in hardware In addition to the normal SPAN and RSPAN limitations defined in the software configuration...

Page 1094: ...5 Managing Switch Stacks These are the functions of IPv6 stack master and members Stack master runs IPv6 routing protocols generates routing tables distributes CEFv6 routing tables to stack members that use dCEFv6 runs IPv6 host functionality and IPv6 applications Stack member must be running the IP services feature set receives CEFv6 routing tables from the stack master programs the routes into h...

Page 1095: ...e address comprise the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address on an interface automatically configures a link local address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node mul...

Page 1096: ...rface configuration mode and specify the Layer 3 interface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel Step 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enable Specify a global ...

Page 1097: ...group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router adver...

Page 1098: ...nable IPv6 routing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable routing on the switch Step 3 ipv6 unicast routing Enable forwarding of IPv6 data packets on the switch Step 4 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 5 no switchport Remove the interface from Layer 2 configuratio...

Page 1099: ...ig if ipv6 address 2001 0DB8 c18 1 64 eui 64 Switch config if end Configuring DHCP for IPv6 Address Assignment Default DHCPv6 Address Assignment Configuration page 41 15 DHCPv6 Address Assignment Configuration Guidelines page 41 15 Enabling DHCPv6 Server Function page 41 16 Enabling DHCPv6 Client Function page 41 18 Default DHCPv6 Address Assignment Configuration By default no DHCPv6 features are ...

Page 1100: ...e range is 5 to 4294967295 seconds Specify infinite for no time interval Step 4 link address IPv6 prefix Optional Specify a link address IPv6 prefix When an address on the incoming interface or a link address in the packet matches the specified IPv6 prefix the server uses the configuration information pool This address must be in hexadecimal using 16 bit values between colons Step 5 vendor specifi...

Page 1101: ...s 2001 2000 0 48 Switch config dhcpv6 address prefix 2001 1003 0 64 Switch config dhcpv6 end Step 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable DHCPv6 server function on an interface poolname Optional User defined name for the IPv6 DHCP pool The pool name can be a symbolic string such as Engineering or an integer such as 0 automatic Optional Enables the sys...

Page 1102: ...ommand This example shows how to acquire an IPv6 address and to enable the rapid commit option Switch config interface gigabitethernet2 0 1 Switch config if ipv6 address dhcp rapid commit This document describes only the DHCPv6 address assignment For more information about configuring the DHCPv6 client server or relay agent functions see the Implementing DHCP for IPv6 chapter in the Cisco IOS IPv6...

Page 1103: ...lt but automatically enabled when you configure IPv6 routing To route IPv6 unicast packets you must first globally configure forwarding of IPv6 unicast packets by using the ipv6 unicast routing global configuration command and you must configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command To disable IPv6 CEF or distributed CEF use t...

Page 1104: ...precede the decimal value ipv6 address The IPv6 address of the next hop that can be used to reach the specified network The IPv6 address of the next hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be in the form documented in RFC 2373 specified in hexadecimal using 16 bit values between colons interface id Specify di...

Page 1105: ...ce id recursive detail or show ipv6 route static updated Verify your entries by displaying the contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be used with or...

Page 1106: ... the defaults might adversely affect OSPF for the IPv6 network Before you enable IPv6 OSPF on an interface you must enable routing by using the ip routing global configuration command enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command and enable IPv6 on Layer 3 interfaces on which you are enabling IPv6 OSPF Step 7 ipv6 rip name default information ...

Page 1107: ...tional Set the address range status to advertise and generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the shortest pat...

Page 1108: ...d interfaces to make them active EIGRP IPv6 does not need to be configured on a passive interface For more configuration procedures see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Configuring HSRP for IPv6 Hot Standby Router Protocol HSRP for IPv6 provides routing redundancy for routing IPv6 traffic not dependent on the availability of any singl...

Page 1109: ...tep 5 show standby Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP for IPv6 Step 3 standby group number ipv6 link local addr...

Page 1110: ...empt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional delay Set to cause the local router to postpone taking over the active role for the shown number of seconds The range is 0 to 3600 1 hour The default is 0 no delay before taking over Optional re...

Page 1111: ... IPv6 static routes show ipv6 traffic Display IPv6 traffic statistics Table 41 3 Commands for Displaying EIGRP IPv6 Information Command Purpose show ipv6 eigrp as number interface Displays information about interfaces configured for EIGRP IPv6 show ipv6 eigrp as number neighbor Displays the neighbors discovered by EIGRP IPv6 show ipv6 eigrp as number traffic Displays the number of EIGRP IPv6 packe...

Page 1112: ...0 Global unicast address es 3FFE C000 0 1 20B 46FF FE2F D940 subnet is 3FFE C000 0 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retran...

Page 1113: ...y Router Protocol Version 2 feature module at http www cisco com en US docs ios 12_3t 12_3t4 feature guide gthsrpv2 html This chapter consists of these sections Understanding HSRP page 42 1 Configuring HSRP page 42 5 Displaying HSRP Configurations page 42 13 Understanding HSRP HSRP is Cisco s standard method of providing high network availability by providing first hop redundancy for IP hosts on a...

Page 1114: ...d standby routers When HSRP is configured on an interface Internet Control Message Protocol ICMP redirect messages are automatically enabled for the interface You can configure multiple Hot Standby groups among switches and switch stacks that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an in...

Page 1115: ... they are mutually exclusive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send hello packets HSRPv2 and CGMP leave processing are no longer mutually exclusive and both can be enabled ...

Page 1116: ...n for Routers A and B establishes two HSRP groups For group 1 Router A is the default active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two routers share the IP traffic load When either router becom...

Page 1117: ...page 42 6 Enabling HSRP page 42 6 Configuring HSRP Priority page 42 8 Configuring MHSRP page 42 10 Configuring HSRP Authentication and Timers page 42 10 Enabling HSRP Support for ICMP Redirect Messages page 42 12 Configuring HSRP Groups and Clustering page 42 12 Troubleshooting HSRP for Mixed Stacks of Catalyst 3750 X 3750 E and 3750 Switches page 42 12 Default HSRP Configuration Table 42 1 Defaul...

Page 1118: ...ches HSRP for IPv4 and HSRP for IPv6 are mutually exclusive You cannot enable both at the same time HSRP groups can be configured up to 32 instances Configure only one instance of a First Hop Redundancy Protocol FHRP The switches support HSRPv1 HSRPv2 and HSRP for IPv6 When configuring group numbers for HSRPv2 and HSRP you must use group numbers in ranges that are multiples of 256 Valid ranges are...

Page 1119: ...n on the interface 1 Select HSRPv1 2 Select HSRPv2 If you do not enter this command or do not specify a keyword the interface runs the default HSRP version HSRP v1 Step 4 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP is being enabled The range is 0 to 255 th...

Page 1120: ...y priority of the configured device For each interface configured for hot standby you can configure a separate list of interfaces to be tracked The standby track interface priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down When the interface comes back up the priority is incremented by the same amount When multiple t...

Page 1121: ...ge is 0 to 36000 seconds 1 hour the default is 0 no delay before taking over Optional delay reload Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown The range is 0 to 36000 seconds 1 hour the default is 0 no delay before taking over after a reload Optional delay sync Set to cause the local router to postpone taking over the active ...

Page 1122: ...ority 110 Switch config if standby 1 preempt Switch config if standby 2 ip 10 0 0 4 Switch config if standby 2 preempt Switch config if end Router B Configuration Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if no switchport Switch config if ip address 10 0 0 2 255 255 255 0 Switch config if standby 1 ip 10 0 0 3 Switch config if standby 1 preempt Switch con...

Page 1123: ...switchport Switch config if standby 1 ip Switch config if standby 1 timers 5 15 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to set authentication Step 3 standby group number authentication string Optional authentication string Enter a st...

Page 1124: ...d routing redundancy If you create a cluster with the same HSRP standby group name without entering the routing redundancy keyword HSRP standby routing is disabled for the group This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy The command can only be executed on the cluster command swit...

Page 1125: ...by command without qualifiers can result in an unwieldy display This is a an example of output from the show standby privileged EXEC command displaying HSRP information for two standby groups group 1 and group 100 Switch show standby VLAN1 Group 1 Local state is Standby priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 182 Hot standby IP address is 172 20 128 3 configure...

Page 1126: ...42 14 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 42 Configuring HSRP Displaying HSRP Configurations ...

Page 1127: ...nfiguration Guide Release 12 4T at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html For command syntax information see the command reference at this URL http www cisco com en US docs ios ipsla command reference sla_book html This chapter consists of these sections Understanding Cisco IOS IP SLAs page 43 1 Configuring IP SLAs Operations page 43 6 Monito...

Page 1128: ...an find more details about network management products that use Cisco IOS IP SLAs at this URL http www cisco com go ipsla Using IP SLAs can provide these benefits Service level agreement monitoring measurement and verification Network performance monitoring Measures the jitter latency or packet loss in the network Provides continuous reliable and predictable measurements IP service network health ...

Page 1129: ...LAs responder if required 2 Configure the required IP SLAs operation type 3 Configure any options available for the specified operation type 4 Configure threshold conditions if required 5 Schedule the operation to run then let the operation run for a period of time to gather statistics 6 Display and interpret the results of the operation using the Cisco IOS CLI or a network management system NMS s...

Page 1130: ...ponder is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices Response Time Computation for IP SLAs Switches and routers can take tens of milliseconds to process incoming packets due to other hig...

Page 1131: ...P The pending state is also used when an operation is a reaction threshold operation waiting to be triggered You can schedule a single IP SLAs operation or a group of operations at one time You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON MIB Scheduling the operations to run at evenly distributed times allows you to control the amo...

Page 1132: ...or details about configuring other operations see he Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html This section includes this information Default Configuration page 43 6 Configuration Guidelines page 43 6 Configuring the IP SLAs Responder page 43 7 Analyzing IP Service Levels by Using the UDP Jitter Operation...

Page 1133: ...orm http Type of Operation to Perform jitter Type of Operation to Perform pathEcho Type of Operation to Perform pathJitter Type of Operation to Perform tcpConnect Type of Operation to Perform udpEcho IP SLAs low memory water mark 21741224 Configuring the IP SLAs Responder The IP SLAs responder is available only on Cisco IOS software based devices including some Layer 2 switches that do not support...

Page 1134: ... operations measure this data Per direction jitter source to destination and destination to source Per direction packet loss Per direction delay one way delay Round trip delay average round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurring in the ...

Page 1135: ...e from 1 to 65535 Optional source ip ip address hostname Specify the source IP address or hostname When a source IP address or hostname is not specified IP SLAs chooses the IP address nearest to the destination Optional source port port number Specify the source port number in the range from 1 to 65535 When a port number is not specified IP SLAs chooses an available port Optional control Enable or...

Page 1136: ...Configure the scheduling parameters for an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter ...

