manualshive.com logo in svg

Cisco Catalyst 4500 Series, Software Configuration Manual

The Cisco Catalyst 4500 Series is a powerful network switch offering seamless connectivity and efficient performance. To unlock the full potential of this product, users can easily download the comprehensive Command Reference Manual for free from our website, ensuring hassle-free operation and optimal network management.

Share
Download
background image

48-2

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex

 

Chapter 48      Configuring MACsec Encryption

Understanding Media Access Control Security and MACsec Key Agreement

Note

For more information, refer to the 

Cisco TrustSec Switch Configuration Guide

:

http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

For complete syntax and usage information for the switch commands used in this chapter, see the

Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch

.

If a command is not in the 

Cisco Catalyst 4500 Series Switch Command Reference 

, you can locate it in 

the 

Cisco IOS Master Command List, All Releases

.

Understanding Media Access Control Security
and MACsec Key Agreement

MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using 
out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the 
required session keys and manages the required encryption keys. MKA and MACsec are implemented 
after successful authentication using the 802.1X Extensible Authentication Protocol (EAP) and 
EAP-Transport Layer Security (EAP-TLS) framework. MKA MACsec supports both host facing links 
(links between network access devices and endpoint devices such as a PC or IP phone) and 
switch-to-switch links, beginning in Cisco IOS Release 15.2(5)E and Cisco IOS XE Release 3.9.0E.

A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy 
associated with the client. MACsec frames are encrypted and protected with an integrity check value 
(ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV 
by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If 
they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent 
over the secured port (the access point used to provide the secure MAC service to a client) using the 
current session key.

The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic 
requirements of MKA are defined in 802.1X-2010. The MKA Protocol extends 802.1X to allow peer 
discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data 
exchanged by the peers. 

Pre-shared keys (PSKs) are used to generate Connectivity Association Keys (CAKs). In symmetric 
cryptography, PSK means a key or a shared secret. This key is shared between parties before it is used. 
The PSK is used to generate the Key Encryption Key (KEK) and the integrity check value (ICV) Key 
(ICK).

In a switch-to-switch connection using the PSK, there is no concept of the authenticator, because of the 
EAP authentication on the switch. So the switch with highest priority becomes the Key Server (KS). In 
the current implementation, MKA can act as a non-KS without much change, except for accepting the 
PSK instead of the CAK.

The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP 
authentication produces a master session key (MSK) shared by both partners in the data exchange. 
Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the 
switch is the authenticator, it is also the key server, generating a random 128-bit secure association key 
(SAK), which it sends it to the client partner. The client is never a key server and can only interact with 
a single MKA entity, the key server. After key derivation and generation, the switch sends periodic 
transports to the partner at a default interval of 2 seconds.

The CAK and CKN will be derived from the configured PSK name and value

Summary of Contents for Catalyst 4500 Series

Page 1: ...ive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE Release 3 9 xE and Cisco IOS Release 15 2 5 Ex Last Modified November 28 2016 ...

Page 2: ......

Page 3: ...ING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPL...

Page 4: ......

Page 5: ...1 3 Flex Links and MAC Address Table Move Update 1 3 Flexible NetFlow Supervisor Engine 7 E 7L E and 8 E only 1 4 Internet Group Management Protocol IGMP Snooping 1 4 IPv6 Multicast BSR and BSR Scoped Zone Support 1 5 IPv6 Multicast Listen Discovery MLD and Multicast Listen Discovery Snooping 1 6 Jumbo Frames 1 6 Link Aggregation Control Protocol 1 7 Cisco IOS XE IP Application Services Features i...

Page 6: ... Enhanced Object Tracking 1 15 GLBP 1 15 Cisco IOS XE IP Application Services Features in Cisco IOS XE 3 1 0SG 1 15 HSRP 1 16 Cisco IOS XE IP Application Services HSRP Features in Cisco IOS XE 3 1 0SG 1 16 SSO Aware HSRP 1 17 NHRP 1 17 IP Routing Protocols 1 17 BGP 1 17 EIGRP 1 18 IS IS 1 18 OSPF 1 19 RIP 1 19 In Service Software Upgrade 1 19 IPv6 1 20 Multicast Services 1 20 NSF with SSO 1 21 OSP...

Page 7: ...d 10 100 Autonegotiation 1 30 Intelligent Power Management 1 30 MAC Address Notification 1 30 MAC Notify MIB 1 30 NetFlow lite 1 31 Power over Ethernet 1 31 Secure Shell 1 31 Simple Network Management Protocol 1 31 Smart Install 1 32 SPAN and RSPAN 1 32 Universal Power over Ethernet 1 32 Web Content Coordination Protocol 1 32 Wireshark 1 33 XML PI 1 33 Security Features 1 33 802 1X Identity Based ...

Page 8: ...face 2 2 Accessing the CLI Through Telnet 2 2 Performing Command Line Processing 2 3 Performing History Substitution 2 4 About Cisco IOS Command Modes 2 4 Getting a List of Commands and Syntax 2 5 Virtual Console for Standby Supervisor Engine 2 6 ROMMON Command Line Interface 2 7 Archiving Crashfiles Information 2 8 Displaying a Crash Dump for Supervisor Engine 6 E and 6L E 2 8 Configuring the Swi...

Page 9: ...3 22 Encrypting Passwords 3 22 Configuring Multiple Privilege Levels 3 23 Setting the Privilege Level for a Command 3 23 Changing the Default Privilege Level for Lines 3 23 Logging In to a Privilege Level 3 24 Exiting a Privilege Level 3 24 Displaying the Password Access Level and Privilege Level Configuration 3 24 Recovering a Lost Enable Password 3 25 Modifying the Supervisor Engine Startup Conf...

Page 10: ...nd Date Configuration 4 12 Configuring the Time Zone 4 12 Configuring Summer Time Daylight Saving Time 4 13 Managing Software Licenses Using Permanent Right To Use Features 4 14 About a PRTU License 4 15 Benefits of a PRTU License 4 15 Guidelines for the RTU License Model 4 16 Applying a PRTU License 4 16 Activating a PRTU License 4 16 Deactivating a PRTU License 4 17 Displaying Software License I...

Page 11: ...ture Compatibility 4 42 Feature Incompatibility 4 43 Partial Feature Incompatibility 4 43 Displaying Address Table Entries 4 44 Managing the ARP Table 4 44 Configuring Embedded CiscoView Support 4 44 Understanding Embedded CiscoView 4 45 Installing and Configuring Embedded CiscoView 4 45 Displaying Embedded CiscoView Information 4 48 Configuring Virtual Switching Systems 5 1 Understanding Virtual ...

Page 12: ... and Guidelines 5 29 Dual Active Detection Restrictions and Guidelines 5 30 Configuring a VSS 5 30 Configuring Easy VSS 5 30 Converting to a VSS 5 32 Backing Up the Standalone Configuration 5 33 Configuring SSO and NSF 5 34 Assigning Virtual Switch Domain and Switch Numbers 5 34 Configuring VSL Port Channel and Ports 5 34 Converting the Switch to Virtual Switch Mode 5 36 Converting to Quad Supervi...

Page 13: ...SU 5 63 Compatibility Matrix 5 63 Compatibility Verification Using Cisco Feature Navigator 5 64 How to Perform the ISSU Process 5 64 Verifying the ISSU Software Installation 5 65 Verifying Redundancy Mode Before Beginning the ISSU Process 5 65 Verifying the ISSU State Before Beginning the ISSU Process 5 67 ISSU using the Four command Sequence Step 1 loadversion 5 68 ISSU using the Four command Seq...

Page 14: ...s for NETCONF RPCs 6 14 Examples for RESTCONF RPCs 6 15 Using ODM Models 6 15 Enabling SSHv2 6 17 Activating and Deactivating the ODM 6 17 Enabling the Polling Mode 6 19 Displaying Supported Parsers and Polling Intervals 6 20 Monitoring Programmability 6 23 Troubleshooting Programmability 6 25 Sample Configuration and Reference Information 6 28 DHCP Server Settings on Linux 6 28 Using HTTP 6 28 Us...

Page 15: ... Beginning the ISSU Process 7 20 Loading New Cisco IOS Software on the Standby Supervisor Engine 7 21 Switching to the Standby Supervisor Engine 7 24 Stopping the ISSU Rollback Timer Optional 7 26 Loading New Cisco IOS Software on the New Standby Supervisor Engine 7 27 Using changeversion to Automate an ISSU Upgrade 7 29 Aborting a Software Upgrade During ISSU 7 34 Configuring the Rollback Timer t...

Page 16: ... to Automate an ISSU Upgrade 8 30 Aborting a Software Upgrade During ISSU 8 36 Configuring the Rollback Timer to Safeguard Against Upgrade Issues 8 37 Displaying ISSU Compatibility Matrix Information 8 39 Cisco High Availability Features in Cisco IOS XE 3 1 0SG 8 41 Configuring Interfaces 9 1 About Interface Configuration 9 2 Using the interface Command 9 2 Configuring a Range of Interfaces 9 4 Us...

Page 17: ... 9 22 Supervisor Engine 8 E Uplink Configurations 9 22 Restrictions for Configuring Sup 7 E Uplink Mode on Supervisor Engine 8 E 9 24 Configuring Supervisor Engine 7 E Mode on Supervisor Engine 8 E 9 24 Selecting the Uplink Port on a Supervisor Engine 7L E 9 25 Single Supervisor Mode 9 25 Redundant Supervisor Mode 9 26 Digital Optical Monitoring Transceiver Support 9 26 Configuring Optional Interf...

Page 18: ...6 Examples 9 47 Resetting the Interface to the Default Configuration 9 48 Checking Port Status and Connectivity 10 1 Checking Module Status 10 1 Checking Interfaces Status 10 2 Displaying MAC Addresses 10 3 Checking Cable Status Using Time Domain Reflectometer 10 3 Overview 10 3 Running the TDR Test 10 4 TDR Guidelines 10 5 Using Telnet 10 5 Changing the Logout Timer 10 6 Monitoring User Sessions ...

Page 19: ...de 11 13 Manipulating Bootflash on the Redundant Supervisor Engine 11 14 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 7 E Supervisor Engine 7L E and Supervisor Engine 8 E 12 1 About Supervisor Engine Redundancy 12 2 Overview 12 2 RPR Operation 12 2 SSO Operation 12 3 About Supervisor Engine Redundancy Synchronization 12 4 RPR Supervisor Engine Configuration Synch...

Page 20: ...14 Verifying IS IS NSF 13 15 Configuring EIGRP NSF 13 16 Verifying EIGRP NSF 13 16 Cisco High Availability Features in Cisco IOS XE 3 1 0SG 13 17 Environmental Monitoring and Power Management 14 1 About Environmental Monitoring 14 1 Using CLI Commands to Monitor your Environment 14 2 Displaying Environment Conditions 14 2 Displaying On Board Failure Logging OBFL information for 9000W AC 14 4 Emerg...

Page 21: ...rface 15 5 Displaying the Operational Status for an Interface 15 6 Displaying all PoE Detection and Removal Events 15 7 Displaying the PoE Consumed by a Module 15 8 PoE Policing and Monitoring 15 12 PoE Policing Modes 15 12 Configuring Power Policing on an Interface 15 13 Displaying Power Policing on an Interface 15 14 Configuring Errdisable Recovery 15 14 Enhanced Power PoE Support on the E Serie...

Page 22: ...Network Assistant in Community or Cluster Mode 16 13 Configuring Network Assistant on a Networked Switch in Community Mode 16 13 Configuring Network Assistant in a Networked Switch in Cluster Mode 16 17 Configuring VLANs VTP and VMPS 17 1 VLANs 17 1 About VLANs 17 1 VLAN Configuration Guidelines and Restrictions 17 3 VLAN Ranges 17 3 Configurable Normal Range VLAN Parameters 17 4 VLAN Default Conf...

Page 23: ...tabase Configuration File Example 17 31 Configuring IP Unnumbered Interface 18 1 About IP Unnumbered Interface Support 18 1 IP Unnumbered Interface Support with DHCP Server and Relay Agent 18 2 DHCP Option 82 18 2 IP Unnumbered Interface with Connected Host Polling 18 3 IP Unnumbered Configuration Guidelines and Restrictions 18 3 Configuring IP Unnumbered Interface Support with DHCP Server 18 4 Co...

Page 24: ...nd Static SmartPort 21 1 Configuring SmartPort Macros 21 2 Passing Parameters Through the Macro 21 2 Macro Parameter Help 21 3 Default SmartPort Macro Configuration 21 3 cisco global 21 4 cisco desktop 21 4 cisco phone 21 4 cisco router 21 5 cisco switch 21 5 SmartPort Macro Configuration Guidelines 21 6 Creating SmartPort Macros 21 7 Applying SmartPort Macros 21 8 cisco global 21 9 cisco desktop ...

Page 25: ... About STP 23 1 Understanding the Bridge ID 23 2 Bridge Priority Value 23 2 Extended System ID 23 3 STP MAC Address Allocation 23 3 Bridge Protocol Data Units 23 3 Election of the Root Bridge 23 4 STP Timers 23 4 Creating the STP Topology 23 5 STP Port States 23 5 MAC Address Allocation 23 6 STP and IEEE 802 1Q Trunks 23 6 Per VLAN Rapid Spanning Tree 23 6 Default STP Configuration 23 7 Configurin...

Page 26: ...8 Message Age and Hop Count 23 28 MST Configuration Restrictions and Guidelines 23 28 Configuring MST 23 28 Enabling MST 23 29 Configuring MST Instance Parameters 23 30 Configuring MST Instance Port Parameters 23 31 Restarting Protocol Migration 23 32 Displaying MST Configurations 23 32 About MST to PVST Interoperability PVST Simulation 23 35 Configuring PVST Simulation 23 36 About Detecting Unidi...

Page 27: ...nvergence 25 4 VLAN Load Balancing 25 4 Spanning Tree Interaction 25 6 REP Ports 25 6 Configuring REP 25 7 Default REP Configuration 25 7 REP Configuration Guidelines 25 7 Configuring the REP Administrative VLAN 25 8 Configuring REP Interfaces 25 10 Setting Manual Preemption for VLAN Load Balancing 25 13 Configuring SNMP Traps for REP 25 14 Monitoring REP 25 14 Configuring Optional STP Features 26...

Page 28: ...aces 27 2 Configuring EtherChannels 27 2 EtherChannel Configuration Overview 27 3 Manual EtherChannel Configuration 27 3 Auto LAG 27 3 PAgP EtherChannel Configuration 27 4 IEEE 802 3ad LACP EtherChannel Configuration 27 5 Load Balancing 27 6 EtherChannel Configuration Guidelines and Restrictions 27 6 Configuring EtherChannel 27 7 Configuring Layer 3 EtherChannels 27 7 Creating Port Channel Logical...

Page 29: ...and Filtering and MVR 28 1 About IGMP Snooping 28 1 Immediate Leave Processing 28 3 IGMP Configurable Leave Timer 28 4 IGMP Snooping Querier 28 4 Explicit Host Tracking 28 4 Configuring IGMP Snooping 28 5 Default IGMP Snooping Configuration 28 5 Enabling IGMP Snooping Globally 28 6 Enabling IGMP Snooping on a VLAN 28 6 Configuring Learning Methods 28 7 Configuring PIM DVMRP Learning 28 7 Configuri...

Page 30: ... Trunk Port 28 27 Displaying MVR Information 28 29 Configuring IGMP Filtering 28 30 Default IGMP Filtering Configuration 28 30 Configuring IGMP Profiles 28 31 Applying IGMP Profiles 28 32 Setting the Maximum Number of IGMP Groups 28 33 Displaying IGMP Filtering Configuration 28 34 Configuring IPv6 Multicast Listener Discovery Snooping 29 1 About MLD Snooping 29 1 MLD Messages 29 2 MLD Queries 29 3...

Page 31: ... 30 9 VLAN Mapping Configuration Guidelines 30 9 Configuring VLAN Mapping 30 10 One to One Mapping 30 10 Traditional Q in Q on a Trunk Port 30 11 Selective Q in Q on a Trunk Port 30 12 About Layer 2 Protocol Tunneling 30 13 Configuring Layer 2 Protocol Tunneling 30 15 Default Layer 2 Protocol Tunneling Configuration 30 16 Layer 2 Protocol Tunneling Configuration Guidelines 30 16 Configuring Layer ...

Page 32: ...ng and Maintaining LLDP LLDP MED and Location Service 32 14 Cisco IOS Carries Ethernet Features in Cisco IOS XE 3 1 0SG 32 15 Configuring UDLD 33 1 About UDLD 33 1 UDLD Topology 33 2 Fast UDLD Topology 33 2 Operation Modes 33 3 Default States for UDLD 33 3 Default UDLD Configuration 33 3 Configuring UDLD on the Switch 33 4 Fast UDLD Guidelines and Restrictions 33 4 Enabling UDLD Globally 33 5 Enab...

Page 33: ...ng Physical Layer 3 Interfaces 35 12 Configuring EIGRP Stub Routing 35 13 About EIGRP Stub Routing 35 13 Configuring EIGRP Stub Routing 35 14 Dual Homed Remote Topology 35 16 EIGRP Stub Routing Configuration Tasks 35 18 Monitoring and Maintaining EIGRP 35 19 EIGRP Configuration Examples 35 20 Route Summarization Example 35 20 Route Authentication Example 35 21 Stub Routing Example 35 21 Configurin...

Page 34: ...ere to Use Unicast RPF 37 5 Routing Table Requirements 37 7 Where Not to Use Unicast RPF 37 7 Unicast RPF with BOOTP and DHCP 37 8 Restrictions 37 8 Limitation 37 8 Related Features and Technologies 37 8 Prerequisites to Configuring Unicast RPF 37 9 Unicast RPF Configuration Tasks 37 9 Configuring Unicast RPF 37 9 Verifying Unicast RPF 37 10 Monitoring and Maintaining Unicast RPF 37 11 Unicast RPF...

Page 35: ...guring a Rendezvous Point 38 17 Configuring Auto RP 38 18 Configuring a Single Static RP 38 21 Load Splitting of IP Multicast Traffic 38 22 Monitoring and Maintaining IP Multicast Routing 38 23 Displaying System and Network Statistics 38 24 Displaying the Multicast Routing Table 38 24 Displaying IP MFIB 38 26 Displaying Bidirectional PIM Information 38 27 Displaying PIM Statistics 38 28 Clearing T...

Page 36: ... of Using BFD for Failure Detection 40 7 Hardware Support for BFD 40 7 How to Configure Bidirectional Forwarding Detection 40 8 Configuring BFD Session Parameters on the Interface 40 8 Configuring BFD Support for Dynamic Routing Protocols 40 9 Configuring BFD Support for BGP 40 9 Configuring BFD Support for EIGRP 40 10 Configuring BFD Support for OSPF 40 11 Configuring BFD Support for Static Routi...

Page 37: ...uring Multicast PIM Sparse Mode in Campus Fabric 41 7 Configuring Multicast PIM SSM in Campus Fabric 41 8 Dataplane Security 41 9 Configuring Dataplane Security on Fabric Edge Devices 41 9 Before You Begin 41 9 Campus Fabric Configuration Examples 41 10 Configuring Policy Based Routing 42 1 Policy Based Routing 42 1 Route Maps 42 2 Understanding Route Maps 42 2 PBR Route Map Processing Logic 42 3 ...

Page 38: ... IPv4 43 4 Configuring VRFs 43 4 Configuring VRF Aware Services 43 5 Configuring the User Interface for ARP 43 6 Configuring Per VRF for TACACS Servers 43 6 Configuring Multicast VRFs 43 7 Configuring a VPN Routing Session 43 8 Configuring BGP PE to CE Routing Sessions 43 9 VRF lite Configuration Example 43 10 Configuring Switch S8 43 10 Configuring Switch S20 43 12 Configuring Switch S11 43 12 Co...

Page 39: ...ssification 44 6 Classification Based on QoS ACLs 44 6 Classification Based on Class Maps and Policy Maps 44 7 Policing and Marking 44 8 Queueing and Scheduling 44 8 Active Queue Management 44 9 Sharing Link Bandwidth Among Transmit Queues 44 9 Strict Priority Low Latency Queueing 44 9 Traffic Shaping 44 9 Packet Modification 44 9 Per Port Per VLAN QoS 44 10 Flow based QoS 44 10 Using Metadata in ...

Page 40: ... 44 27 Priority queuing 44 30 Queue limiting 44 31 Active Queue Management AQM via Dynamic Buffer Limiting DBL 44 34 Transmit Queue Statistics 44 35 Enabling Per Port Per VLAN QoS 44 36 Policy Associations 44 39 Software QoS 44 40 Applying Flow based QoS Policy 44 41 Examples 44 42 Configuration Guidelines 44 44 Configuring CoS Mutation 44 45 Configuring System Queue Limit 44 46 Configuring QoS on...

Page 41: ...ority queuing 44 64 Queue limiting 44 65 Active Queue Management AQM via Dynamic Buffer Limiting DBL 44 68 Transmit Queue Statistics 44 69 Enabling Per Port Per VLAN QoS 44 70 Policy Associations 44 73 Software QoS 44 74 Applying Flow based QoS Policy 44 75 Examples 44 76 Configuration Guidelines 44 78 Configuring CoS Mutation 44 79 Configuring System Queue Limit 44 80 Configuring VSS Auto QoS 44 ...

Page 42: ...y QoS Model 45 12 App Class and QoS Traffic Mapping 45 12 Sample QoS Configuration for AVC with DNS AS Classifying Voice Traffic 45 13 Configuring FNF for AVC with DNS AS 45 15 Option Templates 45 15 Sample FNF Configuration for AVC with DNS AS 45 17 Monitoring AVC with DNS AS 45 20 Example show avc dns as client status 45 22 Example show avc dns as client trusted domains 45 22 Example show avc dn...

Page 43: ...Associating a Secondary VLAN with a Primary VLAN 47 16 Configuring a Layer 2 Interface as a PVLAN Promiscuous Port 47 17 Configuring a Layer 2 Interface as a PVLAN Host Port 47 18 Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port 47 19 Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port 47 21 Permitting Routing of Secondary VLAN Ingress Traffic 47 23 Configuring PVLAN o...

Page 44: ...AP TLS 48 15 Configuring EAP TLS and 802 1x Credentials 48 15 Configuring an Authentication Policy 48 16 Applying the 802 1x and MKA MACsec Configuration on Interfaces 48 17 Example MKA MACsec Switch to Switch Configuration 48 17 Understanding Cisco TrustSec MACsec 48 19 Configuring Cisco TrustSec MACsec 48 21 Configuring Cisco TrustSec Credentials on the Switch 48 21 Configuring Cisco TrustSec Sw...

Page 45: ...Example 49 16 Using 802 1X with Authentication Failed VLAN Assignment 49 16 Usage Guidelines for Using Authentication Failed VLAN Assignment 49 17 Using 802 1X with Port Security 49 18 Using 802 1X Authentication with ACL Assignments and Redirect URLs 49 19 Cisco Secure ACS and AV Pairs for URL Redirect 49 19 ACLs 49 20 Using 802 1X with RADIUS Provided Session Timeouts 49 20 Using 802 1X with Voi...

Page 46: ...le Authentication Bypass 49 62 Configuring 802 1X with Unidirectional Controlled Port 49 66 Configuring 802 1X with VLAN User Distribution 49 68 Configuring the Switch 49 68 ACS Configuration 49 69 Configuring 802 1X with Authentication Failed 49 71 Configuring 802 1X with Voice VLAN 49 73 Configuring Voice Aware 802 1x Security 49 74 Configuring 802 1X with VLAN Assignment 49 75 Cisco ACS Configu...

Page 47: ...ings for All RADIUS Servers 49 110 Configuring the Switch to Use Vendor Specific RADIUS Attributes 49 111 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 49 112 Configuring CoA on the Switch 49 113 Monitoring and Troubleshooting CoA Functionality 49 114 Configuring RADIUS Server Load Balancing 49 115 Displaying the RADIUS Configuration 49 115 Configuring Device Sensor 49 ...

Page 48: ...thentication 50 2 X 509v3 Certificates for SSH Authentication Overview 50 2 Server and User Authentication Using X 509v3 50 2 OCSP Response Stapling 50 3 How to Configure X 509v3 Certificates for SSH Authentication 50 3 Configuring Digital Certificates for Server Authentication 50 3 Configuring Digital Certificates for User Authentication 50 4 Configuration Examples for 509v3 Certificates for SSH ...

Page 49: ...PoE Intermediate Agent 51 8 Troubleshooting Tips 51 9 Configuring Web Based Authentication 52 1 About Web Based Authentication 52 1 Device Roles 52 2 Host Detection 52 2 Session Creation 52 3 Authentication Process 52 3 Customization of the Authentication Proxy Web Pages 52 4 Web Based Authentication Interactions with Other Features 52 4 Port Security 52 4 LAN Port IP 52 5 Gateway IP 52 5 ACLs 52 ...

Page 50: ...ion Examples for Wired Guest Access 53 6 Example Configuring a CAPWAP Tunnel in a Service Template 53 6 Example Configuring the Mobility Agent 53 6 Example Configuring the Mobility Controller 53 7 Example Configuring the Guest Controller 53 8 Example Configuring CAPWAP Forwarding 53 9 Auto Identity 54 1 Information About Auto Identity 54 1 Auto Identity Overview 54 2 Auto Identity Global Template ...

Page 51: ...namic Secure MAC Addresses 55 14 Configuring Port Security on PVLAN Ports 55 14 Configuring Port Security on an Isolated Private VLAN Host Port 55 14 Example of Port Security on an Isolated Private VLAN Host Port 55 16 Configuring Port Security on a Private VLAN Promiscuous Port 55 16 Example of Port Security on a Private VLAN Promiscuous Port 55 17 Configuring Port Security on Trunk Ports 55 17 C...

Page 52: ...31 802 1X Authentication 55 32 Configuring Port Security in a Wireless Environment 55 32 Port Security Configuration Guidelines and Restrictions 55 33 Configuring Auto Security 56 1 About Auto Security 56 1 Feature Interaction 56 1 DHCP Snooping 56 1 Dynamic ARP Inspection 56 2 Port Security 56 2 Configuring Auto Security 56 2 Enabling auto security globally 56 2 Disabling auto security globally 5...

Page 53: ...uring Dynamic ARP Inspection 58 1 About Dynamic ARP Inspection 58 1 ARP Cache Poisoning 58 2 Purpose of Dynamic ARP Inspection 58 2 Interface Trust State Security Coverage and Network Configuration 58 3 Relative Priority of Static Bindings and DHCP Snooping Entries 58 4 Logging of Dropped Packets 58 4 Rate Limiting of ARP Packets 58 4 Port Channels Function 58 5 Configuring Dynamic ARP Inspection ...

Page 54: ...er Options from a Central DHCP Server 59 19 Configuring the Central DHCP Server to Update DHCP Options 59 20 Configuring the Remote Device to Import DHCP Options 59 20 Configuring DHCP Address Allocation Using Option 82 59 21 Enabling Option 82 for DHCP Address Allocation 59 21 Defining the DHCP Class and Relay Agent Information Patterns 59 21 Defining the DHCP Address Pool 59 22 Configuring Stati...

Page 55: ...ing 60 7 Enabling DHCP Snooping on the Aggregation Switch 60 9 Enabling DHCP Snooping and Option 82 60 10 Enabling DHCP Snooping on Private VLAN 60 12 Configuring DHCP Snooping on Private VLAN 60 12 Configuring DHCP Snooping with an Ethernet Channel Group 60 12 Enabling the DHCP Snooping Database Agent 60 13 Limiting the Rate of Incoming DHCP Packets 60 13 Configuration Examples for the Database A...

Page 56: ...elay Agent 61 5 Configuring LDRA Functionality on a VLAN 61 5 Configuring LDRA Functionality on an Interface 61 6 Verifying the LRDA Configuration 61 7 Configuring CAPWAP Access Points 61 8 Configuration Examples for DHCPv6 Options Support 61 9 Example Configuring the DHCPv6 Relay Agent 61 9 Example Configuring LDRA Functionality on a VLAN 61 9 Example Configuring LDRA Functionality on an Interfac...

Page 57: ... Configuration Guidelines 62 22 Creating and Deleting VLAN Maps 62 22 Examples of ACLs and VLAN Maps 62 23 Applying a VLAN Map to a VLAN 62 25 Using VLAN Maps in Your Network 62 25 Denying Access to a Server on Another VLAN 62 27 Displaying VLAN Access Map Information 62 28 Using VLAN Maps with Router ACLs 62 28 Guidelines for Using Router ACLs and VLAN Maps on the Same VLAN 62 29 Examples of Rout...

Page 58: ...onfiguring IPv6 OG ACLs 62 46 Guidelines and Restrictions for Configuring IPv6 OG ACLs 62 46 Creating a IPv6 Address Network Object Group 62 46 Creating an IPv6 Service Object Group 62 47 Configuring an IPv6 OG ACL 62 48 Applying an IPv6 OG ACL to an Interface 62 48 Verifying IPv6 OG ACLs 62 49 Configuring RA Guard 62 49 Introduction 62 50 Deployment 62 50 Configuring RA Guard 62 51 Examples 62 51...

Page 59: ...roadcast Storm Control 65 2 Enabling Multicast Storm Control 65 4 Disabling Broadcast Storm Control 65 5 Disabling Multicast Storm Control 65 6 Displaying Storm Control 65 6 Configuring SPAN and RSPAN 66 1 About SPAN and RSPAN 66 1 SPAN and RSPAN Concepts and Terminology 66 3 SPAN Session 66 3 Traffic Types 66 3 Source Port 66 4 Destination Port 66 5 VLAN Based SPAN 66 5 SPAN Traffic 66 6 SPAN and...

Page 60: ...ing Ports from an RSPAN Session 66 20 Specifying VLANs to Monitor 66 21 Specifying VLANs to Filter 66 23 Displaying SPAN and RSPAN Status 66 24 Configuring ERSPAN 67 1 Prerequisites for ERSPAN 67 1 Restrictions for ERSPAN 67 2 Information About ERSPAN 67 2 ERSPAN Overview 67 2 ERSAN Sources 67 4 How to Configure ERSPAN 67 5 Configuring an ERSPAN Source Session 67 5 Configuration Examples for ERSPA...

Page 61: ...10 Wireshark on VSS 68 11 How to Configure Wireshark 68 11 Default Wireshark Configuration 68 11 Defining Modifying or Deleting a Capture Point 68 12 Examples 68 13 Activating and Deactivating a Capture Point 68 14 Configuring Wireshark on VSS 68 14 Monitoring Wireshark 68 14 Configuration Examples for Wireshark 68 15 Example Displaying a Brief Output from a pcap File 68 15 Example Displaying Deta...

Page 62: ...Boolean Expression 69 5 Configuring a Tracked List with a Weight Threshold 69 6 Configuring a Tracked List with a Percentage Threshold 69 7 Configuring HSRP Object Tracking 69 8 Configuring Other Tracking Characteristics 69 9 Configuring IP SLAs Object Tracking 69 9 Configuring Static Routing Support 69 11 Configuring a Primary Interface 69 11 Configuring a Cisco IP SLAs Monitoring Agent and Track...

Page 63: ...ng OBFL 71 8 Configuration Examples for OBFL 71 9 Enabling OBFL Message Logging Example 71 9 OBFL Message Log Example 71 9 OBFL Component Uptime Report Example 71 10 OBFL Report for a Specific Time Example 71 10 Configuring SNMP 72 1 About SNMP 72 1 SNMP Versions 72 2 SNMP Manager Functions 72 3 SNMP Agent Functions 72 4 SNMP Community Strings 72 4 Using SNMP to Access MIB Variables 72 4 SNMP Noti...

Page 64: ... Usage Guidelines 73 5 Activating Sampling on an Interface or VLAN 73 5 Examples 73 6 Usage Guidelines 73 7 Display Commands 73 8 Clear Commands 73 9 Configuring Flexible NetFlow 74 1 VSS Environment 74 1 Non VSS Environment 74 8 Configuring Ethernet OAM and CFM 75 1 About Ethernet CFM 75 2 Ethernet CFM and OAM Definitions 75 2 CFM Domain 75 3 Maintenance Associations and Maintenance Points 75 4 C...

Page 65: ...t Loopback 75 29 Configuring Y 1731 Fault Management 75 29 Default Y 1731 Configuration 75 29 Configuring ETH AIS 75 29 Using Multicast Ethernet Loopback 75 31 Managing and Displaying Ethernet CFM Information 75 31 About Ethernet OAM Protocol 75 33 OAM Features 75 34 OAM Messages 75 34 Enabling and Configuring Ethernet OAM 75 35 Ethernet OAM Default Configuration 75 35 Ethernet OAM Configuration G...

Page 66: ...Destination Profiles 77 5 Copying a Destination Profile 77 6 Subscribing to Alert Groups 77 6 Configuring Periodic Notification 77 8 Configuring Message Severity Threshold 77 8 Configuring Syslog Pattern Matching 77 8 Configuring General E Mail Options 77 9 Enabling Call Home 77 10 Testing Call Home Communications 77 10 Sending a Call Home Test Message Manually 77 10 Sending a Call Home Alert Grou...

Page 67: ...MON 79 1 About RMON 79 1 Configuring RMON 79 3 Default RMON Configuration 79 3 Configuring RMON Alarms and Events 79 3 Configuring RMON Collection on an Interface 79 5 Displaying RMON Status 79 6 Performing Diagnostics 80 1 Configuring Online Diagnostics 80 1 Configuring On Demand Online Diagnostics 80 2 Scheduling Online Diagnostics 80 2 Performing Diagnostics 80 3 Starting and Stopping Online Di...

Page 68: ...toring WCCP Configuration Settings 81 9 WCCP Configuration Examples 81 9 Example Performing a General WCCP Configuration 81 10 Example Running a Web Cache Service 81 10 Example Running a Reverse Proxy Service 81 10 Example Running TCP Promiscuous Service 81 11 Example Running Redirect Access List 81 12 Example Using Access Lists 81 12 Example Setting a Password for a Switch and Content Engines 81 ...

Page 69: ...Lite Subinterface Configuration EVN Trunk Configuration 83 13 SQoS and EVN 83 14 Configuring Easy Virtual Networks 83 14 Enabling a Subset of VRFs over a Trunk Interface 83 15 Configuring EVN Edge Interfaces 83 16 Verifying EVN Configuration 83 16 Changing the Inherited IP Address for Subinterfaces 83 17 Configuration Examples for Configuring EVN 83 18 Example Virtual Networks Using OSPF with netw...

Page 70: ...15 2 5 Ex ROM Monitor Command Descriptions 84 3 Configuration Register 84 3 Changing the Configuration Register Manually 84 3 Changing the Configuration Register Using Prompts 84 4 Console Download 84 4 Error Reporting 84 5 Debug Commands 84 5 Exiting the ROM Monitor 84 6 ...

Page 71: ...mmand Line Interfaces Describes how to use the CLI Chapter 3 Configuring the Switch for the First Time Describes how to perform a baseline configuration of the switch Chapter 4 Administering the Switch Describes how to administer the switch Chapter 5 Configuring Virtual Switching Systems Describes how to configure Virtual Switching Systems Chapter 7 Configuring the Cisco IOS In Service Software Up...

Page 72: ...e VLANs VTP and VMPS Chapter 18 Configuring IP Unnumbered Interface Describes how to configure IP Unnumbered support Chapter 19 Configuring Layer 2 Ethernet Interfaces Describes how to configure interfaces to support Layer 2 features including VLAN trunks Chapter 20 Configuring EVC Lite Describes how to enable EVC Lite Chapter 21 Configuring SmartPort Macros Describes how to configure SmartPort ma...

Page 73: ... 38 Configuring IP Multicast Describes how to configure IP Multicast Multilayer Switching MMLS Chapter 39 Configuring ANCP Client Describes how to configure ANCP Chapter 40 Configuring Bidirection Forwarding Detection Describes how to configure Bidirectional Forwarding Detection Chapter 42 Configuring Policy Based Routing Describes how to configure policy based routing Chapter 43 Configuring VRF l...

Page 74: ...PAN and RSPAN Describes how to configure the Switched Port Analyzer SPAN Chapter 68 Configuring Wireshark Describes how to configure Wireshark the Ethernet Analyzer on the Catalyst 4500 series switch Chapter 69 Configuring Enhanced Object Tracking Describres how to configure Enhanced Object Tracking Chapter 70 Configuring System Message Logging Describes how to configure system message logging Cha...

Page 75: ...s book Chapter Title Description Convention Description boldface font Commands command options and keywords are in boldface italic font Command arguments for which you supply values are in italics Command elements in square brackets are optional x y z Alternative keywords in command lines are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in bracke...

Page 76: ...500inst html Catalyst 4500 E series Switches Installation Guide http www cisco com en US docs switches lan catalyst4500 hardware catalyst4500e installation g uide Eseries html For information about individual switching modules and supervisors refer to the Catalyst 4500 Series Module Installation Guide at http www cisco com en US docs switches lan catalyst4500 hardware configuration notes OL_25 315...

Page 77: ...talyst 4500 Series Software Configuration Guide http www cisco com en US products hw switches ps4324 products_installation_and_configurati on_guides_list html Catalyst 4500 Series Software Command Reference http www cisco com en US products hw switches ps4324 prod_command_reference_list html Catalyst 4500 Series Software System Message Guide http www cisco com en US products hw switches ps4324 pro...

Page 78: ...r the actual license texts Actually both licenses are BSD style Open Source licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright 1998 2007 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistri...

Page 79: ...ENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Original SSLeay License Copyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implement...

Page 80: ...NSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The license and distribution...

Page 81: ...rotocol Tunneling page 1 2 Cisco IOS Auto Smartport Macros page 1 2 Cisco Discovery Protocol page 1 2 Cisco Group Management Protocol CGMP server page 1 3 EtherChannel Bundles page 1 3 Ethernet CFM page 1 3 Ethernet OAM Protocol page 1 3 Flex Links and MAC Address Table Move Update page 1 3 Flexible NetFlow Supervisor Engine 7 E 7L E and 8 E only page 1 4 Internet Group Management Protocol IGMP Sn...

Page 82: ...r VLAN ID translation on trunk ports connected to a customer network Packets entering the port are mapped to a service provider VLAN S VLAN based on the port number and the original customer VLAN ID C VLAN of the packet For information on configuring 802 1Q tunneling and VLAN Mapping see Chapter 30 Configuring 802 1Q Tunneling VLAN Mapping and Layer 2 Protocol Tunneling Cisco IOS Auto Smartport Ma...

Page 83: ...tocol that includes proactive connectivity monitoring fault verification and fault isolation End to end can be provider edge to provider edge PE to PE device or customer edge to customer edge CE to CE device Ethernet CFM as specified by IEEE 802 1ag is the standard for Layer 2 ping Layer 2 traceroute and end to end connectivity check of the Ethernet network For information about CFM see Chapter 75...

Page 84: ... It enables a switch to propagate multicast data only to ports that need it IGMPv3 snooping is fully interoperable with IGMPv1 and IGMPv2 Explicit Host Tracking EHT is an extension to IGMPv3 snooping EHT enables immediate leave operations on a per port basis EHT can be used to track per host membership information or to gather statistics about all IGMPv3 group members The IGMP Snooping Querier is ...

Page 85: ...pe zone s elected BSR containing the scope zone s group range In the section Configuring a BSR and Verifying BSR Information in Step 3 under Summary Steps and Detailed Steps the command for configuring a C BSR is listed as ipv6 pim vrf vrf name bsr candidate bsr ipv6 address hash mask length priority priority value Because the original syntax mistakenly excludes scope scope value and the new optio...

Page 86: ...nces section it would be helpful to reference RFC 5059 IPv6 Multicast Listen Discovery MLD and Multicast Listen Discovery Snooping MLD is a protocol used by IPv6 multicast devices to discover the presence of multicast listeners nodes that want to receive IPv6 multicast packets on its directly attached links and to discover which multicast packets are of interest to neighboring nodes MLD snooping i...

Page 87: ...co software release or platform may not support all the features documented in a feature guide See the Feature Information table at the end of the feature guide for information about which features in that guide are supported in your software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http ...

Page 88: ...down events through encrypted Network Mobility Services Protocol NMSP location and attachment notifications to the MSE For information on configuring LLDP see Chapter 32 Configuring LLDP LLDP MED and Location Service Multiple Spanning Tree IEEE 802 1s Multiple Spanning Tree MST allows for multiple spanning tree instances within a single 802 1Q or Inter Switch Link ISL VLAN trunk MST extends the IE...

Page 89: ...S CLI MQC is the framework that implements Cisco IOS software QoS MQC allows the user to define a traffic class create a traffic policy containing the QoS feature to be applied to the traffic class and attach the traffic policy to an interface MQC is a cross Cisco baseline that provides a consistent syntax and behavior of QoS features across multiple product families Cisco IOS Software Release 12 ...

Page 90: ...a switched network For information on configuring STP see Chapter 23 Configuring STP and MST The Catalyst 4500 series switch supports the following STP enhancements Spanning tree PortFast PortFast allows a port with a directly attached host to transition to the forwarding state directly bypassing the listening and learning states Spanning tree UplinkFast UplinkFast provides fast convergence after ...

Page 91: ...ugh fiber optic or copper Ethernet cables to monitor the physical configuration of the cables and detect a unidirectional link With standard UDLD the time to detect a unidirectional link can vary from a few seconds to several minutes depending on how the timers are configured Link status messages are exchanged every couple of seconds With Fast UDLD you can detect unidirectional links in under one ...

Page 92: ...lients can use VQP queries to communicate with the VMPS server to obtain a VLAN assignment for the port based on the MAC address of the host attached to that port Virtual Switching Systems Catalyst 4500 X and Supervisor Engine 7 E 7L E and 8 E Network operators increase network reliability by configuring switches and by provisioning links to the redundant pairs Redundant network elements and redun...

Page 93: ...Layer 3 Software Features A Layer 3 switch is a high performance switch that has been optimized for a campus LAN or an intranet and it provides both wirespeed Ethernet routing and switching services Layer 3 switching improves network performance with two software functions route processing and intelligent network services Compared to conventional software based switches Layer 3 switches process mo...

Page 94: ...se intensive web based applications or interactive sessions Although you can use CEF in any part of a network it is designed for high performance highly resilient Layer 3 IP backbone switching For information on configuring CEF see Chapter 36 Configuring Cisco Express Forwarding Device Sensor Device Sensor uses protocols such as Cisco Discovery Protocol CDP Link Layer Discovery Protocol LLDP and D...

Page 95: ...Load Balancing Protocol GLBP feature provides automatic router backup for IP hosts configured with a single default gateway on a LAN Multiple first hop routers on the LAN combine to offer a single virtual first hop IP router while sharing the IP packet forwarding load GLBP devices share packet forwarding responsibilities optimizing resource usage thereby reducing costs Other routers on the LAN may...

Page 96: ...nformation about more than one feature To find information about a specific feature within a feature guide see the Feature Information table at the end of the guide Feature guides document features that are supported on many different software releases and platforms Your Cisco software release or platform may not support all the features documented in a feature guide See the Feature Information ta...

Page 97: ...NBMA network can dynamically learn the NBMA physical address of the other systems that are part of that network allowing these systems to directly communicate NHRP is a client and server protocol where the hub is the Next Hop Server NHS and the spokes are the Next Hop Clients NHCs Catalyst 4500 series switches act as NHRP clients that communicate with the NHRP hub for registration and to request t...

Page 98: ...y change occurs EIGRP checks its topology table for a suitable new route to the destination If such a route exists in the table EIGRP updates the routing table instantly You can use the fast convergence and partial updates that EIGRP provides to route Internetwork Packet Exchange IPX packets EIGRP saves bandwidth by sending routing updates only when routing information changes The updates contain ...

Page 99: ...p of contiguous OSPF networks and hosts OSPF areas are logical subdivisions of OSPF autonomous systems in which the internal topology is hidden from routers outside the area Areas allow an additional level of hierarchy different from that provided by IP network classes and they can be used to aggregate routing information and mask the details of a network These features make OSPF particularly scal...

Page 100: ...ticast traffic Support for IGMPv3 provides constrained flooding of multicast traffic in the presence of IGMPv3 hosts or routers IGMPv3 snooping listens to IGMPv3 query and membership report messages to maintain host to multicast group associations It enables a switch to propagate multicast data only to ports that need it IGMPv3 snooping is fully interoperable with IGMPv1 and IGMPv2 Explicit Host T...

Page 101: ...rvices see Chapter 38 Configuring IP Multicast NSF with SSO Non Stop Forwarding with Stateful Switchover NSF SSO offers continuous data packet forwarding in a Layer 3 routing environment during supervisor engine switchover During supervisor engine switchover NSF SSO continues forwarding data packets along known routes while the routing protocol information is recovered and validated avoiding unnec...

Page 102: ...n other information associated with a packet such as the source interface IP source address Layer 4 ports and so on This feature allows network managers more flexibility in how they configure and design their networks Starting with Release IOS XE 3 4 0SG and IOS 15 1 2 SG the PBR Recursive Next Hop feature enhances route maps to enable configuration of a recursive next hop IP address The recursive...

Page 103: ...tocol Virtual Router Redundancy Protocol VRRP is a standard based first hop redundancy protocol With VRRP a group of routers function as one virtual router by sharing one virtual IP address and one virtual MAC address The master router performs packet forwarding while the backup routers stay idle VRRP is typically used in the multi vendor first hop gateway redundancy deployment For details on VRRP...

Page 104: ...ased automated parsing applications Common uses of this feature may include direct paging of a network support engineer e mail notification to a Network Operations Center XML delivery to a support website and utilization of Cisco Smart Call Home services for direct case generation with the Cisco Systems Technical Assistance Center TAC The Call Home feature can deliver alert messages containing inf...

Page 105: ... Mediatrace for post deployment troubleshooting for any network related performance issues The traffic simulator includes a sophisticated scheduler that allows the user to run several tests simultaneously or periodically and over extended time periods Supported only on switches running the Enterprise Services feature set For information on configuring this feature see the Configuring Cisco IOS IP ...