Page 1137: ... The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing and the two methods result in the same response times Note This operation does not require the IP SLAs responder to be enabled Beginning in privileged EXEC mode follow these steps to configure an ICMP echo operation on the source device Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 1138: ...vidual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notation and ...

Page 1139: ...s including all defaults for all IP SLAs operations or a specific operation show ip sla enhanced history collection statistics distribution statistics entry number Display enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Display IP SLAs automatic Ethernet c...

Page 1140: ...43 14 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 43 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations ...

Page 1141: ...3560 E standalone switch and to a Catalyst 3750 E switch stack For additional information about Enhanced Object Tracking see the Enhanced Object Tracking feature guide located under Cisco IOS Software Release 12 2T Feature Guides The chapter includes these sections Understanding Enhanced Object Tracking page 44 1 Configuring Enhanced Object Tracking Features page 44 2 Monitoring Enhanced Object Tr...

Page 1142: ...are not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface and enter tracking...

Page 1143: ...her AND or OR operators When you measure the tracked list state by a weight threshold you assign a weight number to each object in the tracked list The state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a pe...

Page 1144: ...t Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up if all objects are up or down if one or more objects are down...

Page 1145: ...wo small bandwidth connections and object 3 represents one large bandwidth connection The configured down 10 value means that once the tracked object is up it will not go down until the threshold value is equal to or lower than 10 which in this example means that all connections are down Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list thresh...

Page 1146: ...rcentage up 51 down 10 Switch config track exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold percentage Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on...

Page 1147: ...p threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 44 4 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 44 5 For threshold percentage see the Configuring a T...

Page 1148: ...ic to measure network performance Cisco IP SLAs operations collects real time metrics that you can use for network troubleshooting design and analysis For more information about Cisco IP SLAs on the switch see Chapter 43 Configuring Cisco IOS IP SLAs Operations For IP SLAs command information see the Cisco IOS IP SLAs Command Reference Release 12 4T Object tracking of IP SLAs operations allows cli...

Page 1149: ...global configuration mode Step 2 track object number rtr operation number state Enter tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 2147483647 Step 3 delay up seconds down seconds up seconds down seconds Optional Specify a period of time in seconds to delay communicating state changes of a tra...

Page 1150: ...tor the state of the connection to the primary gateway For more information about Cisco IP SLAs support on the switch see Chapter 43 Configuring Cisco IOS IP SLAs Operations For more information about static route object tracking see this URL http www cisco com en US docs ios 12_3 12_3x 12_3xe feature guide dbackupx html You use this process to configure static route object tracking Step 1 Configu...

Page 1151: ...co IP SLAs operation and enter IP SLA configuration mode Step 3 icmp echo destination ip address destination hostname source ipaddr ip address hostname source interface interface id Configure a Cisco IP SLAs end to end ICMP echo response time operation and enter IP SLAs ICMP echo configuration mode Step 4 timeout milliseconds Set the amount of time for which the operation waits for a response from...

Page 1152: ...y routing on packets You can enter multiple numbers or names Step 5 set ip next hop dynamic dhcp For DHCP networks only Set the next hop to the gateway that was most recently learned by the DHCP client Step 6 set interface interface id For static routing networks only Indicate where to send output packets that pass a match clause of a route map for policy routing Step 7 exit Exit route map configu...

Page 1153: ...ter 44 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking show track resolution Display the resolution of tracked parameters show track timers Display tracked polling interval timers Table 44 1 Commands for Displaying Tracking Information continued Command Purpose ...

Page 1154: ...44 14 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 44 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...

Page 1155: ...from servers Application engines accelerate content delivery and ensure maximum scalability and availability of content In a service provider network you can deploy the WCCP and application engine solution at the points of presence POPs In an enterprise network you can deploy the WCCP and application engine solution at the regional site and the small branch office To use this feature the switch or...

Page 1156: ...information the application engine forwards it to the requesting client and also caches it to fulfill future requests With WCCP the application engine cluster a series of application engines can service multiple routers or switches as shown Figure 45 1 Figure 45 1 Cisco Cache Engine and WCCP Network Configuration WCCP Message Exchange This sequence of events describes the WCCP message exchange 1 T...

Page 1157: ...present The application engine does not intercept the reconnection attempt In this way the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow If the return method is generic route encapsulation GRE the switch receives the returned packet through a GRE tunnel that is configured in the application engine The switch CPU uses Cisco Ex...

Page 1158: ...r all routers in the service group for example 225 0 0 0 If you add and remove routers dynamically using a single multicast address provides easier configuration because you do not need to specifically enter the addresses of all devices in the WCCP network You can use a router group list to validate the protocol packets received from the application engine Packets matching the address in the group...

Page 1159: ...to configure WCCP on your switch Default WCCP Configuration page 45 5 WCCP Configuration Guidelines page 45 5 Enabling the Cache Service page 45 6 required Default WCCP Configuration WCCP Configuration Guidelines Before configuring WCCP on your switch make sure to follow these configuration guidelines The application engines and switches in the same service group must be in the same subnetwork dir...

Page 1160: ...the stack member switches should be larger than the client MTU size The MAC layer MTU size configured on ports connected to application engines should take into account the GRE tunnel header bytes You cannot configure WCCP and VPN routing forwarding VRF on the same switch interface You cannot configure WCCP and PBR on the same switch interface You cannot configure WCCP and a private VLAN PVLAN on ...

Page 1161: ... the connection between the switch and the application engine By default no password is configured and no authentication is performed You must configure the same password on each application engine When authentication is enabled the switch discards messages that are not authenticated Step 3 interface interface id Specify the interface connected to the application engine or the server and enter int...

Page 1162: ...1 1 Switch config interface gigabitethernet1 0 1 Switch config if no switchport Switch config if ip address 172 20 10 30 255 255 255 0 Switch config if no shutdown Switch config if ip wccp web cache group listen Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if no shutdown Switch...

Page 1163: ...terminal Switch config ip wccp web cache 80 group list 15 Switch config access list 15 permit host 171 69 198 102 Switch config access list 15 permit host 171 69 198 104 Switch config access list 15 permit host 171 69 198 106 Switch config vlan 299 Switch config vlan exit Switch config interface vlan 299 Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if exit Switch config int...

Page 1164: ...aintaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all application engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interface for examp...

Page 1165: ... of a group receive the message To use this feature the switch or stack master must be running the IP services feature set To use the PIM stub routing feature the switch or stack master can be running the IP base image Unless otherwise noted the term switch refers to a Catalyst 3750 E or 3560 E standalone switch and to a Catalyst 3750 E switch stack Note For complete syntax and usage information f...

Page 1166: ...co routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP Figure 46 1 shows where these protocols operate within the IP multicast environment Figure 46 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the IP addre...

Page 1167: ...ses which are class D addresses The high order bits of a Class D address are 1110 Therefore host group addresses can be in the range 224 0 0 0 through 239 255 255 255 Multicast addresses in the range 224 0 0 0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent using the...

Page 1168: ... discovery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group to RP mappings Sparse mode and dense mode are properties of a group as opposed to an interface We strongly recommend sparse dense mode as opposed to either sparse mode or dense mode only PIM join and prune messages have more flexible encoding for multiple address families A more flexib...

Page 1169: ...s to be torn down when they are no longer needed When the number of PIM enabled interfaces exceeds the hardware capacity and PIM SM is enabled with the SPT threshold is set to infinity the switch does not create S G entries in the multicast routing table for the some directly connected interfaces if they are not already in the table The switch might not correctly forward traffic from these interfa...

Page 1170: ...guration allows the directly connected hosts to receive traffic from multicast source 200 1 1 3 See the Configuring PIM Stub Routing section on page 46 22 for more information Figure 46 2 PIM Stub Router Configuration IGMP Helper PIM stub routing moves routed traffic closer to the end user and reduces network traffic You can also reduce traffic by configuring a stub router switch with the IGMP hel...

Page 1171: ...her method to distribute group to RP mapping information to all PIM routers and multilayer switches in the network It eliminates the need to manually configure RP information in every router and switch in the network However instead of using IP multicast to distribute group to RP mapping information BSR uses hop by hop flooding of special BSR messages to distribute the mapping information The BSR ...

Page 1172: ...rived on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces in the outgoing interface list which might not be all interfaces on the router 3 If the RPF check fails the packet is discarded Some multicast routing protocols such as DVMRP maintain a sep...

Page 1173: ...ng information to make the packet forwarding decision The software does not implement the complete DVMRP However it supports dynamic discovery of DVMRP routers and can interoperate with them over traditional media such as Ethernet and FDDI or over DVMRP specific tunnels DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messages The ro...

Page 1174: ...by devices and are ready to take over if there is a stack master failure If the stack master fails all stack members delete their multicast routing tables The newly elected stack master starts building the routing tables and distributes them to the stack members Note If a stack master running the IP services feature set fails and if the newly elected stack master is running the IP base feature set...

Page 1175: ...PIM domain PIMv1 together with the Auto RP feature can perform the same tasks as the PIMv2 BSR However Auto RP is a standalone protocol separate from PIMv1 and is a proprietary Cisco protocol PIMv2 is a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and B...

Page 1176: ... prevents these messages from reaching all routers and multilayer switches in your network Therefore if your network has a PIMv1 device in it and only Cisco routers and multilayer switches it is best to use Auto RP If you have a network that includes non Cisco routers configure the Auto RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch Ensure that no PIMv1 device is on the ...

Page 1177: ...interface on which you want to enable multicast routing and enter interface configuration mode The specified interface must be one of the following A routed port a physical port that has been configured as a Layer 3 port by entering the no switchport interface configuration command An SVI a VLAN interface created by using the interface vlan vlan id global configuration command These interfaces mus...

Page 1178: ...SSM is the routing protocol that supports the implementation of SSM and is derived from PIM sparse mode PIM SM Internet Group Management Protocol version 3 IGMPv3 To run SSM with IGMPv3 SSM must be supported in the Cisco IOS router the host where the application is running and the application itself How SSM Differs from Internet Standard Multicast The current IP multicast infrastructure in the Int...

Page 1179: ...o suppress MSDP signalling registering or PIM SM shared tree operations from occurring within the SSM range Use the ip pim ssm global configuration command to configure the SSM range and to enable SSM This configuration has the following effects For groups within the SSM range S G channel subscriptions are accepted through IGMPv3 include mode membership reports PIM operations within the SSM range ...

Page 1180: ...nce for re use of a single address within the SSM range between different applications For example an application service providing a set of television channels should even with SSM use a different group for each television S G channel This setup guarantees that multiple receivers to different channels within the same application service never experience traffic aliasing in networks that include L...

Page 1181: ...on guidelines Before you configure SSM mapping enable IP multicast routing enable PIM sparse mode and configure SSM For information on enabling IP multicast routing and PIM sparse mode see the Default Multicast Routing Configuration section on page 46 11 Before you configure static SSM mapping you must configure access control lists ACLs that define the group ranges to be mapped to source addresse...