Page 106: ...pply policies on the media streams Across the Medianet system Flow Metadata is produced transported stored retrieved and acted on consistently by a wide variety of Medianet services The Flow Metadata infrastructure provides a framework that allows data from one component be available to another component on the same network element as well as across network elements Flow Metadata is supported on r...

Page 107: ...only be configured to monitor ingress traffic Packets cannot be monitored by both CEure and the rxSPAN session with encapsulation The first applied configuration takes precedence Not all packets received by an interface can be monitored After a packet is received by an ingress interface it might be either unable to make a forwarding decision or dropped at various stages because of configured secur...

Page 108: ...With this feature your switch the DHCP client is automatically configured at startup with IP address information and a configuration file For DHCP server configuration information refer to the chapter Configuring DHCP in the Cisco IOS IP and IP Routing Configuration Guide at the following URL http www cisco com en US docs ios ipaddr configuration guide iad_dhcp_rdmp_ps6350_TSD_P roducts_Configurat...

Page 109: ...Embedded Event Manager Embedded Event Manager EEM is a distributed and customized approach to event detection and recovery offered directly in a Cisco IOS device EEM offers the ability to monitor events and take informational corrective or any desired EEM action when the monitored events occur or when a threshold is reached An EEM policy is an entity that defines an event and the actions to be tak...

Page 110: ...n to refine the power consumption of an 802 3af compliant PD beyond the granularity of power consumption provided by the 802 3af class Power negotiation also enables the backward compatibility of newer PDs with older modules that do not support either 802 3af or high power levels as required by IEEE standard For more information on Intelligent Power Management see the Intelligent Power Management ...

Page 111: ...d Power over Ethernet supports scalable manageable power delivery and simplifies IP telephony deployments As wireless networking emerged Power over Ethernet began powering wireless devices in locations where local power access did not exist For more information on Power over Ethernet see Chapter 15 Configuring Power over Ethernet Secure Shell Secure Shell SSH is a program that enables you to log i...

Page 112: ...ending on whether the packet is valid Mirror packets sent to or from the CPU out of a SPAN destination port for troubleshooting purposes For information on SPAN see Chapter 66 Configuring SPAN and RSPAN Remote SPAN RSPAN is an extension of SPAN where source ports and destination ports are distributed across multiple switches allowing remote monitoring of multiple switches across the network The tr...

Page 113: ... Note Wireshark is supported only on Supervisor Engine 7 E Supervisor Engine 7L E Supervisor Engine 8 E and Catalyst 4500X Starting with Cisco IOS Release XE 3 3 0SG and the IP Base and Enterprise Services feature sets the Catalyst 4500 series switch supports Wireshark This is a packet analyzer program formerly known as Ethereal that supports multiple protocols and presents information in a graphi...

Page 114: ...his security feature consists of the following 802 1X Authentication for Guest VLANs Allows you to use VLAN assignment to limit network access for certain users 802 1X Authentication Failed Open Assignment Allows you to configure a switch to handle the case when a device fails to authenticate itself correctly through 802 1X for example not providing the correct password 802 1X Authentication with ...

Page 115: ...the Catalyst 4500 series switch will proxy an 802 1X authentication request based on the device s MAC address 802 1X with RADIUS Provided Session Timeouts Allows you to specify whether a switch uses a locally configured or a RADIUS provided reauthentication timeout 802 1X with Unidirectional Controlled Port Allows the Wake on LAN WoL magic packets to reach a workstation attached to an unauthorized...

Page 116: ...e Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path The tag called the security group tag SGT allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic For more information refer to the following URL http www cisco com en US docs switch...

Page 117: ...so that when a switchover occurs the newly active supervisor engine is aware of the DHCP data that was already snooped and the security benefits continue uninterrupted For DHCP server configuration information refer to the chapter Configuring DHCP in the Cisco IOS IP and IP Routing Configuration Guide at the following URL http www cisco com en US docs ios ipaddr configuration guide iad_dhcp_rdmp_p...

Page 118: ... malicious host from attacking a network by hijacking neighbor host s IP address For information on configuring IP Source Guard see Chapter 60 Configuring DHCP Snooping IP Source Guard and IPSG for Static Hosts IP Source Guard for Static Hosts This feature allows you to secure the IP address learned from static hosts by using ARP packets and then bind that IP address to a given MAC address using t...

Page 119: ...level configuration The following caveats are specific for Data Glean Prefix Guard and Source Guard enabled on a Catalyst 4500 series switch First Hop Security FHS cannot be configured on the same port or VLAN as dot1X because the latter asserts control over the MAC table and FHS requires similar control to allow only valid NDP or DHCPv6 hosts If unicast Rpf unicast reverse path forwarding uRPF is...

Page 120: ...witch For additional information refer to the following URL http www cisco com en US docs ios sec_user_services configuration guide sec_cfg_authentifcn_ps635 0_TSD_Products_Configuration_Guide_Chapter html Network Admission Control Network Admission Control consists of two features NAC Layer 2 IP validation NAC Layer 2 IP is an integral part of Cisco Network Admission Control It offers the first l...

Page 121: ...ion on ACLs MACLs VLAN maps MAC address filtering and Port ACLs see Chapter 62 Configuring Network Security with ACLs Port Security Port security restricts traffic on a port based upon the MAC address of the workstation that accesses the port Trunk port security extends this feature to trunks including private VLAN isolated trunks on a per VLAN basis Sticky port security extends port security by s...

Page 122: ...US docs ios xml ios san configuration xe 3se 3850 san overview html Storm Control Broadcast suppression is used to prevent LANs from being disrupted by a broadcast storm on one or more switch ports A LAN broadcast storm occurs when broadcast packets flood the LAN creating excessive traffic and degrading network performance Errors in the protocol stack implementation or in the network configuration...

Page 123: ...ance to the failure point is also supported For information about TDR see Chapter 10 Checking Port Status and Connectivity Debugging Features The switch has several commands to help you debug your initial setup These commands are included in the following command groups platform debug platform For more information refer to the command reference guide Web based Authentication The web based authenti...

Page 124: ...1 44 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 1 Product Overview ...

Page 125: ...d in this chapter see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location http www cisco com en US products hw switches ps4324 index html If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS library See related publications at this location http www cisco com en US products ps6350 index html ...

Page 126: ...ection procedures To access the switch through the console interface perform this task After accessing the switch through the EIA TIA 232 interface you see this display Press Return for Console prompt Switch enable Password Switch Accessing the CLI Through Telnet Note Before you make a Telnet connection to the switch you must set the IP address for the switch See the Configuring Physical Layer 3 I...

Page 127: ...d at the prompt Table 2 1 lists the keyboard shortcuts for entering and editing switch commands Command Purpose Step 1 telnet hostname ip_addr From the remote host enter the telnet command and the name or IP address of the switch you want to access Step 2 Password password Switch At the prompt enter the password for the CLI If no password has been configured press Return Step 3 Enter the necessary...

Page 128: ...mode Only a small subset of commands are available in EXEC mode To have access to all commands you must enter privileged EXEC mode also called enable mode To access the privileged EXEC mode you must enter a password When you are in the privileged EXEC mode you can enter any EXEC command or access global configuration mode Most EXEC commands are one time commands such as show commands which display...

Page 129: ...r sequence enter those characters followed by the question mark Do not include a space before the question mark This form of help is called word help because it completes a word for you Table 2 3 Frequently Used Cisco IOS Command Modes Mode What You Use It For How to Access Prompt User EXEC To connect to remote devices change terminal settings on a temporary basis perform basic tests and display s...

Page 130: ... of the standby supervisor engine You must connect to the standby console to access monitor or debug the standby supervisor Virtual Console for Standby Supervisor Engine enables you to access the standby console from the active supervisor engine without requiring a physical connection to the standby console It uses IPC over EOBC to communicate with the standby supervisor engine and thus emulate th...

Page 131: ...console displays it on the supervisor screen The virtual console is noninteractive Because the virtual console does not detect the interactive nature of a command any command that requires user interaction causes the virtual console to wait until the RPC timer aborts the command The virtual console timer is set to 60 seconds The virtual console returns to its prompt after 60 seconds During this ti...

Page 132: ... or free traces Chuck alloc free traces Process block dump Register memory dump Current proc stack partial decode Interrupt level stack Last 128 memory block dump To display a crash dump do the following Switch show platform crashdump Current Time 9 6 2010 15 47 21 Last Power Failure 09 06 2010 15 03 28 Last Reload Status 00002000 Last Software Reset State 00000000 Crashdump version 1 Last crash 0...

Page 133: ...k 2421FA58 Frame 9 pc 10CD155C stack 2421FA70 Frame 10 pc 1099BCFC stack 2421FB08 Frame 11 pc 10992CEC stack 2421FB10 Pushed stack 2421F930 2421F940 10999E34 2421F940 15868B74 2421F940 2421F948 11B430B8 2421F9B0 10C84444 2421F950 2421F978 00000000 00000000 00000000 2421F960 00000000 2421F9C0 00000000 240CC3C8 2421F970 2421F990 11AE7394 00000006 FFFFFFFF 2421F980 00000000 00000000 00000000 14BE0000...

Page 134: ...C 2421F8E0 2421F8F8 00000000 00000000 00000000 2421F8F0 15868B74 15868B74 2421F910 117CF5C0 2421F900 2421F968 1586A45C 2421F920 15868B74 2421F910 2421F918 00000000 14850000 00000000 2421F920 2421F930 10999978 2421F930 00000000 Malloc and Free Traces MallocFree Trace ixmallocfree 0x2C ptr 0x151A40D8 151A3F78 2366B628 11AF1144 2366B628 11AF1348 2366B66C 60000024 2447A940 11AF1350 151A3F98 2447A940 3...

Page 135: ...10C7F17C 15870340 10C84B24 10C7F17C 151A3950 15870340 10C7FE38 10C7F17C 1586D3B8 10C7FE38 10C7F17C 151A3938 15870340 10C84B24 10C7F17C 1586D760 10C84B24 10C7F17C 151A3920 1586D760 10C7FE38 10C7F17C 151A3C14 15870340 10C7FE38 10C7F17C 1586D760 10C84B24 10C7F17C 151A3BFC 1586D3B8 10C84B24 10C7F17C 1586D3B8 10C7FE38 10C7F17C 151A3BE4 1586D760 10C7FE38 10C7F17C 1586D3B8 10C84B24 10C7F17C 151A3BCC 1587...

Page 136: ...0 2421F7D0 11AD3144 A A 2421F7D8 11C10390 2421F7E0 2421F7DC 11BB0424 2421F7F0 11BB04E4 2433FCD4 FFFFFFFE 2421F800 107CF880 7FFFFFFF 2421F7FC FFFFFFFE 2421F8A8 107CCDF0 20637261 73686475 6D700000 0 2421F840 2421F81C 0 2421F8B0 0 4A 2E8A00 39760000 4A 0 2421F83C 2433FCF0 2421F848 2433FCF0 0 11A12ACC 13CD617C 10C7DAAC 0 2421F85C 2421F8AC 10CD0984 0 156CA504 156CA504 1 0 0 2421F87C 0 0 0 0 0 0 0 15870...

Page 137: ...FFFFF 156DB2E0 0 FFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 156DB300 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 156DB320 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 156DB340 FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 156DB360 15FFFFFF 10 10 10 10 FFFFFFFF FFFFFFFF FFFFFFFF 156DB380 FFFFFFFF FFFFF...

Page 138: ...29C 14BE0000 160BA4D8 13860000 13FA0000 160BA428 160BA4B0 156D6C40 14BABC00 28E47C74 137C0000 13F50000 14BAC400 0 14BE0000 0 156D6C60 84B1B7D 1BB12300 0 84B1B7D 156D6C88 132B2448 156D6C80 156D6C98 156D6C80 156D6C88 11BBE798 156D6D10 132B0C9C A0000 14800000 0 1770 156D6CA0 0 BB8 156D6CD0 1 14BAC400 0 14BE0000 146CF310 156D6CC0 146D0000 151B1AB0 156D6CF0 151B1AB0 156D6CE0 0 156D6D10 146CF310 156D6CE...

Page 139: ...1E Not RAM Addr Reg15 R3 234BBFD8 In malloc Block 0x234BBB54 Last malloc Block 0x234BBB10 Reg16 R4 A Not RAM Addr Reg17 R5 0 Not RAM Addr Reg18 R6 2421F918 Reg19 R7 0 Not RAM Addr Reg20 R8 0 Not RAM Addr Reg21 R9 0 Not RAM Addr Reg22 R10 14850000 Reg23 R11 234BBFD4 Reg24 R12 EB93A100 Not RAM Addr Reg25 R13 B4E9F3F3 Not RAM Addr Reg26 R14 10CD0984 Reg27 R15 0 Not RAM Addr Reg28 R16 156CA504 In mall...

Page 140: ...6198 10999EB4 482E2201 8001000C 7C0803A6 38210008 4E800020 7C681B78 7C6A1B78 39200000 10999ED4 89630000 2F8B0000 419E0078 380BFF9F 2B800005 40BD0010 380BFFD0 2B800009 10999EF4 419D0060 552B2036 880A0000 7C000774 2F800039 419D0014 7D2B0214 3929FFD0 10999F14 394A0001 48000018 892A0000 7D290774 7D2B4A14 3929FFA9 394A0001 896A0000 10999F34 2F8B0000 419E001C 380BFF9F 2B800005 40BDFFB4 380BFFD0 2B800009...

Page 141: ...50 0 0 0 0 0 0 0 0 15870770 0 0 0 0 0 0 0 FD0110DF 15870790 AB1234CD FFFE0000 0 13D9A594 10CA1538 158707DC 1586B958 80000012 158707B0 1 4928F581 0 1 23C0BED0 0 0 0 158707D0 1449E540 F FD0110DF AB1234CD FFFE0000 0 13D2B910 10C89680 158707F0 15870840 158707A4 8000001E 1 38210008 158711F0 13D40DB8 0 15870810 13D3EC78 0 0 0 10CC65BC 7 144B0254 15870868 15870830 158708AC 0 0 FD0110DF AB1234CD FFFE0000 ...

Page 142: ... ios sys 179 Copyright c 1986 2010 by Cisco Systems Inc Compiled Mon 06 Sep 10 22 11 by cisco Sep 6 06 21 23 363 Slot 0 delete Sep 6 06 21 23 363 K5SuperportSetConfig Sep 6 06 21 23 363 num of Superports 4 SuperportIds 57 57 57 57 Sep 6 06 21 23 363 K5SuperportGroupMode XauiK5PortSpeedType 10G10 Sep 6 06 21 23 363 K5SuperportConfig Sep 6 06 21 23 363 K5SuperportUsageState Populated 4K5SuperportMan...

Page 143: ...TURE_ADDRESS 0x0 DDR_CAPTURE_EXT_ADDRESS 0x0 DDR_ERR_SBE 0xff0000 PCI_ERR_DR 0x0 PCI_ERR_ATTRIB 0x0 PCI_ERR_ADDR 0x0 PCI_ERR_EXT_ADDR 0x0 PCI_ERR_DH 0x0PCI_ERR_DL 0x0 Machine Check Interrupt Count 0 L1 Instruction Cache Parity Errors 0 L1 Instruction Cache Parity Errors CPU30 0 L1 Data Cache Parity Errors 0 Jawa Crash Data Interrupt Mask 0xe180 Interrupt 0x0 GalK5DriverMan 0 SlotType 3 State GalK5...

Page 144: ...2 20 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 2 Command Line Interfaces Displaying a Crash Dump for Supervisor Engine 6 E and 6L E ...

Page 145: ...d page 3 25 Modifying the Supervisor Engine Startup Configuration page 3 25 Replacing and Rolling Back Configuration page 3 33 Resetting a Switch to Factory Default Settings page 3 34 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 450...

Page 146: ...ion to Internet hosts and internetworking devices This protocol consists of two components one component for delivering configuration parameters from a DHCP server to a device and another component that is a mechanism for allocating network addresses to devices DHCP is built on a client server model in which designated DHCP servers allocate network addresses and deliver configuration parameters to...

Page 147: ...Configuring the DHCP Server section on page 3 4 If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid if configuration error exists the client returns a DHCPDECLINE broadcast message to the DHCP server The DHCP server sends the client a DHCPNAK denial broadcast message which means that the offered configuration parameters have not been assigned that an err...

Page 148: ...r the switch replies to client requests with only those parameters that are configured If the IP address and subnet mask are not in the reply the switch is not configured If the router IP address or TFTP server name or IP address are not found the switch might send broadcast instead of unicast TFTP requests Unavailability of other lease options does not impact autoconfiguration The DHCP server or ...

Page 149: ...to forward the TFTP packets to the TFTP server For more information see the Configuring the Relay Device section on page 3 5 The preferred solution is to configure either the DHCP server or the DHCP server feature running on your switch with all the required information Configuring the DNS Server The DHCP server or the DHCP server feature running on your switch uses the DNS server to resolve the T...

Page 150: ...med configuration file from the base directory of the server and upon receipt completes its boot up process Only the IP address is reserved for the switch and provided in the DHCP reply The configuration filename is not provided two file read method The switch receives its IP address subnet mask and the TFTP server address from either the DHCP server or the DHCP server feature running on your swit...

Page 151: ... DHCP Based Autoconfiguration Network Example Table 3 2 shows the configuration of the reserved leases on either the DHCP server or the DHCP server feature running on your switch Switch 1 00e0 9f1e 2001 Cisco router 49066 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP server DNS server TFTP server maritsu 10 0 0 1 10 0 0 10 10 0 0 2 10 0 0 3 Switch 4 00e0 9f1e 2004 Table 3 2 DHCP Server Conf...

Page 152: ...figuration No configuration file is present on Switch 1 through Switch 4 Configuration Explanation In Figure 3 3 Switch 1 reads its configuration file as follows Switch 1 obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch 1 reads the network confg file from the base directory of the TFTP server Switch 1 adds the contents of t...

Page 153: ... Z Switch config Step 4 At the global configuration mode prompt enter the interface type slot interface command to enter interface configuration mode Switch config interface fastethernet 5 1 Switch config if Step 5 In either of these configuration modes enter changes to the switch configuration Step 6 Enter the end command to exit configuration mode Step 7 Save your settings See the Saving the Run...

Page 154: ...changes to the configuration or changes to the startup configuration in NVRAM enter the copy running config startup config command at the enable prompt as follows Switch copy running config startup config Reviewing the Configuration in NVRAM To display information stored in NVRAM enter the show startup config EXEC command The following example shows a typical system configuration Switch show start...

Page 155: ...ault gateway perform this task This example shows how to configure a default gateway and how to verify the configuration Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip default gateway 172 20 52 35 Switch config end 3d17h SYS 5 CONFIG_I Configured from console by console Switch show ip route Default gateway is 172 20 52 35 Host Gateway Last Use ...

Page 156: ...utput truncated ip default gateway 172 20 52 35 ip classless ip route 171 10 5 10 255 255 255 255 172 20 3 35 no ip http server line con 0 transport input none line vty 0 4 exec timeout 0 0 password lab login transport input lat pad dsipcon mop telnet rlogin udptn nasi end Switch This example shows how to use the ip route command to configure the static route IP address 171 20 5 3 with subnet mask...

Page 157: ...a Static enable Password page 3 13 Using the enable password and enable secret Commands page 3 14 Setting or Changing a Privileged Password page 3 14 Controlling Switch Access with TACACS page 3 15 Encrypting Passwords page 3 22 Configuring Multiple Privilege Levels page 3 23 Setting or Changing a Static enable Password To set or change a static password that controls access to the enable mode ent...

Page 158: ...cessible at various levels If you enable the service password encryption command the password you enter is encrypted When you display the password with the more system running config command the password displays the password in encrypted form If you specify an encryption type you must provide an encrypted password an encrypted password you copy from another switch configuration Note You cannot re...

Page 159: ...age 3 17 Configuring TACACS page 3 17 Displaying the TACACS Configuration page 3 22 Understanding TACACS TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS s...

Page 160: ...ommands access control session duration or protocol support You can also enforce restrictions on the commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user bi...

Page 161: ...s prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT authorizatio...

Page 162: ... the encryption key perform this task beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identifies the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a list of preferred hosts The software searches for hosts in the order in ...

Page 163: ...ically applied to all ports except those that have a named method list explicitly defined A defined method list overrides the default method list A method list describes the sequence and authentication methods that must be queried to authenticate a user You can designate one or more security protocols for authentication ensuring a backup system for authentication in case the initial method fails T...

Page 164: ...enable password by using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 3 18 line Use the line password for authentication Before you can use this authenticatio...

Page 165: ...ven if authorization has been configured To specify TACACS authorization for privileged EXEC access and network services perform this task beginning in privileged EXEC mode To disable authorization use the no aaa authorization network exec method1 global configuration command Starting TACACS Accounting The AAA accounting feature tracks the services that users are accessing and the amount of networ...

Page 166: ...sole and virtual terminal line access passwords and Border Gateway Protocol BGP neighbor passwords The service password encryption command keeps unauthorized individuals from viewing your password in your configuration file Caution The service password encryption command does not provide a high level of network security If you use this command you should also take additional network security measu...

Page 167: ...ribe how to configure additional levels of security Setting the Privilege Level for a Command page 3 23 Changing the Default Privilege Level for Lines page 3 23 Logging In to a Privilege Level page 3 24 Exiting a Privilege Level page 3 24 Displaying the Password Access Level and Privilege Level Configuration page 3 24 Setting the Privilege Level for a Command To set the privilege level for a comma...

Page 168: ...nd access level configuration Switch show running config Building configuration Current configuration version 12 0 service timestamps debug datetime localtime service timestamps log datetime localtime no service password encryption hostname Switch boot system flash sup bootflash enable password lab output truncated This example shows how to display the privilege level configuration Switch show pri...

Page 169: ...Step 8 Reboot the system Modifying the Supervisor Engine Startup Configuration These sections describe how the startup configuration on the supervisor engine works and how to modify the BOOT variable and the configuration register Understanding the Supervisor Engine Boot Configuration page 3 25 Configuring the Software Configuration Register page 3 26 Specifying the Startup System Image page 3 31 ...

Page 170: ... always enabled for five seconds after you reboot the switch regardless of whether the configuration register setting has Ctrl C disabled The ROM monitor has these features Power on confidence test Hardware initialization Boot capability manual bootup and autoboot File system read only while in ROMMON Configuring the Software Configuration Register The switch uses a 16 bit software configuration r...

Page 171: ... numbers Table 3 4 Explanation of Boot Field Configuration Register Bits 00 to 03 Boot Field Meaning 00 Stays at the system bootstrap prompt does not autoboot 01 Boots the first file in onboard flash memory 02 Auto boots using image s specified by the BOOT environment variable If more than one image is specified the switch attempts to boot the first image specified in the BOOT variable As long as ...

Page 172: ... configuration file Caution If you set bootfield to a value between 0 0 1 0 and 1 1 1 1 you must specify a value in the boot system command else the switch cannot boot up and remains in ROMMON You can enter the boot command only or enter the command and include additional boot instructions such as the name of a file stored in flash memory or a file that you specify for booting from a network serve...

Page 173: ...nfiguration mode Step 5 Switch reload Reboots the switch to make your changes take effect Command Purpose Step 1 Switch enable Enters the privileged EXEC mode Enter the password if required Step 2 Switch configure terminal Enters configuration mode and specifies the terminal option Step 3 Switch config config register 0x102 Sets the contents of the configuration register to the specified value whe...

Page 174: ...ch uptime is 1 minute System returned to ROM by power on System image file is tftp 172 25 60 31 auto gsg sw interim flo_dsgs7 newest_image ios dev cat4500e entservic es mz Darkside Revision 4 Jawa Revision 20 Tatooine Revision 141 Forerunner Revision 1 83 cisco WS C4503 E MPC8548 processor revision 6 with 1048576K bytes of memory Processor board ID SPE120301X8 MPC8548 CPU at 1 33GHz Supervisor 6 E...

Page 175: ...Last reset from Reload 1 Virtual Ethernet interface 96 Gigabit Ethernet interfaces 4 Ten Gigabit Ethernet interfaces 511K bytes of non volatile configuration memory Configuration register is 0x40 Specifying the Startup System Image You can enter multiple boot commands in the startup configuration file or in the BOOT environment variable to provide backup methods for loading a system image The BOOT...

Page 176: ... section Copy Configuration Files from a Network Server to the Router in chapter Managing Configuration Files of the Managing Configuration Files Configuration Guide at the following URL http www cisco com c en us td docs ios xml ios config mgmt configuration xe 3e config mgmt xe 3e book cm config files html Configure the system to boot automatically from the desired file in flash memory You might...

Page 177: ...d Rolling Back Configuration For detailed information about this feature see the Configuration Replace and Configuration Rollback chapter of the Managing Configuration Files feature guide on cisco com The following restrictions pertain to the use of this feature on a Catalyst 4500 series switch You cannot use this feature to convert a VSS system to a non VSS standalone system or the other way arou...

Page 178: ...g the last power failure timestamp Clearing all ROMMON variables Setting default ROMMON variables ConfigReg 0x2101 PS1 rommon EnableAutoConfig 1 Setting vtp mode to transparent WARNING Please reboot the system for the changes to take effect Switch 00 01 48 SYS 7 NV_BLOCK_INIT Initialized the geometry of nvram Switch If the Catalyst 4500 series switch is accessible to a TFTP server you can copy an ...

Page 179: ... 14 Configuring a System Name and Prompt page 4 21 Creating a Banner page 4 24 Managing the MAC Address Table page 4 28 Managing the ARP Table page 4 44 Configuring Embedded CiscoView Support page 4 44 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the ...

Page 180: ...escribe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy eff...

Page 181: ...llows a device to act as if it is synchronized through NTP when it is not Other devices then synchronize to that device through NTP NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a public version for systems running UNIX and its various derivatives is also available This software allows host systems to be synchronized as we...

Page 182: ...Default NTP Configuration Feature Default Setting NTP authentication Disabled No authentication key is specified NTP peer or server associations None configured NTP broadcast service Disabled no interface sends or receives NTP broadcast packets NTP access restrictions No access control is specified NTP packet source IP address The source address is set by the outgoing interface Command Purpose Ste...

Page 183: ...tion key 42 in the device s NTP packets Switch configure terminal Switch config ntp authenticate Switch config ntp authentication key 42 md5 aNiceKey Switch config ntp trusted key 42 Switch config end Switch Step 4 ntp trusted key key number Specifies one or more key numbers defined in Step 3 that a peer NTP device must provide in its NTP packets for this switch to synchronize to it By default no ...

Page 184: ...e terminal Enters global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configures the switch system clock to synchronize a peer or to be synchronized by a peer peer association or Configures the switch system clock to be synchronized by a time server server association No peer...

Page 185: ...eceiving NTP broadcast packets To configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch perform this task To disable the interface from sending NTP broadcast packets use the no ntp broadcast interface configuration command This example shows how to configure a port to send NTP Version 2 packets Switch configure terminal Switch config int...

Page 186: ... can control NTP access on two levels as described in these sections Creating an Access Group and Assigning a Basic IP Access List page 4 9 Disabling NTP Services on a Specific Interface page 4 10 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Specifies the interface to receive NTP broadcast packets and enter interface configuration mode St...

Page 187: ...ted Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 ntp access group query only serve only serve peer access list number Creates an access group and apply a basic IP access list The keywords have these meanings query only Allows only NTP control queries serve only Allows only time requests serve Allows time requests and NTP control queries but does not allow the s...

Page 188: ...for all NTP packets use the ntp source global configuration command The address is taken from the specified interface This command is useful if the address on an interface cannot be used as the destination for reply packets To configure a specific interface from which the IP source address is to be taken perform this task Command Purpose Step 1 configure terminal Enters global configuration mode S...

Page 189: ...m restart We recommend that you use manual configuration only as a last resort If you have an outside source to which the switch can synchronize you do not need to manually set the system clock These sections contain this configuration information Setting the System Clock page 4 11 Displaying the Time and Date Configuration page 4 12 Configuring the Time Zone page 4 12 Configuring Summer Time Dayl...

Page 190: ...ne perform this task The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent The necessary command is clock timezone AST 3 30 Command Purpose Step 1 co...

Page 191: ...clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Switch config end Switch Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configures summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summe...

Page 192: ...ade or downgrade from one license level to another we recommend that you use the permanent right to use PRTU license instead of the node locked license About a PRTU License page 4 15 Guidelines for the RTU License Model page 4 16 Applying a PRTU License page 4 16 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 clock summer time zone date month date year hh mm mont...

Page 193: ...other device because the license is bundled with the image So by upgrading the IOS image you obtain the PRTU license Benefits of a PRTU License They are not associated with a specific switch With the node locked license model in a release prior to IOS Cisco XE 3 4 2SG a license was applicable to a specific switch UID Therefore to activate a license on a new switch you had to obtain a new license f...

Page 194: ...switch Step 2 Apply the license by entering the appropriate commands on your switch If you are upgrading a license on a switch enter the activation command to activate the higher license If you are moving a license from one switch to another enter the deactivation command on the first switch and the activation command on the second switch Note Prior to IOS Release XE 3 4 2SG you provided the licen...

Page 195: ...in Use EULA accepted License Count Non Counted License Priority Low Store Index 0 Store Name Dynamic Evaluation License Storage Index 2 Feature entservices Version 1 0 License Type PermanentRightToUse License State Inactive License Count Non Counted Store Index 1 Store Name Dynamic Evaluation License Storage Index 3 Feature ipbase Version 1 0 License Type Permanent Command Purpose license right to...

Page 196: ... 5_MINS WS C4507R EFOX1327G52D xLt5Q1e2VJi03pzp3GSE3PrvxwyfO SLjP0SXuZOq0f4QTXyc1pSQY51xj31fh7ZfTD6AskNyeUYT8sCUesi9IVKB8 5wsZSX1HZiXwOd9RHp3mjmnhxFDnS0e6UxjgXgqvV AQEBIf8B kh4dluXv U xjUPlzoc3 jpV9d8He4jOuba fbkmmOtaOYAoB3inJLnlLyv50VCuRqwInXo3s nsLU7rOtdOxoIxYZAo3LYmUJ MFzsqlhKoJVlPyEvQ8H21MNUjVb hoN0gyIWsyiJaM8AQIkVBQFzhr10GYolVzdzfJfEPQIx6tZ Vtc q3SF 5Ko8XCY Comment Hash Z EY3ce1csQlVpRGc5NNy5...

Page 197: ...XCY Comment Hash S3Ks G07ueugA9hMFPkXGTF12So This is an example of output from the show license statistics command Switch show license statistics Administrative statistics Install success count 4 Install failure count 1 Install duplicate count 0 Comment add count 0 Comment delete count 0 Clear count 0 Save count 0 Save cred count 0 Client status Request success count 1 Request failure count 0 Rele...

Page 198: ...se State Active In Use License Count Non Counted License Priority Medium Index 2 Feature lanbase Period left 0 seconds Index 3 Feature internal_service Period left 0 seconds This is an example of the show license evaluation command Switch show license evaluation License Store Primary License Storage License Store Dynamic License Storage StoreIndex 0 Feature entservices Version 1 0 License Type Eva...

Page 199: ...his is an example of the show license in use command Switch show license in use License Store Primary License Storage StoreIndex 1 Feature ipbase Version 1 0 License Type Permanent License State Active In Use License Count Non Counted License Priority Medium License Store Dynamic License Storage Configuring a System Name and Prompt You configure the system name on the switch to identify it By defa...

Page 200: ...s domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep track of domain names IP has defined the concept of a domain name server which holds a cache or database of names mapped to IP addresses To map domain names to IP addresses you must first identify the hostnames specify the name server that is present on your network and enable the DNS These sections c...

Page 201: ...mes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Specifies the address of one or more name servers to use for name and address resolution To remove a name server address use the no ip name...

Page 202: ...ssage of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login banner also displays on all connected terminals It appears after the MOTD banner and before the login prompts Note For complete syntax and usage information for the commands used in this s...

Page 203: ...aracter signifies the beginning and end of the banner text Characters after the ending delimiter are discarded Note When configuring a banner using the sign as a delimeter on Supervisor Engine 7 E and Supervisor Engine 7L E you must first turn off shell processing with the no shell processing command Else you can not exit from the banner configuration With shell processing enabled Sup7 conf t Ente...

Page 204: ...dministering the Switch Creating a Banner This example shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is it is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password ...

Page 205: ...nner text Characters after the ending delimiter are discarded Note When configuring a banner using the sign as a delimeter on Supervisor Engine 7 E and Supervisor Engine 7L E you must first turn off shell processing with the no shell processing command Else you can not exit from the banner configuration With shell processing enabled Sup7 conf t Enter configuration commands one per line End with CN...

Page 206: ...ation MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syntax and usage information for the commands used in this section see the command reference for this release These sections contain this configuration information Building the Address Table page 4 28 MAC Addresses and VLANs page 4 29 Default MAC Address Table Confi...

Page 207: ...ed on the destination address of the received packet Using the MAC address table the switch forwards the packet only to the port associated with the destination address If the destination address is on the port that sent the packet the packet is filtered and not forwarded The switch always uses the store and forward method complete packets are stored and checked for errors before transmission MAC ...

Page 208: ... Setting too short an aging time can cause addresses to be prematurely removed from the table When the switch receives a packet for an unknown destination it floods the packet to all ports in the same VLAN as the receiving port This unnecessary flooding can impact performance Setting too long an aging time can cause the address table to be filled with unused addresses which prevents new addresses ...

Page 209: ...rk traffic The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and static MAC addresses events are not generated for self addresses or multicast addresses To send MAC change notification traps to an NMS host perform this task Step 4 show mac address table aging time Verifies your...

Page 210: ... value specify the maximum number of entries in the MAC notification history table The range is 0 to 500 the default is 1 To disable the MAC change notification feature use the no mac address table notification change global configuration command Step 6 interface interface id Enters interface configuration mode and specifies the interface on which to enable the SNMP MAC change notification trap St...

Page 211: ...ess table notification change history size 100 Switch config interface fastethernet0 2 Switch config if snmp trap mac notification change added Switch config if end Switch show mac address table notification change interface MAC Notification Feature is Enabled on the switch MAC Notification Flags For All Ethernet Interfaces Interface MAC Added Trap MAC Removed Trap GigabitEthernet1 1 Enabled Enabl...

Page 212: ... the name or address of the NMS Specify traps the default to send SNMP traps to the host Specify informs to send SNMP informs to the host Specify the SNMP version to support Version 1 the default is not available with informs For community string specify the string to send with the notification operation Though you can set this string by using the snmp server host command we recommend that you def...

Page 213: ... string to send with the notification operation Though you can set this string by using the snmp server host command we recommend that you define this string by using the snmp server community command before using the snmp server host command For notification type use the mac notification keyword Step 3 snmp server enable traps mac notification threshold Enables the switch to send MAC threshold no...

Page 214: ...s and define the forwarding behavior for them The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission Because all ports are associated with at least one VLAN the switch acquires the VLAN ID for the address from the ports that you specify You can specify a different list of destination ports for each source port A packet with a static address t...

Page 215: ...es can be configured to be dropped CPU destined address cannot be configured as drop address Packets that are forwarded to the CPU are also not supported Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 mac address table static mac addr vlan vlan id interface interface id Adds a static address to the MAC address table For mac addr specify the destination MAC unicas...

Page 216: ...how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3 220a 12f4 When a packet is received in VLAN 4 with this MAC address as its source or destination the packet is dropped Switch configure terminal Switch config mac address table static c2f3 220a 12f4 vlan 4 drop Switch config end Switch Note To filter MAC address...

Page 217: ... page 4 42 Feature Incompatibility page 4 43 Configuring Disable MAC Address Learning To disable MAC address learning on a VLAN perform this task This example shows how to disable learning on any VLAN or range of VLANs Switch configure terminal Switch config no mac address table learning vlan 9 16 Switch config end Switch Switch show mac address table learning Learning disabled on vlans 9 11 13 16...

Page 218: ...ry VLANs Otherwise you encounter traffic flooding in one direction and unicast flooding in the other direction To disable MAC address learning on a VLAN consider the flooding implications Deployment Scenarios This section includes these deployment scenarios Metro Point to Point Links page 4 40 Network Load Balancers page 4 41 Layer 2 Firewall or Cache page 4 42 Metro Point to Point Links In this t...

Page 219: ...sabled on this VLAN the packet is flooded and both devices receive all traffic destined to any MAC address on the VLAN You also can assign a multicast MAC address to both load balancers to ensure that all packets reach them Figure 4 3 Figure 4 3 Disabling MAC Address Learning Network Load Balancers Core Switch R Core Switch R Access Switch External FW interface Internal FW interface External FW in...

Page 220: ...following features are compatible with disabling MAC address learning on a VLAN EtherChannel The learning disable feature has no impact on EtherChannel provided that the MAC learning state is either disabled or enabled for a VLAN on EtherChannel ports Switch Virtual Interface SVI Layer 3 on a VLAN The learning disable feature has no impact on SVI Although disabling MAC address learning on a SVI VL...

Page 221: ...the packet the two features are incompatible Broadcast storm control This feature does not interact with the learning disable feature Flooding of packets in a VLAN domain in which learning is disabled through PVL Partial Feature Incompatibility Although the following features are partially incompatible with disabling MAC address learning they still retain a large portion of their functionality Fle...

Page 222: ...sing the Catalyst Web Interface CWI tool CiscoView is a device management application that can be embedded on the switch flash and provides dynamic status monitoring and configuration information for your switch CiscoView displays a physical view of your switch chassis with color coded modules and ports and monitoring capabilities that display the switch status performance and other statistics Con...

Page 223: ...Purpose Step 1 Switch dir device_name Displays the contents of the device If you are installing Embedded CiscoView for the first time or if the CiscoView directory is empty skip to Step 5 Step 2 Switch delete device_name cv Removes existing files from the CiscoView directory Step 3 Switch squeeze device_name Recovers the space in the file system Step 4 Switch copy tftp bootflash Copies the tar fil...

Page 224: ...del cv Delete filename cv Delete bootflash cv Cat4000IOS 4 0 sgz confirm y Delete bootflash cv Cat4000IOS 4 0_ace html confirm y Delete bootflash cv Cat4000IOS 4 0_error html confirm y Delete bootflash cv Cat4000IOS 4 0_install html confirm y Delete bootflash cv Cat4000IOS 4 0_jks jar confirm y Delete bootflash cv Cat4000IOS 4 0_nos jar confirm y Delete bootflash cv applet html confirm y Delete bo...

Page 225: ...0 cv Cat4000IOS 5 1 sgz 7 rw 7263 Mar 26 2003 05 36 19 00 00 cv Cat4000IOS 5 1_ace html 8 rw 410 Mar 26 2003 05 36 19 00 00 cv Cat4000IOS 5 1_error html 9 rw 2743 Mar 26 2003 05 36 19 00 00 cv Cat4000IOS 5 1_install html 10 rw 20450 Mar 26 2003 05 36 19 00 00 cv Cat4000IOS 5 1_jks jar 11 rw 20782 Mar 26 2003 05 36 19 00 00 cv Cat4000IOS 5 1_nos jar 12 rw 12388 Mar 26 2003 05 36 19 00 00 cv applet ...

Page 226: ...on information Switch show ciscoview package File source CVFILE SIZE in bytes Cat4000IOS 5 1 sgz 1956591 Cat4000IOS 5 1_ace html 7263 Cat4000IOS 5 1_error html 410 Cat4000IOS 5 1_install html 2743 Cat4000IOS 5 1_jks jar 20450 Cat4000IOS 5 1_nos jar 20782 applet html 12388 cisco x509 529 identitydb obj 2523 Switch show ciscoview version Engine Version 5 3 4 ADP Device Cat4000IOS ADP Version 5 1 ADK...

Page 227: ...d usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases This chapter consists of these sections Understanding Virtual Switching Systems page 5 1 VSS Configuration Gu...

Page 228: ...tches and links A VSS combines a pair of Catalyst 4500 or 4500 X series switches into a single network element The VSS manages the redundant links which externally act as a single port channel The VSS simplifies network configuration and operation by reducing the number of Layer 3 routing neighbors and by providing a loop free Layer 2 topology Figure 5 1 Typical Switch Network Design The following...

Page 229: ...he Layer 2 and Layer 3 control protocols for the switching modules on both switches The VSS Active switch also provides management functions for the VSS such as module online insertion and removal OIR and the console interface The VSS Active and VSS Standby switches perform packet forwarding for ingress data traffic on their locally hosted interfaces However the VSS Standby switch sends all contro...

Page 230: ...eive no cdp enable service policy output VSL Queuing Policy In VSL restricted mode only these configuration commands are available channel group default description exit load interval logging no power service policy shutdown Multichassis EtherChannel Note Beginning with Cisco Release IOS XE 3 5 0E and IOS 15 2 1 SG Layer 3 MEC is supported on the Catalyst 4500 series switch Cisco Release IOS XE 3 ...

Page 231: ...re Layer 3 Multichassis EtherChannels see For information on how to configure Layer 3 Multichassis EtherChannels see page 5 5 VSS Functionality The following sections describe the main functionality of a VSS Redundancy and High Availability page 5 5 Packet Handling page 5 6 System Management page 5 6 Quad Supervisor In chassis Standby Supervisor Engine Support page 5 6 Asymmetric chassis support p...

Page 232: ...c that must traverse the VSL System Management The VSS Active supervisor engine acts as a single point of control for the VSS For example the VSS Active supervisor engine handles OIR of switching modules on both switches The VSS Active supervisor engine uses VSL to send messages to and from local ports on the VSS Standby switch The command console on the VSS Active supervisor engine is used to con...

Page 233: ... slot 5 of switch 2 Module Number Convention IOS treats modules in both chassis as if they belong to one single chassis and the module number space is 1 20 Switch 1 receives a module number from 1 10 and switch 2 receives a number from 11 20 irrespective the chassis type supervisor type or number of slots in a chassis For example on a 3 slot chassis VSS the module numbers on switch 1 would be 1 2 ...

Page 234: ... Requirements The following sections describe the hardware requirements of a VSS Chassis and Modules page 5 8 VSL Hardware Requirements page 5 9 Multichassis EtherChannel Requirements page 5 10 Chassis and Modules Table 5 1 describes the hardware requirements for the VSS chassis and modules Table 5 1 VSS Hardware Requirements Hardware Count Requirements Chassis 2 VSS is available on a Catalyst 450...

Page 235: ...to the VSL EtherChannel with the 10 Gigabit Ethernet ports on any supported supervisor engine or linecard Supervisor Engines 2 VSS is available on Supervisor Engine 7 E Supervisor Engine 7L E Supervisor Engine 8 E and on the Catalyst 4500 X switch series All supervisor engines or systems in a VSS must match precisely Linecard 0 to as many linecard slots are available in a chassis WS X4748 12X48U E...

Page 236: ...nts Physical links from any of the supervisor engines or linecard modules can be used to implement a Multichassis EtherChannel MEC Understanding VSL Topology A VSS contains two switches that communicate using the VSL which is a special port group We recommend that you configure at least two of the 10 Gigabit 1 Gigabit Ethernet ports as VSL selecting ports from different modules Figure 5 5 shows a ...

Page 237: ...ss of software upgrade VSL related configuration in the two switches must match SSO and nonstop forwarding NSF must be configured on each switch Note See the SSO Dependencies section on page 5 26 for additional details about the requirements for SSO redundancy on a VSS See Chapter 13 Configuring Cisco NSF with SSO Supervisor Engine Redundancy for information about configuring SSO and NSF With SSO ...

Page 238: ... operates only with the MEC links that terminate on the VSS Active switch The bandwidth of the VSS is reduced until the failed switch has completed its recovery and become operational again Any devices that are connected only to the failed switch experience an outage Note The VSS may experience a brief data path disruption when the switching modules in the VSS Standby switch become operational aft...

Page 239: ...e scenario User Actions From the VSS Active switch command console you can initiate a VSS switchover or a reload If you enter the reload command from the command console it performs a reload on the switch where reload is issued To reload only the VSS Standby switch use the redundancy reload peer command To force a switchover from the VSS Active to the VSS Standby supervisor engine use the redundan...

Page 240: ...k is on the same switch as the ingress link and increases network reliability if one VSS supervisor engine fails the MEC is still operational The following sections describe possible failures and the resulting impacts Single MEC Link Failure page 5 14 All MEC Links to the VSS Active Switch Fail page 5 14 All MEC Links to the VSS Standby Switch Fail page 5 15 All MEC Links Fail page 5 15 VSS Standb...

Page 241: ...l VSS Standby Switch Failure If the VSS Standby switch fails the MEC becomes a regular EtherChannel with operational links on the VSS Active switch Connected peer switches detect the link failures and adjust their load balancing algorithms to use only the links to the VSS Active switch In Quad Supervisor VSS mode the in chassis standby ICS supervisor in the VSS Standby switch becomes the VSS Stand...

Page 242: ... the following examples Traffic within a VLAN where the known destination interface is on the peer switch Traffic that is replicated for a multicast group and the multicast receivers are on the peer switch The known unicast destination MAC address is on the peer switch The packet is a MAC notification frame destined for a port on the peer switch VSL also transports system data such as NetFlow expo...

Page 243: ...s the overhead of transporting packets between the two member switches over VSL Not all frames traverse VSL So packets confined to one of the member switches could have a size of 9216 bytes MTU of 9198 bytes Such frames may require diversion over VSL when a failure occurs This is why the max configured MTU on non VSL front panel ports is 9170 Note The MTU CLI is unavailable on a VSL interface It i...

Page 244: ...cols and performs any required software forwarding All routing protocol packets received on the VSS Standby switch are redirected to the VSS Active supervisor engine across the VSL The VSS Active supervisor engine generates all routing protocol packets to be sent out over ports on either VSS member switch Hardware forwarding is distributed across both members on the VSS The supervisor engine on th...

Page 245: ...ipath ECMP For packets traversing VSL all Layer 3 multicast replication occurs on the egress switch If there are multiple receivers on the egress switch only one packet is replicated and forwarded over the VSL and then replicated to all local egress ports Software Features Software features run only on the VSS Active supervisor engine Incoming packets to the VSS Standby switch that require softwar...