Page 1182: ...ated with the multicast group When SSM mapping is configured if a router receives an IGMPv1 or IGMPv2 membership report for a particular group the router translates this report into one or more channel memberships for the well known sources associated with this group When the router receives an IGMPv1 or IGMPv2 membership report for a group the router uses SSM mapping to determine one or more sour...

Page 1183: ...de switchover mechanism One video source is active and the other backup video source is passive The passive source waits until an active source failure is detected before sending the video traffic for the TV channel Thus the server side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel To look up one or more source addresses for a group ...

Page 1184: ...e configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM mapping Step 4 ip igmp ssm map static access list source address Configure stat...

Page 1185: ...server address1 server address2 server address6 Specify the address of one or more name servers to use for name and address resolution Step 6 Repeat Step 5 to configure additional DNS servers for redundancy if required Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries Step 9 copy running config startup config Optional Save your entries in the configuration fi...

Page 1186: ...owed in the Layer 2 access domains The PIM protocol is not supported in access domains The redundant PIM stub router topology is not supported Enabling PIM Stub Routing Beginning in privileged EXEC mode follow these steps to enable PIM stub routing on an interface This procedure is optional Table 46 3 SSM Mapping Monitoring Commands Command Purpose show ip igmp ssm mapping Display information abou...

Page 1187: ...rt Switch config if ip address 10 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if end To verify that PIM stub is enabled for each interface use the show ip pim interface privileged EXEC command Switch show ip pim interface Address Interface Ver Nbr Query DR DR Mode Count Intvl Prior 3 1 1 2 GigabitEthernet3 0 25 v2 SD 1 30 1 3 1 1 2 100 1 1 1 Vlan100 v2 P 0 30 1 100 1 1 1 10 1...

Page 1188: ...members You can configure a single RP for multiple groups defined by an access list If there is no RP configured for a group the multilayer switch treats the group as dense and uses the dense mode PIM techniques Beginning in privileged EXEC mode follow these steps to manually configure the address of the RP This procedure is optional Command Purpose Step 1 configure terminal Enter global configura...

Page 1189: ...ure an RP as described in the Manually Assigning an RP to Multicast Groups section on page 46 24 If routed interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command Auto RP can still be used e...

Page 1190: ...up Adding Auto RP to an Existing Sparse Mode Cloud This section contains some suggestions for the initial deployment of Auto RP into an existing sparse mode cloud to minimize disruption of the existing multicast infrastructure Beginning in privileged EXEC mode follow these steps to deploy Auto RP in an existing sparse mode cloud This procedure is optional Command Purpose Step 1 show running config...

Page 1191: ...ate a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the multicast group address range for which the RP should be used Optional For source wildcard enter the wildc...

Page 1192: ...hese two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim accept rp command accepting the RP must be configured as follows Switch config ip pim accept rp 172 10 20 1 1 Switch config access list 1 permit 224 0 1 39 Switch config access list 1 permit 224 0 1 40 Filtering Incoming RP Announce...

Page 1193: ... 16 2 1 if the announcements are for any groups in the 239 0 0 0 through 239 255 255 255 range This range is the administratively scoped address range Configuring PIMv2 BSR Defining the PIM Domain Border page 46 30 optional Defining the IP Multicast Boundary page 46 31 optional Configuring Candidate BSRs page 46 31 optional Step 3 access list access list number deny permit source source wildcard C...

Page 1194: ...hese steps to define the PIM domain border This procedure is optional To remove the PIM border use the no ip pim bsr border interface configuration command Figure 46 5 Constraining PIMv2 BSR Messages Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip pim bsr ...

Page 1195: ...g as candidate BSRs should have good connectivity to other devices and be in the backbone portion of the network Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies ...

Page 1196: ...y Auto RP is used any device can be configured as an RP In a network that includes only Cisco PIMv2 routers and multilayer switches and with routers from other vendors any device can be used as an RP In a network of Cisco PIMv1 routers Cisco PIMv2 routers and routers from other vendors configure only Cisco PIMv2 routers and multilayer switches as RPs Command Purpose Step 1 configure terminal Enter...

Page 1197: ...switch be both the Auto RP mapping agent and the BSR Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels...

Page 1198: ...from selecting a different RP from those PIMv1 DRs due to the longest match lookup in the RP mapping database Beginning in privileged EXEC mode follow these steps to verify the consistency of group to RP mappings This procedure is optional Command Purpose Step 1 show ip pim rp group name group address mapping On any Cisco device display the available RP mappings Optional For group name specify the...

Page 1199: ...1 Verify RP mapping with the show ip pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features Understand...

Page 1200: ...ource At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The R...

Page 1201: ...ll groups Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard ac...

Page 1202: ...ese steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Configuring Optional IGMP Features Default IGMP Configuration page 46 39 Configuring the Switch as a Member of a Group page 46 39 optional Controlling Access to IP Multicast Groups page 46 40 optional Changing the...

Page 1203: ...icast group pinging that group causes all these devices to respond The devices respond to ICMP echo request packets addressed to a group of which they are members Another example is the multicast trace route tools provided in the software Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address Table 46 4 Default IGMP Co...

Page 1204: ...llow these steps to filter multicast groups allowed on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are ...

Page 1205: ...ptional Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For source wildca...

Page 1206: ...register and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query interval interface configuration command Changing the IGMP Query Timeout for IGMPv2 If you are using IGMPv2 you can specify the period of time before the switch takes over as t...

Page 1207: ...to the default setting use the no ip igmp query max response time interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp querier timeout seconds Specify the IGMP query timeout The default is 60 seconds twice the query interval...

Page 1208: ...ure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration command Configuring Optional Multicast Routing Features These sections describe how to configure optional multicast routing features Features for Layer 2 connecti...

Page 1209: ... Step 2 interface interface id Specify the interface that is connected to the Layer 2 Catalyst switch and enter interface configuration mode Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy keyword ...

Page 1210: ...on the time the session is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default the switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps ...

Page 1211: ...t boundaries and TTL thresholds control the scoping of multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 46 7 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239 0 0 0 8 on all ...

Page 1212: ...Company XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The perm...

Page 1213: ...s on attached networks by listening to DVMR probe messages When a DVMRP neighbor has been discovered the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain By default directly connected subnets and networks are advertised The device forwards multicast packets that have been forwarded by DVMRP routers and in turn forwards multicast packet...

Page 1214: ...e packet is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Specify the interface connected to the MBONE and enabled for multicast routing and enter ...

Page 1215: ... 0 0 255 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strategy enables...

Page 1216: ...estination ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure the PIM mod...

Page 1217: ...f interface gigabitethernet1 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted Version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the DVMRP nei...

Page 1218: ...im 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders It is also possible to propagate DVMRP routes into and through a PIM cloud PIM uses this information howe...

Page 1219: ...ters and multilayer switches However if there is a DVMRP capable multicast router the Cisco device can do PIM DVMRP multicast routing Beginning in privileged EXEC mode follow these steps to enable DVMRP unicast routing This procedure is optional To disable this feature use the no ip dvmrp unicast routing interface configuration command Rejecting a DVMRP Nonpruning Neighbor By default Cisco devices...

Page 1220: ...ure the switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 46 9 In this case when the switch receives DVMRP probe or report message without the prune capable flag set the switch logs a syslog message and discards the message 101244 Router A Route...

Page 1221: ...dure is optional To disable this function use the no ip dvmrp reject non pruners interface configuration command 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Layer 3 switch Command Purpose Step 1 configure terminal Enter global con...

Page 1222: ...EXEC mode follow these steps to change the DVMRP route limit This procedure is optional To configure no route limit use the no ip dvmrp route limit global configuration command Changing the DVMRP Route Threshold By default 10 000 DVMRP routes can be received per interface within a 1 minute interval When that rate is exceeded a syslog message is issued warning that there might be a route surge occu...

Page 1223: ... tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on these two Ethernet se...

Page 1224: ...MRP Report 159888 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered gigabitethernet1 0 1 interface gigabitethernet1 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface gigabitethernet1 0 2 ip addr 176 32 15 1 255 255 255 0 ip pim dense mode Network Intf Metric Dist 176 13 10 0 24 Gi0 1 10514432 90 176 32 15 0 24 Gi0 2 10512012 90 176 32 20 0 24 Gi...

Page 1225: ... better paths to individual subnets inside the PIM cloud If you configure the ip dvmrp summary address interface configuration command and did not configure no ip dvmrp auto summary you get both custom and autosummaries Beginning in privileged EXEC mode follow these steps to disable DVMRP autosummarization This procedure is optional Command Purpose Step 1 configure terminal Enter global configurat...

Page 1226: ...ommand Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip dvmrp metric offset in out increment Change...

Page 1227: ...display information about node reachability and discover the routing path that packets of your device are taking through the network You can use any of the privileged EXEC commands in Table 46 6 to display various routing statistics Table 46 5 Commands for Clearing Caches Tables and Databases Command Purpose clear ip cgmp Clear all group entries the Catalyst switches have cached clear ip dvmrp rou...

Page 1228: ...w ip pim neighbor type number List the PIM neighbors discovered by the switch This command is available in all software images show ip pim rp group name group address Display the RP routers associated with a sparse mode multicast group This command is available in all software images show ip rpf source address name Display how the switch is doing Reverse Path Forwarding that is from the unicast ro...

Page 1229: ...switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding MSDP page 47 1 Configuring MSDP page 47 3 Monitoring and Maintaining MSDP page 47 19 Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezv...

Page 1230: ... all MSDP peers The SA message identifies the source the group the source is sending to and the address of the RP or the originator ID the IP address of the interface used as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which ...

Page 1231: ...ases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required saving memory Configuring MSDP Default MSDP Configuration page 47 4 Configuring a Default MSDP Peer page 47 4 required Caching Source Active State page 47 6 opti...

Page 1232: ...ges from that peer Figure 47 2 shows a network in which default MSDP peers might be used In Figure 47 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning Router A and the other owning Router C They are not running BGP or MBGP between them To learn about sources in the ISP s domain or in other domains Switch B at the customer site ident...

Page 1233: ...ssages For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the prefix l...

Page 1234: ... after a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network length Optio...

Page 1235: ...cached For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are mat...

Page 1236: ...icast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast source infor...

Page 1237: ...ure which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised and to wh...

Page 1238: ...cess if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore For destination ...

Page 1239: ...request 171 69 2 2 list 1 Switch config access list 1 permit 192 4 22 0 0 0 0 255 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for gro...

Page 1240: ...privileged EXEC mode follow these steps to apply a filter This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the specified pe...

Page 1241: ...s necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wildcard enter the wildcard bits in dotted decimal notation to...

Page 1242: ...A messages that its MSDP RPF peers send to it However you can control the source information that you receive from MSDP peers by filtering incoming SA messages In other words you can configure the switch to not accept them You can perform one of these actions Filter all incoming SA messages from an MSDP peer Specify an IP extended access list to pass certain source group pairs Filter based on matc...