Page 246: ...flash ics Directory or file name bootflash Directory or file name cat4000_flash Directory or file name cns Directory or file name crashinfo Directory or file name kinfo Directory or file name lcfpga Directory or file name null Directory or file name nvram Directory or file name revrcsf Directory or file name slavebootflash ics Directory or file name slavebootflash Directory or file name slavecat40...

Page 247: ...nd the Web Browser User Interface page 5 21 SNMP page 5 21 Command Console page 5 22 Accessing the Remote Console on VSS page 5 22 Copying Files to Bootflash page 5 22 Transferring a Large File over VSL page 5 23 Telnet over SSH Sessions and the Web Browser User Interface A VSS supports remote access using Telnet over SSH sessions and the Cisco web browser user interface All remote access is direc...

Page 248: ...console The following example shows the prompt on the VSS Standby console Switch standby sh clock 14 04 58 705 UTC Tue Nov 20 2012 Accessing the Remote Console on VSS Note The remote login command is not supported on switches running Quad Supervisor VSS mode Remote console the Standby s console can be accessed from the Local Active switch This is available on a standalone system and works similarl...

Page 249: ...anced PAgP and Fast Hello for detecting a dual active scenario PAgP uses messaging over the MEC links to communicate between the two switches through a neighbor switch Enhanced PAgP requires a neighbor switch that supports the PAgP enhancements The dual active detection and recovery methods are described in the following sections Dual Active Detection Using Enhanced PAgP page 5 23 Dual Active Dete...

Page 250: ...cription Describes the interface dual active Specifies a virtual switch dual active config exit Exits from the fast hello interface configuration mode load interval Specifies the interval for load calculation on an interface logging Configures logging for interface no Negates a command or set its defaults shutdown Shuts down the selected interface No data traffic other than fast hello can be used ...

Page 251: ...gure terminal Switch config switch virtual domain 19 Switch config vs domain dual active recovery ip address 1 1 1 1 255 255 255 0 By default ip address is not configured for recovery mode So the switch fa1 interface is not associated with an IP address while the switch is in recovery mode This ensures that two devices do not respond to the same IP address Without the switch n option the same reco...

Page 252: ... VSL interfaces VSS initialization is described in the following sections Virtual Switch Link Protocol page 5 26 SSO Dependencies page 5 26 Initialization Procedure page 5 27 Virtual Switch Link Protocol The Virtual Switch Link Protocol VSLP consists of several protocols that contribute to virtual switch initialization The VSLP includes the following protocols Role Resolution Protocol The peer swi...

Page 253: ... NSF see Chapter 13 Configuring Cisco NSF with SSO Supervisor Engine Redundancy If these conditions are unsatisfied the VSS stops booting and ensures that the forwarding plane is not performing forwarding For a description of SSO and RPR see the VSS Redundancy section on page 5 10 Initialization Procedure The following sections describe the VSS initialization procedure VSL Initialization page 5 27...

Page 254: ...her switch initiates recovery from the dual active scenario For further information see the Configuring Dual Active Detection section on page 5 52 VSS Configuration Guidelines and Restrictions The following sections describe restrictions and guidelines for VSS configuration General VSS Restrictions and Guidelines page 5 28 Multichassis EtherChannel Restrictions and Guidelines page 5 29 Dual Active...

Page 255: ...us reloads on the standby supervisor engine When an aymmetric virtual switch i e a VSS comprising of chassis with different slot capacities boots initially after conversion from standalone mode the entPhysicalDescr object for the standby chassis does not hold the correct value The entPhysicalDescr objects for both the active and standby chassis will match and hold the value for the active chassis ...

Page 256: ...nnels page 5 48 Configuring Dual Active Detection page 5 52 Configuring Easy VSS Beginning with Cisco IOS XE 3 6 0E IOS 15 2 2 E the Catalyst 4500 series switch supports Easy VSS which enables you to configure VSS with a single command on the active switch and no action on the VSS standby switch The active switch can gather information from all switches that are Layer 3 reachable Note Quad Supervi...

Page 257: ...hat belong to the switch where we are executing the command Perform the following task on the VSS active switch that you want to make the master switch which manages the standby switch after VSS boot up The following example illustrates use of the vsl command SwitchA switch convert mode easy virtual switch easy vss VLS Local Interface Remote Interface Hostname Standby IP GigabitEthernet2 15 Gigabi...

Page 258: ...e mode the switch works independently The VSS combines two standalone switches into one virtual switch operating in virtual switch mode Note When you convert two standalone switches into one VSS all non VSL configuration settings on the VSS Standby switch will revert to the default configuration Note Preferably conversion to VSS should be done on a maintenance window If you plan to use the same po...

Page 259: ...Up the Standalone Configuration Save the configuration files for both switches operating in standalone mode You need these files to revert to standalone mode from virtual switch mode Perform this task on both switches 181325 Virtual switch link VSL Chassis A Switch 1 Chassis B Switch 2 T 5 1 T 5 2 Command Purpose Step 1 Switch 1 copy running config startup config Optional Saves the running configu...

Page 260: ...t Channel and Ports The VSL is configured with a unique port channel on each switch During the conversion the VSS configures both port channels on the VSS Active switch If the VSS Standby switch VSL port channel number has been configured for another use the VSS comes up in RPR mode To avoid this situation check that both port channel numbers are available on both of the switches Check the port ch...

Page 261: ... from 10G ports using a connector are not supported for VSL This impacts Sup7 E and Sup7L E ports Command Purpose Step 1 Switch 1 config interface port channel 10 Configures port channel 10 on Switch 1 Step 2 Switch 1 config switchport Convert to a Layer 2 port Step 3 Switch 1 config if switch virtual link 1 Associates Switch 1 as owner of port channel 10 Step 4 Switch 1 config if no shutdown Acti...

Page 262: ...t Switch 1 to virtual switch mode perform this task To convert Switch 2 to virtual switch mode perform this task on Switch 2 Command Purpose Step 1 Switch 2 config interface range tengigabitethernet 5 2 3 Enters configuration mode for interface range tengigabitethernet 5 2 3 on Switch 2 Step 2 Switch 2 config if channel group 20 mode on Adds this interface to channel group 20 Command Purpose Switc...

Page 263: ...e switch reaches Stateful Switchover SSO in the VSS The BOOT variable must point to the path of the Cisco IOS XE image and must be saved in the startup configuration For more information about ISSU upgrade see In Service Software Upgrade ISSU on a VSS page 5 56 Step 2 Insert the redundant supervisors in the appropriate slots Configure ROM monitor to auto boot on the standby supervisors of both the...

Page 264: ...resses Hw Fw Sw Status 1 885a 9244 d734 to 885a 9244 d763 1 3 Ok 2 4c00 821a 6dc0 to 4c00 821a 6dd7 0 3 Ok 3 c067 af69 c400 to c067 af69 c407 1 1 15 1 1r SG5 03 08 00 E Ok 4 c067 af69 c408 to c067 af69 c40f Provision Mod Redundancy role Operating mode Redundancy status 3 Active Supervisor SSO Active 4 ICS Supervisor RPR Standby Cold Switch Number 2 Role Virtual Switch Standby Chassis Type WS C4507...

Page 265: ...e 225 port type 61 number 48 virtual slot 36 slot 5 slot type 82 port type 31 number 2 virtual slot 37 These commands are not available to the user and that various numbers used in these commands are internal to the system and used to identify a module These commands are written to the startup config when a switch detects a given module while it is running in VSS mode When reconverted to standalon...

Page 266: ... Oper Conf SID SID LOCAL 1 UP FALSE N 100 100 ACTIVE 0 0 REMOTE 2 UP FALSE N 100 100 STANDBY 7496 7678 Peer 0 represents the local switch Flags V Valid In dual active recovery mode No Executing the command on VSS member switch role VSS Standby id 2 RRP information for Instance 2 Valid Flags Peer Preferred Reserved Count Peer Peer TRUE V 1 1 1 Switch Switch Status Preempt Priority Role Local Remote...

Page 267: ...the peer chassis modules saves the configuration file and performs a reload The switch comes up in standalone mode with only the configuration data relevant to the standalone system The VSS Standby switch of the VSS becomes VSS Active VSL links on this switch are down because the peer is now unavailable To convert the VSS Active switch to standalone mode perform this task on the VSS Active switch ...

Page 268: ...n file and performs a reload The switch comes up in standalone mode with only its own provisioning and configuration data To convert the peer switch to standalone perform this task on the VSS Standby switch Configuring VSS Parameters These sections describe how to configure VSS parameters Configuring VSL Switch Priority page 5 43 Configuring a VSL page 5 44 Adding and Deleting a VSL Port After the...

Page 269: ...on ID Number Oper Conf Oper Conf Local Remote LOCAL 1 UP FALSE N 100 200 ACTIVE 0 0 REMOTE 2 UP FALSE N 100 100 STANDBY 8158 1991 In dual active recovery mode No Command Purpose Step 1 Switch config switch virtual domain 100 Enters configuration mode for the virtual switch domain Step 2 Switch config vs domain switch 1 2 priority priority_num Configures the priority for the switch The switch with ...

Page 270: ...ter the Bootup At any time you can add and delete VSL ports from a port channel to increase the nunber of links in the VSL to move the port from one port to another or to remove it from VSL Before adding or deleting VSL ports do the following Ensure all ports are physically connected to the peer switch The peer port must also be configured for VSL Shutdown the port before configuring VSL When both...

Page 271: ...t met u unsuitable for bundling w waiting to be aggregated Group Port channel Protocol Ports 10 Po10 RU Te1 5 4 P Te1 5 5 P 20 Po20 RU Te2 5 4 P Te2 5 5 P Switch show switch virtual link port LMP summary Link info Configured 1 Operational 1 Peer Peer Peer Peer Timer s running Interface Flag State Flag MAC Switch Interface Time remaining Gi1 3 11 vfsp operational vfsp f866 f296 be00 2 Gi2 1 11 T4 7...

Page 272: ...aranteed to the class during congestion The VSL link uses Transmit Queue Sharing where the output link bandwidth is shared among multiple queues of a given VSL port Any modification or removal of VSL Queuing policy is restricted in a VSS system The following command sequence is inserted automatically by software interface TenGigabitEthernet1 1 1 switchport mode trunk switchport nonegotiate no lldp...

Page 273: ... match dscp cs5 class map match any VSL SIGNALING NETWORK MGMT match dscp cs2 match dscp cs3 match dscp cs6 match dscp cs7 Configuring the Router MAC Address On VSS all routing protocols are centralized on the active supervisor engine A common router MAC address is used for Layer 3 interfaces on both active and standby switches Additionally to ensure non stop forwarding the same router MAC address...

Page 274: ...the physical interface before configuring it on the port channel interface To create a port channel interface for a Layer 3 EtherChannel perform this task This example shows how to create port channel interface 1 Switch configure terminal Switch config interface port channel 1 Command Purpose Switch config switch virtual domain domain_id Enters VSS configuration mode Switch config vs domain mac ad...

Page 275: ...onfig if channel group 1 mode desirable Switch config if exit Switch config int gigabitEthernet 2 2 6 Switch config if no switchport Command Purpose Step 1 Switch config interface fastethernet gigabitethernet tengigabitethernet slot port Selects a physical interface to configure Step 2 Switch config if no switchport Makes this a Layer 3 routed port Step 3 Switch config if no ip address Ensures tha...

Page 276: ... port channel Po1 Port index 0 Load 0x00 Protocol PAgP Flags S Device is sending Slow hello C Device is in Consistent state A Device is in Auto mode P Device learns on physical port d PAgP is down Timers H Hello timer is running Q Quit timer is running S Switching timer is running I Interface timer is running Local information Hello Partner PAgP Learning Group Port Flags State Timers Interval Coun...

Page 277: ...imum links not met u unsuitable for bundling w waiting to be aggregated d default port Number of channel groups in use 3 Number of aggregators 3 Group Port channel Protocol Ports 1 Po1 RU PAgP Gi1 3 26 P Gi2 2 26 P 10 Po10 SU Te1 1 1 P Te1 1 4 D 20 Po20 SU Te2 1 1 P Prior to Cisco Release IOS XE 3 5 0E and IOS 15 2 1 SG when you tried to add a port to an EtherChannel from different chassis of the ...

Page 278: ...t channel when you are finished configuring dual active detection To enable or disable PAgP dual active detection perform this task You must configure trust mode on the port channels that will detect PAgP dual active detection By default trust mode is disabled Note If PAgP dual active detection is enabled you must place the port channel in administrative down state before changing the trust mode U...

Page 279: ...ve detection pair you need to configure dual active fast hello on the interface Although fast hello dual active detection is enabled by default you must configure dual active interface pairs to act as fast hello dual active messaging links To enable or disable fast hello dual active detection perform this task Command Purpose Step 1 Switch config switch virtual domain domain_id Enters virtual swit...

Page 280: ...to a loss of fast hello messages impacting the functionality of fast hello based dual active detection This example shows how to configure an interface for fast hello dual active detection Switch config switch virtual domain 255 Switch config vs domain dual active detection fast hello Switch config vs domain exit Switch config interface fastethernet 1 2 40 Switch config if dual active fast hello W...

Page 281: ...ctive Partner Partner Partner Port Detect Capable Name Port Version Gi1 3 11 Yes g9 68 Gi1 11 1 1 Gi2 2 12 Yes g9 68 Gi1 12 1 1 This example shows how to display the status of links configured as fast hello Switch show switch virtual dual active fast hello Executing the command on VSS member switch role VSS Active id 2 Fast hello dual active detection enabled Yes Fast hello dual active interfaces ...

Page 282: ...l active fast hello packet counters SwitchId 1 Transmitted total 465 Received total 465 In Service Software Upgrade ISSU on a VSS Topics include VSS ISSU Concept page 5 56 Traffic and Network Protocol Disruption During ISSU in a VSS page 5 57 Related Documents page 5 58 Prerequisites to Performing ISSU page 5 58 About Performing ISSU page 5 59 How to Perform the ISSU Process page 5 64 License inst...

Page 283: ...eans that network devices that are connected to the switch that is rebooting will observe a disruption in service unless the connection is over an MEC that contains at least one link that terminates Active version X VSL Standby version X Active version X VSL Reboot Active version X VSL Stateful Switchover Standby version Y Reboot VSL Active version Y Standby version X VSL Active version Y Reboot V...

Page 284: ...ing the IOS copy command so that the boot variable has a valid path to point to You can enter various commands on the switch to determine supervisor engine versioning and Cisco IOS XE software compatibility Alternatively you can use the ISSU application on Cisco Feature Navigator to determine this The type of the pre and post upgrade images must match precisely Identical ISSU is not supported from...

Page 285: ...o confirm this It is advisable to take measures to mitigate the effects of switch down time ISSU in a VSS will result in loss of service on non MEC links and peers must be prepared for this On links connected over MECs Nonstop Forwarding NSF must be configured and working properly If you do not have NSF enabled see the Cisco Nonstop Forwarding document for further information on how to enable and ...

Page 286: ...SSU upgrade process at any time and to revert to the initial system state These four commands take the VSS through a series of states that culminate in the Active and standby supervisor engines running the post upgrade IOS XE image The VSS continues to operate throughout the entire process however as explained in Traffic and Network Protocol Disruption During ISSU in a VSS page 5 57 service is dis...

Page 287: ... switches In these cases we recommend that you first perform the manual four command ISSU upgrade procedure on one VSS possibly in a lab environment to verify successful upgrade Then use the single issu changeversion procedure to perform an automatic ISSU on the rest of the Catalyst 4500 switches in the network The issu changeversion command launches a single step complete ISSU upgrade cycle It pe...

Page 288: ...igure but the runversion and commitversion stages are combined This progression skips the step in the upgrade procedure that loads the old software version on the new standby old active supervisor thereby reducing the time required for the automatic ISSU upgrade by about a third Scheduled Changeversion in and at Options issu changeversion provides in and at command options that enable you to sched...

Page 289: ...upervisors engines in the two switches The compatibility matrix represents the compatibility relationship a Cisco IOS XE software image has with all of the other Cisco IOS XE software versions within the designated support window for example all of those software versions the IOS XE software image knows about and is populated and released with every IOS XE software image The matrix stores compatib...

Page 290: ...ftware bundle Identify which software images are compatible with the selected software image Compare two IOS XE software images and understand the compatibility level of the software images that is compatible base level compatible and incompatible or dynamically determined Compare two software images and see the client compatibility for each ISSU client Provide links to release notes for the softw...

Page 291: ... ISSU context is lost and the system returns to the Init state Both supervisor engines return to the old software You can verify the ISSU software upgrade by entering show commands to provide information on the state of the during the ISSU process This example shows how to display the state and the current status of the supervisor engine during the ISSU process Switch enable Switch show issu state...

Page 292: ...ndancy Mode Stateful Switchover Maintenance Mode Disabled Communications Up Current Processor Information Active Location slot 1 1 Current Software state ACTIVE Uptime in current state 9 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSAL M Version 03 03 00 SGN1 33 CISCO INTERNAL USE ONLY UNIVERSAL PRODUCTION K10 IOSD VERSION synced to END_O...

Page 293: ...isor engines are running the same current image The following example displays the ISSU state before the process begins Switch show issu state detail Slot 1 RP State Active ISSU State Init Operating Mode Stateful Switchover Current Image bootflash cat4500e universal SSA 03 03 00 SGN1 33 151 2 SGN1 33 bin Pre ISSU Original Image N A Post ISSU Targeted Image N A Slot 11 RP State Standby ISSU State I...

Page 294: ...03 03 00 SGN1 34 151 2 SGN1 34 bin 29125 rw 119286584 Aug 13 2012 22 30 02 00 00 cat4500e universal SSA 03 03 00 SGN1 33 151 2 SGN1 33 bin 820875264 bytes total 581672960 bytes free Switch dir slavebootflash Directory of slavebootflash 58370 rw 119286584 Aug 14 2012 11 25 38 00 00 cat4500e universal SSA 03 03 00 SGN1 33 151 2 SGN1 33 bin 58372 rw 119519232 Aug 14 2012 11 40 47 00 00 cat4500e unive...

Page 295: ...ompted Step 2 Switch issu loadversion active slot active image new standby slot standby image new Starts the ISSU process and optionally overrides the automatic rollback when the new Cisco IOS XE software version is detected to be incompatible It may take several minutes after entering the issu loadversion command for Cisco IOS XE software to load onto the standby supervisor engine and for the sta...

Page 296: ... of the loadversion step the following message is logged Aug 14 13 07 08 240 INSTALLER 7 ISSU_OP_SUCC Peer state is STANDBY SSO Please issue the runversion command Now you are ready to proceed to the next step Perform the following steps at the active supervisor engine Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch issu run...

Page 297: ..._image Post ISSU Targeted Image bootflash new_image Note The new active supervisor engine is now running the new version of software and the standby supervisor engine is running the old version of software and is in the standby hot state Switch show redundancy states my state 13 ACTIVE peer state 8 STANDBY HOT Mode Duplex Unit Primary Unit ID 11 Redundancy Mode Operational Stateful Switchover Redu...

Page 298: ...efore you stop it In the following example the Automatic Rollback Time information indicates the amount of time remaining before an automatic rollback will occur Switch enable Switch show issu rollback timer Rollback Process State 00 31 09 remaining Configured Rollback Time 00 45 00 Switch issu acceptversion 611 bootflash new_image Rollback timer stopped Please issue the commitversion command Swit...

Page 299: ...SSU process has completed At this stage any further Cisco IOS XE software version upgrade or downgrade will require that a new ISSU process be invoked anew Using changeversion to Automate an ISSU Upgrade This task describes how to use the issu changeversion command to perform a one step ISSU upgrade Please ensure that you have read Prerequisites to Performing ISSU page 5 58 and implemented the app...

Page 300: ... mm quick Initiates a single step complete upgrade process cycle Performs the logic of the four standard commands issu loadversion issu runversion issu acceptversion and issu commitversion without user intervention active slot Defines the active slot number the Virtual slot number Use the show switch virtual slot map command to determine the virtual slot number from the physical slot number new im...

Page 301: ...rmation Active Location slot 1 1 Current Software state ACTIVE Uptime in current state 45 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSAL M Version 03 03 00 SGN1 33 CISCO INTERNAL USE ONLY UNIVERSAL PRODUCTION K10 IOSD VERSION synced to END_OF_FLO_ISP Copyright c 1986 2012 by Cisco Systems Inc Compiled Thu 09 Aug BOOT bootflash cat4500e ...

Page 302: ...rtual slot map Virtual Slot to Remote Switch Physical Slot Mapping Table Virtual Remote Physical Module Slot No Switch No Slot No Uptime 1 1 1 00 44 19 2 1 2 00 44 05 3 1 3 00 43 49 4 1 4 5 1 5 6 1 6 7 1 7 8 1 8 9 1 9 10 1 10 11 2 1 00 26 40 12 2 2 00 44 48 13 2 3 00 44 48 14 2 4 15 2 5 16 2 6 17 2 7 18 2 8 19 2 9 20 2 10 Switch dir bootflash Directory of bootflash 29122 rw 119519232 Aug 13 2012 1...

Page 303: ...m A Stateful Switchover occurs Switch 2 takes over as the Active switch Switch 1 goes down then reboots still with the pre upgrade image and reaches SSO Hot Standby state From this point on the console logs are gathered on Switch 2 Aug 14 15 54 49 164 INSTALLER 7 ISSU_OP_SUCC issu changeversion is now executing issu commitversion Switch 1 goes down again then boots up this time with the post upgra...

Page 304: ...ancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Manual Swact enabled Communications Up client count 74 client_notification_TMR 240000 milliseconds keep_alive TMR 9000 milliseconds keep_alive count 0 keep_alive threshold 18 RF debug mask 0 Switch show redundancy Redundant System Information Available system uptime 4 hours 16 minutes Switchovers system experienced 3 Sta...

Page 305: ...ure to automatically start at the specified time This example specifies that the ISSU upgrade should be started at 16 30 24 hour format Switch enable Switch issu changeversion 1 bootflash y bin 11 slavebootflash y at 16 30 issu changeversion was executed at Aug 12 16 27 43 The planned ISSU changeversion is to occur in hh mm ss 00 03 00 at Apr 12 16 30 43 Current system time Aug 12 16 27 43 Planned...

Page 306: ...before you complete the ISSU process with the issu commitversion command Perform the following task on the active supervisor engine This example shows how to abort the ISSU process on slot number 11 the slot for the current active supervisor engine In this example the ISSU upgrade process is in the Runversion state when the issu abortversion command is entered Switch enable Switch show issu state ...

Page 307: ...ation of the new Cisco IOS XE software before committing the new software image The ISSU rollback timer kicks in immediately after issu run version is entered so that the minimum value configured should be more than the time required for a chassis reload Else the process fails Note The valid timer value range is from 0 to 7200 seconds two hours A value of 0 seconds disables the rollback timer Once...

Page 308: ...otflash old_image Post ISSU Targeted Image bootflash new_image Slot 11 RP State Standby ISSU State Load Version Operating Mode Stateful Switchover Current Image bootflash new_image Pre ISSU Original Image bootflash old_image Post ISSU Targeted Image bootflash new_image Switch show issu rollback timer Rollback Process State Not in progress Configured Rollback Time 60 00 Switch configure terminal En...

Page 309: ...E My Image ver 03 03 01 SG Peer Version Compatibility 03 02 00 SG Dynamic 0 03 02 01 SG Dynamic 0 03 02 00 XO Dynamic 0 03 02 02 SG Dynamic 0 03 02 03 SG Dynamic 0 03 02 04 SG Dynamic 0 03 03 00 SG Dynamic 0 03 03 01 SG Comp 3 The above Stored Compatibility Matrix is for IOS XE version 03 03 01 SG The Comp 3 entry shows that IOS XE version 03 03 01 SG is compatible with this version and the end re...

Page 310: ...GrpId Sid pSid pUid Nego Result 2 1 1 131111 4 1 Y 3 1 1 65617 7 1 Y 4 1 1 131085 11 1 Y 5 1 1 131115 13 1 Y 7200 1 1 131105 75 1 Y 7201 1 1 131151 76 1 Y 7203 1 1 131127 74 1 Y 7301 1 1 131137 77 1 Y List of Clients Cid Client Name Base Non Base 2 ISSU Proto client Base Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch show i...

Page 311: ...both VSS active Switch 1 and VSS standby Switch 2 If your device supports using Right to use RTU licensing use the following command to activate the new license on both switches Switch license right to use activate ipbase entservices lanbase acceptEULA Step 2 Run the Switch write memory command to save the configuration Step 3 On Switch 2 the VSS standby shutdown all the non VSL ports Caution Shut...

Page 312: ...5 86 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 5 Configuring Virtual Switching Systems License Upgrade on a VSS ...

Page 313: ...on page 6 28 About Programmability Overview page 6 1 Programmability Components page 6 2 Protocols and Data Models for Programmatic Device Configuration page 6 2 Default Configuration page 6 3 Overview Programmability is the capability to configure and manage networking devices using protocols that are specifically designed to be consumed by software that is machine to machine interfaces The tradi...

Page 314: ...n the switch You can install an application within a virtual services container The application then runs in the virtual services container of the operating system of a switch The application is delivered as an open virtual application OVA which is a tar file with a ova extension The OVA package is installed and enabled on the switch through the device CLI The Data Model Interface DMI A container ...

Page 315: ...CONF and RESTCONF APIs The following data models are supported The ned yang model A Cisco specific configuration data model that enables to you perform write SET operations The Operational Data Manager ODM Enables you to read operational state data GET operations using YANG models Figure 6 1 shows how the different components of Programmability come together Figure 6 1 Programmability Components D...

Page 316: ...rogrammability Prerequisites for NETCONF and RESTCONF Your access to the switch is configured with privilege level 15 This is required to start working with NETCONF and RESTCONF interfaces See Providing Privilege Access to Use NETCONF and RESTCONF page 6 11 To use the programmability feature you must use the Universal Crypto Image See section Orderable Product Numbers in the corresponding release ...

Page 317: ...ontainer is not supported AAA remote authentication is not supported Zero Touch Provisioning Requirements Zero Touch Provisioning is achieved by using the PXE boot feature Ensure that you have completed the following Set the boot field value See Boot Field page 6 6 Configured the DHCP server and an HTTP or TFTP server See PXE Boot Requirements Configuring the DHCP Server page 6 6 and PXE Boot Proc...

Page 318: ... enable autoboot and set the boot field 04 05 or 06 This automatically sets the corresponding configuration register value The PXE boot feature requires ROMMON version 15 0 1r SG14 on Catalyst 4500 X Series Switches and ROMMON version 15 1 1r SG8 on Catalyst 4500 E Series Switches For detailed information about the various boot fields see table Explanation of Boot Field Configuration Register Bits...

Page 319: ...on When the DHCP server responds successfully the output displays Received DHCP_ACK If you receive a TFTP timeout error increase the DHCP timeout by using the ROMMON variable DhcpTimeout The default DHCP timeout is 5 seconds You can increase it by a maximum of 30 seconds For example if DhcpTimeout 20 the DHCP timeout increases by 20 seconds Enter the set command to verify the change rommon DhcpTim...

Page 320: ...s mentioned the Option 43 list are present in the specified location the switch downloads them The script file is downloaded to bootflash pxe scripts folder The ova file is downloaded to bootflash pxe ova folder Figure 6 2 PXE Boot Process Flow 354901 ROMMON DHCP Server DNS Server TFTP or HTTP Server Autoboot with option 4 5 or 6 Validate data DHCP_DISCOVER DHCP_OFFER DHCP_REQUEST DHCP_ACK Configu...

Page 321: ...Step 1 enable Example Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 virtual service install name virtual services name package file Example Switch virtual service install name dmi package bootflash dmi ova Installs an OVA package from the specified location onto a device Ensure that the ova file is located in the root directory of the storage device Step 3 confi...

Page 322: ...ig virt serv ip shared host interface gigabitethernet 3 47 Maps the virtual service container to the interface that you specify The IP address of the interface you specify here is used for NETCONF and RESTCONF communication Observe these guidelines Note You cannot configure a port channel interface as a shared interface All other interface types are supported Note If you want to change the shared ...

Page 323: ... virtual terminal Step 5 end Example Switch end Exits the onep configuration mode and enters the privileged EXEC mode Command or Action Purpose Command or Action Purpose Step 1 enable Example Switch enable Enables the privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Switch configure terminal Enters the global configuration mode Step 3 username name privilege l...

Page 324: ...pose Step 1 enable Example Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Example Switch configure terminal Enters the global configuration mode Step 3 netconf yang Example Switch config netconf yang Enables the NETCONF interface on your network device After you have completed this step you can manage network devices through a model based inter...

Page 325: ...Switch config ip http server OR Switch config ip http secure server The ip http server command enables the HTTP server on your system The ip http secure server command enables a secure HTTP HTTPS server Note When enabling an HTTPS server you should always disable the standard HTTP server to prevent unsecured connections to the same services Disable the standard HTTP server using the no ip http ser...

Page 326: ...el Revision dates for each model are shown in the capabilities response Data models are available for optional download from a device using the get schema rpc You can use these YANG models to understand or export the data model The following shows sample RPCs you can send and the kind of action that is performed Examples for NETCONF RPCs page 6 14 Examples for RESTCONF RPCs page 6 15 Examples for ...

Page 327: ...g RPC PATCH http 10 106 30 33 80 restconf api running native ip tftp source interface GigabitEth ernet payload n GigabitEthernet 2 2 n Enter an HTTP delete request by sending the following RPC DELETE http 10 106 30 33 55080 api running native ip tftp source interface Note For the HTTP delete request do not use http 10 106 30 33 80 restconf api running native ip tftp source interface Using ODM Mode...

Page 328: ... processes cpu command which displays CPU utilization to identify the causes of high CPU utilization 6 parse showIpRoute ietf routing yang Corresponds to the show ip route command which displays the current state of the routing table to verify the configuration 7 parse showInterfaces ietf interfaces yang Corresponds to the show interfaces command which displays statistics for all interfaces config...

Page 329: ...age id 101 data 14 parse showInventory cisco inventory entities yang Corresponds to the show inventory command which displays product identification PID information for the hardware 15 parse showIntTransciver cisco interface transciver yang Corresponds to the show interfaces transceiver detail command which displays information about the optical transceivers that have digital optical monitoring DO...

Page 330: ...g xmlns xc urn ietf params xml ns netconf base 1 0 cisco ia xmlns http cisco com yang cisco ia odm control true odm control cisco ia config edit config rpc Output NETCONF RETURN rpc reply xmlns urn ietf params xml ns netconf base 1 0 message id 101 ok rpc reply To deactivate or stop the ODM send the following RPC Input rpc message id 101 xmlns urn ietf params xml ns netconf base 1 0 edit config ta...

Page 331: ... get filter cisco odm xmlns http cisco com yang cisco odm polling enable cisco odm filter get rpc Output NETCONF RETURN rpc reply xmlns urn ietf params xml ns netconf base 1 0 message id 101 data cisco odm xmlns http cisco com yang cisco odm polling enable true polling enable cisco odm data rpc reply Example Enabling or Changing the Polling Mode of the ODM Models Input rpc message id 101 xmlns urn...

Page 332: ...isco odm actions action name parse showArchive action name polling interval 110000 polling interval actions cisco odm config edit config rpc Output NETCONF RETURN rpc reply xmlns urn ietf params xml ns netconf base 1 0 message id 101 ok rpc reply Displaying Supported Parsers and Polling Intervals To retrieve information about all the supported parsers and their polling intervals send the following...

Page 333: ...ling interval mode poll mode actions actions action name parse showIgmpGroup action name polling interval 120000 polling interval mode poll mode actions actions action name parse showIntTransciver action name polling interval 120000 polling interval mode poll mode actions actions action name parse showInterfaces action name polling interval 120000 polling interval mode poll mode actions actions ac...

Page 334: ...me parse showProcessesCPU action name polling interval 120000 polling interval mode poll mode actions actions action name parse showProcessesMemory action name polling interval 120000 polling interval mode poll mode actions actions action name parse showVersion action name polling interval 120000 polling interval mode poll mode actions actions action name parse showVirtualService action name polli...

Page 335: ...ured correctly ensure that these three sessions are listed NetworkElementSynchronizer SyncFromDaemon and CiaAuthDaemon The following is sample output for this command Switch show onep session all ID Username State ReconnectTimer ConnectTime ApplicationName 8145 Connected 0 Thu Jul 28 06 07 05 304 com cisco NetworkElementSynchronizer 3234 Connected 0 Thu Jul 28 06 07 06 504 com cisco SyncFromDaemon...

Page 336: ...virtual service storage pool list Displays an overview of storage locations pools used for virtual service containers show virtual service storage volume list Displays an overview of storage volume information for virtual service containers show virtual service version name virtual services name installed Displays the version of an installed application For example Switch show virtual service vers...

Page 337: ...Loading from TftpServer 10 106 24 187 TftpBlkSize 1468 RxDataPacket 130207 Loaded 191143008 bytes successfully Checking digital signature cat4500e universalk9 SSA 03 09 00 PR4 46 152 5 0 46 PR4 bin Digitally Signed Development Software with key version A Rommon reg 0x00084F80 Reset2Reg 0x00004F00 Image load status 0x00000000 Winter 110 controller 0x0468AFAC 0x047F4313 Size 0x002FDB9D Program Done ...

Page 338: ...500 L3 Switch Software cat4500e UNIVERSALK9 M Version 03 09 00 PR4 46 EARLY DEPLOYMENT PROD IMAGE ENGINEERING NOVA_WEEKLY BUILD synced to V152_5_1_E Technical Support http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Sun 31 Jul 16 16 31 by sabind Cisco IOS XE software Copyright c 2005 2015 by cisco Systems Inc All rights reserved Certain components of Cisco IOS XE ...

Page 339: ...tainer perform the following task Step 1 Set the logging level to debug in cisco ia yang model Step 2 In the privilege EXEC Mode on the switch CLI enter one of these commands and use NETCONF to read the responses The debug remotemanagement command The show remotemanagement command Step 3 To display NETCONF statistical information such as the number of sessions netconf RPCs packets and so on use th...

Page 340: ...th Note You must restart the DHCP service every time you make a change in the dhcpd conf file Depending on whether you are using HTTP or TFTP to download files refer to the corresponding sample configuration file Using HTTP page 6 28 Using TFTP page 6 30 Using HTTP allow booting allow bootp ddns update style none DEFINE AN OPTION SPACE EXAMPLE IS USED HERE IT IS A VARIABLE YOU CAN SET MAINTAIN cod...

Page 341: ... WS X45 SUP8L E vendor option space EXAMPLE SPECIFY THE PATH OF THE FILES YOU WANT TO SEND HTTP MAKE SURE THESE FILES RESIDE IN IDENTICAL FOLDERS configs scripts container IN the HTTP ROOT FOLDER YOU MUST CREATE THE IDENTICAL FOLDERS WITH THE SAME NAME AND CASE ENTER A FILE NAME MAKE SURE THAT CONFIG SCRIPT AND OVA FILE EXTENTIONS ARE config file config script file script container file ova RESPEC...

Page 342: ...members of WS 4500X 16 range 192 0 2 51 192 0 2 100 subnet 203 0 113 0 netmask 255 255 255 0 range 203 0 113 12 203 0 113 100 option routers 198 51 100 3 option subnet mask 255 255 255 0 server identifier 198 51 100 2 next server 198 51 100 2 Using TFTP allow booting allow bootp ddns update style none DEFINE AN OPTION SPACE EXAMPLE IS USED HERE IT IS A VARIABLE YOU CAN SET MAINTAIN code 1 2 AND 3 ...

Page 343: ...TO BE SENT TO THE CLIENT SWITCH option dhcp parameter request list 43 3 option vendor class identifier WS X45 SUP8L E vendor option space EXAMPLE SPECIFY THE PATH OF THE FILES YOU WANT TO SEND TFTP MAKE SURE THESE FILES RESIDE IN IDENTICAL FOLDERS configs scripts container IN the TFTP BOOT FOLDER YOU MUST CREATE THE IDENTICAL FOLDERS WITH THE SAME NAME AND CASE ENTER A FILE NAME MAKE SURE THAT CON...

Page 344: ...er 198 51 100 2 next server 198 51 100 2 Configuring DHCP Option 43 for Microsoft Windows DHCP Option 43 is used by clients and servers to exchange vendor specific information RFC 2132 This section describes the DHCP Option 43 configuration information that pertains to sending device configuration files script files and ova files to the switch It is applicable only if you use OpenDhcpServer as the...

Page 345: ... product recommendations Figure 6 3 Solarwinds TFTP Server The important sections of this sample configuration are highlighted bold This is a configuration file Lines starting with punctuation marks are comments This file should be saved in the same folder as the exe file Remove and replace the sample value with your own to change a setting LISTEN_ON Specify the interfaces that the server should l...

Page 346: ...all RANGE_SET s is also 125 and you can also have a maximum of 125 RANGE_SET s You can specify one or more ranges in each RANGE_SET section in the specified format Open DHCP Server allots addresses from these ranges Static Hosts and BootP clients do not require ranges You do not have to specify a RANGE_SET or a DHCP_Range if all clients are Static The dynamic address allocation policy is 1 Look to...

Page 347: ...d 73 63 72 69 70 74 2e 70 79 03 19 65 78 61 6d 70 6c 65 5f 64 6d 69 5f 63 6f 6e 74 61 69 6e 65 72 2e 6f 76 61 ff 43 example config config 65 78 61 6d 70 6c 65 2d 63 6f 6e 66 69 67 2e 63 6f 6e 66 69 67 example script py 65 78 61 6d 70 6c 65 2d 73 63 72 69 70 74 2e 70 79 example_dmi_container ova 05 78 61 6d 70 6c 65 5f 64 6d 69 5f 63 6f 6e 74 61 69 6e 65 72 2e 6f 76 61 The following are the range s...

Page 348: ...ubNetMask 255 255 255 0 DomainServer 198 51 100 3 Router 192 0 2 254 AddressTime is default lease time for server specify 0 for infinity lease time AddressTime 36000 RenewalTime 0 RebindingTime 0 NextServer is PXEBoot TFTP Server NextServer 198 51 100 2 Trailers yes ARPTimeout 3453 Ethernet yes DefaultTCPTTL 21 KeepaliveTime 120 KeepaliveData yes TFTPServerName MyTFTPServer BootFileName example io...

Page 349: ... httpserver url com The image configuration script and ova files being downloaded are example ios image bin example config config example script py and example_dmi_container ova respectively rommon 1 reset Resetting rommon 2 Rommon G Signature verification PASSED Rommon P Signature verification PASSED FPGA P Signature verification PASSED Welcome to Rom Monitor for WS C4500X 16 System Copyright c 2...

Page 350: ...g class b20 doesn t match header type 01 0 181505 pci 0001 04 00 0 ignoring class b20 doesn t match header type 01 0 274669 pci 0002 0c 00 0 ignoring class b20 doesn t match header type 01 Starting System Services devpts dev pts devpts rw nosuid noexec relatime gid 4 mode 600 ptmxmode 000 0 0 diagsk10 post version 5 1 4 1 prod WS C4500X 16 part 73 13860 03 serial JAE155209ZD Power on self test for...

Page 351: ...M Version 03 09 01 E 179 EARLY DEPLOYMENT PROD IMAGE ENGINEERING NOVA_WEEKLY BUILD synced to V152_5_1_68_E1 Technical Support http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Sat 12 Nov 16 19 26 by sdcunha Cisco IOS XE software Copyright c 2005 2015 by cisco Systems Inc All rights reserved Certain components of Cisco IOS XE software are licensed under the GNU Gene...

Page 352: ...re being downloaded is 198 51 100 2 The image configuration script and ova files being downloaded are example2 ios image bin example2 config config example2 script py and example2_dmi_container ova respectively rommon 1 reset Resetting Verifying FPGA P Signature PASSED Verifying ROMMON P Signature PASSED Rom Monitor Copyright c 2012 2015 by cisco Systems Inc All rights reserved Rom Monitor P Versi...

Page 353: ...pci 0001 02 00 0 ignoring class b20 doesn t match header type 01 pci 0002 04 00 0 ignoring class b20 doesn t match header type 01 audit cannot initialize inotify handle All packages are Digitally Signed Starting System Services devpts dev pts devpts rw nosuid noexec relatime gid 4 mode 600 ptmxmode 000 0 0 diagsk10 post version 6 2 0 0 prod WS X45 SUP8L E part 73 16780 03 serial CAT1940L26Y Power ...

Page 354: ... sdcunha Cisco IOS XE software Copyright c 2005 2015 by cisco Systems Inc All rights reserved Certain components of Cisco IOS XE software are licensed under the GNU General Public License GPL Version 2 0 The software code licensed under GPL Version 2 0 is free software that comes with ABSOLUTELY NO WARRANTY You can redistribute and or modify such GPL code under the terms of GPL Version 2 0 http ww...

Page 355: ...ference Information 1 Virtual Ethernet interface 48 Gigabit Ethernet interfaces 8 Ten Gigabit Ethernet interfaces 511K bytes of non volatile configuration memory WARNING WARNING WARNING The ISSU compatibility matrix check has been disabled No image version compatibility checking will be done Please be sure this is your intention Press RETURN to get started Switch ...

Page 356: ...6 44 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 6 Programmability Sample Configuration and Reference Information ...

Page 357: ... information about ISSU concepts and describes the steps taken to perform ISSU in a system This section includes these topics Prerequisites to Performing ISSU page 7 1 About ISSU page 7 2 Performing the ISSU Process page 7 15 Related Documents page 7 42 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Cat...

Page 358: ...st be configured and working properly If you do not have NSF enabled see the Cisco Nonstop Forwarding document for further information on how to enable and configure NSF Before you perform ISSU ensure that the system is configured for redundancy mode SSO and that the file system for both the active and the standby supervisor engines contains the new ISSU compatible image The current Cisco IOS vers...

Page 359: ...r engine state information between them in real time A switchover from the active to the standby processor occurs when the active supervisor engine fails or is removed from the networking device Cisco NSF is used with SSO Cisco NSF allows the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover With Cisco NSF peer...

Page 360: ...deployment strategy that applies Cisco NSF with SSO at the enterprise network access layer In this example each access point in the enterprise network represents another single point of failure in the network design In the event of a switchover or a planned software upgrade enterprise customer sessions continue uninterrupted through the network in this example Service provider core layer Service p...

Page 361: ...co NSF helps to suppress routing flaps in SSO enabled devices thus reducing network instability Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover With Cisco NSF peer networking devices do not experience routing flaps Data traffic is forwarded while the standby supervisor engine assumes ...

Page 362: ...iated with software upgrades or version changes by allowing changes while the system remains in service see Figure 7 3 SSO and NSF mode support configuration and runtime state synchronization from the active to the standby supervisor engine For this process to happen the images on both the active and the standby supervisor engines must be the same When images on active and standby supervisor engin...

Page 363: ...oftware into the file systems of both supervisor engines see Figure 7 4 Note In the following figure Cisco IOS 12 x y S represents the current version of Cisco IOS Figure 7 4 Install Copy New Version of Cisco IOS Software on Both Supervisor Engines Line cards Active Supervisor Engine Cisco IOS 12 x y S Cisco IOS 12 x y S Cisco IOS 12 x z S Cisco IOS 12 x z S Cisco IOS 12 x y S Install new version ...

Page 364: ...isor engine see Figure 7 5 Note Without the ISSU feature you cannot have SSO or NSF functioning between the active and standby supervisor engines when they are running two different versions of Cisco IOS image Figure 7 5 Load New Version of Cisco IOS Software on the Standby Supervisor Engine Line cards Active Supervisor Engine Cisco IOS 12 x y S Cisco IOS 12 x y S Cisco IOS 12 x z S Cisco IOS 12 x...

Page 365: ...witchover NSF or SSO not RPR the standby supervisor engine takes over as the new active supervisor engine see Figure 7 6 Figure 7 6 Switch Over to Standby Supervisor Engine Line cards Old Active Supervisor Engine Cisco IOS 12 x y S Cisco IOS 12 x y S Cisco IOS 12 x y S NSF SSO Switchover NSF SSO Switchover Run new version of Cisco IOS on standby Cisco IOS 12 x z S New Active Supervisor Engine 1802...

Page 366: ...ct a switchover to the former active which is already running the old image Next the former active supervisor engine is loaded with the new version of Cisco IOS software and becomes the new standby supervisor engine see Figure 7 7 Figure 7 7 Load New Standby Supervisor Engine with New Cisco IOS Software Figure 7 8 shows the steps during the ISSU process Line cards Standby Supervisor Engine Cisco I...

Page 367: ...f care to ensure no service disruption However in some scenarios this upgrade procedure might be cumbersome and of minimal value A typical example is during a network upgrade that involves performing an ISSU upgrade on a large number of Catalyst 4500 switches In these cases we recommend that you first perform the normal four command ISSU upgrade procedure on one switch possibly in a lab environmen...

Page 368: ...rade process reports them and their side effects and allows the user to abort the upgrade While performing a single step upgrade process when the process reaches the runversion state it will either automatically continue with the upgrade provided the base clients are compatible or automatically abort because of client incompatibility If the user wants to continue the upgrade procedure in RPR mode ...

Page 369: ...lines for Performing ISSU Be aware of the following guidelines while performing the ISSU process Even with ISSU it is recommended that upgrades be performed during a maintenance window The new features should not be enabled if they require change of configuration during the ISSU process Note Enabling them will cause the system to enter RPR mode because commands are only supported on the new versio...

Page 370: ...ience some functionality loss if the newer image had additional functionality Incompatible A core set of system infrastructure exists in Cisco IOS that must be able to interoperate in a stateful manner for SSO to function correctly If any of these required features or subsystems is not interoperable then the two versions of the Cisco IOS software images are declared to be incompatible An in servic...

Page 371: ...t image Compare two images and understand the compatibility level of the images that is compatible base level compatible and incompatible Compare two images and see the client compatibility for each ISSU client Provide links to release notes for the image Performing the ISSU Process Unlike SSO which is a mode of operation for the device and a prerequisite for performing ISSU the ISSU process is a ...