Page 1243: ...ose SA messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For a...

Page 1244: ... address name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it and later bring it up When a peer is shut down the TCP connection is terminated and is not restarted You can also shut down an MSDP session without losing configuration information f...

Page 1245: ...s This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config Ver...

Page 1246: ...de sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA me...

Page 1247: ...us system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts T...

Page 1248: ...47 20 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Chapter 47 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 1249: ...ks page 48 3 Fallback Bridging Overview With fallback bridging the switch bridges together two or more VLANs or routed ports essentially connecting multiple VLANs within one bridge domain Fallback bridging forwards traffic that the switch does not route and forwards traffic belonging to a nonroutable protocol such as DECnet A VLAN bridge domain is represented with switch virtual interfaces SVIs A ...

Page 1250: ...ge group only when the address is learned on a VLAN the reverse is not true Any address that is learned on a stack member is learned by all switches in the stack To participate in the spanning tree algorithm by receiving and in some cases sending BPDUs on the LANs to which they are attached A separate spanning tree process runs for each configured bridge group Each bridge group participates in a s...

Page 1251: ...stacks merge or if a switch is added to the stack any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP When a stack member fails the addresses learned from this member are deleted from the bridge group MAC address table For more information about switch stacks see Chapter 5 Managing Switch Stacks Configuring Fallback Bridging Default Fallback Bridging...

Page 1252: ... on the same switch if the ports are in different VLANs Beginning in privileged EXEC mode follow these steps to create a bridge group and to assign an interface to it This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to r...

Page 1253: ...bridge group 10 Switch config if exit Adjusting Spanning Tree Parameters You might need to adjust certain spanning tree parameters if the default values are not suitable You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command You configure interface specific parameters by using variations of the bridge group interface configuration...

Page 1254: ... with the lowest interface value is elected Beginning in privileged EXEC mode follow these steps to change the interface priority This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group priority number Change the VLAN bridge spanning tree priority of the switch For bridge group specify the bridge group number The range is 1 to...

Page 1255: ...0 1 Switch config if bridge group 10 path cost 20 Adjusting BPDU Intervals Adjusting the Interval between Hello BPDUs page 48 8 optional Changing the Forward Delay Interval page 48 8 optional Changing the Maximum Idle Interval page 48 9 optional Step 5 show running config Verify your entry Step 6 copy running config startup config Optional Save your entry in the configuration file Command Purpose ...

Page 1256: ... activated for switching and before forwarding actually begins Beginning in privileged EXEC mode follow these steps to change the forward delay interval This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group hello time seconds Specify the interval between hello BPDUs For bridge group specify the bridge group number The range ...

Page 1257: ...ated in one switching subnetwork from impacting devices in the other switching subnetwork yet still permit switching throughout the network as a whole For example when switched LAN subnetworks are separated by a WAN BPDUs can be prevented from traveling across the WAN link Beginning in privileged EXEC mode follow these steps to disable spanning tree on a port This procedure is optional Command Pur...

Page 1258: ... by using the session stack member number global configuration command Enter the show bridge bridge group interface id mac address verbose privileged EXEC command at the stack member prompt For information about the fields in these displays see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 12 2 Step 5 show running config Verify your entry Step 6 copy running con...

Page 1259: ...lete syntax and usage information for the commands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 Recovering from a Software Failure page 49 2 Recovering from a Lost or Forgotten Password page 49 3 Preventing Switch Stack Problems page 49 8 Recovering from a Command Switch Failure page 49 9 Recovering from Lost Cluster Member Connecti...

Page 1260: ...in file from the tar file If you are using Windows use a zip program that can read a tar file Use the zip program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate the bin file and extract it by using the tar xvf image_filename tar im...

Page 1261: ...ten Password The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power on and by entering a new password These recovery procedures require that you have physical access to the switch Note On these switches a system administrator can disable some of the functionality of this feature by...

Page 1262: ... green then release the Mode button Several lines of information about the software appear with instructions informing you if the password recovery procedure has been disabled or not If you see a message that begins with this The system has been interrupted prior to initializing the flash file system The following commands will initialize the flash file system proceed to the Procedure with Passwor...

Page 1263: ... text old This file contains the password definition switch rename flash config text flash config text old Step 6 Boot up the system switch boot You are prompted to start the setup program Enter N at the prompt Continue with the configuration dialog yes no N Step 7 At the switch prompt enter privileged EXEC mode Switch enable Step 8 Rename the configuration file to its original name Switch rename ...

Page 1264: ... mode enter the no shutdown command Step 14 Reload the switch or switch stack Switch reload Procedure with Password Recovery Disabled If the password recovery mechanism is disabled this message appears The password recovery mechanism has been triggered but is currently disabled Access to the boot loader prompt through the password recovery mechanism is disallowed at this point However if you agree...

Page 1265: ...global configuration mode Switch configure terminal Step 7 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 8 Return to privileged EXEC mode Switch config exit Switch Note Before continuing to Step 9 power on any connected stack members...

Page 1266: ...le that you might not be able to identify the session from which you entered a command Manually assigning stack member numbers according to the placement of the switches in the stack can make it easier to remotely troubleshoot the switch stack However you need to remember that the switches have manually assigned numbers if you add remove or rearrange switches later Use the switch current stack mem...

Page 1267: ... capable making a note of the command switch password and cabling your cluster to provide redundant connectivity between the member switches and the replacement command switch These sections describe two solutions for replacing a failed command switch Replacing a Failed Command Switch with a Cluster Member page 49 9 Replacing a Failed Command Switch with Another Switch page 49 11 These recovery pr...

Page 1268: ...ary depending on the member switch that you selected to be the command switch Continue with configuration dialog yes no y or Configuring global parameters If this prompt does not appear enter enable and press Return Enter setup and press Return to start the setup program Step 11 Respond to the questions in the setup program When prompted for the hostname recall that on a command switch the hostnam...

Page 1269: ... Using the Ethernet Management Port section on page 12 18 and the hardware configuration guide Step 3 At the switch prompt enter privileged EXEC mode Switch enable Switch Step 4 Enter the password of the failed command switch Step 5 Use the setup program to configure the new switch IP information This program prompts you for IP address information and passwords From privileged EXEC mode enter setu...

Page 1270: ...at Step 9 Step 13 Start your browser and enter the IP address of the new command switch Step 14 From the Cluster menu select Add to Cluster to display a list of candidate switches to add to the cluster Recovering from Lost Cluster Member Connectivity Some configurations can prevent the command switch from maintaining contact with member switches If you are unable to maintain management contact wit...

Page 1271: ... the duplex settings on the two ports to match The speed parameter can adjust itself even if the connected port does not autonegotiate Troubleshooting Power over Ethernet Switch Ports Disabled Port Caused by Power Loss page 49 13 Disabled Port Caused by False Link Up page 49 14 Disabled Port Caused by Power Loss If a powered device such as a Cisco IP Phone 7910 that is connected to a PoE switch po...

Page 1272: ...ough the error message text refers to GBIC interfaces and modules the security messages actually refer to the SFP modules and module interfaces For more information about error messages see the system message guide for this release If you are using a non Cisco SFP module remove the SFP module from the switch and replace it with a Cisco module After inserting a Cisco SFP module use the errdisable r...

Page 1273: ...s for a reply Ping returns one of these responses Normal response The normal response hostname is alive occurs in 1 to 10 seconds depending on network traffic Destination does not respond If the host does not respond a no answer message is returned Unknown host If the host does not exist an unknown host message is returned Destination unreachable If the default gateway cannot reach the specified n...

Page 1274: ...ceroute The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device Layer 2 traceroute supports only unicast source and destination MAC addresses It finds the path by using the MAC address tables of the switches in the path When the switch detects a device in the path that does not support Layer 2 traceroute the sw...

Page 1275: ...o multiple VLANs you must specify the VLAN to which both the source and destination MAC addresses belong If the VLAN is not specified the path is not identified and an error message appears The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the switch uses the Address Resolut...

Page 1276: ...lue of 1 or 0 it drops the datagram and sends an Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute finds the address of the first hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the data...

Page 1277: ...e in progress enter the escape sequence Ctrl X by default Simultaneously press and release the Ctrl Shift and 6 keys and then press the X key Using TDR Understanding TDR page 49 19 Running TDR and Displaying the Results page 49 20 Understanding TDR You can use the Time Domain Reflector TDR feature to diagnose and resolve cabling problems When running TDR a local device sends a signal through a cab...

Page 1278: ...r cable or is in series with a solid core cable The link is a 10 Megabit or a 100 Megabit link The cable is a stranded cable The link partner is a Cisco IP Phone The link partner is not IEEE 802 3 compliant Running TDR and Displaying the Results When you run TDR on an interface you can run it on the stack master or a stack member To run TDR enter the test cable diagnostics tdr interface interface ...

Page 1279: ...e the show running config command to check its configuration Even if the switch is properly configured it might not generate the type of traffic you want to monitor during the particular period that debugging is enabled Depending on the feature you are debugging you can use commands such as the TCP IP ping command to generate network traffic To disable debugging of SPAN enter this command in privi...

Page 1280: ...sage logging see Chapter 32 Configuring System Message Logging Using the show platform forward Command The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system Depending upon the parameters entered about the packet the output provides lookup table results and port map...

Page 1281: ...ped due to failed DEJA_VU Check on Gi1 0 2 This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port It should be forwarded from the port on which the address was learned Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 0009 43a8 0145 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number...

Page 1282: ...ting table It should be forwarded as specified in the routing table Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 03 e319 ee44 ip 110 1 5 5 16 1 10 5 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_10010A05_0A010505 00_41000014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_00001400_10010A05 010F0...

Page 1283: ...an display the most recent basic crashinfo file that is the file with the highest sequence number at the end of its filename by entering the show stacks or the show tech support privileged EXEC command You also can access the file by using any command that can copy or display files such as the more or the copy privileged EXEC command Extended crashinfo Files The switch creates the extended crashin...

Page 1284: ... NTP When the switch is running you can retrieve the OBFL data by using the show logging onboard privileged EXEC commands If the switch fails contact your Cisco technical support representative to find out how to retrieve the data When an OBFL enabled switch is restarted there is a 10 minute delay before logging of new data begins Configuring OBFL To enable OBFL use the hw module module switch num...

Page 1285: ...wn and this error message appears Multiple fan FRU PS failure detected System may get overheated Change fan quickly The switch might overheat and shut down Table 49 3 Commands for Displaying OBFL Information Command Purpose show logging onboard module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show logging onboard mod...

Page 1286: ... too busy and shows how to verify a CPU utilization problem Table 49 4 lists the primary types of CPU utilization problems that you can identify It gives possible causes and corrective action with links to the Troubleshooting High CPU Utilization document on Cisco com Possible Symptoms of High CPU Utilization Note that excessive CPU utilization might result in these symptoms but the symptoms could...