Page 372: ...ress 10 1 1 1 255 255 255 0 speed auto duplex auto ipv6 address 2000 1 64 Step 1 Perform an ISSU upgrade to a Cisco IOS XE 3 4 0SG 15 1 2 SG image Step 2 Run the VRF upgrade command Switch config t Enter configuration commands one per line End with CNTL Z Switch config vrf upgrade cli multi af mode common policies vrf mgmtVrf You are about to upgrade to the multi AF VRF syntax commands You will lo...

Page 373: ...ormat to older CLI format removing any IPv6 addresses on the interface Downgrading the image on your switch to a prior release Reconfiguring the IPv6 addresses on fa1 A configuration like the following will appear on a switch running a Cisco IOS XE 3 4 0SG 15 1 2 SG image vrf definition mgmtVrf address family ipv4 exit address family address family ipv6 exit address family interface FastEthernet1 ...

Page 374: ...pv6 address 2000 1 64 Verifying the ISSU Software Installation During the ISSU process five valid states exist disabled init load version run version and system reset Use the show issu state command to obtain the current ISSU state Disabled state The state for the standby supervisor engine while this engine is resetting Init state The initial state is two supervisor engines one active and one stan...

Page 375: ...show redundancy states my state 13 ACTIVE peer state 8 STANDBY HOT Mode Duplex Unit Primary Unit ID 1 Redundancy Mode Operational Stateful Switchover Redundancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Maintenance Mode Disabled Manual Swact enabled Communications Up client count 39 client_notification_TMR 240000 milliseconds keep_alive TMR 9000 milliseconds keep_ali...

Page 376: ...RELEASE SOFTWARE fc1 Technical Support http www cisco com techsupport Copyright c 1986 2006 by Cisco Systems Inc Compiled Tue 05 Sep 06 16 16 by sanjdas BOOT bootflash old_image 1 Configuration register 0x822 Verifying the ISSU State Before Beginning the ISSU Process Ensure that the active and standby supervisor engines are up and in ISSU Init state and that the boot variables are set and pointing...

Page 377: ... is already present in the file system of both the active and standby supervisor engines Also ensure that appropriate boot parameters BOOT string and config register are set for the standby supervisor engine Note The switch must boot with the BOOT string setting before the ISSU procedure is attempted Note auto boot must be enabled for ISSU to succeed Optionally perform additional tests and command...

Page 378: ...ve slot active image new standby slot standby image new forced Starts the ISSU process and optionally overrides the automatic rollback when the new Cisco IOS software version is detected to be incompatible It may take several seconds after the issu loadversion command is entered for Cisco IOS software to load onto the standby supervisor engine and for the standby supervisor engine to transition to...

Page 379: ... the system in RPR mode Switch enable Switch issu loadversion 1 bootflash new_image 2 slavebootflash new_image forced Switch show issu state detail Slot 1 RP State Active ISSU State Load Version Boot Variable bootflash old_image 12 Operating Mode RPR Primary Version bootflash old_image Secondary Version bootflash new_image Current Version bootflash old_image Slot 2 RP State Standby ISSU State Load...

Page 380: ...he new active supervisor engine after old active supervisor engine comes up as the standby engine do the following Switch show issu state detail Slot 2 RP State Active ISSU State Run Version Boot Variable bootflash new_image 12 bootflash old_image 12 Operating Mode Stateful Switchover Primary Version bootflash new_image Secondary Version bootflash old_image Current Version bootflash new_image Slot...

Page 381: ..._alive threshold 18 RF debug mask 0x0 Once runversion command completes the new active supervisor engine is running the new version of software and the previously active supervisor engine now becomes the standby supervisor engine The standby is reset and reloaded but remains on the previous version of software and come back online in standbyhot status The following example shows how to verify thes...

Page 382: ... rollback timer then validate and run the acceptversion command directly If you want to proceed to the following step running commitversion within the rollback timer window of 45 minutes you do not need to stop the rollback timer Note The issu acceptversion command can be optionally executed after the issu runversion command This example displays the timer before you stop it In the following examp...

Page 383: ...n 1 slavebootflash new_image Wait till standby supervisor is reloaded with the new image Then apply the following Switch show redundancy states 00 17 12 RF 5 RF_TERMINAL_STATE Terminal state reached for SSO my state 13 ACTIVE peer state 8 STANDBY HOT Mode Duplex Unit Secondary Unit ID 2 Redundancy Mode Operational Stateful Switchover Redundancy Mode Configured Stateful Switchover Redundancy State ...

Page 384: ...sh new_image 12 bootflash old_image 1 Configuration register 0x822 Peer Processor Information Standby Location slot 1 Current Software state STANDBY HOT Uptime in current state 12 minutes Image Version Cisco IOS Software Catalyst 4500 L3 Switch Software cat4500 ENTSERVICES M Version 12 2 31 SGA RELEASE SOFTWARE fc1 Technical Support http www cisco com techsupport Copyright c 1986 2006 by Cisco Sys...

Page 385: ...11 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6 E and Supervisor Engine 6L E For ISSU to function the IOS XE software image file names on the active and standby supervisor engines must match Perform the following steps at the active supervisor engine Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step...

Page 386: ...over Current Image bootflash x bin Pre ISSU Original Image N A Post ISSU Targeted Image N A Switch show redundancy Redundant System Information Available system uptime 12 minutes Switchovers system experienced 0 Standby failures 0 Last switchover reason none Hardware Mode Duplex Configured Redundancy Mode Stateful Switchover Operating Redundancy Mode Stateful Switchover Maintenance Mode Disabled C...

Page 387: ...shed executing loadversion waiting for standby to reload and reach SSO Note Standby reloads with target image Feb 25 20 41 00 479 INSTALLER 7 ISSU_OP_SUCC issu changeversion is now executing issu runversion Feb 25 20 41 03 639 INSTALLER 7 ISSU_OP_SUCC issu changeversion successfully executed issu runversion Note Switchover occurs Look at the console of new active supervisor engine Feb 25 20 47 39 ...

Page 388: ... 1 68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright c 1986 2010 by Cisco Systems Inc Compiled Sun 29 Aug 10 03 57 by gsbuprod Configuration register 0x2920 Peer Processor Information Standby Location slot 5 Current Software state STANDBY HOT Uptime in current state 2 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSALK9 M Versi...

Page 389: ...ware cat4500e UNIVERSALK9 M Version 03 00 00 1 68 CISCO UNIVERSAL DEVELOPMENT K10 IOSD TEST VERSION Copyright c 1986 2010 by Cisco Systems Inc Compiled Sun 29 Aug 10 03 57 by gsbuprod Configuration register 0x2920 Peer Processor Information Standby Location slot 6 Current Software state STANDBY HOT Uptime in current state 2 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 ...

Page 390: ...ded with the original software If the process is aborted after you enter either the issu runversion or issu acceptversion command then a second switchover is performed to the new standby supervisor engine that is still running the original software version The supervisor engine that had been running the new software is reset and reloaded with the original software version Note Ensure that the stan...

Page 391: ...ce by entering the issu acceptversion command which stops the rollback timer Entering the issu acceptversion command is extremely important in advancing the ISSU process Entering the issu commitversion command at this stage is equal to entering both the issu acceptversion and the issu commitversion commands Use the issu commitversion command if you do not intend to run in the current state now and...

Page 392: ...NTL Z Switch config issu set rollback timer 20 ISSU state should be init to set the rollback timer Displaying ISSU Compatibility Matrix Information The ISSU compatibility matrix contains information about other software images about the version in question This compatibility matrix represents the compatibility of the two software versions one running on the active and the other on the standby supe...

Page 393: ...2168 27 1 COMPATIBLE 2010 1 262171 32 1 COMPATIBLE 2012 1 262180 31 1 COMPATIBLE 2021 1 262170 41 1 COMPATIBLE 2022 1 262152 42 1 COMPATIBLE 2023 1 UNAVAILABLE 2024 1 UNAVAILABLE 2025 1 UNAVAILABLE 2026 1 UNAVAILABLE 2027 1 UNAVAILABLE 2028 1 UNAVAILABLE 2054 1 262169 8 1 COMPATIBLE 2058 1 262154 29 1 COMPATIBLE 2059 1 262179 30 1 COMPATIBLE 2067 1 262153 12 1 COMPATIBLE 2068 1 196638 40 1 COMPATI...

Page 394: ...te 2054 1 1 262169 8 1 Y 2058 1 1 262154 29 1 Y 2059 1 1 262179 30 1 Y 2067 1 1 262153 12 1 Y 2068 1 1 196638 40 1 Y 2070 1 1 262145 21 1 Y 2071 1 1 262178 11 1 Y 2072 1 1 262162 28 1 Y 2073 1 1 262177 33 1 Y 2077 1 1 262165 35 1 Y 2078 1 1 196637 34 1 Y 2079 1 1 262176 36 1 Y 2081 1 1 262150 37 1 Y 2082 1 1 262161 39 1 Y 2083 1 1 262184 20 1 Y 2084 1 1 262183 38 1 Y 4001 101 1 262181 17 1 Y 4002 ...

Page 395: ...TP Non Base 2077 ISSU STP MSTP Non Base 2078 ISSU STP IEEE Non Base 2079 ISSU STP RSTP Non Base 2081 ISSU DHCP Snooping clientNon Base 2082 ISSU IP Host client Non Base 2083 ISSU Inline Power client Non Base 2084 ISSU IGMP Snooping clientNon Base 4001 ISSU C4K Chassis client Base 4002 ISSU C4K Port client Base 4003 ISSU C4K Rkios client Base 4004 ISSU C4K HostMan client Base 4005 ISSU C4k GaliosRe...

Page 396: ...the other on the standby supervisor engine and the matrix allows the system to determine the highest operating mode it can achieve This information helps the user identify whether to use ISSU This task shows how to display information about the ISSU compatibility matrix This example shows how to display negotiated information regarding the compatibility matrix Switch enable Switch show issu comp m...

Page 397: ... SG Comp 3 Switch With Dynamic Image Version Compatibility DIVC Dynamic 0 is stored instead of Incomp 1 Base 2 or Comp 3 Compatibility is determined during runtime when two different DIVC capable images are running in the active and standby supervisor engines during ISSU For Catalyst 4500 switches a value of Dynamic 0 in the stored compatibility matrix normally results in Base 2 or Comp 3 upon run...

Page 398: ...ts Related Topic Document Title Performing ISSU Cisco IOS Software Guide to Performing In Service Software Upgrades Information about Cisco Nonstop Forwarding Cisco Nonstop Forwarding http www cisco com en US docs ios 12_2s feature guide fsnsf20s html Information about Stateful Switchover Stateful Switchover http www cisco com en US docs ios 12_0s feature guide sso120s html ISSU and MPLS clients I...

Page 399: ...st networks planned software upgrades are a significant cause of downtime ISSU allows Cisco IOS XE software to be upgraded while packet forwarding continues This increases network availability and reduces downtime caused by planned software upgrades This document provides information about ISSU concepts and describes the steps taken to perform ISSU in a system Topics include Prerequisites to Perfo...

Page 400: ...a release after IOS XE 3 6 0E for example 3 7 0 when released you cannot perform an ISSU downgrade to IOS XE 3 5 0E The type of the existing and target image must match You cannot upgrade from a Universal Lite image to a Universal image and vice versa without experiencing several minutes of traffic loss The same restriction applies between crypto and non crypto images The active and the standby su...

Page 401: ... in the system must also support ISSU You can enter various commands on the Catalyst 4500 series switch to determine supervisor engine versioning and Cisco IOS XE software compatibility Alternatively you can use the ISSU application on Cisco Feature Navigator to determine this If you enter the no ip routing command ISSU falls back from SSO to RPR mode resulting in traffic loss Autoboot is turned o...

Page 402: ...n the active supervisor engine fails or is removed from the networking device Cisco NSF is used with SSO Cisco NSF allows the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover With Cisco NSF peer networking devices do not experience routing flaps which reduce loss of service outages for customers Figure 8 1 ill...

Page 403: ...nal deployment strategy that applies Cisco NSF with SSO at the enterprise network access layer In this example each access point in the enterprise network represents another single point of failure in the network design In the event of a switchover or a planned software upgrade enterprise customer sessions would continue uninterrupted through the network in this example Service provider core layer...

Page 404: ...to the overall network performance Cisco NSF helps to suppress routing flaps in SSO enabled devices thus reducing network instability Cisco NSF allows for the forwarding of data packets to continue along known routes while the routing protocol information is being restored following a switchover With Cisco NSF peer networking devices do not experience routing flaps Data traffic is forwarded while ...

Page 405: ... associated with software upgrades by allowing changes while the system remains in service see Figure 8 3 SSO and NSF mode support configuration and runtime state synchronization from the active to the standby supervisor engine For this process the IOS XE software image on both the active and the standby supervisor engines must be the same When images on active and standby supervisor engines are d...

Page 406: ...ote In the following figure Cisco IOS XE 3 x y SG represents the current version of Cisco IOS XE 3 z y SG represents the image you are migrating to Figure 8 4 Copy New Version of Cisco IOS XE Software on Both Supervisor Engines Line cards Active Supervisor Engine Cisco IOS XE Cisco IOS XE 3 x y SG 3 x y SG Cisco IOS XE 3 x y SG Copy new version of Cisco IOS XE on active and standby Supervisor Engi...

Page 407: ...ote Without the ISSU feature SSO NSF cannot function between the active and standby supervisor engines when they are running different versions of the Cisco IOS XE image Figure 8 5 Load New Version of Cisco IOS XE Software on the Standby Supervisor Engine Line cards Active Supervisor Engine Load new version of Cisco IOS XE on standby Standby Supervisor Engine 207610 NSF SSO Cisco IOS XE Cisco IOS ...

Page 408: ...RPR the standby supervisor engine takes over as the new active supervisor engine see Figure 8 6 Figure 8 6 Switch Over to Standby Supervisor Engine Line cards Old Active Supervisor Engine NSF SSO Switchover NSF SSO Switchover Run new version of Cisco IOS XE the new active New Active Supervisor Engine 208665 Cisco IOS XE Cisco IOS XE 3 x y SG 3 x y SG Cisco IOS XE 3 x y SG Cisco IOS XE Cisco IOS XE...

Page 409: ...t a switchover to the former active which is already running the old software image Next the former active supervisor engine is loaded with the new version of Cisco IOS XE software and becomes the new standby supervisor engine see Figure 8 7 Figure 8 7 Load New Standby Supervisor Engine with New Cisco IOS XE Software Line cards Standby Supervisor Engine Standby is reset and reloaded with new softw...

Page 410: ...cated you should not expect disruption of service The use of multiple ISSU commands dictates an additional level of care to ensure no service disruption However in some scenarios this upgrade procedure might be cumbersome and of minimal value A typical example is during a network upgrade that involves performing an ISSU upgrade on a large number of Catalyst 4500 switches In these cases we recommen...

Page 411: ...lows the user to abort the upgrade While performing a single step upgrade process when the process reaches the runversion state it will either automatically continue with the upgrade provided the base clients are compatible or automatically abort because of client incompatibility If the user wants to continue the upgrade procedure in RPR mode the user must use the normal ISSU command set and speci...

Page 412: ...ther parts of the network you can use the issu abortversion command to manually abort the upgrade at any point in the process prior to the commitversion operation Guidelines for Performing ISSU Be aware of the following guidelines while performing the ISSU process Even with ISSU it is recommended that upgrades be performed during a maintenance window The new features should not be enabled if they ...

Page 413: ...intain state always during the transition from the old to the new version of Cisco IOS XE The matrix entry designates the images to be base level compatible B Incompatible A core set of system infrastructure exists in Cisco IOS XE that must be able to interoperate in a stateful manner for SSO to function correctly If any of these required features or subsystems is not interoperable then the two ve...

Page 414: ...fying the ISSU Software Installation page 8 19 Loading New Cisco IOS XE Software on the Standby Supervisor Engine page 8 21 required Switching to the Standby Supervisor Engine page 8 25 required Stopping the ISSU Rollback Timer Optional page 8 27 optional Loading New Cisco IOS XE Software on the New Standby Supervisor Engine page 8 28 required Using changeversion to Automate an ISSU Upgrade page 8...

Page 415: ...config exit Your configuration will appear as follows vrf definition mgmtVrf address family ipv4 exit address family interface FastEthernet1 vrf forwarding mgmtVrf ip address 10 1 1 1 255 255 255 0 speed auto duplex auto Step 3 Configure the switch to enable the IPv6 address family and add the IPv6 address Switch config t Enter configuration commands one per line End with CNTL Z Switch config vrf ...

Page 416: ...y interface FastEthernet1 vrf forwarding mgmtVrf ip address 10 1 1 1 255 255 255 0 speed auto duplex auto ipv6 address 2000 1 64 Step 1 Perform a downgrade to a release prior to Cisco IOS XE 3 4 0SG 15 1 2 SG Switch config t Enter configuration commands one per line End with CNTL Z Switch config no vrf upgrade cli multi af mode common policies vrf mgmtVrf You are about to downgrade to the single A...

Page 417: ...n of Cisco IOS XE software Run version RV state The issu runversion command forces the switchover of the supervisor engines The newly active supervisor engine runs the new Cisco IOS XE software image While running ISSU if both supervisor engines are reset due to power outage for example the ISSU context is lost and returns to the init state Both supervisor engines return to the old software You ca...

Page 418: ...inute Switchovers system experienced 2 Standby failures 1 Last switchover reason user_forced Hardware Mode Duplex Configured Redundancy Mode Stateful Switchover Operating Redundancy Mode Stateful Switchover Maintenance Mode Disabled Communications Up Current Processor Information Active Location slot 5 Current Software state ACTIVE Uptime in current state 7 hours 31 minutes Image Version Cisco IOS...

Page 419: ...e Pre ISSU Original Image N A Post ISSU Targeted Image N A Slot 6 RP State Standby ISSU State Init Operating Mode Stateful Switchover Current Image bootflash old_image Pre ISSU Original Image N A Post ISSU Targeted Image N A The new version of the Cisco IOS XE software must be present on both of the supervisor engines The directory information displayed for each of the supervisor engines shows tha...

Page 420: ...r document for more details on how to configure SSO mode on supervisor engines For ISSU to function the IOS XE file names on the active and standby supervisor engines must match Perform the following steps at the active supervisor engine Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch issu loadversion active slot active imag...

Page 421: ... Original Image bootflash old_image bin Post ISSU Targeted Image bootflash new_image bin Switch show redundancy states my state 13 ACTIVE peer state 8 STANDBY HOT Mode Duplex Unit Primary Unit ID 5 Redundancy Mode Operational Stateful Switchover Redundancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Manual Swact enabled Communications Up client count 81 client_notifica...

Page 422: ...bootflash new_image bin The following example shows the redundancy mode as RPR Switch show redundancy states my state 13 ACTIVE peer state 4 STANDBY COLD Mode Duplex Unit Primary Unit ID 3 Redundancy Mode Operational RPR Redundancy Mode Configured Stateful Switchover Redundancy State RPR Manual Swact enabled Communications Up client count 64 client_notification_TMR 240000 milliseconds keep_alive T...

Page 423: ...ing the new Cisco IOS XE software image Perform the following steps at the active supervisor engine This example shows how to cause a switchover to the former standby supervisor engine slot 6 reset the former active supervisor engine and reload it with the old IOS XE software image so it becomes the standby supervisor engine Switch enable Switch issu runversion 6 slavebootflash new_image issu runv...

Page 424: ...plex Unit Primary Unit ID 6 Redundancy Mode Operational Stateful Switchover Redundancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Manual Swact enabled Communications Up client count 88 client_notification_TMR 240000 milliseconds keep_alive TMR 9000 milliseconds keep_alive count 0 keep_alive threshold 9 RF debug mask 0 Once Runversion has completed the new active super...

Page 425: ...http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Wed 12 Oct 16 02 37 by p BOOT bootflash old_image bin 12 Configuration register 0x2102 Stopping the ISSU Rollback Timer Optional This optional task describes how to stop the rollback timer If you do not run the following procedure before the rollback timer timeout the system automatically aborts the ISSU process and...

Page 426: ...w standby supervisor engine Perform the following steps at the active supervisor engine Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch issu acceptversion active slot active image new Halts the rollback timer and ensures the new Cisco IOS XE ISSU process is not automatically aborted during the ISSU process Enter the issu acc...

Page 427: ...DBY HOT Mode Duplex Unit Primary Unit ID 6 Redundancy Mode Operational Stateful Switchover Redundancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Manual Swact enabled Communications Up client count 88 client_notification_TMR 240000 milliseconds keep_alive TMR 9000 milliseconds keep_alive count 0 keep_alive threshold 9 RF debug mask 0 Switch show redundancy Redundant Sy...

Page 428: ... 2016 by Cisco Systems Inc Compiled Sun 06 Nov 16 13 49 by pr BOOT bootflash new_image bin 12 bootflash old_image bin 12 Configuration register 0x2102 Switch show issu state detail Slot 6 RP State Active ISSU State Init Operating Mode Stateful Switchover Current Image bootflash new_image Pre ISSU Original Image N A Post ISSU Targeted Image N A Slot 5 RP State Standby ISSU State Init Operating Mode...

Page 429: ...splayed after some delay because the ISSU upgrade procedure progresses through the ISSU states Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch issu changeversion active slot active image new standby slot standby image new at hh mm in hh mm quick Initiates a single step complete upgrade process cycle Performs the logic of the...

Page 430: ...p Current Processor Information Active Location slot 6 Current Software state ACTIVE Uptime in current state 31 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSALK9 M Version 03 08 03 E RELEASE SOFTWARE fc2 Technical Support http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Sun 06 Nov 16 13 49 by prod BOOT b...

Page 431: ...SSO Feb 25 20 47 39 971 INSTALLER 7 ISSU_OP_SUCC issu changeversion is now executing issu commitversion Note The new standby supervisor engine reloads with target image changeversion is successful upon SSO terminal state is reached Feb 25 20 54 16 092 HA_CONFIG_SYNC 6 BULK_CFGSYNC_SUCCEED Bulk Sync succeeded Feb 25 20 54 16 094 RF 5 RF_TERMINAL_STATE Terminal state reached for SSO Switch Switch sh...

Page 432: ...ion Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSALK9 M Version 03 08 03 E RELEASE SOFTWARE fc2 Technical Support http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Sun 06 Nov 16 13 49 by pr BOOT bootflash new_image bin 12 bootflash old_image bin 12 Configuration register 0x2102 This example shows how to use issu changeversion ...

Page 433: ...Location slot 5 Current Software state STANDBY HOT Uptime in current state 3 minutes Image Version Cisco IOS Software IOS XE Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSALK9 M Version 03 08 03 E RELEASE SOFTWARE fc2 Technical Support http www cisco com techsupport Copyright c 1986 2016 by Cisco Systems Inc Compiled Sun 06 Nov 16 13 49 by pr BOOT bootflash new_image bin 12 bootflash o...

Page 434: ...isor engine that had been running the new software is reset and reloaded with the original software version Note Ensure that the standby supervisor is fully booted before issuing the abortversion command on an active supervisor engine The following task describes how to abort the ISSU process before you complete the ISSU process with the issu commitversion command Perform the following task on the...

Page 435: ... configure the rollback timer to fewer than 45 minutes the default so that the user need not wait in case the new software is not committed or the connection to the switch was lost while it was in runversion mode A user may want to configure the rollback timer to more than 45 minutes in order to have enough time to verify the operation of the new Cisco IOS XE software before committing the new sof...

Page 436: ...mage Pre ISSU Original Image bootflash old_image Post ISSU Targeted Image bootflash new_image Slot 6 RP State Standby ISSU State Load Version Operating Mode Stateful Switchover Current Image bootflash new_image Pre ISSU Original Image bootflash old_image Post ISSU Targeted Image bootflash new_image Switch show issu rollback timer Rollback Process State Not in progress Configured Rollback Time 60 0...

Page 437: ...ch enable Switch show issu comp matrix negotiated CardType WS C4507R E 182 Uid 4 Image Ver 03 00 00 1 68 Image Name cat4500e UNIVERSALK9 M Cid Eid Sid pSid pUid Compatibility 2 1 131078 3 3 COMPATIBLE 3 1 131100 5 3 COMPATIBLE 4 1 131123 9 3 COMPATIBLE Message group summary Cid Eid GrpId Sid pSid pUid Nego Result 2 1 1 131078 3 3 Y 3 1 1 131100 5 3 Y 4 1 1 131123 9 3 Y List of Clients Command or A...

Page 438: ... Dynamic Image Version Compatibility DIVC feature is supported in IOS XE releases With DIVC we store Dynamic 0 rather than Incomp 1 Base 2 or Comp 3 and determine compatibility during run time when two different DIVC capable IOS XE software images are running in the active and standby supervisor engines during ISSU For Catalyst 4500 switches a value of Dynamic 0 in the stored compatibility matrix ...

Page 439: ...d of the guide Feature guides document features that are supported on many different software releases and platforms Your Cisco software release or platform may not support all the features documented in a feature guide See the Feature Information table at the end of the feature guide for information about which features in that guide are supported in your software release Use Cisco Feature Naviga...

Page 440: ...eries Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 8 Configuring the Cisco IOS XE In Service Software Upgrade Process Cisco High Availability Features in Cisco IOS XE 3 1 0SG ...

Page 441: ... page 9 13 Configuring MultiGigabit Ports on WS X4748 12X48U E page 9 15 Invoking Shared Backplane Uplink Mode on Supervisor Engine 6 E and Supervisor Engine 6L E page 9 19 Limitation and Restrictions on Supervisor Engine 7 E and Supervisor Engine 7L E page 9 20 Selecting Uplink Mode on a Supervisor Engine 6 E page 9 20 Selecting the Uplink Port on a Supervisor Engine 7L E page 9 25 Digital Optica...

Page 442: ...n the switch You can also use the Cisco IOS show commands to display information about a specific interface or all the interfaces Using the interface Command These general instructions apply to all interface configuration processes Step 1 At the privileged EXEC prompt enter the configure terminal command to enter global configuration mode Switch configure terminal Enter configuration commands one ...

Page 443: ...0 packets output 0 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 babbles 0 late collision 0 deferred 0 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out GigabitEthernet1 2 is up line protocol is down Hardware is Gigabit Ethernet Port address is 0004 dd46 7701 bia 0004 dd46 7701 MTU 1500 bytes BW 1000000 Kbit DLY 10 usec reliability 255 255 txload...

Page 444: ...s within that range until you exit interface range configuration mode To configure a range of interfaces with the same configuration enter this command Note When you use the interface range command you must add a space between the vlan fastethernet gigabitethernet tengigabitethernet or macro keyword and the dash For example the command interface range fastethernet 5 1 5 specifies a valid range the...

Page 445: ...rnet5 1 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 2 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 3 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 4 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 5 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface GigabitEthernet1 1 changed state ...

Page 446: ...e routing domain or VRF domain called mgmtVrf You observe the ip Vrf forwarding mgmtVrf line in the running configuration when you boot up For details read the Fa1 Interface and mgmtVrf section on page 9 7 Even though the Ethernet management port does not support routing you might need to enable routing protocols on the port As illustrated in Figure 9 2 you must enable routing protocols on the Eth...

Page 447: ...to traffic incoming on the management port All features that use fa1 now need to be VRF aware Note You cannot configure any other interface in the same routing domain and you cannot configure a different routing domain for the Fa1 interface On bootup the fa1 port assumes the following default configuration Images prior to Cisco IOS XE 3 4 0SG 15 1 2 SG use the old VRF definition format for managem...

Page 448: ...nter the following command Switch ping vrf mgmtVrf ip address For example Switch ping vrf mgmtVrf 20 20 20 1 Type escape sequence to abort Sending 5 100 byte ICMP Echos to 20 20 20 1 timeout is 2 seconds Success rate is 100 percent 5 5 round trip min avg max 1 2 4 ms TraceRoute Switch traceroute vrf mgmtVrf ip address For example Eg Switch traceroute vrf mgmtVrf 20 20 20 1 Type escape sequence to ...

Page 449: ...ctive is enabled and can be used to switch traffic while the management port on the old active supervisor engine is disabled Note The Cisco IOS configuration for the management port is synchronized between the two supervisor engines Under Cisco IOS they possess the same IP address To avoid address overlapping during a switchover on a redundant chassis you should assign a different IP address on th...

Page 450: ...re on an Ethernet management port the feature might not work properly and the switch might fail Configuring the Ethernet Management Port To specify the Ethernet management port enter fastethernet1 To disable the port use the shutdown interface configuration command To enable the port use the no shutdown interface configuration command To determine the link status to the PC you can monitor the LED ...

Page 451: ...Deploying SFP in X2 Ports Note This feature is supported on Supervisor Engine 6 E and 6L E as well as on WS X4606 X2 E WS X4908 10GE WS X4904 10GE and WS C4900M To use an SFP in an X2 port to obtain 10 Gigabit Ethernet bandwidth the Catalyst 4500 series switch supports OneX Convertor modules When you plug a OneX Convertor module into an X2 port it converts the X2 port into an SFP port into which y...

Page 452: ...SFP ports on the Catalyst 4503 Catalyst 4506 and Catalyst 4507R chassis When you deploy a Catalyst 4510R chassis one of the following configurations is supported Dual 10 Gigabit Ethernet ports X2 optics only Four Gigabit Ethernet ports SFP optics only Both the dual 10 Gigabit Ethernet and the four Gigabit Ethernet ports The tenth slot Flex Slot only supports a 2 port gigabit interface converter GB...

Page 453: ...d the SFP ports are named Gigabit slot num 7 18 Figure 9 3 Faceplate for WS X4606 10GE In Cisco IOS ports 1 through 18 always exist This means that you can apply configurations on them and they display in the CLI output However only the X2 or the SFP ports can be active at any particular time For example if an X2 is plugged into the second hole the X2 port 2 is active and SFP ports 9 and 10 are in...

Page 454: ...Switch show int status mod 1 Port Name Status Vlan Duplex Speed Type Te1 1 notconnect 1 full 10G 10GBase LR Te1 2 connected 1 full 10G 10GBase LR Te1 3 notconnect 1 full 10G No X2 Te1 4 notconnect 1 full 10G No X2 Te1 5 notconnect 1 full 10G No X2 Te1 6 notconnect 1 full 10G No X2 Gi1 7 inactive 1 full 1000 No Gbic Gi1 8 inactive 1 full 1000 No Gbic Gi1 9 inactive 1 full 1000 No Gbic Gi1 10 inacti...

Page 455: ...S XE Release 3 7 1E you can configure the WS X4748 12X48U E module to auto negotiate multiple speeds on switch ports and support 100 Mbps 1 Gbps 2 5 Gbps and 5 Gbps speeds on Category 5e cables and up to 10 Gbps over Category 6 and Category 6a cables For more information on supported cables see Supported Cable Types and Speed page 9 17 Beginning in Cisco IOS XE 3 9 1E by default downshift is enabl...

Page 456: ... UPOE ports with no oversubscription Mode 2 Multigigabit Enhanced Ports 1 to 12 are 100 1000 2 5G 5G 10G Ethernet UPOE ports oversubscribed 5 1 for 10Gbps port speed Ports 1 to 6 share 12G aggregate bandwidth and ports 7 to 12 share 12G aggregate bandwidth Ports 13 to 24 are inactive disabled The LED display for these ports on the front panel of the device is Off Ports 25 to 48 are 10 100 1000 UPO...

Page 457: ...igabit Ports Note These restrictions do not apply to ports 13 to 48 that do not support Multigigabit Ethernet Ports 1 to12 do not support 10Mbps speed Ports 1 to 12 do not support half duplex mode for 100Mbps speed Ports 1 to 12 do not support Energy Efficient Ethernet Supported Cable Types and Speed Supported Hardware and Power Supply Table 9 1 Cable types and speed Cable Type 100Mbps 1G 2 5G 5G ...

Page 458: ...ltiGigabit ports 2 5 1 oversubscribed only For information about setting interface speeds to 2 5G 5G or 10G see Setting the Interface Speed page 9 28 Upgrading the Line Card FPGA Image on WS X4748 12X48U E Beginning in Cisco IOS Release 3 7 1E a new function to upgrade the line card FPGA on the WS X4748 12X48U E module has been introduced to handle oversubscription on multigigabit ports This upgra...

Page 459: ...uld deploy all four 10 Gigabit Ethernet ports two blocking ports on an active supervisor engine and two blocking ports on the standby supervisor engine or all eight Gigabit Ethernet SFP ports four on the active supervisor and four on the standby supervisor engine This capability is supported on all Catalyst 4500 and 4500E series chassis To enable shared backplane mode enter this command To disable...

Page 460: ...d backplane mode do the following Switch config hw module uplink mode shared backplane A reload of the active supervisor is required to apply the new configuration Switch config exit Switch On a Supervisor Engine 6 E in a 6 or 7 slot chassis Catalyst 4506 E 4507R E and 4507R E the default uplink mode does not allow a WS X4640 CSFP E linecard to boot in the last slot because of a hardware limitatio...

Page 461: ...ation to be copied to the startup config In this mode only the first five slots of the chassis are eligible for the line cards The remaining three slots are unuseable by any other line card including WS X4640 CSFP E effectively reducing a 10 slot chassis to a 7 slot You can place WS X4640 CSFP E in the top five slots enabling you to use C Sfp and thereby allow the max 80 ports on each WS X4640 CSF...

Page 462: ...ndwidth is restricted to 40GB as the default configuration in a ten slot chassis In non redundancy mode the supervisor can supports the first four active interfaces In redundancy mode this mode supports the first two interfaces on both active and standby supervisors All line cards are supported in all ten slots in the chassis with no restriction on the tenth slot To enable Sup7 E mode you must dis...

Page 463: ...No restriction Single Supervisor 8x10GE 10 slot Chassis Restriction on the 10th slot Wireless Daughter Card enabled Default configuration in Install Boot mode Requires CLI configuration to force disable the daughter card followed by a supervisor engine reload 20GE 3 6 and 7 Slot Chassis No restriction Default configuration in Install Boot mode Dual Supervisor Sup 7 E mode Active Supervisor 2x10GE ...

Page 464: ...gine 8 E Note Before you begin ensure that the daughter card is disabled on the switch By default the daughter card is enabled when the supervisor engine is booted in Install Boot mode and you cannot configure Supervisor Engine 7 E Sup 7 E mode until you disable the daughter card on the switch Note Ensure that the supervisor engine is reloaded each time you make uplink configuration changes To dis...

Page 465: ...gabitethernet Select the gigabit uplinks tengigabitethernet Select the 10G uplinks Note Supervisor Engine 7L E is not supported on a ten slot chassis USB device and SD card support is applicable to Supervisor Engine 7 E and Supervisor Engine 8 E only Note Supervisor Engine 8 E is supported on a 10 slot chassis Single Supervisor Mode In single supervisor mode WS X45 SUP 7L E supports the uplink con...

Page 466: ...s for all sensor on a particular interface transceiver show interfaces int name transceiver detail threshold Enables or disables the entSensorThresholdNotification for all sensors in all the transceivers snmp server enable trap transceiver Enables or disables transceiver monitoring transceiver type all monitoring Table 9 5 Uplink Options for Single Supervisor Mode Supervisor Engine Uplink Ports Sp...

Page 467: ...39 Configuring Ethernet Interface Speed and Duplex Mode Topics include Speed and Duplex Mode Configuration Guidelines page 9 27 Setting the Interface Speed page 9 28 Setting the Interface Duplex Mode page 9 30 Displaying the Interface Speed and Duplex Mode Configuration page 9 30 Adding a Description for an Interface page 9 32 Speed and Duplex Mode Configuration Guidelines Note You do not configur...

Page 468: ...gotiate the speed and duplex mode Switch config interface fastethernet 5 4 Switch config if speed auto Note The preceding CLI is analogous to speed auto 10 100 This example shows how to limit the interface speed to 10 and 100 Mbps on the Gigabit Ethernet interface 1 1 in auto negotiation mode Switch config interface gigabitethernet 1 1 Switch config if speed auto 10 100 This example shows how to l...

Page 469: ...utonegotiation is enabled by default and the link is active if both peers are Multigigabit Ehternet ports and if forced speed is configured For 1 Gigabit Ethernet ports 13 to 48 the link is active only if autonegotiation is enabled at least at one end and forced speed is configured This example shows how to set the interface speed to 5G on the Multigigabit Ethernet interface 3 1 Switch config inte...

Page 470: ...disable downshift Setting the Interface Duplex Mode Note When the interface is set to 1000 Mbps you cannot change the duplex mode from full duplex to half duplex To set the duplex mode of a Fast Ethernet interface perform this task This example shows how to set the interface duplex mode to full on Fast Ethernet interface 5 4 Switch config interface fastethernet 5 4 Switch config if duplex full Dis...

Page 471: ... 0 deferred 1 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out Switch This example shows how to display the interface speed and duplex mode of 10 Gigabit Ethernet interface 1 5 Switch show interface tengigabitethernet 1 5 TenGigabitEthernet1 5 is up line protocol is up connected Hardware is Ten Gigabit Ethernet Port address is 0022 bde2 0f6d bia 0022 bde2 0f6d MTU 15...

Page 472: ...This special packet is called a pause frame The default settings for Gigabit Ethernet interfaces are as follows Sending pause frames is off Non oversubscribed Gigabit Ethernet interfaces Receiving pause frames is desired Non oversubscribed Gigabit Ethernet interfaces Sending pause frames is on Oversubscribed Gigabit Ethernet interfaces Receiving pause frames is desired Oversubscribed Gigabit Ether...

Page 473: ... yes Inline power no SPAN source destination UDLD yes Link Debounce no Link Debounce Time no Port Security yes Dot1x yes Maximum MTU 1552 bytes Baby Giants Multiple Media Types no Diagnostic Monitoring N A Switch show flowcontrol interface GigabitEthernet 7 5 Port Send FlowControl Receive FlowControl RxPause TxPause admin oper admin oper Gi7 5 on off desired off 0 0 This example shows the output o...

Page 474: ...cap type 802 1Q ISL Trunk mode on off desirable nonegotiate Channel yes Broadcast suppression percentage 0 100 sw Flowcontrol rx none tx none VLAN Membership static dynamic Fast Start yes Queuing rx N A tx 1p3q1t Shaping CoS rewrite yes ToS rewrite yes Inline power no SPAN source destination UDLD yes Link Debounce no Link Debounce Time no Port Security yes Dot1x yes Maximum MTU 1552 bytes Baby Gia...

Page 475: ...red one for IPv4 and one for IPv6 This further reduces the number of slots available out of 32 However only a single MTU value is stored for each ip mtu and ipv6 mtu commands If the new MTU value you are configuring is already present in the system that is configured on some other interface then no new slot s are allocated to store it again If the maximum limit of 32 is reached and an attempt is m...

Page 476: ... Gigabit Ethernet Layer 3 and Layer 2 EtherChannels Starting with Release Cisco IOS Release 12 2 31 SGA you could configure all the interfaces in an EtherChannel provided that they have the same MTU Changing the MTU of an EtherChannel changes the MTU of all member ports If the MTU of a member port cannot be changed to the new value that port is suspended administratively shut down A port cannot jo...

Page 477: ...ernet 1 2 GigabitEthernet1 2 is administratively down line protocol is down Hardware is C6k 1000Mb 802 3 address is 0030 9629 9f88 bia 0030 9629 9f88 MTU 9216 bytes BW 1000000 Kbit DLY 10 usec Output Truncated switch Interacting with Baby Giants The baby giants feature introduced in Cisco IOS Release 12 1 12c EW uses the global command system mtu size to set the global baby giant MTU This feature ...

Page 478: ... and Layer 3 protocols To configure the debounce timer on a port perform this task Note The default time is 10ms for E series supervisor engines and line cards When configuring the debounce timer on a port you can increase the port debounce timer value between 10 milliseconds and 5000 milliseconds on the 10 Gigabit Ethernet ports This example shows how to enable the port debounce timer on 10 Gigab...

Page 479: ... must also set the speed on the port to auto so that for the feature to operate correctly auto MDIX is supported on copper media ports It is not supported on fiber media ports Note The following line cards support Auto MDIX by default when port auto negotiation is enabled WS X4424 GB RJ45 WS X4448 GB RJ45 WS X4548 GB RJ45 and WS X4412 2GB T You cannot disable them with the mdix command Note The fo...

Page 480: ...nterface configuration mode for the physical interface to be configured Step 3 Switch config if speed auto Configures the port to autonegotiate speed with the connected device Step 4 Switch config if mdix auto Enables auto MDIX on the port Step 5 Switch config if end Returns to privileged EXEC mode Step 6 Switch show interfaces interface id Verifies the configuration of the auto MDIX feature on th...

Page 481: ...late collision 0 deferred 1 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out Switch Understanding Online Insertion and Removal The online insertion and removal OIR feature supported on the Catalyst 4500 series switch allows you to remove and replace modules while the system is online You can shut down the module before removal and restart it after insertion without c...

Page 482: ...commands are only enabled on the uplink module of WS 4500X 32 For details please refer to the hardware portion of the documentation library http www cisco com en US products hw switches ps4324 prod_installation_guides_list html Shutting down a Module To shut down a module safely either enter the hw module module stop command or press the OIR button for 5 seconds Note The hw module module stop comm...

Page 483: ...JAE15340C0J M MAC addresses Hw Fw Sw Status 1 0022 bde2 1061 to 0022 bde2 1080 0 2 15 0 1r SG 0 0 DEV 0 Ok 2 0022 bde2 1579 to 0022 bde2 1580 0 1 Ok Switch The following example shows what happens if a module has not been stopped and you enter this command Switch hw module module 2 start Module 2 not stopped Common Scenarios Table 9 9 lists the common scenarios associated with an OIR on a WS 4500X...

Page 484: ...nd at the EXEC prompt To display information about the interface enter one of the following commands This example shows how to display the status of Fast Ethernet interface 5 5 Switch show protocols fastethernet 5 5 FastEthernet5 5 is up line protocol is up Switch Clearing and Resetting the Interface To clear the interface counters shown with the show interfaces command enter this command Know if ...

Page 485: ...ork servers through all dynamic routing protocols The interface is not mentioned in any routing updates To shut down an interface and then restart it perform this task This example shows how to shut down Fast Ethernet interface 5 5 Switch config interface fastethernet 5 5 Switch config if shutdown Switch config if Sep 30 08 33 47 LINK 5 CHANGED Interface FastEthernet5 5 changed state to a administ...

Page 486: ...ng event setting The interface trunk status logging event can be configured in the same configuration states Configuring Link Status Event Notification for an Interface To enable or disable a link status logging event enter one of the following commands Global Settings You can also provide a global configuration for the corresponding logging event A global configuration provides default logging se...

Page 487: ...k status and trunk status logging settings are set to default values which follow regardless of the global setting Switch show running interface g1 4 Building configuration Current configuration 97 bytes interface GigabitEthernet1 4 switchport trunk encapsulation dot1q switchport mode trunk end Switch The trunk status logging messages for the interface are displayed whenever the interface trunking...

Page 488: ...Port Gi1 4 has become dot1q trunk 3d00h LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet1 4 changed state to up Resetting the Interface to the Default Configuration If you have configured a interface with many command lines and you want to clear all the configuration on that interface use the default interface global configuration command as follows Switch config default interface fas...

Page 489: ...page 10 6 Using Ping page 10 7 Using IP Traceroute page 10 8 Using Layer 2 Traceroute page 10 9 Configuring ICMP page 10 12 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the C...

Page 490: ...to see detailed information about the specified port To apply configuration commands to a particular port you must specify the appropriate logical module For more information see the Checking Module Status section on page 10 1 This example shows how to display the status of all interfaces on a Catalyst 4500 series switch including transceivers Output of this command displays Unapproved GBIC for no...

Page 491: ...0050 3e8d 6400 static ipx Switch 200 0050 3e8d 6400 static ipx Switch 100 0050 3e8d 6400 static other Switch 200 0050 3e8d 6400 static other Switch 5 0050 3e8d 6400 static other Switch 4 0050 3e8d 6400 static ip Switch 1 0050 3e8d 6400 static ip Route 1 0050 3e8d 6400 static other Switch 4 0050 3e8d 6400 static other Switch 5 0050 3e8d 6400 static ip Switch 200 0050 3e8d 6400 static ip Switch 100 ...

Page 492: ...ong its wires and depending on the reflected signal it can determine roughly where a cable fault could be The variations on how TDR signal is reflected back determine the results on TDR On cat4k products we only support cable fault types OPEN or SHORT We do display Terminated status in case cable is proper terminated and this is done for illustrative purpose Running the TDR Test To start the TDR t...

Page 493: ...DR test multiple times to get accurate results Do not change port status for example remove the cable at the near or far end because the results might be inaccurate TDR works best if the test cable is disconnected from the remote port Otherwise it might be difficult for you to interpret results correctly TDR operates across four wires Depending on the cable conditions the status might show one pai...

Page 494: ...specified time To set the logout timer enter this command Monitoring User Sessions You can display the currently active user sessions on the switch using the show users command The command output lists all active console port and Telnet sessions on the switch To display the active user sessions on the switch enter this command This example shows the output of the show users command when local auth...

Page 495: ...r Location telnet jake jake mac bigcorp com telnet suzy suzy pc bigcorp com Switch Using Ping These sections describe how to use IP ping Understanding How Ping Works page 10 7 Running Ping page 10 8 Understanding How Ping Works The ping command allows you to verify connectivity to remote hosts If you attempt to ping a host in a different IP subnetwork you must define a static route to the network ...

Page 496: ... 3 12 16 10 3 is alive Switch This example shows how to use a ping command in privileged EXEC mode to specify the number of packets the packet size and the timeout period Switch ping Target IP Address 12 20 5 19 Number of Packets 5 10 Datagram Size 56 100 Timeout in seconds 2 10 Source IP Address 12 20 2 18 12 20 2 18 12 20 2 19 PING Statistics 10 packets transmitted 10 packets received 0 packet l...

Page 497: ...on host is unlikely to be using When a host receives a datagram with an unrecognized port number it sends an ICMP Port Unreachable error message to the source The Port Unreachable error message indicates to traceroute that the destination has been reached Running IP Traceroute To trace the path that packets take through the network enter this command in EXEC or privileged EXEC mode This example sh...