Page 1287: ... time running Cisco IOS processes and time spent handling interrupts The time spent handling interrupts is zero percent For complete information about CPU utilization and how to troubleshoot utilization problems see the Troubleshooting High CPU Utilization document on Cisco com Table 49 4 Troubleshooting CPU Utilization Problems Type of Problem Cause Corrective Action Interrupt percentage value is...

Page 1288: ...t is good Connect a known good non PoE Ethernet device to the Ethernet cable and make sure that the powered device establishes a link and exchanges traffic with another host Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters Disconnect the Ethernet cable from the switch port Use a short Ethernet cable to connect a known good Ethernet de...

Page 1289: ...e the existing distribution cables Enter the shut and no shut interface configuration commands and verify that an Ethernet link is established If this connection is good use a short patch cord to connect a powered device to this port and verify that it powers on If the device powers on verify that all intermediate patch panels are correctly connected Disconnect all but one of the Ethernet cables f...

Page 1290: ... correctly If a non PoE device has link problems or a high error rate the problem might be an unreliable cable connection between the switch port and the powered device For more information see Cisco Phone Disconnects or Resets on Cisco com Non Cisco powered device does not work on Cisco PoE switch A non Cisco powered device is connected to a Cisco PoE switch but never powers on or powers on and t...

Page 1291: ...witch see Configuration Mismatch StackWise port frequently or rapidly changing up down states flapping Error messages report stack link problems Possible traffic disruption Unreliable StackWise cable connection or interface see StackWise Port Flapping Switch member port not coming up Enter the show switch detail privileged EXEC command Unreliable StackWise cable connection or interface see StackWi...

Page 1292: ...ems off Verify port numbering see Stack Master Election and Port Number Assignment Enter the show switch privileged EXEC command Interpret state messages see Joining a Stack Typical Sequence States and Rules Stack members need to be upgraded Stack members running different major or minor versions of the Cisco IOS software Defective StackWise switch interface or cable see Quick and Easy Catalyst 37...

Page 1293: ...onnected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet ports and so forth Solder joints Online diagnostics are categorized as on demand scheduled or health monitoring diagnostics On demand d...

Page 1294: ...iagnostic schedule switch 6 test 1 4 7 weekly saturday 10 30 For more examples see the Examples section of the diagnostic schedule command in the command reference for this release Command Purpose diagnostic schedule switch number test name test id test id range all basic non disruptive daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagnostic tests for a specific day ...

Page 1295: ...ame test id test id range all hh mm ss milliseconds day Configure the health monitoring interval of the specified tests The switch number keyword is supported only on Catalyst 3750 E switches The range is from 1 to 9 When specifying the tests use one of these parameters name Name of the test that appears in the show diagnostic content command output test id ID number of the test that appears in th...

Page 1296: ...s from 1 to 9 When specifying the tests use one of these parameters name Name of the test that appears in the show diagnostic content command output test id ID number of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All of the diagnostic tests The range for the failure threshol...

Page 1297: ...e tests you cannot stop the testing process This example shows how to start a diagnostic test by using the test name Switch diagnostic start switch 2 test TestInlinePwrCtlr This example shows how to start all of the basic diagnostic tests Switch diagnostic start switch 1 test all Command Purpose diagnostic start switch number test name test id test id range all basic non disruptive Start the diagn...

Page 1298: ... 50 1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic content switch number all 1 1 The switch number all parameter is supported only on Catalyst 3750 E switches Display the online diagnostics configured for a switch show diagnostic status Display the currently running diagnostic tests show diagnostic result switch number all 1 detail test name test id test i...

Page 1299: ...s using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN n use this community string in the SNMP message configured community string n CISCO ADMISSION POLICY MIB CISCO AUTHMEWORK MIB CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CLUSTER MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO DHCP SNOOPING MIB CISCO ...

Page 1300: ...ails are shown CISCO NAC NAD MIB CISCO PAE MIB CISCO PAGP MIB CISCO PING MIB CISCO PORT QOS MIB the cportQosStats Table returns the values from the octets and packet counters depending on switch configuration CISCO PORT STORM CONTROL MIB CISCO PRIVATE VLAN MIB CISCO POWER ETHERNET EXT MIB CISCO PROCESS MIB Only stack master details are shown CISCO PRODUCTS MIB CISCO RTTMON MIB CISCO SLB MIB Only w...

Page 1301: ...pable switches some objects reflect only the stack master OLD CISCO CPU MIB OLD CISCO FLASH MIB Supports only the stack master in a switch stack Use CISCO FLASH_MIB OLD CISCO INTERFACES MIB OLD CISCO IP MIB OLD CISCO SYS MIB OLD CISCO TCP MIB OLD CISCO TS MIB PIM MIB RFC1213 MIB Functionality is as per the agent capabilities specified in the CISCO RFC1213 CAPABILITY my RFC1253 MIB OSPF MIB RMON MI...

Page 1302: ...edure Step 1 Make sure that your FTP client is in passive mode Note Some FTP clients do not support passive mode Step 2 Use FTP to access the server ftp cisco com Step 3 Log in with the username anonymous Step 4 Enter your e mail username when prompted for the password Step 5 At the ftp prompt change directories to pub mibs v1 and pub mibs v2 Step 6 Use the get MIB_filename command to obtain a cop...

Page 1303: ... single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is the device attached to the same switch on which the file system is being viewed In a switch stack e...

Page 1304: ...976 5135872 flash rw flash opaque rw bs opaque rw vb 524288 520138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem This example shows a switch stack In this example the stack master is stack member 2 therefore flash2 is aliased to flash The file system on stack member 5 is displayed as flash5 on the stack master Switch show file systems File Systems...

Page 1305: ...onfiguration file to flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM devic...

Page 1306: ... Beginning in privileged EXEC mode follow these steps to change directories and to display the working directory Table B 2 Commands for Displaying Information About Files Command Description dir all filesystem filename Display a list of files on a file system show file systems Display more information about each of the files on a file system show file information file url Display information about...

Page 1307: ...be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the co...

Page 1308: ... at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit the filesystem option the switch uses the default device specified by the cd command For file url you specify the path directory and the name of the file to be deleted When you attempt to d...

Page 1309: ...ilename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of files or directories within the source directory to add to the new file If none are specified all files and directories at this level are written to the newly created file Step 2 archive table source ur...

Page 1310: ...iversal mz 122 35 SE2 html directory c3750e universal mz 122 35 SE2 html const htm 556 bytes c3750e universal mz 122 35 SE2 html xhome htm 9373 bytes c3750e universal mz 122 35 SE2 html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new configs Step 3 archiv...

Page 1311: ...rform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load the same configuration commands...

Page 1312: ...ation files on the switch as if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular comma...

Page 1313: ...h by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 11 Downloading the Configuration File By Using TFTP page B 12 Uploading the Configuration File By Usi...

Page 1314: ... TFTP server follow these steps Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation Step 2 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B 11 Step 3 Log into the switch through the console port the Ethernet management port or a Telnet session Step 4 Downlo...

Page 1315: ...3750 E switches The file is uploaded to the TFTP server This example shows how to upload a configuration file from a switch to a TFTP server Switch copy system running config tftp 172 16 2 155 tokyo confg Write file tokyo confg on host 172 16 2 155 confirm y Writing tokyo confg OK Copying Configuration Files By Using FTP You can copy configuration files to or from an FTP server The FTP protocol re...

Page 1316: ...f you do not have a router to route traffic between subnets Check connectivity to the FTP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current FTP username is the one that you want to use for the FTP download You can enter the show users privileged EXEC command to view the valid user...

Page 1317: ...rver with an IP address of 172 16 101 101 to the switch startup configuration Switch configure terminal Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Conn...

Page 1318: ...p ftp password mypass Switch config end Switch copy nvram startup config ftp Remote host 172 16 101 101 Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 14 Step 2 ...

Page 1319: ...ame as the remote username The switch hostname For a successful RCP copy request you must define an account on the network server for the remote username If the server has a directory structure the configuration file is written to or copied from the directory associated with the remote username on the server For example if the configuration file is in the home directory of a user on the server spe...

Page 1320: ...irectory on the remote server with an IP address of 172 16 101 101 and load and run those commands on the switch Switch copy rcp netadmin1 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by rcp from 172 16 101 101 Command Purpos...

Page 1321: ...d a configuration file by using RCP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config rcp netadmin1 172 16 101 101 switch2 confg Write file switch confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Switch Comman...

Page 1322: ... the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Deleting a Stored Configuration File To delete a saved configuration from flash memory use the delete flash filename privileged EXEC command Depending on the setting of the file prompt global configuration command you might be prompted for confirmation before you de...

Page 1323: ...he configuration files saved in the configuration archive The Cisco IOS configuration archive in which the configuration files are stored and available for use with the configure replace command is in any of these file systems FTP HTTP RCP TFTP Replacing a Configuration The configure replace privileged EXEC command replaces the running configuration with any saved configuration file When you enter...

Page 1324: ...ck Make sure that the switch has free memory larger than the combined size of the two configuration files the running configuration and the saved replacement configuration Otherwise the configuration replacement operation fails Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands Certain configuration commands such as...

Page 1325: ...Set the maximum number of archive files of the running configuration to be saved in the configuration archive number Maximum files of the running configuration file in the configuration archive Valid values are from 1 to 14 The default is 10 Note Before using this command you must first enter the path archive configuration command to specify the location and filename prefix for the files in the co...

Page 1326: ... time seconds Specify the time in seconds within which you must enter the configure confirm command to confirm replacement of the running configuration file If you do not enter the configure confirm command within the specified time limit the configuration replacement operation is automatically stopped In other words the running configuration file is restored to the configuration that existed befo...

Page 1327: ...Network Assistant to upgrade your switch For information about upgrading your switch by using a TFTP server or a web browser HTTP see the release notes You can replace the current image with the new one or keep the current image in flash memory after a download You can use the archive download sw allow feature upgrade privileged EXEC command to allow installation of an image with a different featu...

Page 1328: ... tar c3750e universal tar 122 35 SE2 tar File Format of Images on a Server or Cisco com Software images on a server or downloaded from Cisco com are in a file format which contains these files An info file which serves as a table of contents for the file One or more subdirectories containing other images and files such as Cisco IOS images and web management files This example shows some of the inf...

Page 1329: ...tack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These s...

Page 1330: ...ing the ping command Ensure that the image to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file enter the ...

Page 1331: ...nt image The allow feature upgrade option allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For...

Page 1332: ...tch of the same type Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and th...

Page 1333: ... reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using FTP page B 31 Downloading an Image File By Using FTP page B 32 Uploading an Image File By Using FTP page B 34 Preparing to Download or Upload an Image File By Using FTP You can copy images files to or from an FTP server The FTP prot...

Page 1334: ...sername by using the ip ftp username username global configuration command This new name will be used during all archive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged...

Page 1335: ...ot been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 31 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the director...