Page 498: ...he source device to the destination device All switches in the path must be reachable from this switch The traceroute mac command output shows the Layer 2 path only when the specified source and destination MAC addresses belong to the same VLAN If you specify source and destination MAC addresses that belong to different VLANs the Layer 2 path is not identified and an error message appears If you s...

Page 499: ...2 con2 2 2 2 2 Gi0 2 Fa0 1 Destination 0000 0201 0201 found on con2 WS C3550 24 2 2 2 2 Layer 2 trace completed Switch Switch traceroute mac ip 2 2 66 66 2 2 22 22 detail Translating IP to mac 2 2 66 66 0000 0201 0601 2 2 22 22 0000 0201 0201 Source 0000 0201 0601 found on con6 WS C2950G 24 EI 2 2 6 6 con6 WS C2950G 24 EI 2 2 6 6 Fa0 1 auto auto Fa0 3 auto auto con5 WS C2950G 24 EI 2 2 5 5 Fa0 3 a...

Page 500: ... might be forced to fragment packets To limit the rate that Internet Control Message Protocol ICMP destination unreachable messages are generated enter the following command Enabling ICMP Redirect Messages Data routes are sometimes less than optimal For example it is possible for the router to be forced to resend a packet through the same interface on which it was received If this occurs the Cisco...

Page 501: ...interface configuration mode Enabling ICMP Mask Reply Messages Occasionally network devices must know the subnet mask for a particular subnetwork in the internetwork To obtain this information devices can send ICMP Mask Request messages These messages are responded to by ICMP Mask Reply messages from devices that have the requested information The Cisco IOS software can respond to ICMP Mask Reques...

Page 502: ...10 14 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 10 Checking Port Status and Connectivity Configuring ICMP ...

Page 503: ...the Catalyst 4507R and Catalyst 4510R switches Note For information on Cisco nonstop forwarding NSF with SSO see Chapter 12 Configuring Cisco NSF with SSO Supervisor Engine Redundancy This chapter contains these major sections About Supervisor Engine Redundancy page 11 2 About Supervisor Engine Redundancy Synchronization page 11 4 Supervisor Engine Redundancy Guidelines and Restrictions page 11 5 ...

Page 504: ...ects its presence and the redundant supervisor engine boots into a partially initialized state in RPR mode and a fully initialized state in SSO mode Software upgrade See the Performing a Software Upgrade section on page 11 13 To minimize down time during software changes on the supervisor engine load the new image on the redundant supervisor engine and conduct a switchover When power is first appl...

Page 505: ... stateful switchover are kept in synchronization Consequently it offers zero interruption to Layer 2 sessions in a redundant supervisor engine configuration Because the redundant supervisor engine recognizes the hardware link status of every link ports that were active before the switchover remain active including the uplink ports However because uplink ports are physically on the supervisor engin...

Page 506: ...are learned on the redundant supervisor engine if the SSO feature is enabled All Layer 3 protocols on Catalyst 4500 series switches Switch Virtual Interfaces About Supervisor Engine Redundancy Synchronization During normal operation the persistent configuration RPR and SSO and the running configuration SSO only are synchronized by default between the two supervisor engines In a switchover the new ...

Page 507: ...When real time changes occur the active supervisor engine synchronizes the running config and or the persistent configuration if necessary with the redundant supervisor engine When you change the configuration you must use the write command to allow the active supervisor engine to save and synchronize the startup configuration of the redundant supervisor engine Supervisor Engine Redundancy Guideli...

Page 508: ...cy In Cisco IOS Release 12 2 25 SG and later releases on a Catalyst 4507R series switch 10 Gigabit Ethernet and Gigabit Ethernet uplinks are concurrently usable Redundancy requires both supervisor engines in the chassis to have the same components model memory NFL daughter card and to use the same Cisco IOS software image When the WS X4516 active and redundant supervisor engines are installed in t...

Page 509: ...the redundant supervisor engine Even though you can still perform SNMP set operations in SSO mode you might experience unexpected behavior After you configure the switch through SNMP in SSO mode copy the running config file to the startup config file on the active supervisor engine to trigger synchronization of the startup config file on the redundant supervisor engine Reload the redundant supervi...

Page 510: ... 0 Last switchover reason none Hardware Mode Duplex Configured Redundancy Mode Stateful Switchover Operating Redundancy Mode Stateful Switchover Maintenance Mode Disabled Communications Up Current Processor Information Active Location slot 1 Current Software state ACTIVE Uptime in current state 2 days 2 hours 39 minutes Image Version Cisco Internetwork Operating System Software IOS tm Catalyst 400...

Page 511: ...tchover Redundancy Mode Configured Stateful Switchover Redundancy State Stateful Switchover Maintenance Mode Disabled Manual Swact enabled Communications Up client count 21 client_notification_TMR 240000 milliseconds keep_alive TMR 9000 milliseconds keep_alive count 0 keep_alive threshold 18 RF debug mask 0x0 Switch This example shows how to change the system configuration from RPR to SSO mode Swi...

Page 512: ...sor engine You must be in privilege EXEC mode level 15 to run these commands to access the standby console Once you enter the standby virtual console the terminal prompt automatically changes to hostname standby console where hostname is the configured name of the switch The prompt is restored back to the original prompt when you exit the virtual console You exit the virtual console with the exit ...

Page 513: ...t synchronized to the redundant supervisor engine For information on how to handle this situation see the Supervisor Engine Redundancy Guidelines and Restrictions section on page 11 5 Note The auto sync command controls the synchronization of the config reg bootvar and startup private configuration files only The calendar and VLAN database files are always synchronized when they change In SSO mode...

Page 514: ...ngine for test purposes We recommend that you perform a manual switchover prior to deploying SSO in your production environment Note This discussion assumes that SSO has been configured as the redundant mode To perform a manual switchover perform this task on the active supervisor engine Be aware of these usage guidelines To force a switchover the redundant supervisor engine must be in a standby h...

Page 515: ...eloads the active supervisor engine once The following scenario is not supported An active supervisor engine running Cisco IOS Release 12 1 x E and a standby supervisor engine running Cisco IOS Release 12 2 x S The standby supervisor engine resets repeatedly If you are trying to upgrade redundant supervisor engines from Cisco IOS Release 12 1 x E to 12 2 x S this requires a full system reboot To p...

Page 516: ...5 CONFIGSYNC The config reg has been successfully synchronized to the standby supervisor 4d01h C4K_REDUNDANCY 5 CONFIGSYNC The startup config has been successfully synchronized to the standby supervisor 4d01h C4K_REDUNDANCY 5 CONFIGSYNC The private config has been successfully synchronized to the standby supervisor The example above shows that the boot variable the config register and the startup ...

Page 517: ...ame Deletes specific files from the slot0 device on the redundant supervisor engine Deletes specific files from the bootflash device on the redundant supervisor engine Switch squeeze slaveslot0 or Switch squeeze slavebootflash Squeezes the slot0 device on the redundant supervisor engine Squeezes the bootflash device on the redundant supervisor engine Switch format slaveslot0 or Switch format slave...

Page 518: ...o IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 11 Configuring Supervisor Engine Redundancy Using RPR and SSO on Supervisor Engine 6 E and Supervisor Manipulating Bootflash on the Redundant Supervisor Engine ...

Page 519: ...visor engine redundancy on the Catalyst 4507R and Catalyst 4510R switches Note For information on Cisco nonstop forwarding NSF with SSO see Chapter 13 Configuring Cisco NSF with SSO Supervisor Engine Redundancy This chapter contains these major sections About Supervisor Engine Redundancy page 12 2 About Supervisor Engine Redundancy Synchronization page 12 4 Supervisor Engine Redundancy Guidelines ...

Page 520: ...ts its presence and the redundant supervisor engine boots into a partially initialized state in RPR mode and a fully initialized state in SSO mode Software upgrade See the Performing a Software Upgrade section on page 12 12 To minimize down time during software changes on the supervisor engine load the new image on the standby supervisor engine and conduct a switchover When power is first applied ...

Page 521: ...sted below and all changes in hardware and software states for features that support stateful switchover are kept in synchronization Consequently it offers zero interruption to Layer 2 sessions in a redundant supervisor engine configuration Because the standby supervisor engine recognizes the hardware link status of every link ports that were active before the switchover will remain active includi...

Page 522: ...rol broadcast storm control SSO is compatible with the following list of features However the protocol database for these features is not synchronized between the standby and active supervisor engines 802 1Q tunneling with Layer 2 Protocol Tunneling L2PT Baby giants Jumbo frame support CDP Flood blocking UDLD SPAN RSPAN NetFlow The following features are learned on the standby supervisor engine if...

Page 523: ...ting startup configuration file on the standby supervisor engine When you make changes to the configuration you must use the write command to save and synchronize the startup configuration to the standby supervisor engine SSO Supervisor Engine Configuration Synchronization When a standby supervisor engine runs in SSO mode the following events trigger synchronization of the configuration informatio...

Page 524: ... engine are available The second two uplinks are unavailable with Supervisor Engine 8 E only the first four uplinks on each supervisor engine are available provided a 47xx line card is inserted on slot 10 The second set of four uplinks are unavailable Only the first two uplinks on each supervisor are available unless the requirement is met i e 47xx linecard in 4510 chassis SSO requires both superv...

Page 525: ... remove a line card from a redundant switch and initiate an SSO switchover then reinsert the line card and all interfaces are shutdown The rest of the original line card configuration is preserved This situation only occurs if a switch had reached SSO before you removed the line card Configuring Supervisor Engine Redundancy These sections describe how to configure supervisor engine redundancy Conf...

Page 526: ...on Cisco IOS Software Catalyst 4500 L3 Switch Software cat4500e UNIVERSALK9 M Version 15 0 100 XO 1 42 INTERIM SOFTWARE Copyright c 1986 2010 by Cisco Systems Inc Compiled Sun 01 Aug 10 04 12 by gsbuprod Configuration register 0x920 Peer Processor Information Standby Location slot 4 Current Software state STANDBY HOT Uptime in current state 0 minute Image Version Cisco IOS Software Catalyst 4500 L...

Page 527: ...access monitor or debug the standby supervisor Virtual Console for Standby Supervisor Engine enables you to access the standby console from the active supervisor engine without requiring a physical connection to the standby console It uses IPC over EOBC to communicate with the standby supervisor engine and thus emulate the standby console on the active supervisor engine Only one standby console se...

Page 528: ...ractive nature of a command any command that requires user interaction causes the virtual console to wait until the RPC timer aborts the command The virtual console timer is set to 60 seconds The virtual console returns to its prompt after 60 seconds During this time you cannot abort the command from the key board You must wait for the timer to expire before you continue You cannot use virtual con...

Page 529: ... variables are automatic and cannot be disabled Switch config redundancy Switch config red main cpu Switch config r mc auto sync standard Switch config r mc end Switch copy running config startup config Note To manually synchronize individual elements of the standard auto sync configuration disable the default automatic synchronization feature Note When you configure the auto sync standard the ind...

Page 530: ...the active supervisor engine Use the show module command to see which slot contains the active supervisor engine and force another switchover if necessary Performing a Software Upgrade This is useful only if IOS XE software is running in LAN Base mode For Enterprise Services or IP Base mode use ISSU to upgrade software for both RPR and SSO redundant mode The software upgrade procedure supported by...

Page 531: ...CY 5 CONFIGSYNC The startup config has been successfully synchronized to the standby supervisor 4d01h C4K_REDUNDANCY 5 CONFIGSYNC The private config has been successfully synchronized to the standby supervisor Step 3 Switch config terminal Switch config config register 0x2 Switch config boot system flash device file_name Configures the supervisor engines to boot the new image If your system was co...

Page 532: ...flash device on the standby supervisor engine Switch delete slaveslot0 target_filename or Switch delete slavebootflash target_filename Deletes specific files from the slot0 device on the standby supervisor engine Deletes specific files from the bootflash device on the standby supervisor engine Switch squeeze slaveslot0 target_filename or Switch squeeze slavebootflash target_filename Squeezes the s...

Page 533: ...e Redundancy page 13 9 Cisco High Availability Features in Cisco IOS XE 3 1 0SG page 13 17 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All ...

Page 534: ...ighboring NSF router Note OSPF Version2 fast hellos generate false alarms We recommend that you use Bidirectional Forwarding Detection BFD instead NSF capability NSF works with SSO to minimize the amount of time that a Layer 3 network is unavailable following a supervisor engine switchover by continuing to forward IP packets Reconvergence of Layer 3 routing protocols BGP EIGRP OSPF v2 and IS IS is...

Page 535: ...NSF with SSO Supervisor Engine Redundancy Overview Catalyst 4500 series switch support fault resistance by allowing a redundant supervisor engine to take over if the primary supervisor engine fails NSF works with SSO to minimize the amount of time a network is unavailable to its users following a switchover NSF provides these benefits Improved network availability NSF continues forwarding network ...

Page 536: ... two supervisor engines SSO maintains state information between them including forwarding information During switchover system control and routing protocol execution is transferred from the active supervisor engine to the redundant supervisor engine Note Use the no service slave log configuration command to forward all error messages from the standby supervisor engine to the active engine By defau...

Page 537: ...e The supervisor engine signals when the RIB has converged The software removes all FIB and adjacency entries that have an epoch older than the current switchover epoch The FIB now represents the newest routing protocol forwarding information Routing Protocols Note Use of the routing protocols require the Enterprise Services Cisco IOS Software image for the Catalyst 4500 series switch The routing ...

Page 538: ...NSF requires that neighbor networking devices be NSF aware that is the devices must have the graceful restart capability and advertise that capability in their OPEN message during session establishment If an NSF capable router discovers that a particular BGP neighbor does not have graceful restart capability it does not establish an NSF capable session with that neighbor All other neighbors that h...

Page 539: ... a proposed standard Note If you configure IETF on the networking device but neighbor routers are not IETF compatible NSF aborts following a switchover If the neighbor routers on a network segment are not NSF aware you must use the Cisco configuration option The Cisco IS IS configuration transfers both protocol adjacency and link state information from the active to the redundant supervisor engine...

Page 540: ...isor engine however a new NSF restart is not attempted by IS IS until the interval time expires This functionality prevents IS IS from attempting back to back NSF restarts EIGRP Operation When an EIGRP NSF capable router initially re boots after an NSF restart it has no neighbor and its topology table is empty The router is notified by the redundant now active supervisor engine when it needs to br...

Page 541: ...elines and Restrictions NSF with SSO has these restrictions With aggressive protocol timers such as when the default exceeds the timer value upon switchover the protocol software running on the new active supervisor engine might not initialize in time to send hello packets to its neighboring switches or routers If the protocol takes longer time to initialize because of other CPU demanding tasks th...

Page 542: ...state Switch enable Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config redundancy Switch config red mode sso Switch config red end Switch show redundancy states my state 13 ACTIVE peer state 8 STANDBY HOT Mode Duplex Unit Primary Unit ID 5 Redundancy Mode Operational sso Redundancy Mode Configured sso Split Mode Disabled Manual Swact Enabled Communica...

Page 543: ...e show cef state command Switch show cef state CEF Status RP CEF enabled running dCEF enabled running CEF switching enabled running CEF default capabilities Always FIB switching yes Default CEF switching yes Default dCEF switching yes Update HWIDB counters no Drop multicast packets no CEF NSF capable yes IPC delayed func on SSO no RRP state I am standby RRP no My logical slot 0 RF PeerComm no Conf...

Page 544: ... families are listed BGP NSF does not occur either Switch show ip bgp neighbors x x x x BGP neighbor is 192 168 2 2 remote AS YY external link BGP version 4 remote router ID 192 168 2 2 BGP state Established up for 00 01 18 Last read 00 00 17 hold time is 180 keepalive interval is 60 seconds Neighbor capabilities Route refresh advertised and received new Address family IPv4 Unicast advertised and ...

Page 545: ...F follow these steps Step 1 Verify that nsf appears in the OSPF configuration of the SSO enabled device by entering the show running config command Switch show running config route ospf 120 log adjacency changes nsf network 192 168 20 0 0 0 0 255 area 0 network 192 168 30 0 0 0 0 255 area 1 network 192 168 40 0 0 0 0 255 area 2 Step 2 Enter the show ip ospf command to verify that NSF is enabled on...

Page 546: ... NSF operation for IS IS Enter the ietf keyword to enable IS IS in a homogeneous network where adjacencies with networking devices supporting IETF draft based restartability is guaranteed Enter the cisco keyword to run IS IS in heterogeneous networks that might not have adjacencies with NSF aware networking devices Step 4 Switch config router nsf interval minutes Optional Specifies the minimum tim...

Page 547: ... In this example note the presence of NSF restart enabled Switch show isis nsf NSF is ENABLED mode cisco RP is ACTIVE standby ready bulk sync complete NSF interval timer expired NSF restart enabled Checkpointing enabled no errors Local state ACTIVE Peer state STANDBY HOT Mode SSO The following display shows sample output for the Cisco configuration on the standby RP In this example note the presen...

Page 548: ...ate Running NSF L1 Restart retransmissions 0 Maximum L1 NSF Restart retransmissions 3 L1 NSF ACK requested FALSE L1 NSF CSNP requested FALSE NSF L2 Restart state Running NSF L2 Restart retransmissions 0 Maximum L2 NSF Restart retransmissions 3 L2 NSF ACK requested FALSE L2 NSF CSNP requested FALSE Configuring EIGRP NSF To configure EIGRP NSF perform this task Verifying EIGRP NSF To verify EIGRP NS...

Page 549: ...High Availability Features in Cisco IOS XE 3 1 0SG This section provides a list of High Availability software features that are supported in Cisco IOS XE 3 1 0SG Links to the feature documentation are included Feature guides may contain information about more than one feature To find information about a specific feature within a feature guide see the Feature Information table at the end of the gui...

Page 550: ...with Stateful Switchover http www cisco com en US docs ios xml ios ha configuration xe 3s ha config nonstop forwarding ht ml SSO HDLC http www cisco com en US docs ios xml ios ha configuration xe 3s ha config stateful switchover ht ml SSO HSRP http www cisco com en US docs ios xml ios ha configuration xe 3s ha config stateful switchover ht ml SSO Multilink PPP MLP http www cisco com en US docs ios...

Page 551: ...and configuration examples This chapter consists of the following major sections About Environmental Monitoring page 14 1 Power Management page 14 7 IEEE 802 3az Energy Efficient Ethernet page 14 23 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cis...

Page 552: ...ne 7L E and their associated line cards support multiple temperature sensors per card The environment condition output includes the temperature reading from each sensor and the temperature thresholds for each sensor These line cards support three thresholds warning critical and shutdown The following example illustrates how to display the environment condition on a Supervisor Engine 6 E and Superv...

Page 553: ...Module Sensor Temperature Status 1 Xgstub A 39C 48C 62C 65C ok 1 Xgstub B 32C 45C 60C 63C ok 1 XPP 47C 62C 75C 78C ok 1 VFE2 59C 74C 85C 88C ok 1 NFE 44C 63C 75C 78C ok 1 CPU 55C 57C 72C 75C ok 1 FPGA 37C 52C 66C 69C ok 4 Power macro 30C 56C 68C 71C ok 4 Air inlet 27C 46C 59C 62C ok 4 Xgstub 31C 66C 76C 79C ok 4 Air outlet 30C 60C 71C 74C ok Power Fan Inline Supply Model No Type Status Sensor Stat...

Page 554: ...ne PS2 PWR C49X 750AC R AC 750W good good n a Power supplies needed by system 1 Power supplies currently available 1 Chassis Type WS C4500X 32 Power consumed by backplane 0 Watts Switch Bandwidth Utilization 0 Supervisor Led Color Green Module 1 Status Led Color Green Module 2 Status Led Color Green Beacon Led Status off Fan trays needed by system 4 Fan trays currently available 5 Chassis fan tray...

Page 555: ...nt s detected Slo t 1 Input 3 09 09 2012 21 32 32 CAT4K 2 POWER_SURGE 5 Power Surge event s detected Slo t 1 Input 3 09 10 2012 00 05 49 CAT4K 2 POWER_SAG 1 Power Sag event s detected Slot 1 Input 1 09 10 2012 00 05 49 CAT4K 2 POWER_SURGE 1 Power Surge event s detected Slo t 1 Input 1 Emergency Actions Catalyst 4500 chassis can power down a single card providing a detailed response to over tempera...

Page 556: ...ee C is a hysteresis value designed to prevent toggling alarms An LED on the supervisor engine indicates whether an alarm has been issued When the system issues a major alarm it starts a timer whose duration depends on the alarm If the alarm is not canceled before the timer expires the system takes emergency action to protect itself from the effects of overheating The timer values and the emergenc...

Page 557: ...talyst 4500 Switch page 14 9 Selecting a Power Management Mode page 14 10 Power Management Limitations in Catalyst 4500 series switches page 14 10 Available Power for Catalyst 4500 Series Switches Power Supplies page 14 14 Table 14 4 Alarms on Supervisor Engine 6 E Supervisor Engine 6L E and Supervisor Engine 7 E Event Alarm Type Supervisor LED Color Timeout Description and Action Card temperature...

Page 558: ...orted 1400 W AC Supports up to 1400 W system power PoE not supported 2800 W AC Supports up to 1400 W of system power and up to 1400 W of PoE Variable Wattage These power supplies automatically adjust the wattage to accommodate PoE and system power requirements 1300 W AC Supports up to 1050 W of system power and 800 W of PoE limited to a total of 1300 W 1400 W DC Supports up to 1400 W of system pow...

Page 559: ... currently available 1 Power Summary Maximum in Watts Used Available System Power 12V 328 1360 Inline Power 50V 0 1400 Backplane Power 3 3V 10 40 Total Used 338 not to exceed Total Maximum Available 750 Switch Power Management Modes for the Catalyst 4500 Switch The Catalyst 4500 series switches support two power management modes Redundant mode Redundant mode uses one power supply as a primary powe...

Page 560: ... modules Power Management Limitations in Catalyst 4500 series switches Limitation 1 It is possible to configure a switch that requires more power than the power supplies provide The two ways you could configure a switch to exceed the power capabilities are as follows The power requirements for the installed modules exceed the power provided by the power supplies If you insert a single power supply...

Page 561: ... The 802 3af compliant PoE modules can consume up to 20 W of PoE to power FPGAs and other hardware components on the module Be sure to add at least 20 W to your PoE requirements for each 802 3af compliant PoE module to ensure that the system has adequate power for the PDs connected to the switch On the WS X4148 RJ45V PoE module PoE consumption cannot be measured For all PoE calculations the PoE co...

Page 562: ...slots are required only one WS X4448 GB RJ45 line card can be used Configuring Redundant Mode on a Catalyst 4500 Series Switch By default the power supplies in a Catalyst 4500 series switch are set to operate in redundant mode To effectively use redundant mode follow these guidelines Use two power supplies of the same type If you have the power management mode set to redundant mode and only one po...

Page 563: ...ttage fixed or variable and AC or DC If you use power supplies with different types or wattages the switch utilizes only one of the power supplies For variable power supplies choose a power supply that provides enough power so that the chassis and PoE requirements are less than the maximum available power Variable power supplies automatically adjust the power resources at startup to accommodate th...

Page 564: ...r in not the mathematical sum of the individual power supplies The power supplies have a sharing ratio predetermined by the hardware In combined mode the total power available is P P sharing ratio where P is the amount of power in the power supply Command Purpose Step 1 Switch configure terminal Enters configuration mode Step 2 Switch config power redundancy mode combined Sets the power management...

Page 565: ...5 4200ACV AC 4200W bad off good bad off PS2 1 220V good PS2 2 220V bad Power supplies needed by system 1 Power supplies currently available 2 Power Summary Maximum in Watts Used Available System Power 12V 140 1360 Inline Power 50V 0 1850 Backplane Power 3 3V 0 40 Total 140 not to exceed Total Maximum Available 2100 Switch Switch show power Power Fan Inline Supply Model No Type Status Sensor Status...

Page 566: ... powered in redundant mode the power values is based on the power supply with the higher output wattage Note When the system is powered with a 4200 W 6000 W or 9000W power supply either in 110 V or 220 V combined mode operation the available power is determined by the configuration of the system the type of line cards the number of line cards number of ports consuming inline power etc and does not...

Page 567: ...1818 2301 2660 Both sides at 220 V AC 2448 3071 3570 Both sides at 220 V AC 220 V AC 2448 6142 7070 Both sides at 220 V AC 220 V AC the other at 220 V AC 2447 4607 5320 Table 14 8 Output Power in Redundant Mode for the 6000 W AC Power Supply Power Supply 12 V data W 50V PoE W Total Power W 1 1 Power supply outputs drawing should not exceed the total power 110 V AC 850 922 1050 110 V AC 110 V AC 17...

Page 568: ...AC 220VAC 220VAC 1960 7500 9000 Table 14 11 Power Output in Combined Mode for the 9000 W AC Power Supply Power Supply 12V data W 50V PoE W 1 Total Power W 1 Power supply output drawings should not exceed the total power Both sides at 110 VAC 1594 1660 1790 Both sides at 110VAC 110VAC 2424 3320 3610 Both sides at 110VAC 110VAC 110VAC 2424 4150 5420 One side at 110VAC 110VAC 110VAC the other at 110V...

Page 569: ...inputs and you limit the user to 5500 W instead of 7600 W and one subunit fails or is powered off you have three quality inputs providing 5500 W and the chassis is powered at the same rate as it was prior to the failure event Switch configuration terminal Enter configuration commands one per line End with CNTL Z Switch config power redundancy combined max inputs 3 Switch config end Switch 14 32 01...

Page 570: ...3 Switch show power sh power Power Fan Inline Supply Model No Type Status Sensor Status PS1 PWR C45 4200ACV AC 4200W good good good PS1 1 110V good PS1 2 110V good PS2 PWR C45 4200ACV AC 4200W good good good PS2 1 110V good PS2 2 110V good Power supplies needed by system 2 Maximum Inputs 3 Power supplies currently available 2 Power Summary Maximum in Watts Used Available System Power 12V 140 2400 ...

Page 571: ...adjusts between system power for modules backplane and fans and PoE Although PoE is 96 percent efficient system power has only 75 percent efficiency For example each 120 W of system power requires 160 W from the DC input This requirement is reflected in the Power Used column of the output for the show power available command The 1400 W DC power supply has a separate power on or off switch for PoE ...

Page 572: ...s wiring to connect the power supplies to rails to minimize the inrush current drawn during an initial power up In this situation you should configure the switch in combined mode before you take a rail down for maintenance Ordinarily when configured for redundancy two power supplies must be matched have identical inputs For example you might provide power to inputs 1 and 3 on both PS1 and PS2 If p...

Page 573: ...Switch The Catalyst 4948 switches support the redundant power management mode In this mode if both power supplies are operating normally each provides from 20 80 to 45 55 percent of the total system power requirements at all times If one power supply fails the other unit increases power to 100 percent of the total power requirement IEEE 802 3az Energy Efficient Ethernet Note EEE is supported on WS...

Page 574: ...uplex half full auto Auto MDIX yes EEE yes 100 Tx and 1000 T auto mode Enabling EEE To enable EEE on a given port use the power efficient ethernet auto command The following example shows how to enable EEE Switch config t Switch config interface gigabitethernet 1 1 Switch config if power efficient ethernet auto Switch config if exit Determining EEE Status To determine EEE status use the show platf...

Page 575: ...EE 802 3az Energy Efficient Ethernet EEE status can have the following values EEE N A The port is not capable of EEE EEE Disabled The port EEE is disabled EEE Disagreed The port EEE is not set because a remote link partner might be incompatible with EEE either it is not EEE capable or it s EEE setting is incompatible EEE Operational The port EEE is enabled and operating ...

Page 576: ... 26 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 14 Environmental Monitoring and Power Management IEEE 802 3az Energy Efficient Ethernet ...

Page 577: ...ts page 15 7 Displaying the PoE Consumed by a Module page 15 8 PoE Policing and Monitoring page 15 12 Enhanced Power PoE Support on the E Series Chassis page 15 15 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Comm...

Page 578: ... module They can supply PoE to the powered device if there is no power on the circuit If there is power on the circuit the switch does not supply it The powered device can also be connected to an AC power source and supply its own power to the voice circuit Note You should select the amount of PoE desired using the Cisco Power Calculator http tools cisco com cpc Hardware Requirements To power a de...

Page 579: ...tion for an 802 3af compliant PoE module and displays this in the show power module command PoE consumption cannot be measured on the WS X4148 RJ45V PoE module For all PoE calculations the PoE consumption on this module is presumed to be equal to its administrative PoE For more information see the Displaying the PoE Consumed by a Module section on page 15 8 For most users the default configuration...

Page 580: ...ows how to configure an interface so that it never supplies power through the interface Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface fastethernet 5 2 Switch config if power inline never Switch config if end Switch Intelligent Power Management All Catalyst 4500 PoE capable modules use Intelligent Power Management to provide power on eac...

Page 581: ...ntee safe operation of the system ensure that the value configured here is no less than the actual power requirement of the attached device If the power drawn by the inline powered devices exceeds the capability of the power supply it could trip the power supply To change the power consumption of a single powered device perform this task This example shows how to set the PoE consumption to 5000 mi...

Page 582: ... AdminPowerMax AdminConsumption Watts Watts Gi7 1 15 4 5 0 Displaying the Operational Status for an Interface Each interface has an operational status which reflects the PoE status for an interface The operational status for an interface is defined as one of the following on Power is supplied by the port off Power is not supplied by the port If a powered device is connected to an interface with ex...

Page 583: ...n a n a Fa3 12 auto off 0 0 n a n a Fa3 13 auto off 0 0 n a n a Fa3 14 auto off 0 0 n a n a Fa3 15 auto off 0 0 n a n a Fa3 16 auto off 0 0 n a n a Fa3 17 auto off 0 0 n a n a Fa3 18 auto off 0 0 n a n a Totals 10 on 117 5 104 6 Switch This example shows how to display the operational status for Fast Ethernet interface 4 1 Switch show power inline fa4 1 Available 677 w Used 11 w Remaining 666 w In...

Page 584: ...the PDs connected to the switch add at least 20 W to your PoE requirements for each 802 3af compliant PoE module The following example uses the show power module command to display the PoE consumption for an 802 3af compliant module Switch show power module Watts Used of System Power 12V Mod Model currently out of reset in reset 1 WS X4013 TS 330 330 330 2 WS X4548 GB RJ45V 60 60 20 3 WS X4548 GB ...

Page 585: ...tus PS1 PWR C45 1300ACV AC 1300W good good good PS2 none Power supplies needed by system 1 Power supplies currently available 1 Power Summary Maximum in Watts Used Available System Power 12V 480 1000 Inline Power 50V 138 800 Backplane Power 3 3V 0 0 Total 618 not to exceed Total Maximum Available 1300 Module Inline Power Summary Watts 12V 48V on board conversion Maximum Mod Used Available 1 128 15...

Page 586: ...e Class From PS To Device Gi2 1 auto on 11 5 10 2 CNU Platform n a Interface AdminPowerMax AdminConsumption Watts Watts Gi2 1 15 4 15 4 Switch show power inline module 1 Module 1 Inline Power Supply Available 158 w Used 128 w Remaining 30 w Interface Admin Oper Power Watts Device Class From PS To Device Gi1 1 auto on 10 3 10 3 CNU Platform 3 Gi1 2 auto on 10 3 10 3 CNU Platform 3 Gi1 3 auto on 10 ...

Page 587: ... 15 auto on 11 5 10 2 CNU Platform 3 Gi2 16 auto on 11 5 10 2 CNU Platform 3 Gi2 17 auto off 0 0 0 0 n a n a Gi2 18 auto off 0 0 0 0 n a n a Interface Admin Oper Power Watts Device Class From PS To Device Gi2 19 auto off 0 0 0 0 n a n a Gi2 20 auto off 0 0 0 0 n a n a Gi2 21 auto off 0 0 0 0 n a n a Gi2 22 auto off 0 0 0 0 n a n a Gi2 23 auto off 0 0 0 0 n a n a Gi2 24 auto off 0 0 0 0 n a n a Gi2...

Page 588: ...ed or a message might be logged to the console and the port restarted PoE monitoring lets you display the true power consumption of inline powered devices attached to the switch allowing you determine your actual power consumption This section includes these topics PoE Policing Modes page 15 12 Configuring Power Policing on an Interface page 15 13 Displaying Power Policing on an Interface page 15 ...

Page 589: ...llustrates The following example illustrates how to configure the logging policing action Switch conf t Enter configuration commands one per line End with CNTL Z Switch config int g2 1 Switch config if power inline police action log Switch config if end Switch show power inline police g2 1 Available 800 w Used 32 w Remaining 768 w Interface Admin Oper Admin Oper Cutoff Oper State State Police Poli...

Page 590: ... If you enter the show power inline command at the global level show power inline police the last line of the output under the Oper Power field displays the total of true inline power consumption of all devices connected to the switch Configuring Errdisable Recovery By default errdisable auto recovery for inline power is disabled when an interface is placed in an errdisable state because of an inl...

Page 591: ...Switch config terminal Enter configuration commands one per line End with CNTL Z Switch config errdisable detect cause inline power Switch config end Switch show errdisable recovery ErrDisable Reason Timer Status inline power Enabled Enhanced Power PoE Support on the E Series Chassis The WS X4648 RJ45V E WS X4648 RJ45V E and WS X4548 RJ45V switching modules support IEEE 802 3af PoE as well as the ...

Page 592: ...re is only available on Supervisor Engine 7 E Supervisor Engine 7L E and Supervisor Engine 8 E Although IEEE 802 at only provides for power up to 30W per port the WS X4748 UPOE E module can provide up to 60W using the spare pair of an RJ45 cable wires 4 5 7 8 with the signal pair wires 1 2 3 6 Power on the spare pair is enabled when the switch port and end device mutually identify themselves as Un...

Page 593: ...al and spare pairs from switch port gigabit ethernet 2 1 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 2 1 Switch config if power inline four pair forced Switch config if shutdown Switch config if no shutdown Switch config if end Switch Do not enter this command if the end device is incapable of sourcing inline power on ...

Page 594: ...5 18 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 15 Configuring Power over Ethernet Enhanced Power PoE Support on the E Series Chassis ...

Page 595: ... for Network Assistant page 16 4 Managing a Network Using Community page 16 6 Converting a Cluster into a Community page 16 10 Managing a Network Using Cluster page 16 11 Configuring Network Assistant in Community or Cluster Mode page 16 13 Note The Network Assistant is not bundled with an online software image on Cisco com You can download the Network Assistant at this location http www cisco com...

Page 596: ...ach member must have an IP address assigned to it When you use communities you need to have an HTTP server and you need to configure an IP address on each switch Clustering Overview A switch cluster is a set of up to 16 connected cluster capable Catalyst switches that are managed as a single entity The switches in the cluster use the switch clustering technology so that you can configure and troub...

Page 597: ...sistant and on the Catalyst 4500 series switch must match Value can be changed to any non default number above 1024 IP HTTP server Disabled Enabled4 4 Required for Network Assistant to access the device Cluster run Disabled Enabled5 5 Enabled only if you want to manage a cluster of devices Table 16 2 CLI Commands Command Functions no cluster enable Names the cluster no cluster run Enables clusteri...

Page 598: ...ch perform this task line vty Configures additional VTYs for use by Cisco Network Assistant show version Displays the Cisco IOS release show running config Displays the switch configuration vtp domain Creates a VTP domain to manage VLANs vtp mode Sets the behavior for VTP management of the VLANs Table 16 2 CLI Commands continued Command Functions Command Purpose Step 1 Switch configure terminal En...

Page 599: ...pecifies the maximum amount of time a connection can stay idle A idle value of 180 seconds is recommended The life keyword specifies the maximum amount of time a connection can stay open since it was established A life value of 180 seconds is recommended The requests keyword specifies the maximum amount of requests on a connection The recommended maximum number of requests allowed is 25 Step 6 Swi...

Page 600: ...mplete procedures for using Network Assistant to configure switch communities refer to Getting Started with Cisco Network Assistant available at http www cisco com en US products ps5931 prod_installation_guides_list html Command Purpose Step 1 Switch configuration terminal Enters global configuration mode Step 2 Switch config cluster run Enables clustering Note Enable clustering on all switches th...

Page 601: ...ry Protocol CDP version 2 is enabled the default if you want the device to be auto discovered HTTP or HTTPS is enabled Note A cluster member can be added to a community but the reverse is not possible Note If a cluster commander is added to a community the other member devices of the cluster are not added automatically The cluster members must be added to the community on an individual basis in or...

Page 602: ...tion information to the list of member devices Network Assistant requests that you enter a name or IP address for the community You need to assign a name to the community before you can manage it Network Assistant saves the name to your PC The community name can consist of the characters 0 through 9 a through z and A through Z with spaces allowed between the characters Note You can connect to a cl...

Page 603: ...dow select the candidate devices that you want to add To add more than one candidate press Ctrl and make your choices or press Shift and choose the first and last device in a range Click Add Use the Modify Community window to add devices to an existing community Choose Application Communities to open the Communities window In the Communities window select the name of the community to which you wan...

Page 604: ...the Cluster Conversion Wizard follow these steps Step 1 Start Network Assistant and connect to an existing cluster through its commander IP address Step 2 In the feature bar choose Configure Cluster Cluster Conversion Wizard You see the query or you want to convert this cluster to a community Step 3 Select Yes to proceed or No if you want to manually bring up the Cluster Conversion Wizard If you s...

Page 605: ...hanism used in CNA 1 0 Note For complete procedures for using Network Assistant to configure switch clusters refer to Getting Started with Cisco Network Assistant available at http www cisco com en US products ps5931 prod_installation_guides_list html This section contains the following topics Understanding Switch Clusters page 16 11 Using the CLI to Manage Switch Clusters page 16 13 Understanding...

Page 606: ...ies switch to support an appropriate number of VTY lines with the line vty configuration command For example the line vty 6 15 command configures the switch to include 9 VTY lines Note If your existing VTY lines have nondefault configurations you might want to apply those configurations to the new VTY lines Candidate Switch and Cluster Member Switch Requirements Candidate switches are cluster capa...

Page 607: ...lnet session accesses the member switch CLI at the same privilege level as on the cluster command switch The Cisco IOS commands will operate as usual For instructions on configuring the switch for a Telnet session see the Accessing the CLI Through Telnet section on page 2 2 Note CISCO CLUSTER_MIB is not supported Configuring Network Assistant in Community or Cluster Mode This section provides a de...

Page 608: ...le value of 180 seconds is recommended The life keyword specifies the maximum amount of time a connection can stay open since it was established A life value of 180 seconds is recommended The requests keyword specifies the maximum number of requests on a connection A requests value of 25 recommended Step 15 Switch config if ip http secure server Optionally Enables the switch to accept HTTPS connec...

Page 609: ... server Switch config ip http max connections 16 Switch config ip http timeout policy idle 180 life 180 requests 25 Switch config ip route 0 0 0 0 0 0 0 0 123 123 123 2 Switch config line con 0 Switch config line exec timeout 0 0 Switch config line password keepout Switch config line login Switch config line line vty 5 15 Switch config line password keepout Switch config line login Switch config l...

Page 610: ...525 94CF24CF 7B313C01 BF177A73 494B1096 B4D24729 E087B39C E44ED9F3 FCCD04BB 4AD3C6BF 66E0902D E234D08F E6F6C001 BAC80854 D4668160 9299FC73 C14A33F3 51A17BF5 8C0BEA07 3AC03D84 889F2661 02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 11041830 16821456 61646572 2D343531 302E6369 73636F2E 636F6D30 1F060355 1D230418 30168014 BB013B0D 00391D79 B628F2B3 74FC62B4 077AD908 301D0603 ...

Page 611: ...e server ip http max connections 16 ip http timeout policy idle 180 life 180 requests 25 line con 0 password cna login stopbits 1 line vty 0 4 password cna login line vty 5 15 password cna login end Switch Configuring Network Assistant in a Networked Switch in Cluster Mode To configure Network Assistant on a networked switch in cluster mode perform this task on the switch Command Purpose Step 1 Sw...

Page 612: ...ables the interface Step 12 Switch config if ip http server Starts the HTTP server so that Network Assistant can talk to the switch Step 13 Switch config ip http secure server Optionally Enables the switch to accept HTTPS connections from Network Assistant Step 14 Switch config ip route a b c Establishes the route to the default router usually supplied by the local Internet provider Note This line...

Page 613: ...g configuration Current configuration 1469 bytes version 12 2 no service pad service timestamps debug uptime service timestamps log uptime no service password encryption service compress config hostname Switch boot start marker boot end marker enable password cna no aaa new model ip subnet zero vtp domain cnadoc vtp mode transparent cluster run cluster enable cnadoccluster 0 power redundancy mode ...

Page 614: ... interface GigabitEthernet1 10 interface GigabitEthernet1 11 interface GigabitEthernet1 12 interface GigabitEthernet1 13 interface GigabitEthernet1 14 interface GigabitEthernet1 15 interface GigabitEthernet1 16 interface GigabitEthernet1 17 interface GigabitEthernet1 18 interface GigabitEthernet1 19 interface GigabitEthernet1 20 interface Vlan1 no ip address interface Vlan2 ip address 123 123 123 ...

Page 615: ...isco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases VLANs This section includes the following major subsections About VLANs page 17 1 VLAN Configuration Guidelines and Restrictions page 17 3 VLAN Default Configuration page 17 4 Configu...

Page 616: ...ectly to another VLAN between broadcast domains within the switch or between two switches To interconnect two different VLANs you must use switches or Layer 3 switches See the About Layer 3 Interfaces section on page 35 1 for information on inter VLAN routing on Catalyst 4500 series switches Figure 17 1 shows an example of three VLANs that create logically defined networks Figure 17 1 Sample VLANs...

Page 617: ...VLANs 4094 is in the path of two HSRP peers with the timeout set below 500 ms HSRP flaps Workarounds Use fewer VLANs Set the timers greater than 600 ms Enter the no igmp snooping globally and access list hardware capture mode VLAN commands VLAN Ranges Note You must enable the extended system ID to use 4094 VLANs See the Understanding the Bridge ID section on page 23 2 With Cisco IOS Release 12 2 3...

Page 618: ... range VLANs note the following Layer 3 ports and some software features require internal VLANs Internal VLANs are allocated from 1006 and up You cannot use a VLAN that has been allocated for such use To display the VLANs used internally enter the show vlan internal usage command Switches running the Catalyst operating system do not support configuration of VLANs 1006 1024 If you configure VLANs 1...

Page 619: ... the VLAN configuration or VTP use the commands described in the following sections and in the command reference guide The following sections describe how to configure VLANs Configuring VLANs in Global Configuration Mode page 17 5 Assigning a Layer 2 LAN Interface to a VLAN page 17 7 Configuring VLANs in Global Configuration Mode If the switch is in VTP server or transparent mode see the VLAN Trun...

Page 620: ...odify an Ethernet VLAN note the following Because Layer 3 ports and some software features require internal VLANs allocated from 1006 and up configure extended range VLANs starting with 4094 and work downward You can configure extended range VLANs only in global configuration mode You cannot configure extended range VLANs in VLAN database mode Layer 3 ports and some software features use extended ...

Page 621: ...itching section on page 19 5 VLAN Trunking Protocol This section describes the VLAN Trunking Protocol VTP on the Catalyst 4500 series switches and includes the following major subsections About VTP page 17 7 VTP Configuration Guidelines and Restrictions page 17 12 VTP Default Configuration page 17 13 Configuring VTP page 17 13 About VTP VTP is a Layer 2 messaging protocol that maintains VLAN confi...

Page 622: ...can create and modify VLANs but the changes affect only the individual switch When you make a change to the VLAN configuration on a VTP server the change is propagated to all network devices in the VTP domain VTP advertisements are transmitted out all Inter Switch Link ISL and IEEE 802 1Q trunk connections VTP maps VLANs dynamically across multiple LAN types with unique names and internal index as...

Page 623: ...r each VLAN Frame format Understanding VTP Versions VTP Version 2 If you use VTP in your network you must decide whether to use VTP version 2 or version 3 Note Catalyst 4500 series switches do not support Token Ring or FDDI media The switch does not forward FDDI FDDI Net Token Ring Concentrator Relay Function TrCRF or Token Ring Bridge Relay Function TrBRF traffic but it does propagate the VLAN co...

Page 624: ... VTP When VTP is disabled on a trunking port it applies to all VTP instances on that port When VTP is disabled globally the setting applies to all the trunking ports in the system In VTP version 1 and VTP version 2 the role of a VTP server is to back up the database to NVRAM and to allow the administrator to change database information VTP version 3 introduces the roles of VTP primary server and V...

Page 625: ... VTP pruning enabled The broadcast traffic from Switch 1 is not forwarded to Switches 3 5 and 6 because traffic for the Red VLAN has been pruned on the links indicated Interface 5 on Switch 2 and Interface 4 on Switch 4 Figure 17 3 Flooding Traffic with VTP Pruning Enabling VTP pruning on a VTP server enables pruning for the entire management domain VTP pruning takes effect several seconds after y...

Page 626: ...version 3 device does not accept configuration information from a VPT version 2 or version 1 device Unlike in VPT version 2 when VTP is configured to be version 3 this does not configure all the version 3 capable devices in the domain to start behaving as VPT version 3 systems When a VTP version 1 device capable of version 2 or version 3 receives a VTP version 3 packet the device is configured as ...

Page 627: ...wly manufactured Catalyst 4500 supervisor engines Catalyst 4900 series switches and the Cisco ME 4924 10GE switch is transparent Deleting vlan dat or entering the erase cat4000_flash command and resetting the switch changes the VTP mode to server Configuring VTP These sections describe how to configure VTP Configuring VTP Global Parameters page 17 13 Configuring the VTP Mode page 17 16 Starting a ...

Page 628: ...n password Switch configure terminal Switch config vtp password WATER hidden Generating the secret associated to the password Switch config This example shows how the password WATER is displayed when it is configured with the hidden keyword Switch show vtp password VTP Password 89914640C8D90868B6A0D8103847A733 Switch Command Purpose Switch config vtp password password_string hidden secret Sets a p...

Page 629: ...disabled by default on VTP version 2 capable network devices When you enable VTP version 2 on a network device every VTP version 2 capable network device in the VTP domain enables version 2 Caution VTP version 1 and VTP version 2 are not interoperable on network devices in the same VTP domain Every network device in the VTP domain must use the same VTP version Do not enable VTP version 2 unless ev...