Page 1336: ...e url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using FTP You can upload an image from the switch to an FTP server You can later download this image to the same switch or to another switch of the same type Use ...

Page 1337: ... switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to...

Page 1338: ...The switch hostname For the RCP copy request to execute successfully an account must be defined on the network server for the remote username If the server has a directory structure the image file is written to or copied from the directory associated with the remote username on the server For example if the image file resides in the home directory of a user on the server specify that user s name a...

Page 1339: ...te username see Steps 4 and 5 Step 4 ip rcmd remote username username Optional Specify the remote username Step 5 end Return to privileged EXEC mode Step 6 archive download sw allow feature upgrade directory overwrite reload tftp location directory image name1 tar image name2 tar image name3 tar image name4 tar Download the images file from the RCP server to the switch and overwrite the current im...

Page 1340: ...orce recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an image fro...

Page 1341: ... to copy the software image from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Command Purpose Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B 36 Step 2 Log into the switch through the cons...

Page 1342: ... force reload source stack member number Copy the running image file from a stack member and then unconditionally reload the updated stack member Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which t...

Page 1343: ...s are listed by software feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint outp...

Page 1344: ... logging persistent show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported User EXEC Commands verify Unsupported Global Configuration Commands boot...

Page 1345: ...ory url location Parameters are not supported for this command event manager run policy name paramater1 paramater15 show event manager detector show event manager version Unsupported Global Configuration Commands event manager detector rpc no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode attribute EEM ...

Page 1346: ...p multicast router ports groups group address show bridge vlan show interfaces crb show interfaces ethernet fastethernet interface slot port irb show subscriber policy range Unsupported Global Configuration Commands bridge bridge group acquire bridge bridge group address mac address forward discard interface id bridge bridge group aging time seconds bridge bridge group bitswap_l3_addresses bridge ...

Page 1347: ...rn list access list number bridge group bridge group input type list access list number bridge group bridge group lat compression bridge group bridge group output address list access list number bridge group bridge group output lat service deny group list bridge group bridge group output lat service permit group list bridge group bridge group output lsap list access list number bridge group bridge...

Page 1348: ...face Configuration Commands mtu standby mac refresh seconds standby use bia IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id crb fair queue irb mac accounting precedence irb random detect rate limit shape Unsupported Global Configuration Commands interface tunnel U...

Page 1349: ...are switched in hardware without CPU involvement you can use this command but multicast packet information is not displayed The show ip mpacket commands are supported but are only useful for packets received at the switch CPU If the route is hardware switched the command has no effect because the CPU does not receive the packet and cannot display it show ip pim vc group address name type number sh...

Page 1350: ...ddress flap statistics clear ip bgp prefix list debug ip cef stats show cef drop not cef switched show ip accounting checkpoint output packets access violations show ip bgp dampened paths show ip bgp inconsistent as show ip bgp regexp regular expression Unsupported Global Configuration Commands ip accounting precedence input output ip accounting list ip address wildcard ip accounting transits coun...

Page 1351: ...s Unsupported BGP Router Configuration Commands address family vpnv4 default information originate neighbor advertise map neighbor allowas in neighbor default originate neighbor description network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type for policy based routing PBR set as path tag prepend as path string set automatic tag set da...

Page 1352: ...ble address show mac address table aging time show mac address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast addres...

Page 1353: ...bal drop threshold memory reserve critical service compress config stack mac persistent timer supported on Catalyst 3750 E switches only track object number rtr MSDP Unsupported Privileged EXEC Commands show access expression show exception show location show pm LINE show smf interface id show subscriber policy policy number show template template name Unsupported Global Configuration Commands ip ...

Page 1354: ...tatistics show ip nat translations QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate limit Unsupported Policy Map Configuration Command class class default where class default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authenticat...

Page 1355: ...ed Global Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show vlan ifindex VTP Unsupported Privileged EXEC Command vtp password password pruning version number ...

Page 1356: ...3 14 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 Appendix 3 Unsupported Commands in Cisco IOS Release 12 2 53 SE2 VTP ...

Page 1357: ...mbers 5 25 access lists See ACLs access ports and Layer 2 protocol tunneling 17 11 defined 12 3 in switch clusters 6 9 access template 8 1 accounting with 802 1x 10 50 with IEEE 802 1x 10 15 with RADIUS 9 34 with TACACS 9 11 9 17 ACEs and QoS 37 8 defined 35 2 Ethernet 35 2 IP 35 2 ACLs ACEs 35 2 any keyword 35 13 applying on bridged packets 35 39 on multicast packets 35 41 on routed packets 35 40...

Page 1358: ... named IPv4 35 15 IPv6 36 3 names 36 4 number per QoS class map 37 39 port 35 2 36 1 precedence of 35 3 QoS 37 7 37 49 resequencing entries 35 15 router 35 2 36 1 router ACLs and VLAN map configuration guidelines 35 38 standard IP configuring for QoS classification 37 49 37 51 standard IPv4 creating 35 10 matching criteria 35 8 support for 1 10 support in hardware 35 22 time ranges 35 17 types sup...

Page 1359: ...owed VLAN list 13 19 AP1250 wireless access point 1 15 application engines redirecting traffic to 45 1 area border routers See ABRs area routing IS IS 40 66 ISO IGRP 40 66 ARP configuring 40 10 defined 1 6 7 31 40 10 encapsulation 40 11 static cache configuration 40 10 table address resolution 7 31 managing 7 31 ASBRs 40 26 AS path filters BGP 40 55 asymmetrical links and IEEE 802 1Q tunneling 17 ...

Page 1360: ...tomatic recovery clusters 6 10 See also HSRP automatic upgrades auto upgrade in switch stacks 5 12 auto MDIX configuring 12 26 described 12 26 autonegotiation duplex mode 1 4 interface configuration guidelines 12 23 mismatches 49 13 autonomous system boundary routers See ASBRs autonomous systems in BGP 40 49 Auto RP described 46 7 autosensing port speed 1 4 autostate exclude 12 6 auxiliary VLAN Se...

Page 1361: ...in tracked lists 44 4 booting boot loader function of 3 2 boot process 3 2 manually 3 19 specific image 3 20 boot loader accessing 3 21 described 3 2 environment variables 3 21 prompt 3 21 trap door mechanism 3 2 bootstrap router BSR described 46 7 Border Gateway Protocol See BGP BPDU error disabled state 20 2 filtering 20 3 RSTP format 19 12 BPDU filtering described 20 3 disabling 20 15 enabling ...

Page 1362: ...3 overview 46 9 server support only 46 9 switch support of 1 4 CIDR 40 61 CipherSuites 9 51 Cisco 7960 IP Phone 15 1 Cisco AP1250 wireless access point 1 15 Cisco Discovery Protocol See CDP Cisco Express Forwarding See CEF Cisco Group Management Protocol See CGMP Cisco intelligent power management 12 7 Cisco IOS DHCP server See DHCP Cisco IOS DHCP server Cisco IOS File System See IFS Cisco IOS IP ...

Page 1363: ...very 6 10 benefits 1 2 compatibility 6 4 described 6 1 LRE profile considerations 6 16 managing through CLI 6 16 through SNMP 6 17 planning 6 4 planning considerations automatic discovery 6 5 automatic recovery 6 10 CLI 6 16 host names 6 13 IP addresses 6 13 LRE profiles 6 16 passwords 6 14 RADIUS 6 16 SNMP 6 14 6 17 switch stacks 6 14 TACACS 6 16 See also candidate switch command switch cluster s...

Page 1364: ...patibility feature 26 12 compatibility software See stacks switch config text 3 18 configurable leave timer IGMP 24 6 configuration initial defaults 1 16 Express Setup 1 2 See also getting started guide and hardware installation guide configuration conflicts recovering from lost member connectivity 49 12 configuration examples network 1 19 configuration files archiving B 21 clearing the startup co...

Page 1365: ...6 CoS input queue threshold map for QoS 37 18 CoS output queue threshold map for QoS 37 21 CoS to DSCP map for QoS 37 74 counters clearing interface 12 41 CPU utilization troubleshooting 49 28 crashinfo file 49 24 critical authentication IEEE 802 1x 10 54 critical VLAN 10 23 cross stack EtherChannel configuration guidelines 38 13 configuring on Layer 2 interfaces 38 13 on Layer 3 physical interfac...

Page 1366: ... 21 MAC address table move update 21 8 MSDP 47 4 MSTP 19 14 multi VRF CE 40 78 MVR 24 20 NTP 7 4 optional spanning tree configuration 20 12 OSPF 40 27 password and privilege level 9 2 PIM 46 11 private VLANs 16 6 RADIUS 9 27 RIP 40 21 RMON 31 3 RSPAN 30 12 SDM template 8 4 SNMP 33 6 SPAN 30 12 SSL 9 51 standard QoS 37 36 STP 18 13 switch stacks 5 20 system message logging 32 4 system name and prom...

Page 1367: ... 1 6 1 14 support for 1 6 DHCP based autoconfiguration and image update configuring 3 11 to 3 14 understanding 3 5 to 3 6 DHCP binding database See DHCP snooping binding database DHCP binding table See DHCP snooping binding database DHCP object tracking configuring primary interface 44 11 DHCP option 82 circuit ID suboption 22 5 configuration guidelines 22 9 default configuration 22 8 displaying 2...

Page 1368: ...server function 41 16 diagnostic schedule command 50 2 Differentiated Services architecture QoS 37 2 Differentiated Services Code Point 37 2 Diffusing Update Algorithm DUAL 40 36 Digital Optical Monitoring DOM 12 40 directed unicast requests 1 6 directories changing B 4 creating and removing B 5 displaying the working B 4 discovery clusters See automatic discovery Distance Vector Multicast Routing...

Page 1369: ...9 disabling 46 61 connecting PIM domain to DVMRP router 46 51 enabling unicast routing 46 54 interoperability with Cisco devices 46 49 with Cisco IOS software 46 9 mrinfo requests responding to 46 54 neighbors advertising the default route to 46 53 discovery with Probe messages 46 49 displaying information 46 54 prevent peering with nonpruning 46 57 rejecting nonpruning 46 55 overview 46 9 routes ...

Page 1370: ...23 3 priority of ARP ACLs and DHCP snooping entries 23 4 rate limiting of ARP packets configuring 23 11 described 23 4 error disabled state 23 4 statistics clearing 23 16 displaying 23 16 validation checks performing 23 12 dynamic auto trunking mode 13 16 dynamic desirable trunking mode 13 16 Dynamic Host Configuration Protocol See DHCP based autoconfiguration dynamic port VLAN membership describe...

Page 1371: ...nd entry 2 4 EtherChannel automatic creation of 38 5 38 7 channel groups binding physical and logical interfaces 38 4 numbering of 38 4 configuration guidelines 38 12 configuring Layer 2 interfaces 38 13 Layer 3 physical interfaces 38 16 Layer 3 port channel logical interfaces 38 15 default configuration 38 11 described 38 2 displaying status 38 22 forwarding methods 38 8 38 18 IEEE 802 3ad descri...

Page 1372: ...eue for QoS 37 90 Express Setup 1 2 See also getting started guide extended crashinfo file 49 24 extended range VLANs configuration guidelines 13 11 configuring 13 10 creating 13 11 creating with an internal VLAN ID 13 13 defined 13 1 extended system ID MSTP 19 18 STP 18 4 18 16 extended universal identifier See EUI Extensible Authentication Protocol over LAN 10 2 external BGP See EBGP external ne...

Page 1373: ... B 7 extracting B 8 image file format B 26 file system displaying available file systems B 2 displaying file information B 3 local file system names B 1 network file system names B 5 setting the default B 3 filtering in a VLAN 35 31 IPv6 traffic 36 3 36 7 non IP traffic 35 28 show and more command output 2 9 filtering show and more command output 2 9 filters IP See ACLs IP flash device number of B...

Page 1374: ...stant H hardware limitations and Layer 3 interfaces 12 32 hello time MSTP 19 23 STP 18 22 help for the command line 2 3 hierarchical policy maps 37 9 configuration guidelines 37 39 configuring 37 64 described 37 12 history changing the buffer size 2 5 described 2 5 disabling 2 6 recalling commands 2 6 history table level and number of syslog messages 32 10 host names in clusters 6 13 host ports co...

Page 1375: ...CMP Router Discovery Protocol See IRDP ICMPv6 41 4 IDS appliances and ingress RSPAN 30 25 and ingress SPAN 30 16 IEEE 802 1D See STP IEEE 802 1p 15 1 IEEE 802 1Q and trunk ports 12 3 configuration limitations 13 17 encapsulation 13 14 native VLAN for untagged traffic 13 21 tunneling compatibility with other features 17 6 defaults 17 4 described 17 1 tunnel ports with other features 17 6 IEEE 802 1...

Page 1376: ...25 default configuration 24 24 described 24 24 support for 1 5 IGMP groups configuring filtering 24 27 setting the maximum number 24 27 IGMP helper 46 6 IGMP Immediate Leave configuration guidelines 24 11 described 24 6 enabling 24 11 IGMP profile applying 24 26 configuration mode 24 25 configuring 24 25 IGMP snooping and address aliasing 24 2 and stack changes 24 7 configuring 24 7 default config...

Page 1377: ... Interior Gateway Protocol See IGP internal BGP See IBGP internal neighbors BGP 40 49 internal power supplies See power supplies Internet Control Message Protocol See ICMP Internet Group Management Protocol See IGMP Internet Protocol version 6 See IPv6 Inter Switch Link See ISL inter VLAN routing 1 14 40 2 Intrusion Detection System See IDS appliances inventory management TLV 28 3 28 7 IP ACLs for...

Page 1378: ... 33 Cisco implementation 46 2 configuring basic multicast routing 46 12 IP multicast boundary 46 47 default configuration 46 11 enabling multicast forwarding 46 13 PIM mode 46 13 group to RP mappings Auto RP 46 7 BSR 46 7 MBONE deleting sdr cache entries 46 63 described 46 46 displaying sdr cache 46 64 enabling sdr listener support 46 46 limiting DVMRP routes advertised 46 58 limiting sdr cache en...

Page 1379: ... network performance 43 3 monitoring 43 13 multioperations scheduling 43 5 object tracking 44 9 operation 43 3 reachability tracking 44 9 responder described 43 4 enabling 43 7 response time 43 4 scheduling 43 5 SNMP support 43 2 supported metrics 43 2 threshold monitoring 43 6 track object monitoring agent configuring 44 11 track state 44 9 UDP jitter operation 43 8 IP source guard and 802 1x 22 ...

Page 1380: ...addressing classes 40 7 configuring 40 5 IPv6 41 3 IRDP 40 13 Layer 3 interfaces 40 5 MAC address and IP address 40 9 passive interfaces 40 102 protocols distance vector 40 3 dynamic 40 3 link state 40 3 proxy ARP 40 10 redistribution 40 95 reverse address resolution 40 9 routed ports 40 5 static routing 40 3 steps to configure 40 5 subnet mask 40 7 subnet zero 40 7 supernet 40 8 UDP 40 16 unicast...

Page 1381: ...affic filtering 36 3 IRDP configuring 40 13 definition 40 13 support for 1 14 IS IS addresses 40 66 area routing 40 66 default configuration 40 67 monitoring 40 75 show commands 40 75 system routing 40 66 ISL and IPv6 41 3 and trunk ports 12 3 encapsulation 1 9 13 14 trunking with IEEE 802 1 tunneling 17 5 ISO CLNS clear commands 40 75 dynamic routing protocols 40 65 monitoring 40 75 NETs 40 65 NS...

Page 1382: ...0 7 assigning IPv4 and IPv6 addresses to 41 14 assigning IPv6 addresses to 41 12 changing from Layer 2 mode 40 7 40 81 40 82 types of 40 5 Layer 3 packets classification methods 37 2 LDAP 4 2 Leaking IGMP Reports 21 4 LEDs switch See hardware installation guide Lightweight Directory Access Protocol See LDAP line configuration mode 2 2 Link Aggregation Control Protocol See EtherChannel Link Failure...

Page 1383: ...20 removing 7 22 in ACLs 35 28 IP address association 40 9 static adding 7 27 allowing 7 29 7 30 characteristics of 7 27 dropping 7 28 removing 7 27 MAC address learning 1 6 MAC address learning disabling on a VLAN 7 30 MAC address notification support for 1 15 MAC address table move update configuration guidelines 21 8 configuring 21 12 default configuration 21 8 description 21 6 monitoring 21 14...

Page 1384: ...aging 6 16 passwords 6 13 recovering from lost connectivity 49 12 requirements 6 4 See also candidate switch cluster standby group and standby command switch messages to users through banners 7 17 metrics in BGP 40 53 metric translations between routing protocols 40 98 metro tags 17 2 MHSRP 42 4 MIBs accessing files with FTP A 4 location of files A 4 overview 33 1 SNMP interaction with 33 4 suppor...

Page 1385: ...h 47 8 received by switch 47 14 default configuration 47 4 dense mode regions sending SA messages to 47 17 specifying the originating address 47 18 filtering incoming SA messages 47 14 SA messages to a peer 47 12 SA requests from a peer 47 11 join latency defined 47 6 meshed groups configuring 47 16 defined 47 16 originating address changing 47 18 overview 47 1 peer RPF flooding 47 2 peers configu...

Page 1386: ...e naming change 19 6 terminology 19 5 instances supported 18 10 interface state blocking to forwarding 20 2 interoperability and compatibility among modes 18 11 interoperability with IEEE 802 1D described 19 8 restarting migration process 19 26 IST defined 19 2 master 19 3 operations within a region 19 3 loop guard described 20 11 enabling 20 18 mapping VLANs to MST instance 19 17 MST region CIST ...

Page 1387: ...iguring 40 78 default configuration 40 78 defined 40 75 displaying 40 89 monitoring 40 89 network components 40 78 packet forwarding process 40 77 support for 1 14 MVR and address aliasing 24 20 and IGMPv3 24 21 configuring interfaces 24 22 default configuration 24 20 described 24 17 example application 24 18 in the switch stack 24 20 modes 24 21 multicast television application 24 18 setting glob...

Page 1388: ...logy See NEAT network management CDP 27 1 RMON 31 1 SNMP 33 1 network performance measuring with IP SLAs 43 3 network policy TLV 28 2 28 7 Network Time Protocol See NTP no commands 2 4 nonhierarchical policy maps configuration guidelines 37 39 configuring 37 59 described 37 10 non IP traffic filtering 35 28 nontrunking mode 13 16 normal range VLANs 13 4 configuration guidelines 13 5 configuring 13...

Page 1389: ...ics 40 33 route 40 33 settings 40 27 described 40 26 for IPv6 41 7 interface parameters configuring 40 31 LSA group pacing 40 35 monitoring 40 36 router IDs 40 35 route summarization 40 33 support for 1 14 virtual links 40 33 out of profile markdown 1 13 P packet modification with QoS 37 22 PAgP Layer 2 protocol tunneling 17 9 See EtherChannel parallel paths in routing tables 40 92 passive interfa...

Page 1390: ...t for 1 14 versions interoperability 46 11 troubleshooting interoperability problems 46 35 v2 improvements 46 4 PIM DVMRP as snooping method 24 9 ping character output description 49 16 executing 49 15 overview 49 15 PoE auto mode 12 9 CDP with power consumption described 12 7 CDP with power negotiation described 12 7 Cisco intelligent power management 12 7 configuring 12 27 devices supported 12 6...

Page 1391: ...e authentication 10 45 quiet period 10 46 RADIUS server 10 43 11 12 RADIUS server parameters on the switch 10 42 11 11 restricted VLAN 10 52 switch to client frame retransmission number 10 47 10 48 switch to client retransmission time 10 47 violation mode 10 27 violation modes 10 40 to 10 41 default configuration 10 34 11 9 described 10 1 device roles 10 3 11 2 displaying statistics 10 68 11 17 do...

Page 1392: ...A authorization 10 41 characteristics 10 17 configuration tasks 10 17 described 10 16 voice aware 802 1x security configuring 10 39 described 10 32 10 39 voice VLAN described 10 25 PVID 10 25 VVID 10 25 wake on LAN described 10 27 port based authentication methods supported 10 8 port based trust IPv4 and IPv6 8 2 port blocking 1 4 26 7 port channel See EtherChannel port description TLV 28 2 Port F...

Page 1393: ...cted ports private VLANs across multiple switches 16 4 and SDM template 16 4 and SVIs 16 5 and switch stacks 16 5 benefits of 16 1 community ports 16 2 community VLANs 16 2 16 3 configuration guidelines 16 7 16 8 configuration tasks 16 6 configuring 16 9 default configuration 16 6 end station access to 16 3 IP addressing 16 3 isolated port 16 2 isolated VLANs 16 2 16 3 mapping 16 13 monitoring 16 ...

Page 1394: ...running configuration 37 33 egress queue defaults 37 25 list of generated commands 37 26 basic model 37 4 classification class maps described 37 8 defined 37 4 DSCP transparency described 37 46 flowchart 37 7 forwarding treatment 37 3 in frames and packets 37 3 IP ACLs described 37 7 37 8 MAC ACLs described 37 5 37 8 options for IP traffic 37 6 options for non IP traffic 37 5 policy maps described...

Page 1395: ...escribed 37 4 displaying the threshold map 37 81 flowchart 37 16 mapping DSCP or CoS values 37 81 priority queue described 37 18 scheduling described 37 4 setting WTD thresholds 37 81 WTD described 37 18 IP phones automatic classification and queueing 37 23 detection and trusted settings 37 23 37 45 limiting bandwidth on egress interface 37 91 mapping tables CoS to DSCP 37 74 displaying 37 92 DSCP...