Page 630: ...le This example shows how to configure the switch as a VTP server Switch configure terminal Switch config vtp mode server Setting device to VTP SERVER mode Switch config vtp domain Lab_Network Setting VTP domain name to Lab_Network Switch config end Switch This example shows how to configure the switch as a VTP client Switch configure terminal Switch config vtp mode client Setting device to VTP CL...

Page 631: ...ing Mode Enabled VTP Traps Generation Disabled Device ID 0016 9c6d 5300 Configuration last modified by 127 0 0 12 at 10 18 07 10 12 42 Local updater ID is 127 00 12 at 10 18 07 10 2 42 Feature VLAN VTP Operating Mode Server Maximum number of existing VLANs 5 Configuration Revision 1 MD5 digest 0x92 0xF1 0xE8 0x52 0x2E ox5C 0x36 0x10 0x70 0x61 0xB8 0x24 0xB6 0x93 0x21 0x09 Switch This example shows...

Page 632: ...mple shows how to start a takeover and direct it to the vlan database Switch vtp primary server vlan Enter VTP password password This system is becoming primary for feature vlan VTP Feature Conf Revision Primary Server Device ID Description MST Yes 4 0012 4371 9ec0 0012 4371 9ec0 R1 Do you want to continue confirm Switch Command Purpose Switch vtp primary server vlan mst force Changes the operatio...

Page 633: ...vertisements transmitted 3 Number of config revision errors 0 Number of config digest errors 0 Number of V1 summary errors 0 VTP pruning statistics Trunk Join Transmitted Join Received Summary advts received from non pruning capable device Fa5 8 43071 42766 5 Displaying VTP Devices in a Domain To display information for all the VTP devices in a domain perform this task Command Purpose Switch show ...

Page 634: ...page 17 22 Illegal VMPS Client Requests page 17 22 Understanding the VMPS Server A VLAN Membership Policy Server VMPS provides a centralized server for selecting the VLAN for a port dynamically based on the MAC address of the device connected to the port When the host moves from a port on one switch in the network to a port on another switch in the network that switch dynamically assigns the new p...

Page 635: ...t entry in the configuration table to deny access to specific MAC addresses for security reasons If you enter the none keyword for the VLAN name the VMPS sends an access denied or port shutdown response Security Modes for VMPS Server VMPS operates in three different modes The way a VMPS server responds to illegal requests depends on the mode in which the VMPS is configured Open Mode page 17 21 Sec...

Page 636: ...ing system software support VMPS in all three operation modes the User Registration Tool URT supports open mode only Fallback VLAN You can configure a fallback VLAN name on a VMPS server If no VLAN has been assigned to this port VMPS compares the requesting MAC address to this port If you connect a device with a MAC address that is not in the database the VMPS sends the fallback VLAN name to the c...

Page 637: ...tion on page 17 20 for a complete description of possible VMPS responses Multiple hosts MAC addresses can be active on a dynamic port if all are in the same VLAN If the link goes down on a dynamic port the port returns to the unassigned state and does not belong to a VLAN Any hosts that come online through the port are checked again with the VMPS before the port is assigned to a VLAN For this oper...

Page 638: ...terminal Enter configuration commands one per line End with CNTL Z Switch config vmps server 172 20 128 179 primary Switch config vmps server 172 20 128 178 Switch config end Note You can configure up to four VMPS servers using this CLI on the VMPS client Switch show vmps VQP Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Retry Count 3 VMPS domain server 172 20 128 179 primary c...

Page 639: ...an belong to both an access VLAN and a voice VLAN Consequently an access port configured for connecting an IP phone can have separate VLANs for the following Data traffic to and from the PC that is connected to the switch through the access port of the IP phone access VLAN Voice traffic to and from the IP phone voice VLAN Reconfirming VLAN Memberships To confirm the dynamic port VLAN membership as...

Page 640: ... status VMPS Action No Host Configuring the Retry Interval You can set the number of times that the VMPS client attempts to contact the VMPS before querying the next server To configure the retry interval perform this task This example shows how to change the retry count to 5 and to verify the change Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ...

Page 641: ...lay VMPS statistics Switch show vmps statistics VMPS Client Statistics VQP Queries 0 VQP Responses 0 VMPS Changes 0 VQP Shutdowns 0 VQP Denied 0 VQP Version The version of VQP used to communicate with the VMPS The switch queries the VMPS using VQP Version 1 Reconfirm Interval The number of minutes the switch waits before reconfirming the VLAN to MAC address assignments Server Retry Count The numbe...

Page 642: ...disabled state refer to Chapter 10 Checking Port Status and Connectivity To recover an errdisabled port use the errdisable recovery cause vmps global configuration command Dynamic Port VLAN Membership Configuration Example Figure 17 4 on page 17 29 shows a network with a VMPS servers and VMPS client switches with dynamic ports In this example these assumptions apply The VMPS server and the VMPS cl...

Page 643: ...lyst 4500 series switch Figure 17 5 Topology with an End Station Attached Directly to a Catalyst 4500 Series Switch Operating as a VMPS Client Primary VMPS Server 1 Secondary VMPS Server 2 Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 4000 CatOS Catalyst 6000 CatOS URT 172 20 26 152 Ethernet segment 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 ...

Page 644: ... VMPS server IP address switch config vmps server 172 20 26 150 primary c Enter the secondary VMPS server IP addresses switch config vmps server 172 20 26 152 d To verify your entry of the VMPS IP addresses return to privileged EXEC mode switch config exit e Display VMPS information configured for the switch switch show vmps VQP Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Ret...

Page 645: ...the VLAN to MAC address assignments switch config terminal switch config vmps reconfirm 60 Step 5 Confirm the entry from privileged EXEC mode switch show vmps VQP Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Retry Count 3 VMPS domain server Reconfirmation status VMPS Action No Dynamic Port Step 6 Repeat Steps 1 and 2 to configure the VMPS server addresses and assign dynamic po...

Page 646: ...ce id port port name all ports vmps port group WiringCloset1 device 198 92 30 32 port Fa1 3 device 172 20 26 141 port Fa1 4 vmps port group Executive Row device 198 4 254 222 port es5 Fa0 1 device 198 4 254 222 port es5 Fa0 2 device 198 4 254 223 all ports VLAN groups vmps vlan group group name vlan name vlan name vmps vlan group Engineering vlan name hardware vlan name software VLAN port Policies...

Page 647: ...cted Host Polling page 18 6 Displaying IP Unnumbered Interface Settings page 18 7 Troubleshooting IP Unnumbered Interface page 18 8 Related Documents page 18 8 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command ...

Page 648: ...Using the VLANs over IP Unnumbered Interfaces Feature DHCP Option 82 DHCP provides a framework for passing configuration information to hosts on a TCP IP network Configuration parameters and other control information are carried in tagged data items that are stored in the options field of the DHCP message The data items are also called options Option 82 is organized as a single DHCP option that co...

Page 649: ...ered Interfaces the following features are not supported Dynamic routing protocols HSRP VRRP Static ARP Unnumbered Interface and Numbered Interface in different VRFs Type byte 1 Length byte 2 Interface byte 9 Reserved byte 10 Reserved bytes 3 4 VLAN ID bytes 11 12 NAS IP address bytes 5 8 103088 1 12 bytes Table 18 1 Agent Remote ID Suboption Field Descriptions Field Description Type Format type T...

Page 650: ...es page 18 4 Configuring IP Unnumbered Interface Support on a Range of Ethernet VLANs page 18 5 Configuring IP Unnumbered Interface Support on LAN and VLAN Interfaces To configure IP unnumbered interface support on a single LAN or VLAN interface perform this task Command Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enter...

Page 651: ...nge vlan 1 10 Switch config if ip unnumbered fastethernet 3 1 Switch config if exit Switch config end Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config interface range fastethernet gigabitethernet vlan vlan slot interface fastethernet gigabitethernet vlan...

Page 652: ...1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config interface vlan vlan id Enters interface configuration mode and the interface to be configured as a tunnel port Step 4 Switch config if ip unnumbered type number poll Enables IP processing and connected host polling on an interface witho...

Page 653: ...example shows how to display key statistic for the backlog of unnumbered interfaces with connected host polling Switch show ip arp poll Number of IP addresses processed for polling 439 Number of IP addresses in queue for polling 3 high water mark 0 max 1000 Number of requests dropped Queue was full 0 Request was throttled by incomplete ARP 0 Duplicate request was found in queue 0 To clear the key ...

Page 654: ...wise only the loopback interface host route is advertised to an OSPF neighbor Switch config int loopback 0 Switch config if ip address Switch config if ip address 10 1 0 1 255 255 0 0 Switch config if ip ospf network point to point Switch config if end Related Documents Related Topic Document Title DHCP and other IP addressing configuration tasks IP Addressing and Services section of the Cisco IOS...

Page 655: ...net Switching page 19 1 Default Layer 2 Ethernet Interface Configuration page 19 4 Layer 2 Interface Configuration Guidelines and Restrictions page 19 4 Configuring Ethernet Interfaces for Layer 2 Switching page 19 5 Note To configure Layer 3 interfaces see Chapter 35 Configuring Layer 3 Interfaces Note For complete syntax and usage information for the switch commands used in this chapter see the ...

Page 656: ... Gigabit Ethernet interfaces on the Catalyst 4500 series switch are full duplex mode only providing 2 Gbps effective bandwidth Switching Frames Between Segments Each Ethernet interface on a Catalyst 4500 series switch can connect to a single workstation or server or to a hub through which workstations or servers connect to the network On a typical Ethernet hub all ports connect to a common backpla...

Page 657: ...not support DTP are configured with the access keyword if you do not intend to trunk across those links To enable trunking to a device that does not support DTP use the nonegotiate keyword to cause the interface to become a trunk without generating DTP frames Table 19 1 Layer 2 Interface Modes Mode Purpose switchport mode access Puts the interface into permanent nontrunking mode and negotiates to ...

Page 658: ... However spanning tree information for each VLAN is maintained by Cisco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches Make sure the native VLAN for an 802 1Q trunk is the same on both ends of the trunk link If the VLAN on one end of the trunk is different from the VLAN on th...

Page 659: ...te Step 3 Switch config if switchport trunk encapsulation dot1q negotiate Optional Specifies the encapsulation Note You must enter this command with the dot1q keyword to support the switchport mode trunk command which is not supported by the default mode negotiate Step 4 Switch config if switchport mode dynamic auto desirable trunk Configures the interface as a Layer 2 trunk Required only if the i...

Page 660: ...hernet 5 8 switchport Name Fa5 8 Switchport Enabled Administrative Mode dynamic desirable Operational Mode trunk Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation dot1q Negotiation of Trunking Enabled Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Step 8 Switch config if switchport trunk prunin...

Page 661: ...AN in the VLAN database see the Configuring VLANs in Global Configuration Mode section on page 17 5 To configure an interface as a Layer 2 access port perform this task Command Purpose Step 1 Switch config interface fastethernet gigabitethernet tengigabitethernet slot port Specifies the interface to configure Step 2 Switch config if shutdown Optional Shuts down the interface to prevent traffic flo...

Page 662: ...Switch show interface fastethernet 5 6 switchport Name Fa5 6 Switchport Enabled Administrative Mode dynamic auto Operational Mode static access Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative private vlan host association none Administrative private vla...

Page 663: ... example shows how to verify that the Layer 2 configuration was cleared Switch show running config interface fastethernet 5 6 Building configuration Current configuration interface FastEthernet5 6 end This example shows how to verify the switch port configuration Switch show interfaces fastethernet 5 6 switchport Name Fa5 6 Switchport Enabled Switch Step 3 Switch show running config interface fast...

Page 664: ...atalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 19 Configuring Layer 2 Ethernet Interfaces Configuring Ethernet Interfaces for Layer 2 Switching ...

Page 665: ...ssociation between two or more user network interfaces that identifies a point to point or multipoint to multipoint path within the service provider network An EVC is a conceptual service pipe within the service provider network A bridge domain is a local broadcast domain that exists separately from VLANs A Catalyst 4500 series switch comprises of two bridge domains BDs BD 0 and BD 1 By default al...

Page 666: ...s sequence creates an EVC Lite VLAN and associates it to an interface The same VLAN can be associated with multiple interfaces although each interface can have only one bridge domain On a Catalyst 4500 series switch we can have two BDs 0 and 1 Because each BD supports 4K VLAN s we can support 8K VLANs An EVC Lite VLAN can be associated with the BD 0 and 1 interfaces However traffic flowing on this...

Page 667: ...pter 20 Configuring EVC Lite How to Configure EVC Lite Switch show evc lite evc lite vlans 10 Ports in bridge domain 1 Gi7 1 Note Because a port channel can only accommodate member links belonging to the BD of the port channel the show evc lite command displays only the port channel instead of all the member links ...

Page 668: ...20 4 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 20 Configuring EVC Lite How to Configure EVC Lite ...

Page 669: ... features and settings based on the location of a switch in the network and for mass configuration deployments across the network Each SmartPort macro is a set of CLI commands that you define SmartPort macro sets do not contain new CLI commands each SmartPort macro is a group of existing CLI commands When you apply a SmartPort macro on an interface the CLI commands contained within the macro are c...

Page 670: ... interfaces and the IP address for Layer 3 interface Retaining such commands in macro definitions requires that you change the value of such parameters such as VLAN ID or IP address before applying the macro to different interfaces Alternatively it requires that you create different macros for each possible value of its parameters Table 21 1 Cisco Default SmartPort Macros Macro Name1 1 Cisco defau...

Page 671: ... 1 and MAXHOST with 5 Be aware that you can specify any string in the macro as a keyword Macro Parameter Help It is often difficult to remember the macro keywords while applying a macro to an interface or switch Macros can contain the definitions for mandatory keywords If you apply a macro without those keyword values the commands are considered invalid and they fail You can enhance the macro infr...

Page 672: ...ccess Enable port security limiting port to a single MAC address that of desktop switchport port security Ensure port security age is greater than one minute and use inactivity timer Port security maximum 1 is the default and will not Show up in the config switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port...

Page 673: ...GE Hardcode trunk and disable negotiation to speed up convergence Hardcode speed and duplex to router switchport mode trunk switchport nonegotiate speed 100 duplex full Configure qos to trust this interface auto qos voip trust qos trust dscp Ensure fast access to the network when enabling the interface Ensure that switch devices cannot become active on the interface spanning tree portfast spanning...

Page 674: ...ch and is replaced by the corresponding value Macro names are case sensitive For example the commands macro name Sample Macro and macro name sample macro result in two separate macros Some macros might contain keywords that require a parameter value Use the macro global apply macro name global configuration command or the macro apply macro name interface configuration command to display a list of ...

Page 675: ... The Cisco default macros use the character to help identify required keywords There is no restriction on using the character to define keywords when you create a macro Creating SmartPort Macros To create a SmartPort macro perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config macro name macro name Creates a macro definition and ent...

Page 676: ...rface configuration mode and specify the interface on which to apply the macro Step 5 Switch config if default interface interface id Optional Clears all configuration from the specified interface Step 6 Switch config if macro apply trace macro name parameter value parameter value parameter value Applies each individual command defined in the macro to the interface by entering macro apply macro na...

Page 677: ...pported macros cisco global page 21 9 cisco desktop page 21 9 cisco phone page 21 10 cisco switch page 21 11 cisco router page 21 11 cisco global This example shows how to use the system defined macro cisco global Switch config macro global apply cisco global Changing VTP domain name from gsg switch to smartports Setting device to VTP TRANSPARENT mode Switch config end Switch show parser macro nam...

Page 678: ...sco phone This example shows how to use the system defined macro cisco phone to assign a value of 35 to the access VLAN and 56 to the voice VLAN on the Fast Ethernet interface 2 9 Note This macro requires the AVID and VVID keywords which are the access and voice VLANs of the port Switch config interface fastethernet2 9 Switch config if macro apply cisco phone Switch config if macro description cis...

Page 679: ...ch NVID 38 Switch config if end Switch show parser macro name cisco switch Macro name cisco switch Macro type customizable Access Uplink to Distribution switchport trunk encapsulation dot1q Define unique Native VLAN on trunk ports Recommended value for native vlan NVID should not be 1 switchport trunk native vlan NVID native_vlan_id Update the allowed VLAN range VRANGE such that it includes data v...

Page 680: ... trunk and disable negotiation to speed up convergence Hardcode speed and duplex to router switchport mode trunk switchport nonegotiate speed 100 duplex full Configure qos to trust this interface auto qos voip trust qos trust dscp Ensure fast access to the network when enabling the interface Ensure that switch devices cannot become active on the interface spanning tree portfast spanning tree bpdug...

Page 681: ...lying a macro to a single interface When you use an interface range the macro is applied sequentially to each interface within the range If a macro command fails on one interface it is still applied to the remaining interfaces When you apply a macro to a switch or a switch interface the macro name is automatically added to the switch or interface You can display the applied commands and macro name...

Page 682: ...u can enter up to three keyword value pairs Parameter keyword matching is case sensitive The corresponding value replaces all matching occurrences of the keyword Step 5 interface interface id Optional Enters interface configuration mode and specify the interface on which to apply the macro Step 6 default interface interface id Optional Clears all configuration from the specified interface Step 7 m...

Page 683: ...tch show parser macro cisco desktop Macro name cisco desktop Macro type default Basic interface Enable data VLAN only Recommended value for access vlan AVID should not be 1 switchport access vlan AVID switchport mode access Enable port security limiting port to a single MAC address that of desktop switchport port security switchport port security maximum 1 Ensure port security age is greater than ...

Page 684: ...21 16 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 21 Configuring SmartPort Macros Configuring Static SmartPort Macros ...

Page 685: ...sco IP phone to a port Auto Smartport automatically applies the Cisco IP phone macro The Cisco IP phone macro enables quality of service QoS security features and a dedicated voice VLAN to ensure proper treatment of delay sensitive voice traffic Auto Smartport uses event triggers to map devices to macros The most common event triggers are based on Cisco Discovery Protocol CDP messages received fro...

Page 686: ...ot a phone device nothing is triggered If 802 1X authentication is configured on a port a MAC address based trigger is never triggered If 802 1X authentication is not configured on a port CDP LLDP has priority over a MAC address based trigger with a hold off timer applied for MAC address based trigger Between CDP LLDP there is no particular order whichever one arrives first is triggered Device Cla...

Page 687: ...onfiguration Guidelines page 22 5 Configuring Auto Smartport Built in Macro Parameters page 22 6 Configuring User Defined Event Triggers page 22 8 Configuring Mapping Between User Defined Triggers and Built in Macros page 22 9 Configuring Auto Smartport User Defined Macros page 22 10 Enabling Auto Smartport Macros Note By default Auto Smartport is disabled globally To disable Auto Smartport macros...

Page 688: ...p config Optional Saves your entries in the configuration file Command Purpose Table 22 1 Auto Smartport Built in Event Trigger Macros Event Trigger Name Description CISCO_PHONE_EVENT System detects that a phone device is connected to an interface CISCO_SWITCH_EVENT System detects that a switch is connected to an interface CISCO_ROUTER_EVENT System detects that a router is connected to an interfac...

Page 689: ... and disable it before adding the port to an EtherChannel Note If an Auto Smartport macro is applied on an interface EtherChannel configuration usually fails because of conflict with the auto QoS configuration applied by the macro The built in macro default data VLAN is VLAN 1 The default voice VLAN is VLAN 2 You should modify the built in macro default values if your switch uses different VLANs T...

Page 690: ...not coexist on an interface A switch applies a macro in accordance with the LLDP advertisement from the attached device If the device does not identify itself properly the wrong macro is applied Consult the specific device documentation to ensure the device s firmware is current The LWAP s WLC software version must be 6 0 188 Cisco IOS 12 4 21a JA2 or later to make it detectable as LWAP by AutoSma...

Page 691: ...gger value CISCO_PHONE_EVENT CISCO_SWITCH_EVENT CISCO_ROUTER_EVENT CISCO_WIRELESS_AP_EVENT CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT CISCO_DMP_EVENT CISCO_IPVSC_EVENT WORD Apply a user defined event trigger Specify a built in macro name value CISCO_PHONE_AUTO_SMARTPORT Optional Specify the parameter values ACCESS_VLAN 1 and VOICE_VLAN 2 CISCO_SWITCH_AUTO_SMARTPORT Optional Specify the parameter values N...

Page 692: ...bpduguard enable service policy input AutoQos VoIP Input Cos Policy service policy output AutoQos VoIP Output Policy end Note You can also use the macro auto device command to simplify changing the parameters for a built in functions for a device type Configuring User Defined Event Triggers You can configure two types of event triggers user defined and MAC address based The following sections desc...

Page 693: ...g startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config macro auto mac address group Specifies a group of MAC address as an event trigger Changes mode to config mac addr grp You can then add or remove the MAC address or Organizational Unique Identifier OUI from the ...

Page 694: ...r description MAC_AuthBypass Event Trigger environment Trigger mapping function CISCO_PHONE_AUTO_SMARTPORT output truncated Configuring Auto Smartport User Defined Macros The Cisco IOS shell provides basic scripting capabilities for configuring the user defined Auto Smartport macros These macros can contain multiple lines and can include any CLI command You can also define variable substitution co...

Page 695: ...cute CISCO_DMP_EVENT if LINKUP eq YES then conf t interface INTERFACE macro description TRIGGER switchport access vlan 1 Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config macro auto execute event trigger parameter value function contents Specifies a user defined macro that maps to an event trigger Specify an event trigger value CISCO_PHONE_EVENT...

Page 696: ... fi no switchport port security no switchport port security maximum 1 no switchport port security violation restrict no switchport port security aging time 2 no switchport port security aging type inactivity no spanning tree portfast no spanning tree bpduguard enable exit fi Switch config end Table 22 4 lists the supported shell keywords your can apply in your macros and antimacro statements Table...

Page 697: ...classifier Table 22 5 Unsupported Cisco IOS Shell Reserved Keywords Command Description Pipeline case Conditional construct esac Conditional construct for Looping construct function Shell function in Conditional construct select Conditional construct time Pipeline until Looping construct while Looping construct Table 22 6 Commands for Displaying Auto Smartport and Static Smartport Macros Command P...

Page 698: ...hone 7975 70 24 Valid Default Cisco IP Phone 7985 70 25 Valid Default Cisco IP Phone 9971 70 26 Valid Default Cisco WLC 2100 Series 40 27 Valid Default DLink Device 10 28 Valid Default Enterasys Device 10 29 Valid Default HP Device 10 30 Valid Default HP JetDirect Printer 30 31 Valid Default Lexmark Device 10 32 Valid Default Lexmark Printer E260dn 30 33 Valid Default Microsoft Device 10 34 Valid ...

Page 699: ... Valid Built in Cisco DMP 4310G 70 18 Valid Built in Cisco DMP 4400G 70 19 Valid Built in Cisco WLC 2100 Series 40 20 Valid Built in Cisco Access Point 10 21 Valid Built in Cisco AIR LAP 30 22 Valid Built in Cisco AIR AP 30 23 Valid Built in Linksys Device 20 24 This example shows how to use the show shell triggers privileged EXEC command to view the event triggers in the switch software Switch sh...

Page 700: ...witchport nonegotiate auto qos voip trust mls qos trust cos exit end fi if LINKUP eq NO then conf t interface INTERFACE no macro description no switchport nonegotiate no switchport trunk native vlan NATIVE_VLAN no switchport trunk allowed vlan ALL no auto qos voip trust no mls qos trust cos if AUTH_ENABLED eq NO then no switchport mode no switchport trunk encapsulation fi exit end fi function CISC...

Page 701: ...atalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 22 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport end fi output truncated ...

Page 702: ...22 18 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 22 Configuring Cisco IOS Auto Smartport Macros Displaying Auto Smartport ...

Page 703: ...to PVST Interoperability PVST Simulation page 23 35 Configuring PVST Simulation page 23 36 About Detecting Unidirectional Link Failure page 23 40 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you ...

Page 704: ...sts the spanning tree algorithm recalculates the spanning tree topology and activates the standby path When two ports on a switch are part of a loop the spanning tree port priority and port path cost setting determine which port is put in the forwarding state and which port is put in the blocking state The spanning tree port priority value represents the location of an interface in the network top...

Page 705: ...s The following elements determine the stable active spanning tree topology of a switched network The unique bridge ID bridge priority and MAC address associated with each VLAN on each switch The spanning tree path cost or bridge priority value to the root bridge The port identifier port priority and MAC address associated with each Layer 2 interface Bridge protocol data units BPDUs contain inform...

Page 706: ...ee are selected Election of the Root Bridge For each VLAN the switch with the highest bridge priority the lowest numerical priority value is elected as the root bridge If all switches are configured with the default priority value 32 768 the switch with the lowest MAC address in the VLAN becomes the root bridge The spanning tree root bridge is the logical center of the spanning tree topology in a ...

Page 707: ...ted pair UTP link is the root port Network traffic might be more efficient over the high speed fiber optic link By changing the spanning tree port priority on the fiber optic port to a higher priority lower numerical value than the priority set for the root port the fiber optic port becomes the new root port STP Port States Propagation delays can occur when protocol information passes through a sw...

Page 708: ...t a Cisco switch to a non Cisco device that supports 802 1Q through an 802 1Q trunk the Cisco switch combines the spanning tree instance of the 802 1Q native VLAN of the trunk with the spanning tree instance of the non Cisco 802 1Q switch However all per VLAN spanning tree information is maintained by Cisco switches separated by a network of non Cisco 802 1Q switches The non Cisco 802 1Q network s...

Page 709: ... Time for a VLAN page 23 19 Disabling Spanning Tree Protocol page 23 20 Enabling Per VLAN Rapid Spanning Tree page 23 20 Table 23 4 Spanning Tree Default Configuration Values Feature Default Value Enable state Spanning tree enabled for all VLANs Bridge priority value 32 768 Spanning tree port priority value configurable on a per interface basis used on interfaces configured as Layer 2 access ports...

Page 710: ...ee vlan 200 VLAN200 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 32768 address 0050 3e8d 6401 Configured hello time 2 max age 20 forward delay 15 Current root has priority 16384 address 0060 704c 7000 Root port is 264 FastEthernet5 8 cost of root path is 38 Topology change flag not set detected flag not set Number of topology changes 0 last change occurred...

Page 711: ...tch config end Switch This example shows how to verify the configuration Switch show spanning tree summary include extended Extended system ID is enabled Configuring the Root Bridge A Catalyst 4500 series switch maintains an instance of spanning tree for each active VLAN configured on the switch A bridge ID consisting of the bridge priority and the bridge MAC address is associated with each instan...

Page 712: ...e for a network of that diameter This action can significantly reduce the spanning tree convergence time Use the hello time keyword to override the automatically calculated hello time Note We recommend that you avoid manually configuring the hello time forward delay time and maximum age time after configuring the switch as the root bridge To configure a switch as the root switch perform this task ...

Page 713: ...LAN 1 bridge hello time unchanged at 2 VLAN 1 bridge forward delay unchanged at 15 Switch config end This configuration is the one after the switch becomes the root Switch show spanning tree vlan 1 VLAN1 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 8192 address 0030 94fc 0a00 Configured hello time 2 max age 20 forward delay 15 We are the root of the spanni...

Page 714: ... as the root bridge To configure a switch as the secondary root switch perform this task This example shows how to configure the switch as the secondary root switch for VLAN 10 with a network diameter of 4 Switch configure terminal Switch config spanning tree vlan 10 root secondary diameter 4 VLAN 10 bridge priority set to 16384 VLAN 10 bridge max aging time set to 14 VLAN 10 bridge hello time unc...

Page 715: ...is example shows how to configure the spanning tree port priority of a Fast Ethernet interface Switch configure terminal Switch config interface fastethernet 5 8 Switch config if spanning tree port priority 100 Switch config if end Switch This example shows how to verify the configuration of a Fast Ethernet interface when it is configured as an access port Switch show spanning tree interface faste...

Page 716: ...essage age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 Link type is point to point by default BPDU sent 94 received 2 Port 129 FastEthernet3 1 of VLAN1003 is forwarding Port path cost 19 Port priority 128 Port Identifier 128 129 Designated root has priority 32768 address 0003 6b10 ebea Designated bridge has priority 32768 address 0003 6b10 ebea Designated port id is 128 12...

Page 717: ...ansitions to forwarding state 1 BPDU sent 0 received 13513 output truncated Switch Configuring STP Port Cost The default value for spanning tree port path cost is derived from the interface media speed In the event of a loop spanning tree considers port cost when selecting an interface to put into the forwarding state You can assign lower cost values to interfaces that you want spanning tree to se...

Page 718: ...cost of a Fast Ethernet interface Switch configure terminal Switch config interface fastethernet 5 8 Switch config if spanning tree vlan 200 cost 17 Switch config if end Switch This example shows how to verify the configuration of VLAN 200 on the interface when it is configured as a trunk port Switch show spanning tree vlan 200 output truncated Port 264 FastEthernet5 8 of VLAN200 is forwarding Por...

Page 719: ... to configure the bridge priority of VLAN 200 to 33 792 Switch configure terminal Switch config spanning tree vlan 200 priority 33792 Switch config end Switch This example shows how to verify the configuration Switch show spanning tree vlan 200 bridge brief Hello Max Fwd Vlan Bridge ID Time Age Delay Protocol VLAN200 33792 0050 3e8d 64c8 2 20 15 ieee Switch Configuring the Hello Time Note Exercise...

Page 720: ...root secondary commands to modify the maximum aging time To configure the spanning tree maximum aging time for a VLAN perform this task This example shows how to configure the maximum aging time for VLAN 200 to 36 seconds Switch configure terminal Switch config spanning tree vlan 200 max age 36 Switch config end Switch Command Purpose Step 1 Switch config no spanning tree vlan vlan_ID hello time h...

Page 721: ...g spanning tree vlan 200 forward time 21 Switch config end Switch This example shows how to verify the configuration Switch show spanning tree vlan 200 bridge brief Hello Max Fwd Vlan Bridge ID Time Age Delay Protocol VLAN200 49152 0050 3e8d 64c8 2 20 21 ieee Switch This example shows how to display spanning tree information for the bridge Switch show spanning tree bridge Hello Max Fwd Vlan Bridge...

Page 722: ...ult STP mode on Cisco Catalyst 4500 series Cisco Catalyst 4900M Cisco Catalyst 4948E and Cisco Catalyst 4948F switches To enable PVRST perform this task The following example shows how to configure PVRST Switch config t Enter configuration commands one per line End with CNTL Z Command Purpose Step 1 Switch config no spanning tree vlan vlan_ID Disables spanning tree on a per VLAN basis Step 2 Switc...

Page 723: ...t links and that half duplex links are shared links you can avoid explicitly configuring the link type To configure a specific link type use the spanning tree linktype command Restarting Protocol Migration A switch running both MSTP and RSTP supports a built in protocol migration process that enables the switch to interoperate with legacy 802 1D switches If this switch receives a legacy 802 1D con...

Page 724: ...the network and use redundant paths by locating different VLAN and spanning tree instance assignments in different parts of the network A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments You must configure a set of bridges with the same MST configuration information which allows them to participate in a specific set of spanning tree instances Intercon...

Page 725: ...mary IEEE 802 1w RSTP RSTP specified in 802 1w supersedes STP specified in 802 1D but remains compatible with STP You configure RSTP when you configure the MST feature For more information see the Configuring MST section on page 23 28 RSTP provides the structure on which the MST operates significantly reducing the time to reconfigure the active topology of a network when its physical topology or c...

Page 726: ... in the active topology An alternate port or backup port role excludes the port from the active topology RSTP Port States The port state controls the forwarding and learning processes and provides the values of discarding learning and forwarding Table 23 5 shows the STP port states and RSTP port states In a stable topology RSTP ensures that every root port and designated port transitions to the fo...

Page 727: ... second for each hop the difference in the message age is measured in seconds Data traffic from one port of a pseudobridge a port at the edge of a region to another port follows a path entirely contained within the pseudobridge or MST region Data traffic belonging to different VLANs might follow different paths within the MST regions established by MST The system prevents looping by doing either o...

Page 728: ...ion MST configuration table An array of 4096 bytes Each byte interpreted as an unsigned integer corresponds to a VLAN The value is the instance number to which the VLAN is mapped The first byte that corresponds to VLAN 0 and the 4096th byte that corresponds to VLAN 4095 are unused and always set to zero You must configure each byte manually Use SNMP or the CLI to perform the configuration MST BPDU...

Page 729: ...e same state as that of the IST port The IST port at the boundary can take up any port role except a backup port role IST Master The IST master of an MST region is the bridge with the lowest bridge identifier and the least path cost to the CST root If an MST bridge is the root bridge for CST then it is the IST master of that MST region If the CST root is outside the MST region then one of the MST ...

Page 730: ...ts the received remaining hop count by one The bridge discards the BPDU M record and ages out the information held for the port if the count reaches zero after decrementing The nonroot bridges propagate the decremented count as the remaining hop count in the BPDUs M records they generate The message age and maximum age timer settings in the RST portion of the BPDU remain the same throughout the re...

Page 731: ...ig mst show pending Pending MST configuration Command Purpose Step 1 Switch config spanning tree mode mst Enters MST mode Step 2 Switch config spanning tree mst configuration Enters MST configuration submode Use the no keyword to clear the MST configuration Step 3 Switch config mst show current Displays the current MST configuration Step 4 Switch config mst name name Sets the MST region name Step ...

Page 732: ...g no spanning tree mst configuration Switch config end Switch show spanning tree mst configuration Name Revision 0 Instance Vlans mapped 0 1 4094 Configuring MST Instance Parameters To configure MST instance parameters perform this task This example shows how to configure MST instance parameters Switch config spanning tree mst 1 priority 0 61440 bridge priority in increments of 4096 Switch config ...

Page 733: ... FWD 200000 128 240 P2p Bound STP MST01 vlans mapped 1 10 Bridge address 00d0 00b8 1400 priority 49153 49152 sysid 1 Root this switch for MST01 Interface Role Sts Cost Prio Nbr Status Fa4 4 Back BLK 1000 160 196 P2p Fa4 5 Desg FWD 200000 128 197 P2p Fa4 48 Boun FWD 200000 128 240 P2p Bound STP Switch Configuring MST Instance Port Parameters To configure MST instance port parameters perform this ta...

Page 734: ... always revert to the most efficient mode For example an RSTP bridge designated for a legacy 802 1D stays in 802 1D mode even after the legacy bridge has been removed from the link Similarly an MST port still assumes that it is a boundary port when the bridge s to which it is connected have joined the same region To force a Catalyst 4500 series switch to renegotiate with the neighbors that is to r...

Page 735: ...ysid 0 port Fa4 48 path cost 203100 IST master this switch Operational hello time 2 forward delay 15 max age 20 max hops 20 Configured hello time 2 forward delay 15 max age 20 max hops 20 Interface Role Sts Cost Prio Nbr Status Fa4 4 Back BLK 1000 240 196 P2p Fa4 5 Desg FWD 200000 128 197 P2p Fa4 48 Root FWD 200000 128 240 P2p Bound STP MST01 vlans mapped 1 10 Bridge address 00d0 00b8 1400 priorit...

Page 736: ...his switch for MST01 FastEthernet4 4 of MST01 is backup blocking Port info port id 240 196 priority 240 cost 1000 Designated root address 00d0 00b8 1400 priority 32769 cost 0 Designated bridge address 00d0 00b8 1400 priority 32769 port id 128 197 Timers message expires in 5 sec forward delay 0 forward transitions 0 Bpdus MRecords sent 123 received 1188 FastEthernet4 5 of MST01 is designated forwar...

Page 737: ...by default However you may want to control the connection between MST and Rapid PVST to protect against accidentally connecting an MST enabled port to a Rapid PVST enabled port Because Rapid PVST is the default STP mode you may encounter many Rapid PVST enabled connections Disabling this feature causes the switch to stop the MST region from interacting with PVST regions The MST enabled port moves ...

Page 738: ...he topology change visible throughout other MST regions you can map that VLAN to IST or connect the PVST switch to the two regions through access links When you disable the PVST simulation note that the PVST peer inconsistency can also occur while the port is already in other states of inconsistency For example the root bridge for all STP instances must all be in either the MST region or the Rapid...

Page 739: ...simulation feature is disabled as a result of which the interface was moved to the spanning tree Blocking state Action Identify the PVST switch from the network which might be configured incorrectly The following sample output shows the system message you receive when peer inconsistency on the interface is cleared Message SPANTREE_PVST_PEER_UNBLOCK Unblocking port s port number Severity Critical E...

Page 740: ... tree summary Switch is in mst mode IEEE Standard Root bridge for MST0 EtherChannel misconfig guard is enabled Extended system ID is enabled Portfast Default is disabled PortFast BPDU Guard Default is disabled Portfast BPDU Filter Default is disabled Loopguard Default is disabled UplinkFast is disabled BackboneFast is disabled Pathcost method used is long PVST Simulation Default is enabled Name Bl...

Page 741: ... address 0013 5f20 01c0 Designated bridge has priority 32769 address 0013 5f20 01c0 Designated port id is 128 297 designated path cost 0 Timers message age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 Link type is point to point by default PVST Simulation is enabled by default BPDU sent 132 received 1 This example shows the interface details when PVST simulation is globally...

Page 742: ... 802 1D 2004 RSTP and IEEE 802 1Q 2005 MSTP standard and requires no user configuration The switch checks the consistency of the port role and state in the BPDUs it receives to detect unidirectional link failures that could cause bridging loops When a designated port detects a conflict it keeps its role but reverts to a discarding blocking state because disrupting connectivity in case of inconsist...

Page 743: ...spute mechanism only r1 will revert to discarding while the root port a1 opens a permanent loop However this problem does not occur in Layer 2 switched networks that are connected by point to point links Figure 23 5 Bridging Loops on Shared Segments This example shows the spanning tree status when port Gi3 14 has been configured to disable PVST simulation and the port is currently in the peer type...

Page 744: ...ing tree interface gi3 13 detail Port 269 GigabitEthernet3 13 of VLAN0002 is designated blocking dispute Port path cost 4 Port priority 128 Port Identifier 128 297 Designated root has priority 32769 address 0013 5f20 01c0 Designated bridge has priority 32769 address 0013 5f20 01c0 Designated port id is 128 297 designated path cost 0 Timers message age 0 forward delay 0 hold 0 Number of transitions...

Page 745: ...Update page 24 12 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Flex Links This section describes this information Flex Li...

Page 746: ...mption mechanism specifying the preferred port for forwarding traffic In Figure 24 1 for example you can configure the Flex Links pair with preemption mode so that after port 1 reactivates in the scenario and it has greater bandwidth than port 2 port 1 begins forwarding after a duration equal to the preemption delay and port 2 becomes the standby You do this by entering the interface configuration...

Page 747: ...e transmit command Transmits dummy multicast packets over a new active interface Note Local administrative shut down or a link that starts forwarding again due to preemption is not considered a link failure In those cases flush the dynamic hosts and not move them Static MAC addresses configured on a Flex Links member interface are moved over to the backup if it fails Static MAC addresses configure...

Page 748: ...ng traffic from server to the PC out of port 4 One dummy multicast packet is sent out for every MAC address which is the default Flex Links behavior The MAC address table move update MMU feature may be enabled to further expedite downstream convergence MMUs are special packets that carry multiple MAC addresses Switch A is configured to transmit these packets and switches B C and D are configured t...

Page 749: ...herChannel logical interfaces as Flex Links Moreover you can configure a port channel and a physical interface as Flex Links with either the port channel or the physical interface as the active link The types Fast Ethernet Gigabit Ethernet or port channel of the backup link and the active link can differ However you should configure both Flex Links with similar characteristics so that no loops exi...

Page 750: ...ode Step 2 Switch conf interface interface id Specifies the interface and enters interface configuration mode The interface might be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 64 Step 3 Switch conf if switchport backup interface interface id Configures a physical Layer 2 interface or port channel as part of a Flex Links pair with the interface W...

Page 751: ...Active Interface Backup Interface State GigabitEthernet1 21 GigabitEthernet1 2 Active Down Backup Down Interface Pair Gi1 21 Gi1 2 Preemption Mode forced Preemption Delay 50 seconds Bandwidth 10000 Kbit Gi1 1 10000 Kbit Gi1 2 Mac Address Move Update Vlan auto output truncated Step 4 Switch conf if switchport backup interface interface id preemption mode forced bandwidth off Configures a preemption...

Page 752: ...s down VLANs preferred on this interface are moved to the peer interface of the Flex Links pair In this example if interface 1 6 shuts down interface 1 8 carries all VLANs of the Flex Links pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State FastEthernet1 6 FastEthernet1 8 Active Down Backup VLB all Vlans Preferred on Active Interface...

Page 753: ...ed on Backup Interface 60 100 120 Switch show interfaces switchport backup detail Switch Backup Interface Pairs Active Interface Backup Interface State FastEthernet1 6 FastEthernet1 8 Active VLB cfg Backup VLB cfg Vlans Preferred on Active Interface 1 50 Vlans Preferred on Backup Interface 60 100 120 Preemption Mode off Bandwidth 10000 Kbit Fa1 6 100000 Kbit Fa1 8 Mac Address Move Update Vlan auto...

Page 754: ...ress table move update Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch conf interface interface id Specifies the interface and enters interface configuration mode The interface might be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 64 Step 3 Switch conf if switchport backup interface interface id or S...

Page 755: ...ve Updates To configure a switch to receive and process MAC address table move update messages perform this task To disable the MAC address table move update feature on the access switch enter the no mac address table move update receive configuration command To display the MAC address table move update information enter the show mac address table move update command This example shows how to conf...

Page 756: ...mands for monitoring the Flex Links configuration and the MAC address table move update information Table 24 1 Flex Links and MAC Address Table Move Update Monitoring Commands Command Purpose Switch show interface interface id switchport backup Displays the Flex Link backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface up o...

Page 757: ...and Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About REP One REP segment is a chain of ports connected to each other and configured with a segment ID Each segment consists of standard non edge segment ports and two user configured edge ports A...

Page 758: ... Figure 25 2 with both edge ports located on the same switch is a ring segment In this configuration there is connectivity between the edge ports through the segment With this configuration you can create a redundant connection between any two switches in the segment Figure 25 2 REP Ring Segment REP segments have these characteristics If all ports in the segment are operational one port referred t...

Page 759: ...d STP or REP topology change notices to the aggregation switch In this case the STP topology change notice TCN that is sent is a multiple spanning tree MST STP message Figure 25 3 Edge No Neighbor Ports REP has these limitations You must configure each segment port an incorrect configuration can cause forwarding loops in the networks REP can manage only a single failed port within the segment mult...

Page 760: ...be sent to the Cisco multicast address which at present is used only to send blocked port advertisement BPA messages when there is a failure in the segment The packets are dropped by devices not running REP Fast Convergence Because REP runs on a physical link basis and not a per VLAN basis only one hello message is required for all VLANs reducing the load on the protocol We recommend that you crea...

Page 761: ...port or a negative offset number downstream position from the secondary edge port If E2 became the primary edge port its offset number is then 1 and E1 is then 1 By entering the preferred keyword to select the port that you previously configured as the preferred alternate port with the rep segment preferred interface configuration command Figure 25 4 Neighbor Offset Numbers in a Segment When the R...

Page 762: ...ent from segment ports STP can not run on a segment To migrate from an STP ring configuration to REP segment configuration begin by configuring a single port in the ring as part of the segment and continue by configuring contiguous ports to minimize the number of segments Each segment always contains a blocked port so multiple segments means multiple blocked ports and a potential loss of connectiv...

Page 763: ...REP is enabled the task of sending segment topology change notices STCNs is disabled all the VLANs are blocked and the default administrative VLAN is VLAN 1 When VLAN load balancing is enabled the default is manual pre emption with the delay timer disabled If VLAN load balancing is not configured the default after manual pre emption is to block all the VLANs in the primary edge port REP Configurat...

Page 764: ...ed as an edge port and one as a regular segment port a misconfiguration the edge port is treated as a regular segment port REP interfaces come up in a blocked state and remains in a blocked state until notified that it is safe to unblock You need to be aware of this to avoid sudden connection losses REP sends all LSL PDUs in untagged frames on the native VLAN The BPA message sent to the Cisco mult...

Page 765: ... BPA STCN HFL TLV rx 0 tx 0 EPA ELECTION TLV rx 118 tx 118 EPA COMMAND TLV rx 0 tx 0 EPA INFO TLV rx 4214 tx 4190 This example shows how to create an administrative VLAN per segment Here VLAN ID 2 is configured as the administrative VLAN only for REP segment 2 All remaining segments have VLAN 1 as the administrative VLAN Switch configure terminal Switch config rep admin vlan 2 segment 2 Switch con...

Page 766: ...Enters global configuration mode Step 2 Switch config interface interface id Specifies the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 Switch config if switchport mode trunk or switchport mode private vlan trunk promiscuous Configures the Layer 2 interface as a Layer ...

Page 767: ...you can configure VLAN load balancing Note Although each segment can have only one primary edge port if you configure edge ports on two different switches and enter the primary keyword on both switches the configuration is allowed However REP selects only one of these ports as the segment primary edge port You can identify the primary edge port for a segment by entering the show rep topology privi...

Page 768: ...erface port IDs by entering the show interface interface id rep detail privileged EXEC command Enter a neighbor_offset number to identify the alternate port as a downstream neighbor from an edge port The range is from 256 to 256 with negative numbers indicating the downstream neighbor from the secondary edge port A value of 0 is invalid Enter 1 to identify the secondary edge port as the alternate ...

Page 769: ...primary Switch config if rep block port 4 vlan 100 200 Switch config if end Figure 25 5 Example of VLAN Blocking Setting Manual Preemption for VLAN Load Balancing If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay the default is to manually trigger VLAN load balancing on the segment Be sure that all other ...

Page 770: ...eturns to privileged EXEC mode Step 5 Switch show rep topology Displays REP topology information Command Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config snmp mib rep trap rate value Enables the switch to send REP traps and set the number of traps sent per second The range is from 0 to 1000 The default is 0 no limit imposed a trap is se...