Page 1396: ... server load balancing 9 39 suggested network environments 9 18 support for 1 12 tracking services accessed by user 9 34 RADIUS Change of Authorization 9 19 range macro 12 16 of interfaces 12 14 rapid convergence 19 10 rapid per VLAN spanning tree plus See rapid PVST rapid PVST described 18 10 IEEE 802 1Q trunking interoperability 18 11 instances supported 18 10 Rapid Spanning Tree Protocol See RS...

Page 1397: ...e measuring with IP SLAs 43 4 restricted VLAN configuring 10 52 described 10 22 using with IEEE 802 1x 10 22 restricting access NTP services 7 8 overview 9 1 passwords and privilege levels 9 2 RADIUS 9 17 TACACS 9 10 retry count VMPS changing 13 30 reverse address resolution 40 9 Reverse Address Resolution Protocol See RARP RFC 1058 RIP 40 20 1112 IP multicast and IGMP 24 2 1157 SNMPv1 33 2 1163 B...

Page 1398: ... 95 static 40 3 routing domain confederation BGP 40 62 Routing Information Protocol See RIP routing protocol administrative distances 40 93 RPS See Cisco Redundant Power System 2300 RPS 2300 See Cisco Redundant Power System 2300 RSPAN 30 3 and stack changes 30 11 characteristics 30 9 configuration guidelines 30 19 default configuration 30 12 destination ports 30 8 displaying status 30 31 in a swit...

Page 1399: ... 8 1 secondary VLANs 16 2 Secure Copy Protocol secure HTTP client configuring 9 54 displaying 9 55 secure HTTP server configuring 9 53 displaying 9 55 secure MAC addresses and switch stacks 26 18 deleting 26 16 maximum number of 26 10 types of 26 9 secure ports and switch stacks 26 18 configuring 26 9 secure remote connections 9 45 Secure Shell See SSH Secure Socket Layer See SSL security port 26 ...

Page 1400: ...P 27 1 SNMP accessing MIB variables with 33 4 agent described 33 4 disabling 33 7 and IP SLAs 43 2 authentication level 33 10 community strings configuring 33 8 for cluster switches 33 4 overview 33 4 configuration examples 33 18 default configuration 33 6 engine ID 33 7 groups 33 7 33 9 host 33 7 ifIndex values 33 5 in band management 1 7 in clusters 6 14 informs and trap keyword 33 12 described ...

Page 1401: ... monitored ports 30 7 monitoring ports 30 8 overview 1 15 30 1 ports restrictions 26 12 received traffic 30 6 session limits 30 13 sessions configuring ingress forwarding 30 17 30 26 creating 30 14 30 28 defined 30 4 limiting source traffic to specific VLANs 30 18 removing destination monitoring ports 30 15 specifying monitored ports 30 14 30 28 with ingress traffic enabled 30 16 source ports 30 7...

Page 1402: ...5 IEEE 802 1x port based authentication 10 11 IGMP snooping 24 7 IP routing 40 4 IPv6 ACLs 36 3 MAC address tables 7 21 MSTP 19 8 multicast routing 46 10 MVR 24 18 port security 26 18 SDM template selection 8 3 SNMP 33 1 SPAN and RSPAN 30 11 STP 18 12 switch clusters 6 14 system message log 32 2 VLANs 13 6 VTP 14 7 stack master bridge ID MAC address 5 7 defined 5 2 election 5 5 IPv6 41 10 re elect...

Page 1403: ...y Document MSTP instances supported 18 10 multicast routing stack master and member roles 46 10 offline configuration described 5 8 effects of adding a provisioned switch 5 8 effects of removing a provisioned switch 5 10 effects of replacing a provisioned switch 5 10 provisioned configuration defined 5 8 provisioned switch defined 5 8 provisioning a new member 5 23 partitioned 5 4 49 8 provisioned...

Page 1404: ...ing 40 93 understanding 41 6 static routing 40 3 static routing support enhanced object tracking 44 10 static SSM mapping 46 18 46 20 static traffic forwarding 46 21 static VLAN membership 13 2 statistics 802 1X 11 17 CDP 27 5 IEEE 802 1x 10 68 interface 12 40 IP multicast routing 46 63 OSPF 40 36 QoS ingress and egress 37 92 RMON group Ethernet 31 6 RMON group history 31 5 SNMP input and output 3...

Page 1405: ...8 10 interface state blocking to forwarding 20 2 interface states blocking 18 6 disabled 18 7 forwarding 18 6 18 7 learning 18 7 listening 18 7 overview 18 5 interoperability and compatibility among modes 18 11 keepalive messages 18 2 Layer 2 protocol tunneling 17 8 limitations with IEEE 802 1Q trunks 18 11 load sharing overview 13 22 using path costs 13 24 using port priorities 13 22 loop guard d...

Page 1406: ...tchport block multicast command 26 8 switchport block unicast command 26 8 switchport command 12 22 switchport mode dot1q tunnel command 17 7 switchport protected command 26 7 switch priority MSTP 19 22 STP 18 21 switch software features 1 1 switch virtual interface See SVI synchronization BGP 40 49 syslog See system message logging system capabilities TLV 28 2 system clock configuring daylight sa...

Page 1407: ...g the services to the user 9 16 operation of 9 12 overview 9 10 support for 1 11 tracking services accessed by user 9 17 tagged packets IEEE 802 1Q 17 3 Layer 2 protocol 17 8 tar files creating B 7 displaying the contents of B 7 extracting B 8 image file format B 26 TCL script registering and defining with embedded event manager 34 7 TDR 1 16 Telnet accessing management interfaces 2 10 number of c...

Page 1408: ...g objects 44 1 tracking process 44 1 track state tracking IP SLAs 44 9 traffic blocking flooded 26 8 fragmented 35 5 fragmented IPv6 36 2 unfragmented 35 5 traffic policing 1 13 traffic suppression 26 1 transmit hold count see STP transparent mode VTP 14 3 trap door mechanism 3 2 traps configuring MAC address notification 7 22 7 24 7 25 configuring managers 33 12 defined 33 3 enabling 7 22 7 24 7 ...

Page 1409: ... disabling globally 29 5 on fiber optic interfaces 29 5 per interface 29 6 echoing detection mechanism 29 3 enabling globally 29 5 per interface 29 6 Layer 2 protocol tunneling 17 10 link detection mechanism 29 1 neighbor database 29 2 overview 29 1 resetting an interface 29 6 status displaying 29 7 support for 1 8 UDP configuring 40 16 UDP jitter configuring 43 9 UDP jitter operation IP SLAs 43 8...

Page 1410: ...tract 5 12 virtual IP address cluster standby group 6 11 command switch 6 11 Virtual Private Network See VPN virtual router 42 1 42 2 virtual switches and PAgP 38 6 vlan dat file 13 4 VLAN 1 disabling on a trunk port 13 20 minimization 13 19 VLAN ACLs See VLAN maps vlan assignment response VMPS 13 26 VLAN configuration at bootup 13 7 saving 13 7 VLAN configuration mode 2 2 VLAN database and startu...

Page 1411: ...lustrated 13 2 internal 13 11 in the switch stack 13 6 limiting source traffic with RSPAN 30 22 limiting source traffic with SPAN 30 18 modifying 13 8 multicast 24 17 native configuring 13 21 normal range 13 1 13 4 number supported 1 9 parameters 13 4 port membership modes 13 3 static access ports 13 9 STP and IEEE 802 1Q trunks 18 11 supported 13 2 Token Ring 13 5 traffic between 13 2 VLAN bridge...

Page 1412: ...0 81 RADIUS 40 82 SNMP 40 81 syslog 40 82 tftp 40 83 traceroute 40 83 uRPF 40 82 VRFs configuring multicast 40 84 VTP adding a client to a domain 14 16 advertisements 13 17 14 4 and extended range VLANs 13 2 14 2 and normal range VLANs 13 2 14 2 client mode configuring 14 13 configuration requirements 14 11 saving 14 9 configuration requirements 14 11 configuration revision number guideline 14 16 ...

Page 1413: ...intaining 45 10 negotiation 45 3 packet redirection 45 3 packet return method 45 3 redirecting traffic received from a client 45 6 setting the password 45 7 unsupported WCCPv2 features 45 5 web authentication 10 16 configuring 11 16 to described 1 9 web based authentication customizeable web pages 11 6 description 11 1 web based authentication interactions with other features 11 7 Web Cache Commun...

Page 1414: ...Index IN 58 Catalyst 3750 E and 3560 E Switch Software Configuration Guide OL 9775 08 ...

Reviews:

No comments

Related manuals for Catalyst 3750-E Series

D-Link DSL-500 Command Reference Manual preview
DSL-500
Brand: D-Link Pages: 15
D-Link DWL-G550 Product Data Sheet preview
DWL-G550
Brand: D-Link Pages: 2
Eaton INDGW-X2 Manual preview
INDGW-X2
Brand: Eaton Pages: 10
Lantronix SISPM1040-582-LRT Quick Start Manual preview
SISPM1040-582-LRT
Brand: Lantronix Pages: 2
Lantronix SDS1101 Quick Start Manual preview
SDS1101
Brand: Lantronix Pages: 7
Lantronix Maestro E220 Series Quick Start Manual preview
Maestro E220 Series
Brand: Lantronix Pages: 25
Ratoc Systems SCSI PC Card REX-9530V Product Manual preview
SCSI PC Card REX-9530V
Brand: Ratoc Systems Pages: 30
AlphaShield INTERNET PRIVACY PROTECTION (Spanish) Manual Del Usuario preview
INTERNET PRIVACY PROTECTION
Brand: AlphaShield Pages: 49
EVS Neuron NFR2000 Installation And Service Manual preview
Neuron NFR2000
Brand: EVS Pages: 30
SIIG IO1037 Quick Installation Manual preview
IO1037
Brand: SIIG Pages: 6
Renesas Emulator MCU Board for 38D5 Group M38D59T-RLFS User Manual preview
Emulator MCU Board for 38D5 Group M38D59T-RLFS
Brand: Renesas Pages: 4
Aztech DSL5068EN(1T1R) User Manual preview
DSL5068EN(1T1R)
Brand: Aztech Pages: 40
Daedalon EC-33 Instruction Manual preview
EC-33
Brand: Daedalon Pages: 6
Blackmagicdesign Teranex 2D Processor Installation And Operation Manual preview
Teranex 2D Processor
Brand: Blackmagicdesign Pages: 969
IDT Tsi310TM User Manual preview
Tsi310TM
Brand: IDT Pages: 207
HPE FlexNetwork 5130 Series Troubleshooting Manual preview
FlexNetwork 5130 Series
Brand: HPE Pages: 33
Rainbow QPBB Instruction Manual preview
QPBB
Brand: Rainbow Pages: 2
3Com EtherLink 3C905C-TX User Manual preview
EtherLink 3C905C-TX
Brand: 3Com Pages: 96

Brands by name

Popular brands

Load more brands