Page 771: ...herChannel Guard Optional page 26 6 About STP PortFast Port Types page 26 7 Enabling PortFast Port Types page 26 8 About Bridge Assurance page 26 11 Configuring Bridge Assurance page 26 13 About BPDU Guard page 26 15 Enabling BPDU Guard page 26 15 About PortFast Edge BPDU Filtering page 26 16 Enabling PortFast Edge BPDU Filtering page 26 17 About UplinkFast page 26 19 Enabling UplinkFast page 26 2...

Page 772: ... its ports automatically go into the listening state Enabling Root Guard To enable root guard on a Layer 2 access port to force it to become a designated port perform this task This example shows how to enable root guard on Fast Ethernet interface 5 8 Switch config interface fastethernet 5 8 Switch config if spanning tree guard root Switch config if end Switch This example shows how to verify the ...

Page 773: ... link When enabled globally loop guard applies to all point to point ports on the system Loop guard detects root ports and blocked ports and ensures that they keep receiving BPDUs from their designated port on the segment If a loop guard enabled root or blocked port stop receiving BPDUs from its designated port it transitions to the blocking state assuming there is a physical link error on this po...

Page 774: ... to spanning tree Loop guard can take advantage of logical ports provided by the Port Aggregation Protocol PAgP However to form a channel all the physical ports grouped in the channel must have compatible configurations PAgP enforces uniform configurations of root guard or loop guard on all the physical ports to form a channel Spanning tree always chooses the first operational port in the channel ...

Page 775: ...cost 0 Timers message age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 The port is in the portfast mode by portfast trunk configuration Link type is point to point by default Bpdu filter is enabled Loop guard is enabled by default on the port BPDU sent 0 received 0 To enable loop guard on an interface perform this task This example shows how to enable loop guard on port 4 4...

Page 776: ... switch are manually configured in an EtherChannel and one or more interfaces on the other device are not For EtherChannel configuration guidelines see the EtherChannel Configuration Guidelines and Restrictions section on page 27 6 Note EtherChannel guard applies only to EtherChannels in forced mode that is manually configured rather than through PAgP or LACP If the switch detects a misconfigurati...

Page 777: ...be either an access port or an edge trunk port portfast edge trunk This type of port interface immediately transitions to the forwarding state bypassing the listening and learning states Use PortFast edge on Layer 2 access ports connected to a single workstation or server to allow those devices to connect to the network immediately rather than waiting for spanning tree to converge Even if the inte...

Page 778: ...ffective when used on access ports If you enable PortFast edge on a port connecting to another switch you risk creating a spanning tree loop Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 1 Switch config spanning tree portfast edge network normal default Configures the default state for all interfaces on the switch You have these options Optional edge Config...

Page 779: ...Delay 15 sec Bridge ID Priority 2 priority 0 sys id ext 2 Address 7010 5c9c 5200 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 0 sec Step 3 Switch config if spanning tree portfast edge trunk Enables edge behavior on a Layer 2 access port connected to an end workstation or server Optional trunk Enables edge behavior on a trunk port Use this keyword if the link is a trunk Use this ...

Page 780: ...if spanning tree portfast network Switch config if end Switch Switch show running config interface gigabitethernet 5 8 Building configuration Current configuration interface GigabitEthernet5 8 no ip address switchport switchport access vlan 200 switchport mode access spanning tree portfast network end Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch c...

Page 781: ... point links on all network ports When a port does not receive BPDUs within the alloted hello time period the port is put into a blocked state the same as a port inconsistent state which stops forwarding of frames When the port resumes receipt of BPDUs the port resumes normal spanning tree operations Note Only Rapid PVST and MST spanning tree protocols support Bridge Assurance PVST does not suppor...

Page 782: ...h STP Topology Running Bridge Assurance Figure 26 5 Network Problem Averted with Bridge Assurance Enabled The system generates syslog messages when a port is block or unblocked The following sample outputs show the log that is generated for each of these states Blocked port Sep 17 09 48 16 249 PDT SPANTREE 2 BRIDGE_ASSURANCE_BLOCK Bridge Assurance blocking port GigabitEthernet5 8 on VLAN0200 stack...

Page 783: ...force the root bridge placement in the network Configuring Bridge Assurance This example show how to display spanning tree information and verify if Bridge Assurance is enabled Look for these details in the output Portfast Default Network Bridge Assurance Enabled Switch show spanning tree summary Switch is in rapid pvst mode Root bridge for VLAN0199 VLAN0200 VLAN0128 EtherChannel misconfig guard i...

Page 784: ...ge 20 sec Forward Delay 15 sec Bridge ID Priority 2 priority 0 sys id ext 2 Address 7010 5c9c 5200 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 0 sec Interface Role Sts Cost Prio Nbr Type Gi5 7 Desg FWD 4 128 1 P2p Edge Gi5 8 Desg FWD 3 128 480 P2p Network Gi5 9 Desg FWD 4 128 169 P2p Edge Gi5 10 Desg FWD 4 128 215 P2p Network This example shows how port GigabitEthernet 5 8 conf...

Page 785: ...ed interfaces BPDU Guard shuts down that interface if a BPDU is received regardless of the PortFast port type configuration Note To prevent the port from shutting down use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down only the offending VLAN on the port where the violation occurred Enabling BPDU Guard Enabling BPDU Guard Globally To globally enable B...

Page 786: ...PortFast edge status In that case PortFast edge BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port PortFast edge BPDU filtering can also be configured on a per port basis When PortFast edge BPDU filtering is explicitly configured on a port it does not send any BPDUs and drops all BPDUs it receives Caution Explicitly configuring PortFast edge BPDU filtering on a port...

Page 787: ...ed PortFast Edge BPDU Guard Default is disabled Portfast Edge BPDU Filter Default is enabled Portfast Default is edge Bridge Assurance is enabled Loopguard is disabled UplinkFast is disabled BackboneFast is disabled Pathcost method used is long Name Blocking Listening Learning Forwarding STP Active Table 26 1 PortFast Edge BPDU Filtering Port Configurations Per Port Configuration Global Configurat...

Page 788: ...fastEthernet 4 4 detail Port 196 FastEthernet4 4 of VLAN0002 is forwarding Port path cost 4 Port priority 128 Port Identifier 128 269 Designated root has priority 32770 address 0002 172c f400 Designated bridge has priority 32770 address 0002 172c f400 Designated port id is 128 269 designated path cost 0 Timers message age 0 forward delay 0 hold 0 Number of transitions to forwarding state 1 Link ty...

Page 789: ... forwarding and a set of blocked ports except for self looping ports The uplink group provides an alternate path in case the currently forwarding link fails Figure 26 6 shows an example of a topology with no link failures Switch A the root switch is connected directly to Switch B over link L1 and to Switch C over link L2 The Layer 2 interface on Switch C that is connected directly to Switch B is i...

Page 790: ...Ns on the switch You cannot configure UplinkFast on an individual VLAN To enable UplinkFast perform this task This example shows how to enable UplinkFast with a maximum update rate of 400 pps Switch config spanning tree uplinkfast max update rate 400 Switch config exit Switch This example shows how to verify which VLANS have UplinkFast enabled Switch show spanning tree uplinkfast UplinkFast is ena...

Page 791: ...r the time defined by the Max Age setting After receiving inferior BPDUs the receiving switch tries to determine if there is an alternate path to the root bridge If the port that the inferior BPDUs are received on is already in blocking mode then the root port and other blocked ports on the switch become alternate paths to the root bridge If the inferior BPDUs are received on a root port then all ...

Page 792: ...nate the time defined by the Max Age setting 20 second delay 1 When Switch C receives the inferior configuration BPDUs from Switch B Switch C infers that an indirect failure has occurred 2 Switch C then sends out an RLQ 3 Switch A receives the RLQ Because Switch A is the root bridge it replies with an RLQ response listing itself as the root bridge 4 When Switch C receives the RLQ response on its e...

Page 793: ...gins sending inferior BPDUs that say it is the root switch However the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated bridge to Switch A the root switch Figure 26 10 Adding a Switch in a Shared Medium Topology Enabling BackboneFast Note For BackboneFast to work you must enable it on all switches in the network BackboneFast is supported for use ...

Page 794: ...y Switch is in rapid pvst mode Root bridge for VLAN0001 VLAN1002 VLAN1005 EtherChannel misconfiguration guard is enabled Extended system ID is enabled PortFast Edge BPDU Guard Defaultis disabled Portfast Edge BPDU Filter Default is disabled Portfast Default is disabled Bridge Assurance is enabled Loopguard Default is disabled UplinkFast is disabled BackboneFast is disabled Pathcost method used is ...

Page 795: ...em ID is disabled PortFast Edge BPDU Guard Default is disabled Portfast Edge BPDU Filter Default is enabled Portfast Default is network Bridge Assurance is enabled Loopguard is disabled by default EtherChannel misconfiguration guard is enabled UplinkFast is enabled BackboneFast is enabled Pathcost method used is short Name Blocking Listening Learning Forwarding STP Active 5 vlans 0 0 0 11 11 Backb...

Page 796: ...26 26 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 26 Configuring Optional STP Features Enabling BackboneFast ...

Page 797: ...Guidelines and Restrictions page 27 6 Configuring EtherChannel page 27 7 Displaying EtherChannel to a Virtual Switch System page 27 20 Understanding Link State Tracking page 27 23 Configuring Link State Tracking page 27 26 Note The commands in the following sections can be used on all Ethernet interfaces of the switch including the uplink ports on the supervisor engine Note For complete syntax and...

Page 798: ...packets on one segment in an EtherChannel are blocked from returning on any other segment of the EtherChannel Note The port channel link failure switchover for the Catalyst 4500 series switch was measured at 50 milliseconds which provides SONET like link failure switchover time These subsections describe how EtherChannel works Port Channel Interfaces page 27 2 Configuring EtherChannels page 27 2 L...

Page 799: ...bally but is enabled on all port interfaces To configure auto LAG on your switch ensure that you enable auto LAG globally When auto LAG is enabled globally All port interfaces participate in the creation of auto EtherChannels if the partner port interfaces have EtherChannel configured on them For more information see Table 27 1Supported auto LAG configuration on actor and partner devices page 27 4...

Page 800: ...member of a manual EtherChannel To allow it to bundle with the auto EtherChannel first unbundle the manual EtherChannel on the port interface When auto LAG is enabled and an auto EtherChannel is created you can create multiple EtherChannels manually with the same partner device But by default the port tries to create auto EtherChannel with the partner device Auto LAG is supported only on Layer 2 E...

Page 801: ...e For example A LAN port in active mode can form an EtherChannel successfully with another LAN port that is in active mode A LAN port in active mode can form an EtherChannel with another LAN port in passive mode A LAN port in passive mode cannot form an EtherChannel with another LAN port that is also in passive mode because neither port initiates negotiation LACP uses the following parameters LACP...

Page 802: ...ge source or message destination or both Use the option that provides the greatest variety in your configuration For example if the traffic on a channel is going only to a single MAC address using the destination MAC address always chooses the same link in the channel using source addresses or IP addresses might result in better load balancing Note Load balancing can only be configured globally As...

Page 803: ...ion to this rule For example you cannot configure Storm Control on some of the members of an EtherChannel Storm Control must be configured on all or none of the ports If you configure Storm Control on only some of the ports those ports are dropped from the EtherChannel interface put in suspended state You should configure Storm Control at the port channel interface level and not at the physical in...

Page 804: ...tch config if ip address 172 32 52 10 255 255 255 0 Switch config if end This example shows how to verify the configuration of port channel interface 1 Switch show running config interface port channel 1 Building configuration Current configuration interface Port channel1 ip address 172 32 52 10 255 255 255 0 no ip directed broadcast end Switch Configuring Physical Interfaces as Layer 3 EtherChann...

Page 805: ...ast channel group 1 mode desirable end Switch show interfaces fastethernet 5 4 etherchannel Port state EC Enbld Up In Bndl Usr Config Command Purpose Step 1 Switch config interface fastethernet gigabitethernet tengigabitethernet slot port Selects a physical interface to configure Step 2 Switch config if no switchport Makes this a Layer 3 routed port Step 3 Switch config if no ip address Ensures th...

Page 806: ...ner Partner Partner Partner Group Port Name Device ID Port Age Flags Cap Fa5 4 JAB031301 0050 0f10 230c 2 45 1s SAC 2D Age of the port in the current state 00h 54m 52s Switch This example shows how to verify the configuration of port channel interface 1 after the interfaces have been configured Switch show etherchannel 1 port channel Channel group listing Group 1 Port channels in the group Port ch...

Page 807: ...xample shows how to configure Fast Ethernet interfaces 5 6 and 5 7 into port channel 2 with PAgP mode desirable Switch configure terminal Switch config interface range fastethernet 5 6 7 Note Space is mandatory Switch config if range channel group 2 mode desirable Switch config if range end Switch end Note See the Configuring a Range of Interfaces section on page 9 4 for information about the rang...

Page 808: ...In Bndl Usr Config Channel group 1 Mode Desirable Gcchange 0 Port channel Po1 GC 0x00010001 Port indx 0 Load 0x55 Flags S Device is sending Slow hello C Device is in Consistent state A Device is in Auto mode P Device learns on physical port d PAgP is down Timers H Hello timer is running Q Quit timer is running S Switching timer is running I Interface timer is running Local information Hello Partne...

Page 809: ...s Note LACP Standalone Disable is enabled by default To configure the LACP Standalone or Independent mode perform this task This example shows how to configure the LACP Standalone mode Switch configure terminal Switch config interface port channel 1 Switch config if switchport Switch config if exit Switch config int gi3 1 Switch config if channel group 1 mode active Switch config if exit Switch co...

Page 810: ...in Cisco IOS Release 15 2 4 E and Cisco IOS XE Release 3 8 0E you can specify the minimum number of active ports that must be in the link up state and bundled in an EtherChannel for the port channel interface to transition to the link up state Using EtherChannel min links you can prevent low bandwidth LACP EtherChannels from becoming active Port channel min links also cause LACP EtherChannels to b...

Page 811: ... channel groups in use 125 Number of aggregators 125 Group Port channel Protocol Ports 25 Po25 RU LACP Gi1 3 1 D Gi1 3 2 m Gi2 2 25 P Gi2 2 26 P When the minimum links requirement is not met in standalone switches the port channel is flagged and assigned the SM SN or RM RN state for example Switch show etherchannel 25 summary Flags D down P bundled in port channel I stand alone s suspended H Hot s...

Page 812: ...1 2 1000BaseX GBIC Supervisor active WS X4014 JAB063808YZ 2 48 10 100BaseTX RJ45 WS X4148 RJ JAB0447072W 3 48 10 100BaseTX RJ45 V WS X4148 RJ45V JAE061704J6 4 48 10 100BaseTX RJ45 V WS X4148 RJ45V JAE061704ML M MAC addresses Hw Fw Sw Status 1 0005 9a39 7a80 to 0005 9a39 7a81 2 1 12 1 12r EW 12 1 13 EW 0 26 Ok 2 0002 fd80 f530 to 0002 fd80 f55f 0 1 Ok 3 0009 7c45 67c0 to 0009 7c45 67ef 1 6 Ok 4 000...

Page 813: ...vice is in Active mode P Device is in Passive mode Channel group 25 LACP port Admin Oper Port Port Port Flags State Priority Key Key Number State Te1 49 FA bndl 32768 0x19 0x19 0x32 0x3F Te1 50 FA bndl 32768 0x19 0x19 0x33 0x3F Te1 51 FA bndl 32768 0x19 0x19 0x34 0x3F Te1 52 FA bndl 32768 0x19 0x19 0x35 0x3F The show lacp counters command displays similar output Switch show lacp counters LACPDUs M...

Page 814: ...w etherchannel auto Displays the EtherChannel created automatically Command Purpose Step 1 Switch config interface interface id Specifies the port interface to be enabled for auto LAG and enters interface configuration mode Step 2 Switch config if channel group auto Optional Enables auto LAG feature on individual port interface By default the auto LAG feature is enabled on the port Step 3 Switch c...

Page 815: ...how to verify the configuration Switch show etherchannel load balance EtherChannel Load Balancing Configuration src dst ip EtherChannel Load Balancing Addresses Used Per Protocol Non IP Source XOR Destination MAC address IPv4 Source XOR Destination IP address IPv6 Source XOR Destination IP address Switch Removing an Interface from an EtherChannel To remove an Ethernet interface from an EtherChanne...

Page 816: ...playing EtherChannel to a Virtual Switch System Catalyst 4500 series switches support enhanced PAgP If a Catalyst 4500 series switch is connected to a Catalyst 6500 series Virtual Switch System VSS by using a PAgP EtherChannel the Catalyst 4500 series switch automatically serve as a VSS client using enhanced PAgP on this EtherChannel for dual active detection This VSS client feature has no impact ...

Page 817: ...st The standby virtual switch also views the active chassis as failed and transitions to active state by using an SSO switchover Two active virtual switches exist in the network with identical configurations causing duplicate IP addresses and bridge identifiers This scenario has adverse effects on the network topology and traffic if it persists Dual Active Detection Using Enhanced PAgP One method ...

Page 818: ...isor engine of the Catalyst 4500 series switch This ensures that dual active detection is not disrupted even when the active supervisor engine switches over to the redundant supervisor engine Virtual Switch A active Virtual Switch B standby Remote switch Catalyst 4500 series switch Active_ID A s MAC Virtual switch TLV Active_ID A s MAC Virtual switch TLV Active_ID A s MAC Remote switch TLV Active_...

Page 819: ...neighboring switch Partner Name and the ports to which this EtherChannel is connected Partner Port If a Catalyst 4500 switch is connected to a Catalyst 6500 series VSS with the same version of enhanced PAgP dual active detection the switch can detect a dual active scenario Switch show pagp 1 dual active PAgP dual active detection enabled Yes PAgP dual active version 1 1 Channel group 1 Dual Active...

Page 820: ...d server 4 through link state group 2 Port 3 is connected to server 3 and port 4 is connected to server 4 Port 3 and port 4 are the downstream interfaces in link state group 2 Port 7 and port 8 are connected to distribution switch 2 through link state group 2 Port 7 and port 8 are the upstream interfaces in link state group 2 Link state group 2 on switch B Switch B provides primary links to server...

Page 821: ...ate group is configured link state tracking is disabled and the upstream interfaces lose connectivity the link states of the downstream interfaces remain unchanged The server does not recognize that upstream connectivity has been lost and does not failover to the secondary interface You can recover a downstream interface link down condition by removing the failed downstream port from the link stat...

Page 822: ...ed to a link state group without an upstream interface the downstream interface is put in error disabled state until an upstream interfaces is added to the group An interface cannot be a member of more than one link state group You can configure up to 20 link state groups per switch If a SPAN destination port is configured as a downstream interface it is error disabled when all upstream interfaces...

Page 823: ... to display information specific to the group Enter the detail keyword to display detailed information about the group it is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down it is an example of output from the show link state group detail command Switch show link state group detail Up Interface up Dwn Interface Down...

Page 824: ...27 28 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 27 Configuring EtherChannel and Link State Tracking Configuring Link State Tracking ...

Page 825: ...MVR page 28 23 Displaying MVR Information page 28 29 Configuring IGMP Filtering page 28 30 Displaying IGMP Filtering Configuration page 28 34 Note To support Cisco Group Management Protocol CGMP client devices configure the switch as a CGMP server For more information see the Cisco IOS 15 0M configuration guides at this location http www cisco com en US products ps10591 products_installation_and_c...

Page 826: ...P snooping is enabled the switch creates one entry per VLAN in the Layer 2 forwarding table for each Layer 2 multicast group from which it receives an IGMP join request All hosts interested in this multicast traffic send IGMP membership reports and are added to the forwarding table entry Layer 2 multicast groups learned through IGMP snooping are dynamic However you can statically configure Layer 2...

Page 827: ... multicast group If the switch does not receive an IGMP join message within the query response interval the interface is removed from the port list of the MAC group VLAN entry in the Layer 2 forwarding table Note By default all IGMP joins are forwarded to all multicast router ports With immediate leave processing enabled on the VLAN an interface can be removed immediately from the port list of the...

Page 828: ...M and IGMP are not configured because the multicast traffic does not require routing In a network where IP multicast routing is configured the IP multicast router acts as the IGMP querier by sending general queries If the IP multicast traffic in a VLAN only needs to be Layer 2 switched an IP multicast router is not required Without an IP multicast router on the VLAN you must configure another swit...

Page 829: ... page 28 7 Configuring a Static Connection to a Multicast Router page 28 8 Enabling IGMP Immediate Leave Processing page 28 8 Configuring the IGMP Leave Timer page 28 9 Configuring IGMP Snooping Querier page 28 10 Configuring Explicit Host Tracking page 28 11 Configuring a Host Statically page 28 11 Suppressing Multicast Flooding page 28 12 Default IGMP Snooping Configuration Table 28 1 shows the ...

Page 830: ...Enabled Multicast router learning mode pim dvmrp CGMP interoperability mode IGMP_ONLY Vlan 2 IGMP snooping Enabled IGMPv2 immediate leave Disabled Explicit host tracking Enabled Multicast router learning mode pim dvmrp CGMP interoperability mode IGMP_ONLY Enabling IGMP Snooping on a VLAN To enable IGMP snooping on a VLAN perform this task Command Purpose Step 1 Switch configure terminal Enters glo...

Page 831: ...vmrp CGMP interoperability mode IGMP_ONLY Configuring Learning Methods The following sections describe IGMP snooping learning methods Configuring PIM DVMRP Learning page 28 7 Configuring CGMP Learning page 28 7 Configuring PIM DVMRP Learning To configure IGMP snooping to learn from PIM DVMRP packets perform this task This example shows how to configure IP IGMP snooping to learn from PIM DVMRP pack...

Page 832: ...lan 200 vlan ports 200 Fa2 10 Switch Enabling IGMP Immediate Leave Processing When you enable IGMP immediate leave processing on a VLAN a switch removes an interface from the multicast group when it detects an IGMPv2 leave message on that interface Note For IGMPv3 immediate leave processing is enabled by default with EHT To enable immediate leave processing on an IGMPv2 interface perform this task...

Page 833: ...e timer perform this task This example shows how to enable the IGMP configurable leave timer and to verify the configuration Switch configure terminal Switch config ip igmp snooping last member query interval 200 Switch config ip igmp snooping vlan 10 last member query interval 500 Switch config end Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch con...

Page 834: ...ch Configuring IGMP Snooping Querier The IGMP Snooping Querier feature can be enabled either globally or per VLAN Note The IGMP snooping querier is disabled by default To configure IGMP Snooping Querier perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config no ip igmp snooping vlan vlan_id querier Enables IGMP Snooping Querier Step ...

Page 835: ...t tracking Explicit host tracking Disabled Configuring a Host Statically Hosts normally join multicast groups dynamically but you can also configure a host statically on an interface To configure a host statically on an interface perform this task Step 8 Switch config ip igmp snooping vlan vlan_id querier tcn query count value Configures IGMP Snooping Querier tcn query count Step 9 Switch config i...

Page 836: ...rable if the switch that does the flooding has many ports that are subscribed to different groups The traffic could exceed the capacity of the link between the switch and the end host resulting in packet loss With the no ip igmp snooping tcn flood command you can disable multicast flooding on a switch interface following a topology change Only the multicast groups that have been joined by a port a...

Page 837: ...isable flooding and use default to restore the default behavior flooding is enabled To disable multicast flooding on an interface perform this task This example shows how to disable multicast flooding on interface Fast Ethernet 2 11 Switch config interface fastethernet 2 11 Switch config if no ip igmp snooping tcn flood Switch config if end Switch IGMP Snooping Switch Configuration By default floo...

Page 838: ...o direct a switch to send a query solicitation perform this task This example shows how to configure the switch to send a query solicitation upon detecting a TCN Switch config ip igmp snooping tcn query solicit Switch config end Switch Displaying IGMP Snooping Information The following sections show how to display IGMP snooping information Displaying Querier Information page 28 15 Displaying IGMP ...

Page 839: ...querier vlan 3 Vlan IP Address IGMP Version Port 3 172 20 50 22 v3 Fa3 15 Displaying IGMP Host Membership Information Note By default EHT maintains a maximum of 1000 entries in the EHT database Once this limit is reached no additional entries are created To create additional entries clear the database with the clear ip igmp snooping membership vlan command To display host membership information pe...

Page 840: ...ts 1 Source Group Interface Reporter Uptime Last Join Last Leave 40 40 40 2 224 10 10 10 Gi4 1 20 20 20 20 00 23 37 00 06 50 00 20 30 Displaying Group Information To display detailed IGMPv3 information associated with a group perform one of the following tasks Command Purpose Switch show ip igmp snooping groups vlan vlan_ID Displays groups the type of reports that were received for the group Host ...

Page 841: ... address Switch show ip igmp snooping groups vlan 10 226 6 6 7 hosts IGMPv3 host information for group 226 6 6 7 Timers Expired hosts are deleted on next IGMP General Query Host MAC IP Filter mode Expires Uptime Sources 175 1 0 29 INCLUDE stopped 00 00 51 2 175 2 0 30 INCLUDE stopped 00 04 14 2 This example shows how to display summary information for an IGMPv3 group Switch show ip igmp snooping g...

Page 842: ...lan mac address type ports 1 0100 5e01 0101 igmp Switch Gi6 1 1 0100 5e01 0102 igmp Switch Gi6 1 1 0100 5e01 0103 igmp Switch Gi6 1 1 0100 5e01 0104 igmp Switch Gi6 1 1 0100 5e01 0105 igmp Switch Gi6 1 1 0100 5e01 0106 igmp Switch Gi6 1 Switch This example shows how to display a total count of MAC address entries for VLAN 1 Switch show mac address table multicast vlan 1 count Multicast MAC Entries...

Page 843: ...Explicit Host Tracking Disabled Multicast router learning mode pim dvmrp CGMP interoperability mode IGMP_ONLY Displaying IGMP Snooping Querier Information To display IGMP Snooping Querier information perform this task This example shows how to display Snooping Querier information switch show ip igmp snooping querier vlan 2 detail IP address 1 2 3 4 IGMP version v2 Port Router Switch Max response t...

Page 844: ...the network wide single multicast VLAN while subscribers remain in separate VLANs It also isolates the streams from the subscriber VLANs for bandwidth and security reasons Note Only Layer 2 ports participate in MVR Note You need to configure subscriber ports as MVR receiver ports and router or data source ports as MVR source ports Note Only one MVR multicast VLAN per switch is supported MVR assume...

Page 845: ...vision application a PC or a television with a set top box can receive the multicast stream Multiple set top boxes or PCs can be connected to one subscriber port which is a switch port configured as an MVR receiver port Figure 28 1 is an example configuration DHCP assigns an IP address to the set top box or the PC When a subscriber selects a channel the set top box or PC sends an IGMP report to Sw...

Page 846: ...thout Immediate Leave when the switch receives an IGMP leave message from a subscriber on a receiver port it sends out an IGMP query on that port and waits for IGMP group membership reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave ...

Page 847: ...ulticast VLAN of the source uplink port based on the MVR mode Configuring MVR These sections include basic MVR configuration information Default MVR Configuration page 28 23 MVR Configuration Guidelines and Limitations page 28 23 Configuring MVR Global Parameters page 28 24 Configuring MVR on Access Ports page 28 26 Configuring MVR on a Trunk Port page 28 27 Displaying MVR Information page 28 29 D...

Page 848: ...configure MVR on a PVLAN The IGMPSN group MAC address can alias with an MVR group s MAC address For example 225 1 1 1 and 226 1 1 1 are IP addresses whose MAC addresses match to the same multicast MAC address 0100 5e01 0101 If 225 1 1 1 is configured as an MVR group then 225 1 1 1 is handled by MVR and 226 1 1 1 is handled by IGMPSN If the 226 1 1 1 host is present on the MVR trunk receiver IGMPSN...

Page 849: ... Vlan Type SinglePort RetIndex AdjIndex 40048 0100 5E01 0101 100 Ret 104444 Switch show platform hardware ret chain index 104444 RetIndex 104444 Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config mvr Enables MVR on the switch Step 3 Switch config mvr group ip address count Configures an IP multicast address on the switch or uses the count paramet...

Page 850: ...mode Step 5 Switch config if switch access vlan value Assign the VLAN to the port Step 6 Switch config if mvr type source receiver Configures an MVR port as source or receiver source Subscribers cannot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscriber port and should only receive...

Page 851: ...chport mode trunk Switch config if mvr type source Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config mvr Enables MVR on the switch Step 3 Switch config interface interface id Enters interface configuration mode and enters the type and number of the Layer 2 port to configure Step 4 Switch config if switchport mode trunk Change the interface to tr...

Page 852: ... if mvr vlan 100 receiver vlan 300 Switch show mvr interface Port Type Mode VLAN Status Immediate Leave Fa2 1 SOURCE Trunk 100 ACTIVE UP DISABLED Fa2 2 RECEIVER Access 200 ACTIVE UP DISABLED Fa2 3 SOURCE Access 100 ACTIVE UP DISABLED Fa2 4 RECEIVER Trunk 300 ACTIVE UP DISABLED Compatible Mode Switch show mvr members MVR Group IP Status Members VLAN Membership 225 1 1 1 ACTIVE UP Fa2 1 100 Static 2...

Page 853: ...e Switch show mvr interface fastEthernet 2 2 Port Type Mode VLAN Status Immediate Leave Fa2 2 RECEIVER Access 200 ACTIVE UP DISABLED Table 28 3 Commands for Displaying MVR Information show mvr Displays MVR status whether MVR is enabled or disabled the multicast VLAN the maximum 1500 and current 0 to 1500 number of multicast groups the query response time the MVR mode show mvr interface interface i...

Page 854: ... to control the multicast groups to which a user on a switch port can belong This allows the administrator to control the distribution of multicast services such as IP TV based on some type of subscription or service plan With IGMP filtering an administrator can apply this type of control With this feature you can filter multicast joins on a per port basis by configuring IP multicast profiles and ...

Page 855: ...ddresses To create an IGMP profile for a port perform this task Table 28 4 Default IGMP Filtering Settings Feature Default Setting IGMP filters No filtering IGMP maximum number of IGMP groups No limit IGMP profiles None defined Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ip igmp profile profile number Enters IGMP profile configuration mode...

Page 856: ...ltiple interfaces but each interface can only have one profile applied to it Note You can apply IGMP profiles to Layer 2 ports only You cannot apply IGMP profiles to routed ports or SVIs or to ports that belong to an EtherChannel port group To apply an IGMP profile to a switch port perform this task To remove a profile from an interface use the no ip igmp filter command This example shows how to a...

Page 857: ...t the number of IGMP groups that an interface can join to 25 Switch configure terminal Switch config interface fastethernet2 12 Switch config if ip igmp max groups 25 Switch config if end Switch show running config interface fastethernet2 12 Building configuration Current configuration 123 bytes Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ...

Page 858: ...igmp profile IGMP Profile 3 range 230 9 9 0 230 9 9 0 IGMP Profile 4 permit range 229 9 9 0 229 255 255 255 This is an example of the show running config privileged EXEC command when an interface is specified with IGMP maximum groups configured and IGMP profile 4 has been applied to the interface Switch show running config interface fastethernet2 12 Building configuration Current configuration 123...

Page 859: ... chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About MLD Snooping In IP version 4 IPv4 Layer 2 switches can use Internet Group Management Protocol IGMP snooping to limit the flooding of multicast traffic by dynam...

Page 860: ... Note The switch does not support MLDv2 enhanced snooping MESS which sets up IPv6 source and destination multicast address based forwarding MLD snooping can be enabled or disabled globally or per VLAN When MLD snooping is enabled a per VLAN IPv6 multicast MAC address table is constructed in software and a per VLAN IPv6 multicast address table is constructed in software and hardware The switch then...

Page 861: ...sage When the switch receives an MLDv1 Done message if Immediate Leave is not enabled the switch sends an MASQ to the port from which the message was received to determine if other devices connected to the port should remain in the multicast group Multicast Client Aging You can configure port membership removal from addresses based on the number of queries A port is removed from membership to an a...

Page 862: ...on VLANs and as with IGMP snooping you should only use the feature on VLANs where a single host is connected to the port If the port was the last member of a group the group is also deleted and the leave information is forwarded to the detected IPv6 multicast routers When Immediate Leave is not enabled in a VLAN the case when multiple clients for a group exist on the same port and a Done message i...

Page 863: ...guring MLD Snooping Queries page 29 9 Disabling MLD Listener Message Suppression page 29 10 Default MLD Snooping Configuration Table 29 1 shows the default MLD snooping configuration Table 29 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD snooping must be globally enabled for VLAN MLD snooping to take place IPv6 Multicast...

Page 864: ...overrides the global configuration MLD snooping is enabled only on VLAN interfaces in the default state enabled You can enable and disable MLD snooping on a per VLAN basis but if you globally disable MLD snooping it is disabled in all VLANs If global snooping is enabled you can enable or disable VLAN snooping To globally enable MLD snooping on the switch perform this task To globally disable MLD s...

Page 865: ...snooping learns about router ports through MLD queries and PIMv6 queries you can also use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are supported only on switch ports...

Page 866: ...nd This example shows how to enable MLD Immediate Leave on VLAN 130 Switch configure terminal Switch config ipv6 mld snooping vlan 130 immediate leave Switch config exit Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ipv6 mld snooping vlan vlan id mrouter interface interface id Specifies the multicast router VLAN ID and specify the interface ...

Page 867: ...lient The range is 1 to 7 the default is 2 The queries are sent 1 second apart Step 5 Switch config ipv6 mld snooping vlan vlan id last listener query count count Optional Sets the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart Step 6 Switc...

Page 868: ...rt per multicast router query When message suppression is disabled multiple MLD reports could be forwarded to the multicast routers To disable MLD listener message suppression perform this task To reenable MLD message suppression use the ipv6 mld snooping listener message suppression global configuration command Displaying MLD Snooping Information You can display MLD snooping information for dynam...

Page 869: ...to 1001 and 1006 to 4094 show ipv6 mld snooping mrouter vlan vlan id Displays information on dynamically learned and manually configured multicast router interfaces When you enable MLD snooping the switch automatically learns the interface to which a multicast router is connected These are dynamically learned interfaces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ...

Page 870: ... Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 29 Configuring IPv6 Multicast Listener Discovery Snooping Displaying MLD Snooping Information ...

Page 871: ... 802 1Q Tunneling page 30 3 About VLAN Mapping page 30 6 Configuring VLAN Mapping page 30 9 About Layer 2 Protocol Tunneling page 30 13 Configuring Layer 2 Protocol Tunneling page 30 15 Monitoring and Maintaining Tunneling Status page 30 23 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Se...

Page 872: ...nel Ports in a Service Provider Network Packets coming from the customer trunk port into the tunnel port on the service provider edge switch are normally 802 1Q tagged with the appropriate VLAN ID When the tagged packets exit the trunk port into the service provider network they are encapsulated with another layer of an 802 1Q tag called the metro tag that contains the VLAN ID that is unique to th...

Page 873: ...Customers A and B both have VLAN 100 in their networks the traffic remains segregated within the service provider network because the metro tag is different Each customer controls its own VLAN numbering space which is independent of the VLAN numbering space used by other customers and the VLAN numbering space used by the service provider network Configuring 802 1Q Tunneling These sections describe...

Page 874: ...802 1Q trunks we recommend using ISL trunks for connecting switches in the core layer Use the switchport trunk native vlan tag per port command and the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an 802 1Q trunk including the native VLAN are tagged If the switch is configured to tag native VLAN packets on all 802 1Q trunks the switc...

Page 875: ...VIs on VLANs that include tunnel ports Tunnel ports do not support IP access control lists ACLs Layer 3 quality of service QoS ACLs and other QoS features related to Layer 3 information are not supported on tunnel ports MAC based QoS is supported on tunnel ports EtherChannel port groups are compatible with tunnel ports as long as the 802 1Q configuration is consistent within an EtherChannel port g...

Page 876: ... Mapping Note WS C4948 10GE does not support VLAN mapping VLAN mapping is only supported on Supervisor Engine 6 E and later engines In a typical deployment of VLAN mapping you want the service provider to provide a transparent switching infrastructure that treats customers switches at the remote location as a part of the local site This allows customers to use the same VLAN ID space and run Layer ...

Page 877: ...work must also be transparent to the customer edge devices Figure 30 4 Layer 2 VPN Deployment All forwarding operations on the Catalyst 4500 series switch are performed using S VLAN and not C VLAN information because the VLAN ID is mapped to the S VLAN on ingress Note When you configure features on a port configured for VLAN mapping you always use the S VLAN rather than the customer VLAN ID C VLAN...

Page 878: ...tagged packets enter the switch on the trunk native VLAN and are not mapped For quality of service QoS the switch supports flexible mapping between C CoS or C DSCP and S CoS and maps the inner CoS to the outer CoS for traffic with traditional QinQ or selective QinQ VLAN mapping Mapping Customer VLANs to Service Provider VLANs Figure 30 5 shows a topology where a customer uses the same VLANs in mul...

Page 879: ...mapping When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks ISL trunks or nontrunking links When IEEE 802 1Q trunks are used in these core switches the native VLANs of the IEEE 802 1Q trunks ...

Page 880: ...following VLAN mapping types are discussed One to One Mapping page 30 10 Traditional Q in Q on a Trunk Port page 30 11 Selective Q in Q on a Trunk Port page 30 12 One to One Mapping To configure one to one VLAN mapping to map a customer VLAN ID to a service provider VLAN ID perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config inte...

Page 881: ...he service provider network VLANs 101 to 105 in the service provider network are mapped to VLAN IDs 1 to 5 in the customer network Note Packets with unconfigured vlan_ids are dropped Traditional Q in Q on a Trunk Port To configure VLAN mapping for traditional Q in Q on a trunk port or tunneling by default perform the following task Note Configuring tunneling by default bundles all packets on the p...

Page 882: ...gigabiethernet0 1 Switch config if switchport vlan mapping 1 5 dot1q tunnel 100 Switch config if no switchport vlan mapping default drop Switch config if exit Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode for the interface connected to the service provider network You can enter a phy...

Page 883: ...ice provider network and are delivered to customer switches on the outbound side of the service provider network Identical packets are received by all customer ports on the same VLANs with these results Users on each of a customer s sites can properly run STP and every VLAN can build a correct spanning tree based on parameters from all sites and not just from the local site CDP discovers and shows...

Page 884: ...er 2 Protocol Tunneling Figure 30 7 Layer 2 Network Topology without Proper Convergence Customer A Site 2 VLANs 1 to 100 Customer B Site 2 VLANs 1 to 200 Customer B Site 1 VLANs 1 to 200 Customer A Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch 1 Switch 1 Trunk ports VLAN 30 VLAN 40 Service provider 74073 Trunk Asymmetric link VLAN 30 VLAN 40 Trunk ports Switch 2 Switch 3 Switch 4 Trunk ports 74...

Page 885: ... to the other side of the customer network Figure 30 6 shows Customer A and Customer B in access VLANs 30 and 40 Asymmetric links connect the Customers in Site 1 to edge switches in the service provider network The Layer 2 PDUs for example BPDUs coming into Switch 2 from Customer B in Site 1 are forwarded to the infrastructure as double tagged packets with the well known MAC address as the destina...

Page 886: ...rating characteristics of Layer 2 protocol tunneling The switch supports tunneling of CDP STP including multiple STP MSTP and VTP Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802 1Q tunnel ports access ports or trunk ports Dynamic Trunking Protocol DTP is not compatible with Layer 2 protocol tunneling because you must manually configure asymmetric li...

Page 887: ...et a per protocol per port drop threshold for the PDUs generated by the customer network If the limit is exceeded the port drops PDUs until the rate at which it receives them is below the drop threshold Because tunneled PDUs especially STP BPDUs must be delivered to all remote sites so that the customer virtual network operates properly you can give PDUs higher priority within the service provider...

Page 888: ...es to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 Switch config if l2protocol tunnel drop threshold cdp point to point stp vtp value Optional Configures the threshold for packets p...

Page 889: ...uration mode Enter the interface to be configured as a tunnel port This should be the edge port in the service provider network that connects to the customer switch Step 3 Switch config if switchport mode dot1q tunnel Configures the interface as an 802 1Q tunnel port Step 4 Switch config if l2protocol tunnel point to point pagp lacp udld Optional Enables point to point protocol tunneling for the d...

Page 890: ...cp udld value Optional Configures the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface ...

Page 891: ...face gigabitEthernet 1 1 11 Switch config if switchport access vlan 17 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Command Purpose Step 1 Switch configure terminal Enters the global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode Enter the interface to be configured as a tunnel port Step 3 S...

Page 892: ... Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitEthernet 1 1 13 Switch config if switchport mode trunk This example shows how to configure the customer switch at S...

Page 893: ...ess 0008 e341 4600 Designated port id is 128 321 designated path cost 0 Timers message age 0 forward delay 2 hold 0 Number of transitions to forwarding state 0 Link type is point to point by default Bpdu filter is enabled internally BPDU sent 0 received 0 Table 30 2 Commands for Monitoring and Maintaining Tunneling Command Purpose Switch clear l2protocol tunnel counters Clears the protocol counter...

Page 894: ...0 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 30 Configuring 802 1Q Tunneling VLAN Mapping and Layer 2 Protocol Tunneling Monitoring and Maintaining Tunneling Status ...

Page 895: ...o routers bridges access servers and switches CDP allows network management applications to discover Cisco devices that are neighbors of already known devices in particular neighbors running lower layer transparent protocols With CDP network management applications can learn the device type and the SNMP agent address of neighboring devices CDP enables applications to send SNMP queries to neighbori...

Page 896: ...bal CDP information Sending CDP packets every 120 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled Switch For additional CDP show commands see the Monitoring and Maintaining CDP section on page 31 3 Enabling CDP on an Interface To enable CDP on an interface use this command This example shows how to enable CDP on Fast Ethernet interface 5 1 Switch config inte...

Page 897: ...rpose Switch show cdp interface type number Displays information about interfaces where CDP is enabled Command Purpose Switch clear cdp counters Resets the traffic counters to zero Switch clear cdp table Deletes the CDP table of information about neighbors Switch show cdp Displays global information such as frequency of transmissions and the holdtime for packets being transmitted Switch show cdp e...

Page 898: ...ow cdp neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater Device ID Local Intrfce Holdtme Capability Platform Port ID JAB023807H1 Fas 5 3 127 T S WS C2948 2 46 JAB023807H1 Fas 5 2 127 T S WS C2948 2 45 JAB023807H1 Fas 5 1 127 T S WS C2948 2 44 JAB023807H1 Gig 1 2 122 T S WS C2948 2 50 JAB023807H1 Gig 1 1 122 T S WS C2948 2 49 JAB03130104 Fas ...

Page 899: ...5 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About LLDP LLDP M...

Page 900: ...V IEEE 802 3 specific TLVs LLDP MED LLDP for Media Endpoint Devices LLDP MED is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches It specifically provides support for voice over IP VoIP applications and provides additional TLVs for capabilities discovery network policy power over Ethernet PoE inventory management and location informa...

Page 901: ...d Location Service section on page 32 12 Note A switch cannot send LLDP and LLDP MED simultaneously to an end point device By default a network device sends only LLDP packets until it receives LLDP MED packets from an end point device The network device then sends LLDP MED packets until it receives only LLDP packets Location Service The location service feature enables the switch to provide locati...

Page 902: ...d station State is specified as Disconnected Serial number UDI Model number Software version VLAN ID and VLAN name If an administrator changes a location address at the switch the information is reported to the MSE The switch sends a NMSP location notification message that identifies the list of ports affected by the change and the changed address information Configuring LLDP and LLDP MED and Loca...

Page 903: ...guration Feature Default Setting LLDP global state Disabled LLDP holdtime before discarding 120 seconds LLDP timer packet update frequency 30 seconds LLDP reinitialization delay 2 seconds LLDP tlv select Enabled to send and receive all TLVs LLDP interface state Enabled LLDP receive Enabled LLDP transmit Enabled LLDP med tlv select Enabled to send all LLDP MED TLVs Command Purpose Step 1 Switch con...

Page 904: ...e shows how to receive LLDP packets again Switch configure terminal Switch config lldp receive Switch config end For additional LLDP show commands see the Monitoring and Maintaining LLDP LLDP MED and Location Service section on page 32 14 Disabling and Enabling LLDP Globally Note LLDP is disabled by default To disable LLDP globally perform this task To enable LLDP once it has been disabled perform...

Page 905: ...ce perform this task To enable LLDP on an interface once it has been disabled perform this task Step 2 Switch config lldp run Enables LLDP Step 3 Switch config end Returns to privileged EXEC mode Command Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Specifies the interface on which you are disabling LLDP and en...

Page 906: ...ED and Location Service This example shows how to enable LLDP on an interface Switch configure terminal Switch config interface GigabitEthernet 1 1 Switch config if lldp transmit Switch config if lldp receive Switch config if end Step 5 Switch config end Returns to privileged EXEC mode Step 6 Switch copy running config startup config Saves your entries in the configuration file Command Purpose ...

Page 907: ...tion inventory management LLDP MED inventory management TLV location LLDP MED location TLV network policy LLDP MED network policy TLV power management LLDP MED power management TLV Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Specifies the interface on which you are configuring a LLDP MED TLV and enter interface confi...

Page 908: ...l Specifies the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 0 dscp dvalue Optional Specifies the differentiated services code point DSCP value for the configured VLAN The range is 0 to 63 the default is 0 dot1p Optional Configures the telephone to use IEEE 802 1p priority tagging and use VLAN 0 the native VLAN none Optional Do not instruct the I...

Page 909: ...h Cisco IOS Release 12 2 54 SG Catalyst 4500 series switches can perform inline power negotiation using LLDP as specified in the IEEE 802 3at standard The LLDP TLV used is DTE Power via MDI TLV With this feature inline powered devices based on the IEEE standard can be powered in the PoE power range 12 95W to 25 5W at the device end by the switch on PoE supported modules Note To verify inline power...

Page 910: ...Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config location admin tag string civic location identifier id elin location string identifier id Specifies the location information for an endpoint admin tag Specify an administrative tag or site information civic location Specify civic location information Note The civic location identifier in the LLDP...

Page 911: ...obility Service Engine MSE must be running Heitz 6 0 or later software image to support wired location service Step 5 Switch config if location additional location information word civic location id id elin location id id Enters location information for an interface additional location information Specifies additional information for a location or place civic location id Specifies global civic loc...

Page 912: ...terval seconds Duration in seconds before a switch sends the location or attachment updates to the MSE The range is 1 to 30 the default is 30 Step 5 Switch config interface interface id Specifies the interface on which you want to prevent all learned attachment information from being sent to the MSE Step 6 Switch config if nmsp attachment suppress Prevents the attachment information learned on thi...

Page 913: ...om is not required ANSI TIA 1057 LLDP MED Support and IEEE 802 1ab LLDP Link Layer Discovery Protocol http www cisco com en US docs ios cether configuration guide ce_lldp med html show lldp entry entry name Displays information about a specific neighbor You can enter an asterisk to display all neighbors or you can enter the name of the neighbor about which you want information show lldp errors Dis...

Page 914: ...t 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 32 Configuring LLDP LLDP MED and Location Service Cisco IOS Carries Ethernet Features in Cisco IOS XE 3 1 0SG ...

Page 915: ...air Ethernet cables This protocol monitors a physical connection such as wrong cabling to detect unidirectional links to avoid spanning tree topology loops or silent drop traffic All connected devices must support UDLD for the protocol to successfully identify the unidirectional links When UDLD detects a unidirectional link it can administratively shut down the affected port and send you a warning...

Page 916: ...idirectional Link Topology Fast UDLD Topology Figure 33 2 illustrates a typical Fast UDLD topology Switch A and B are connected through a 2 port EtherChannel and Fast UDLD is enabled on the individual ports If one of the links becomes unidirectional Fast UDLD detects this situation faster than regular UDLD and errdisables the link Traffic is switched over to the second link by EtherChannel Because...

Page 917: ...tected using normal mode Aggressive If a port A loses its neighbor connectivity it actively attempts to reestablish the relationship by sending a probe to a second port B If port B does not respond the link is considered unidirectional and port A enters an errdisable state to avoid silent drop traffic Note Both unidirectional and bidirectional link failures can be detected in aggressive mode UDLD ...

Page 918: ...Resetting Disabled LAN Interfaces page 33 8 Fast UDLD Guidelines and Restrictions When using or configuring Fast UDLD consider these guidelines and restrictions Fast UDLD is disabled by default Configure fast UDLD only on point to point links between network devices that support fast UDLD You can configure fast UDLD in either normal or aggressive mode Do not enter the link debounce command on fast...

Page 919: ...on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Operation Modes section on page 33 3 message time message timer interval Configures the period of time between UDLD probe messages on ports that are in the advertisement phase and are det...

Page 920: ...On a fiber optic interface this command overrides the udld enable global configuration command setting Enables Fast UDLD on the interface with message interval equal to the interval value in milliseconds The interval value range is from 200 milliseconds to 1000 milliseconds To enable Fast UDLD UDLD must be enabled explicitly configured or globally enabled and operational in bidirectional state on ...

Page 921: ...d For both UDLD and Fast UDLD if aggressive mode is configured then aggressive mode must be explicitly disabled with the no udld port aggressive command If normal mode is configured the no udld port command disables both UDLD and Fast UDLD Disables Fast UDLD on an interface The interface reverts to the UDLD configuration that was present before you enabled Fast UDLD Step 2 Switch show udld interfa...

Page 922: ...ate for the state of the link To globally enable fast UDLD error reporting perform this task Resetting Disabled LAN Interfaces To reset all LAN ports that have been errdisabled by UDLD use this command Command Purpose Step 1 Switch config udld message time interval Configures the time between UDLD probe messages on ports that are in advertisement mode and are currently determined to be bidirection...

Page 923: ...Time out interval 5000 ms Port fast hello configuration setting Disabled Port fast hello interval 0 ms Port fast hello operational state Disabled Neighbor fast hello configuration setting Disabled Neighbor fast hello interval Unknown Entry 1 Expiration time 43300 ms Cache Device index 1 Current neighbor state Bidirectional Device ID FOX10430380 Port ID Gi1 34 Neighbor echo 1 device FOX104303NL Nei...

Page 924: ...t bidirectional state Bidirectional Current operational state Advertisement Single neighbor detected Message interval 200 ms Time out interval 5000 ms Port fast hello configuration setting Enabled Port fast hello interval 200 ms Port fast hello operational state Enabled Neighbor fast hello configuration setting Enabled Neighbor fast hello interval 200 ms Entry 1 Expiration time 500 ms Cache Device...

Page 925: ...4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Unidirectional Ethernet You can set stubless Gigabit Ethernet ports to unidirectionally transmit or receive traffic Unidirectional Ethernet uses only one strand of fiber for either transmitting or receiving one way traffic for t...

Page 926: ...NTL Z Switch config interface gigabitethernet 1 1 Switch config if unidirectional receive only Switch config if end Warning Enable l2 port unidirectional mode will automatically disable port udld You must manually ensure that the unidirectional link does not create a spanning tree loop in the network Enable l3 port unidirectional mode will automatically disable ip routing on the port You must manu...

Page 927: ...net on Gigabit Ethernet interface 1 1 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 1 Switch config if no unidirectional Switch config if end This example shows the result of entering the show interface command for a port that does not support Unidirectional Ethernet Switch show interface f6 1 unidirectional Unidirecti...

Page 928: ...34 4 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 34 Configuring Unidirectional Ethernet Configuring Unidirectional Ethernet ...

Page 929: ...s Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Layer 3 Interfaces The Catalyst 4500 series switch supports Layer 3 interfaces with the Cisco IOS IP and IP routing protocols Layer 3 the network layer is primarily responsible for the routing of data in packets across logical internetwor...

Page 930: ...ridging functions on a single Catalyst 4500 series switch Figure 35 1 shows how the routing and bridging functions in the three physical devices of the traditional network are performed logically on one Catalyst 4500 series switch Figure 35 1 Logical Layer 3 VLAN Interfaces for the Catalyst 4500 Series Switch Physical Layer 3 Interfaces The physical Layer 3 interfaces support capabilities equivale...

Page 931: ... it is not counted in the SVI up and down calculation and applies to all VLANs that are enabled on that port A VLAN interface is brought up after the Layer 2 port has had time to converge that is transition from listening learning to forwarding This prevents routing protocols and other features from using the VLAN interface as if it were fully operational It also prevents other problems from occur...

Page 932: ...ions see the Configuring Layer 3 Interface Counters section on page 35 11 The hardware counters are displayed in the output of the show interface command as shown in the following example Counter fields that are updated when the counter configuration is present are highlighted Switch show interface gi3 1 GigabitEthernet3 1 is up line protocol is up connected Hardware is Gigabit Ethernet Port addre...

Page 933: ...previous configuration depends on the counter configuration Table 35 2 Configuration Guidelines The Catalyst 4500 series switch supports AppleTalk routing and IPX routing For AppleTalk routing and IPX routing information refer to Configuring AppleTalk and Configuring Novell IPX in the Cisco IOS AppleTalk and Novell IPX configuration guides at the following URLs http www cisco com en US docs ios at...

Page 934: ...dress 1001 1 1 64 Switch config if ip address 100 1 1 1 255 255 255 0 Switch config if tunnel source 10 10 10 1 Switch config if tunnel destination 10 10 10 2 Switch config if tunnel mode gre ip Switch config if end Configuring Logical Layer 3 VLAN Interfaces Note Before you can configure logical Layer 3 VLAN interfaces you must create and configure the VLANs on the switch assign VLAN membership t...

Page 935: ... show interface counters never Input queue 0 75 0 0 size max drops flushes Total output drops 0 Queueing strategy fifo Output queue 0 40 size max 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 packets output 0 bytes 0 ...

Page 936: ...n a VLAN goes down the Layer 3 interface on that VLAN is shut down SVI autostated When the first port on the VLAN is brought back up the Layer 3 interface on the VLAN that was previously shut down is brought up SVI Autostate Exclude enables you to exclude the access ports and trunks in defining the status of the SVI up or down even if it belongs to the same VLAN If the excluded access port and tru...

Page 937: ...ng Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association none Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private vlan trunk normal VLANs none A...

Page 938: ...ip mtu 68 Switch config if exit Switch config end Switch show ip interface vlan 1 Vlan1 is up line protocol is up Internet address is 10 10 10 1 24 Broadcast address is 255 255 255 255 Address determined by setup command MTU is 68 bytes Helper address is not set continued The following example shows how to configure IPv6 MTU on an interface Switch configure terminal Enter configuration commands on...

Page 939: ...upervisor Engine 6L E Supervisor Engine 7 E Supervisor Engine 7L E and Supervisor Engine 8 E do not support Layer 2 interface counters To configure Layer 3 interface counters assign counters to a Layer 3 interface perform this task This example shows how to enable counters on interface VLAN 1 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interfac...

Page 940: ... 2 Switch config if end Switch 00 24 18 SYS 5 CONFIG_I Configured from console by console In this situation you must release a counter from another interface for use by the new interface Configuring Physical Layer 3 Interfaces Note Before you can configure physical Layer 3 interfaces you must enable IP routing if IP routing is disabled and specify an IP routing protocol To configure physical Layer...

Page 941: ...ace 2 1 Switch show running config Building configuration interface FastEthernet2 1 no switchport ip address 10 1 1 1 255 255 255 248 ip classless no ip http server line con 0 line aux 0 line vty 0 4 end Configuring EIGRP Stub Routing This section consists of the following subsections About EIGRP Stub Routing page 35 13 Configuring EIGRP Stub Routing page 35 14 Monitoring and Maintaining EIGRP pag...

Page 942: ...tches A and C are connected to the rest of the WAN Switch B advertises connected static redistribution and summary routes from switch A and C to Hosts A B and C Switch B does not advertise any routes learned from switch A and the reverse Figure 35 3 EIGRP Stub Switch Configuration For more information about EIGRP stub routing see the Configuring EIGRP Stub Routing part of the Cisco IOS IP Configur...

Page 943: ...35 4 the remote router can access the corporate network and the Internet using a distribution router only In this example having a full route table on the remote router serves no purpose because the path to the corporate network and the Internet always uses a distribution router The larger route table only reduces the amount of memory required by the remote router Bandwidth and memory can be conse...

Page 944: ...r the principles of stub routing are the same as they are with a hub and spoke topology Figure 35 5 shows a common dual homed remote topology with one remote router but 100 or more routers could be connected on the same interfaces on distribution router 1 and distribution router 2 The remote router uses the best route to reach its destination If distribution router 1 experiences a failure the remo...

Page 945: ...at was previously traveling across the corporate network 10 2 1 0 24 is now sent across a much lower bandwidth connection The over utilization of the lower bandwidth WAN connection can cause a number of problems that might affect the entire corporate network The use of the lower bandwidth route that passes using the remote router might cause WAN EIGRP distribution routers to be dropped Serial line...

Page 946: ...estined for the network core The EIGRP stub routing feature can help to provide greater network stability In the event of network instability this feature prevents EIGRP queries from being sent over limited bandwidth links to nontransit routers Instead distribution routers to which the stub router is connected answer the query on behalf of the stub router This feature greatly reduces the chance of...

Page 947: ... Stub Peer Advertising CONNECTED SUMMARY Routes Monitoring and Maintaining EIGRP To delete neighbors from the neighbor table use the following command Command Purpose Step 1 Switch config router eigrp 1 Configures a remote or distribution router to run an EIGRP process Step 2 Switch config router network network number Specifies the network address of the EIGRP distribution router Step 3 Switch co...

Page 948: ...ce of this default route can cause this route to displace default routes learned from other neighbors from the routing table If the default route learned from the neighbors is displaced by the summary default route or if the summary route is the only default route present all traffic destined for the default route does not leave the router Instead this traffic is sent to the null 0 interface where...

Page 949: ... Dec 4 1996 infinite send lifetime 04 45 00 Dec 4 1996 infinite Router A accepts and attempts to verify the MD5 digest of any EIGRP packet with a key equal to 1 It also accepts a packet with a key equal to 2 All other MD5 packets are dropped Router A sends all EIGRP packets with key 2 Router B accepts key 1 or key 2 and sends key 1 In this scenario MD5 authenticates Stub Routing Example A router t...

Page 950: ...ary routes Summary routes can be created manually with the summary address command or automatically at a major network border router with the auto summary command enabled This option is enabled by default In the following example the eigrp stub command is used to configure the router as a stub that advertises connected and summary routes router eigrp 1 network 10 0 0 0 eigrp stub In the following ...

Page 951: ...er see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About CEF This section contains information on the two primary components that comprise the CEF operation CEF Features page 36 1 Forwarding Information Base page 36 2 Adja...

Page 952: ...ne has a finite number of forwarding slots for storing routing information If this limit is exceeded CEF is automatically disabled and all packets are forwarded in software In this situation you should reduce the number of routes on the switch and then reenable hardware switching with the ip cef command Adjacency Tables In addition to the FIB CEF uses adjacency tables to prepend Layer 2 addressing...

Page 953: ...r 3 Because the ASIC is specifically designed to forward packets the Integrated Switching Engine hardware can run this process much faster than CPU subsystem software Figure 36 1 shows a high level view of the ASIC based Layer 2 and Layer 3 switching process on the Integrated Switching Engine Table 36 1 Adjacency Types for Exception Processing Adjacency Type Processing Method Null adjacency Packet...

Page 954: ... Software Interfaces page 36 6 Hardware and Software Switching For the majority of packets the Integrated Switching Engine performs the packet forwarding function in hardware These packets are hardware switched at very high rates Exception packets are forwarded by the CPU subsystem software Statistic reports should show that the Integrated Switching Engine is forwarding the vast majority of packet...

Page 955: ...switches When GRE is configured without tunnel options packets are hardware switched Otherwise packets are switched in the software Software Switching Software switching occurs when traffic cannot be processed in hardware The following types of exception packets are processed in software at a much slower rate Packets that use IP header options Note Packets that use TCP header options are switched ...

Page 956: ...orward the packet All hardware switching within a particular flow such as a TCP connection is routed to the same next hop which reduces the chance that packet reordering occurs Up to eight different routes for a particular network are supported Software Interfaces Cisco IOS for the Catalyst 4500 series switch supports GRE and IP tunnel interfaces that are not part of the hardware forwarding engine...

Page 957: ...ent paths Per destination load balancing is enabled by default when you enable CEF it is the load balancing method of choice in most situations Because per destination load balancing depends on the statistical distribution of traffic load sharing becomes more effective as the number of source destination pairs increases Use per destination load balancing to ensure that packets for a given host pai...

Page 958: ... pkt 0 bytes mcast 12 pkt 778 bytes mcast L3 out Switched ucast 0 pkt 0 bytes mcast 0 pkt 0 bytes 4046399 packets input 349370039 bytes 0 no buffer Received 3795255 broadcasts 2 runts 0 giants 0 throttles output truncated Switch Note The IP unicast packet count is updated approximately every five seconds Displaying IP Statistics IP unicast statistics are gathered on a per interface basis To displa...

Page 959: ... IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 36 Configuring Cisco Express Forwarding Monitoring and Maintaining CEF Command Purpose Switch show interface type number counters detail Displays IP statistics ...

Page 960: ... Fa3 1 N A N A N A N A Port InPkts 1024 1522 OutPkts 1024 1522 InPkts 1523 1548 OutPkts 1523 1548 Fa3 1 4557008 4384192 0 0 Port Tx Bytes Queue 1 Tx Bytes Queue 2 Tx Bytes Queue 3 Tx Bytes Queue 4 Fa3 1 64 0 91007 7666686162 Port Tx Drops Queue 1 Tx Drops Queue 2 Tx Drops Queue 3 Tx Drops Queue 4 Fa3 1 0 0 0 0 Port Rx No Pkt Buff RxPauseFrames TxPauseFrames PauseFramesDrop Fa3 1 0 0 0 N A Port Uns...

Page 961: ...ath Forwarding page 37 1 Unicast RPF Configuration Tasks page 37 9 Monitoring and Maintaining Unicast RPF page 37 11 Unicast RPF Configuration Example Inbound and Outbound Filters page 37 12 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catal...

Page 962: ...packet Unicast RPF does this by doing a reverse lookup in the CEF table If the packet was received from one of the best reverse path routes the packet is forwarded as normal If there is no reverse path route on the same interface from which the packet was received it might mean that the source address was modified If Unicast RPF does not find a reverse path for the packet the packet is dropped Not...

Page 963: ...ets that fail validation In this example a customer has sent a packet having a source address of 209 165 200 225 which is received at interface Gigabit Ethernet 1 1 Unicast RPF checks the FIB to see if 209 165 200 225 has a return path to Gigabit Ethernet 1 1 If there is a matching path the packet is forwarded There is no reverse entry in the routing table that routes the customer packet back to s...

Page 964: ...ry for the interface Unicast RPF is an input function and is applied only on the input interface of a switch at the upstream end of a connection Given these implementation principles Unicast RPF becomes a tool that network administrators can use not only for their customers but also for their downstream network or ISP even if the downstream network or ISP has other connections to the Internet Caut...

Page 965: ...the network The more entities that deploy Unicast RPF across Internet intranet and extranet resources the better the chances of mitigating large scale network disruptions throughout the Internet community and the better the chances of tracing the source of an attack Unicast RPF will not inspect IP packets encapsulated in tunnels such as GRE LT2P or PPTP Unicast RPF must be configured at a home gat...

Page 966: ... has a single link to an upstream ISP In this example Unicast RPF is applied at interface Gigabit Ethernet 1 1 on the Enterprise switch for protection from malformed packets arriving from the Internet Unicast RPF is also applied at interface Gigabit Ethernet 2 1 on the ISP switch for protection from malformed packets arriving from the enterprise network Figure 37 3 Enterprise Network Using Unicast...

Page 967: ...ternet The full Internet routing table is required Requiring the full routing table helps protect the ISP from external DoS attacks that use addresses that are not in the Internet routing table Where Not to Use Unicast RPF Do not use Unicast RPF on interfaces that are internal to the network Internal interfaces are likely to have routing asymmetry see Figure 37 4 meaning multiple routes to the sou...

Page 968: ...client Customers must ensure that the packets flowing up the link out to the Internet match the route advertised out the link Otherwise Unicast RPF filters those packets as malformed packets Limitation Unicast loose mode is not supported Related Features and Technologies For more information about Unicast RPF related features and technologies review the following Unicast RPF requires Cisco express...

Page 969: ...r to configuring Unicast RPF configure ACLs Configure standard or extended ACLs to mitigate transmission of invalid IP addresses perform egress filtering Permit only valid source addresses to leave your network and get onto the Internet Prevent all other source addresses from leaving your network for the Internet Configure standard or extended ACLs entries to drop deny packets that have invalid so...

Page 970: ...d policy accounting on output is disabled Hardware idb is GigabitEthernet3 1 Fast switching type 1 interface type 155 IP CEF switching enabled IP CEF switching turbo vector IP Null turbo vector IP prefix lookup IPv4 mtrie 8 8 8 8 optimized Input fast flags 0x4000 Output fast flags 0x0 ifindex 78 78 Slot 3 Slot unit 1 VC 1 Transmit limit accumulator 0x0 0x0 IP MTU 1500 Command Purpose Step 1 Switch...

Page 971: ...d route 0 stream ID 0 strict source route 0 alert 0 other Frags 0 reassembled 0 timeouts 0 couldn t reassemble 0 fragmented 0 couldn t fragment Bcast 205233 received 0 sent Mcast 463292 received 462118 sent Sent 990158 generated 282938 forwarded The second line below 0 unicast RPF displays Unicast RPF packet dropping information Drop 3 encapsulation failed 0 unresolved 0 no adjacency 0 no route 0 ...

Page 972: ...nterdomain routing CIDR block 209 165 202 128 28 that has both inbound and outbound filters on the upstream interface Be aware that ISPs are usually not single homed Provisions for asymmetrical flows when outbound traffic goes out one link and returns by using a different link must be designed into the filters on the border switches of the ISP ip cef distributed interface Serial 5 0 0 description ...

Page 973: ...Reference you can locate it in the Cisco IOS Master Command List All Releases About IP Multicast Note Controlling the transmission rate to a multicast group is not supported At one end of the IP communication spectrum is IP unicast where a source IP host sends packets to a specific destination IP host In IP unicast the destination address in the IP packet is the address of a single unique host in ...

Page 974: ...eplicated in the Integrated Switching Engine forwarded to the appropriate output interfaces and sent to each member of the multicast group We tend to think of IP multicasting and video conferencing as the same thing Although the first application in a network to use IP multicast is often video conferencing video is only one of many IP multicast applications that can add value to a company s busine...

Page 975: ...del to flood multicast traffic to every corner of the network PIM DM is intended for networks in which most LANs need to receive the multicast such as LAN TV and corporate or financial information broadcasts It can be an efficient delivery mechanism if active receivers exist on every subnet in the network For more detailed information on PIM Dense Mode refer to this URL http www cisco com en US do...

Page 976: ...cast group the switch adds the host s port number to the associated multicast table entry When the switch receives the IGMP Leave Group message from a host it removes the host s port from the table entry Because IGMP control messages are transmitted as multicast packets they are indistinguishable from multicast data if only the Layer 2 header is examined A switch running IGMP snooping examines eve...

Page 977: ...tion IP address and unicast MAC address are dropped Starting with Release IOS XE 3 3 0SG and IOS 15 1 1 SG the seven RP restriction was removed IPv4 Bidirectional Bidir PIM is supported on the Catalyst 4500 series switch IPv6 Bidir PIM is not For some multicast groups when more than 8K mroutes are installed in a system the network may experience higher traffic losses upon switchover of the HA syst...

Page 978: ...rmat for forwarding in hardware The MFIB subsystem removes the protocol specific information and leaves only the essential forwarding information Each entry in the MFIB table consists of an S G or G route an input RPF VLAN and a list of Layer 3 output interfaces The MFIB subsystem together with platform dependent management software loads this multicast routing information into the hardware FIB an...

Page 979: ... ports other than the one it arrived on in the input VLAN For example assume that VLAN 3 has two switch ports in it Gig 3 1 and Gig 3 2 If a host on Gig 3 1 sends a multicast packet the host on Gig 3 2 might also need to receive the packet To send a multicast packet to the host on Gig 3 2 all of the switch ports in the ingress VLAN must be added to the port set that is loaded in the MET If VLAN 1 ...

Page 980: ...lticast routes and by Layer 2 multicast entries The actual number of output interface lists available in hardware depends on the specific configuration If the total number of multicast routes exceed 32 000 multicast packets might not be switched by the Integrated Switching Engine They would be forwarded by the CPU subsystem at much slower speeds Note For RET a maximum of 102 K entries is supported...

Page 981: ...e packet is replicated and multiple copies of the packet are sent out At Layer 3 replication occurs only for multicast packets unicast packets are never replicated to multiple Layer 3 interfaces In IP multicasting for each incoming IP multicast packet that is received many replicas of the packet are sent out IP multicast packets can be transmitted on the following types of routes Hardware routes S...

Page 982: ...red with multicast helper The interface is a generic routing encapsulation GRE or Distance Vector Multicast Routing Protocol DVMRP tunnel The interface uses non Advanced Research Products Agency ARPA encapsulation The following packets are always forwarded in software Packets sent to multicast groups that fall into the range 224 0 0 where is in the range from 0 to 255 This range is used by routing...

Page 983: ...ot needed by the multicast routing protocols The problem is that if no action is taken the non RPF packets that are sent to the software can overwhelm the CPU Prior to Release IOS XE 3 3 0SG and IOS 15 1 1 SG to prevent this situation from happening the CPU subsystem software would load fast drop entries in the hardware when it receives an RPF failed packet that is not needed by the PIM protocols ...

Page 984: ...lticast routes IP multicast routes include S G and G Each route in the MFIB table can have one or more optional flags associated with it The route flags indicate how a packet that matches a route should be forwarded For example the Internal Copy IC flag on an MFIB route indicates that a process on the switch needs to receive a copy of the packet The following flags can be associated with MFIB rout...

Page 985: ...net masklength notation as 10 8 224 4 If an interface has multiple assigned IP addresses then one route is created for each such IP address Multicast HA Starting with Release IOS XE 3 4 0SG and IOS 15 1 2 SG the Catalyst 4500 4900 4900X Series switches support multicast HA which ensures uninterrupted multicast traffic flow in the event of a supervisor engine failure MFIB states are synced to the s...

Page 986: ...alyst 4500 series switch to forward multicast packets To enable IP multicast routing on the router enter this command Table 38 1 Default IP Multicast Configuration Feature Default Value Rate limiting of RPF Enabled globally IP multicast routing Disabled globally Note When IP multicast routing is disabled IP multicast traffic data packets are not forwarded by the Catalyst 4500 series switch However...

Page 987: ...e receiver s first hop router can send join messages toward the source to build a source based distribution tree There is no default mode setting By default multicast routing is disabled on an interface Enabling Dense Mode To configure PIM on an interface to be in dense mode enter this command For an example of how to configure a PIM interface in dense mode see the PIM Dense Mode Example section E...

Page 988: ...t routing table s outgoing interface list when either of the following is true When members or DVMRP neighbors exist on the interface When an explicit join has been received by a PIM neighbor on the interface To enable PIM to operate in the same mode as the group enter this command Enabling Bidirectional Mode Most of the configuration requirements for Bidir PIM are the same as those for configurin...

Page 989: ...c is forwarded only to network segments with active receivers that have explicitly requested multicast data The most commonly used methods to configure a rendezvous point described here are the use of Static RP and the use of the Auto RP protocol Another method not described here is the use of the Bootstrap Router BSR protocol Command Purpose Switch config ip pim rp address rp address access list ...

Page 990: ...nnouncement is made independently of the decisions by the other mapping agents To configure a rendezvous point perform this task Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config ip multicast routing Enables IP multicast routing Step 4 Switch config interface FastEthernet GigabitEtherne...

Page 991: ...ified as RP is the IP address associated with loopback interface 0 Access list 5 describes the groups for which this router serves as RP Step 10 Switch config ip pim send rp discovery interface type interface number scope ttl value interval seconds Configures the router to be an RP mapping agent Perform this step on the RP router only Use the optional interface type and interface number arguments ...

Page 992: ...er Selects an interface that is connected to hosts on which PIM can be enabled Step 13 Switch config if interface ethernet 1 ip multicast boundary access list filter autorp Configures an administratively scoped boundary Perform this step on the interfaces that are boundaries to other routers The access list is not shown in this task An access list entry that uses the deny keyword creates a multica...

Page 993: ...ing the PIM dense mode techniques You can prevent this occurrence by configuring the no ip pim dm fallback command If a conflict exists between the RP configured with the ip pim rp address command and one learned by Auto RP the Auto RP information is used unless the override keyword is configured To configure a single static RP perform this task Command or Action Purpose Step 1 Switch enable Enabl...

Page 994: ...ng RPF neighbor According to the Protocol Independent Multicast PIM specifications this neighbor must have the highest IP address if more than one neighbor has the same metric Use the ip multicast multipath command to enable load splitting of IP multicast traffic across multiple equal cost paths Note The ip multicast multipath command does not work with bidirectional Protocol Independent Multicast...

Page 995: ... shows how to enable ECMP multicast load splitting on a router based on a source address using the S hash algorithm Switch config ip multicast multipath The following example shows how to enable ECMP multicast load splitting on a router based on a source and group address using the basic S G hash algorithm Switch config ip multicast multipath s g hash basic The following example shows how to enabl...

Page 996: ... Timers Uptime Expires Interface state Interface Next Hop State Mode 224 0 255 1 uptime 0 57 31 expires 0 02 59 RP is 0 0 0 0 flags DC Incoming interface Null RPF neighbor 0 0 0 0 Dvmrp Outgoing interface list Ethernet0 Forward Dense 0 57 31 0 02 52 Tunnel0 Forward Dense 0 56 55 0 01 28 198 92 37 100 32 224 0 255 1 uptime 20 20 00 expires 0 02 55 flags C Incoming interface Tunnel0 RPF neighbor 10 ...

Page 997: ...gs SJC 224 2 127 254 2d16h 00 00 00 RP 171 69 10 13 flags SJCL 128 9 160 67 32 224 2 127 254 00 02 46 00 00 12 flags CLJT 129 48 244 217 32 224 2 127 254 00 02 15 00 00 40 flags CLJT 130 207 8 33 32 224 2 127 254 00 00 25 00 02 32 flags CLJT 131 243 2 62 32 224 2 127 254 00 00 51 00 02 03 flags CLJT 140 173 8 3 32 224 2 127 254 00 00 26 00 02 33 flags CLJT 171 69 60 189 32 224 2 127 254 00 03 47 0...

Page 998: ...Source 36 29 1 3 32 71 0 110 0 Source 128 9 160 96 32 505 1 106 0 Source 128 32 163 170 32 661 1 88 0 Source 128 115 31 26 32 192 0 118 0 Source 128 146 111 45 32 500 0 87 0 Source 128 183 33 134 32 248 0 119 0 Source 128 195 7 62 32 527 0 118 0 Source 128 223 32 25 32 554 0 105 0 Source 128 223 32 151 32 551 1 125 0 Source 128 223 156 117 32 535 1 114 0 Source 128 223 225 21 32 582 0 114 0 Source...

Page 999: ...t were switched in hardware on the corresponding route The partially switched packet counter represents the number of times that a fast switched packet was also copied to the CPU for software processing or for forwarding to one or more non platform switched interfaces such as a PimTunnel interface The slow switched packet count represents the number of packets that were switched completely in soft...

Page 1000: ...he PIM interfaces that are fast switched and process switched and the packet counts for these The H is added to interfaces where IP multicast is enabled Switch show ip pim interface count States FS Fast Switched H Hardware Switched Address Interface FS Mpackets In Out 192 1 10 2 Vlan10 H 40886 0 192 1 11 2 Vlan11 H 0 40554 192 1 12 2 Vlan12 H 0 40554 192 1 23 2 Vlan23 0 0 192 1 24 2 Vlan24 0 0 Cle...

Page 1001: ...PIM The RP router is the router with the address 10 8 0 20 ip multicast routing ip pim rp address 10 8 0 20 1 interface ethernet 1 ip pim sparse mode Bidirectional PIM Mode Example By default a bidirectional RP advertises all groups as bidirectional Use an access list on the RP to specify a list of groups to be advertised as bidirectional Groups with the deny keyword operate in dense mode A differ...

Page 1002: ...0 0 0 255 255 255 access list 45 permit 227 0 0 0 0 255 255 255 access list 45 deny 225 0 0 0 0 255 255 255 access list 46 permit 226 0 0 0 0 255 255 255 Sparse Mode with a Single Static RP Example The following example sets the PIM RP address to 192 168 1 1 for all multicast groups and defines all groups to operate in sparse mode ip multicast routing interface ethernet 1 ip pim sparse mode ip pim...

Page 1003: ...he CLI You can configure the switch as an ANCP client that connects to a remote ANCP server with multicast enabled You can then initiate joins and leaves from that server Use the switch in a system in which a subscriber requests that a digital right management DRM server receive a given channel multicast potentially through any private protocol mechanism Note The ANCP client does not allow more th...

Page 1004: ...ates any existing multicast streams that have been enabled with ANCP To configure a switch to communicate with a single ANCP server use the no ancp client server interface command This command directs the ANCP client to initiate a TCP connection to the remote ANCP server identified with the IP address If the TCP connection fails the connection times out and retries for the connection every 120 sec...

Page 1005: ...mmand which displays the status of the ANCP TCP connection with the remote ANCP server Switch show ancp status ANCP enabled on following interfaces Et0 0 ANCP end point s on this interface ANCP state ESTAB Neighbor 10 1 1 1 Neighbor port 6068 Hello interval 100 Sender instance 1 Sender name 372F61C Sender port 0 Partition ID 0 TCB 36E27E8 Capabilities negotiated Transactional Multicast Switch In t...

Page 1006: ...ress and provide it to the ANCP server This allows the ANCP client on the switch to identify the proper port using an identifier the switch understands The configure DHCP snooping on the Catalyst 4500 series switch use the following commands Switch config ip dhcp snooping Switch config ip dhcp snooping vlan vlan range By default DHCP option 82 is inserted when DHCP snooping is activated Turning th...

Page 1007: ...e ANCP server Entering a suspend or shut command on a VLAN removes ANCP activated multicast streams from the VLAN Deleting a VLAN removes ANCP activated multicast streams from the VLAN If a port enters the errdisable or blocked state ANCP activated multicast streams are removed from the port Disabling IGMP snooping globally or per VLAN might disrupt ANCP client functionality An ANCP client does no...

Page 1008: ...39 6 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 39 Configuring ANCP Client ANCP Guidelines and Restrictions ...

Page 1009: ...ther than the variable rates for different routing protocol hello mechanisms network profiling and planning are simplified and reconvergence time is more consistent and predictable Note For details on all the BFD commands introduced in this chapter see the URL http www cisco com en US docs ios iproute_pi command reference iri_book html For complete syntax and usage information for the switch comma...

Page 1010: ...r Bidirectional Forwarding Detection Restrictions include BFD works only for directly connected neighbors BFD neighbors must be no more than one IP hop away Multihop configurations are not supported Cisco IOS Release 15 1 1 SG Catalyst 4500 Series Switches support up to 128 BFD sessions with a minimum hello interval of 100 ms and a multiplier of 3 The multiplier specifies the minimum number of con...

Page 1011: ... packets to each other at the negotiated interval Cisco supports BFD echo mode Echo packets are sent by the forwarding engine and are forwarded back along the same path to perform detection The BFD session at the other end does not participate in the actual forwarding of the echo packets See Configuring BFD Echo Mode page 40 15 for more information This section includes the following subsections N...

Page 1012: ...e state machine FSM transitions to full state Both OSPF BFD and BFD are enabled On broadcast interfaces OSPF establishes a BFD session only with the designated router DR and backup designated router BDR but not between any two switches routers in DROTHER state BFD Detection of Failures Once a BFD session has been established and timer negations are complete BFD peers send BFD control packets that ...

Page 1013: ... are permitted at larger hello intervals BFD Support for Nonbroadcast Media Interfaces Starting with Cisco IOS Release 15 1 1 SG the BFD feature is supported on VLAN interfaces on the Catalyst 4500 series switch The bfd interval command must be configured on an interface to initiate BFD monitoring BFD Support for Nonstop Forwarding with Stateful Switchover Typically when a networking device restar...

Page 1014: ... receive packets and then sends packets for any elements that have expired BFD also uses checkpoint messages to ensure that sessions created by clients on the active RP are maintained during a switchover When a switchover occurs BFD starts an SSO reclaim timer Clients must reclaim their sessions within the duration specified by the reclaim timer or else the session is deleted Timer values are diff...

Page 1015: ...econd Advantages to implementing BFD over reduced timer mechanisms for routing protocols include the following Although reducing the EIGRP BGP and OSPF timers can result in minimum detection timer of one to two seconds BFD can provide failure detection in less than one second Because BFD is not tied to any particular routing protocol it can be used as a generic and consistent failure detection mec...

Page 1016: ... packets are sent and received in addition to BFD control packets The adjacency creation takes places once you have configured BFD support for the applicable routing protocols This section contains the following procedures Configuring BFD Session Parameters on the Interface page 40 8 required Configuring BFD Support for Dynamic Routing Protocols page 40 9 required Configuring BFD Support for Stati...

Page 1017: ...l participating switches The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD neighbors must be configured See the Configuring BFD Session Parameters on the Interface section on page 40 8 for more information To configure BFD support for BGP perform this task Step 4 bfd interval milliseconds min_rx milliseconds multiplier interval multiplier Swi...

Page 1018: ...IGRP is routing by using the bfd interface type number command in router configuration mode Prerequisites EIGRP must be running on all participating switches The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD neighbors must be configured See the Configuring BFD Session Parameters on the Interface section on page 40 8 for more information To co...

Page 1019: ...command in interface configuration mode See the following sections for tasks for configuring BFD support for OSPF Configuring BFD Support for OSPF for All Interfaces page 40 11 optional Configuring BFD Support for OSPF for One or More Interfaces page 40 12 optional Configuring BFD Support for OSPF for All Interfaces To configure BFD for all OSPF interfaces perform the steps in this section If you ...

Page 1020: ...his section Prerequisites OSPF must be running on all participating switches The baseline parameters for BFD sessions on the interfaces over which you want to run BFD sessions to BFD neighbors must be configured See the Configuring BFD Session Parameters on the Interface section on page 40 8 for more information Command or Action Purpose Step 1 enable Switch enable Enables privileged EXEC mode Ent...

Page 1021: ...configure terminal Enters global configuration mode Step 3 interface type number Switch config interface gigabitethernet 6 1 Enters interface configuration mode Step 4 ip ospf bfd disable Switch config if ip ospf bfd Enables or disables BFD on a per interface basis for one or more interfaces associated with the OSPF routing process Note You should use the disable keyword only if you enabled BFD on...

Page 1022: ... milliseconds multiplier interval multiplier Switch config if bfd interval 500 min_rx 500 multiplier 5 Enables BFD on the interface Step 7 exit Switch config if exit Exits interface configuration mode and returns to global configuration mode Step 8 ip route static bfd interface type interface number ip address group group name passive Switch config ip route static bfd Gi6 1 10 1 1 1 group group1 p...

Page 1023: ...n Echo mode is described as without asymmetry when it is running on both sides both BFD neighbors are running echo mode Prerequisites BFD must be running on all participating switches Before using BFD echo mode you must disable the sending of Internet Control Message Protocol ICMP redirect messages by entering the no ip redirects command to avoid high CPU utilization The baseline parameters for BF...

Page 1024: ...hboring switches Repeat the steps in this procedure for each BFD switch To disable BFD echo mode without asymmetry perform this task Command or Action Purpose Step 1 enable Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 configure terminal Switch configure terminal Enters global configuration mode Step 3 bfd slow timer milliseconds Switch config bfd slow timer 120...

Page 1025: ...guring BFD in an OSPF Network page 40 22 Example Configuring BFD Hardware Offload support in a BGP Network Network page 40 25 Example Configuring BFD Support for Static Routing page 40 27 Example Configuring BFD in an EIGRP Network with Echo Mode Enabled by Default The following example shows how to configure BFD in an EIGRP network with echo mode enabled by default Step 4 no bfd echo Example Swit...

Page 1026: ...th for BFD sessions and failure detections while their BFD neighbor SwitchC runs BFD Version 0 and uses BFD controls packets for BFD sessions and failure detections Figure 40 3 shows a large EIGRP network with several switches three of which are BFD neighbors that are running EIGRP as their routing protocol Figure 40 3 EIGRP Network with Three BFD Neighbors Running V1 or V0 The example starting in...

Page 1027: ...255 0 bfd interval 100 min_rx 50 multiplier 3 no shutdown router eigrp 11 network 172 16 0 0 bfd all interfaces auto summary ip default gateway 10 4 9 1 ip default network 0 0 0 0 ip route 0 0 0 0 0 0 0 0 10 4 9 1 ip route 172 16 1 129 255 255 255 255 10 4 9 1 end The output from the show bfd neighbors details command from SwitchA verifies that BFD sessions have been created among all three switch...

Page 1028: ...ms ago Registered protocols EIGRP Uptime 00 04 30 Last packet Version 1 Diagnostic 0 State bit Up Demand bit 0 Poll bit 0 Final bit 0 Multiplier 3 Length 24 My Discr 1 Your Discr 6 Min tx interval 1000000 Min rx interval 1000000 Min Echo interval 50000 The output from the show bfd neighbors details command on SwitchB verifies that BFD sessions have been created and that EIGRP is registered for BFD...

Page 1029: ...t interface 6 1 on SwitchB is shut down the BFD values of the corresponding BFD sessions on SwitchA and SwitchB are reduced Figure 40 4 Gigabit Ethernet Interface 6 1 Failure When Gigabit Ethernet interface 6 1 on SwitchB fails BFD will no longer detect SwitchB as a BFD neighbor for SwitchA or for SwitchC In this example Gigabit Ethernet interface 6 1 has been administratively shut down on SwitchB...

Page 1030: ...anges detail network 172 16 0 0 0 0 0 255 area 0 network 172 17 0 0 0 0 0 255 area 0 bfd all interfaces Configuration for SwitchB interface GigabitEthernet 6 1 no switchport ip address 172 16 10 2 255 255 255 0 bfd interval 100 min_rx 100 multiplier 3 interface GigabitEthernet 6 2 no switchport ip address 172 18 0 1 255 255 255 0 router ospf 123 log adjacency changes detail network 172 16 0 0 0 0 ...

Page 1031: ... 332 last 12 ms ago Last packet Version 0 Diagnostic 0 I Hear You bit 1 Demand bit 0 Poll bit 0 Final bit 0 Multiplier 5 Length 24 My Discr 1 Your Discr 8 Min tx interval 200000 Min rx interval 200000 Min Echo interval 0 Uptime 00 33 13 SSO Cleanup Timer called 0 SSO Cleanup Action Taken 0 Pseudo pre emptive process count 239103 min max avg 8 16 8 last 0 ms ago IPC Tx Failure Count 0 IPC Rx Failur...

Page 1032: ...nimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 0 Checksum Sum 0x0 Number of opaque AS LSA 0 Checksum Sum 0x0 Number o...

Page 1033: ...tethernet 6 1 Gigabitethernet 6 1 is up line protocol is up Internet Address 172 18 0 1 24 Area 0 Process ID 123 Router ID 172 18 0 1 Network Type BROADCAST Cost 1 Transmit Delay is 1 sec State DR Priority 1 BFD enabled Designated Router ID 172 18 0 1 Interface address 172 18 0 1 No backup designated router on this network Timer intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 oob resync...

Page 1034: ...hAddr LD RD RH RS State Int 1 1 1 1 1 1 Up Up Gi3 2 Session state is UP and not using echo function Session Host Hardware OurAddr 1 1 1 2 Local Diag 0 Demand mode 0 Poll bit 0 MinTxInt 50000 MinRxInt 50000 Multiplier 3 Received MinRxInt 50000 Received Multiplier 3 Holddown hits 0 0 Hello hits 50 0 Rx Count 8678 Tx Count 8680 Elapsed time watermarks 0 0 last 0 Registered protocols BGP Uptime 00 06 ...

Page 1035: ...hbor is 1 1 1 2 remote AS 45000 external link Using BFD to detect fast fallover SwitchB SwitchB show ip bgp neighbors BGP neighbor is 1 1 1 1 remote AS 40000 external link Using BFD to detect fast fallover Example Configuring BFD Support for Static Routing In the following example the network consists of SwitchA and SwitchB Gigabit Ethernet interface 6 1 on SwitchA is connected to the same network...

Page 1036: ...RP module of the Cisco IOS IP Routing Protocols Configuration Guide Configuring and monitoring OSPF Configuring OSPF module of the Cisco IOS IP Routing Protocols Configuration Guide BFD commands complete command syntax command mode command history defaults usage guidelines and examples Cisco IOS IP Routing Protocol Independent Command Reference BGP commands complete command syntax command mode com...

Page 1037: ...ets use Cisco MIB Locator found at the following URL http www cisco com go mibs RFC Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Support and Documentation website provides online resources to download documentation software and tools Use these resources to install and configure the softwar...

Page 1038: ...40 30 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 40 Configuring Bidirection Forwarding Detection Additional References ...

Page 1039: ...t Campus Fabric Campus Fabric Configuration Guidelines Limitations and Restrictions Understanding Fabric Domain Elements Configuring Fabric Edge Devices Security Group Tags and Policy Enforcement in Campus Fabric Multicast Using Campus Fabric Overlay Dataplane Security Campus Fabric Configuration Examples Note For complete syntax and usage information for the switch commands used in this chapter s...

Page 1040: ...dge devices with local endpoints and resolves requests from edge devices to locate remote endpoints You can configure a total of 3 control plane devices internally a fabric border device and externally a designated control plane device such as a Cisco CSR1000v to allow redundancy on your network Fabric Border Devices Connect traditional Layer 3 networks or different fabric domains to the local dom...

Page 1041: ...s not supported in Virtual Switching System VSS mode and in VSS wireless mode Virtual Extensible LAN VXLAN encapsulation is supported on the Supervisor uplink modules only Ensure that you use supervisor uplink modules for underlay connections between fabric elements Campus Fabric is supported only on Cisco Catalyst 4500 E series switches on Supervisor Engine 8 E IPv6 hosts are not supported in the...

Page 1042: ...t your underlay configuration is set up Configure control plane devices and border devices in your fabric domain Cisco Catalyst 4500 E series switches cannot be configured as control plane or border devices For more information on configuring control plane and border devices see the How to Configure Fabric Overlay section in Software Configuration Guide Cisco IOS XE Denali 16 3 x Catalyst 3850 Swi...

Page 1043: ...6 Step 5 Switch config fabric auto domain border ipv4 address Specifies the IP address of the border device to allow the edge device to communicate with the fabric border device You can specify up to 2 border IP addresses for the edge device Step 6 Switch config fabric auto domain context name eg context ID ID Creates a new context in the fabric domain and assigns an ID to it Contexts or VRFs prov...

Page 1044: ...rmation option ip dhcp snooping vlan 10 ip dhcp snooping fabric auto domain default control plane 192 168 1 4 auth key example key1 control plane 192 168 1 5 auth key example key2 border 192 168 1 6 context name eg context id 10 host pool name VOICE_DOMAIN context eg context vlan 10 gateway 192 168 1 254 24 use dhcp 209 65 201 6 exit exit exit vlan 10 name VOICE_DOMAIN interface Vlan10 ip vrf forw...

Page 1045: ...ic Configuring Multicast PIM Sparse Mode in Campus Fabric Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ip multicast routing Enables IP multicast routing Step 3 Switch config ip pim rp address rp address Statically configures the address of a Protocol Independent Multicast PIM rendezvous point RP for multicast groups Step 4 Switch config int...

Page 1046: ...e subinterface on which to enable Protocol Independent Multicast PIM sparse mode and enters interface configuration mode Step 5 Switch config if ip pim sparse mode Enables Protocol Independent Multicast PIM on the interface for sparse mode operation Step 6 Switch config if exit Exits interface configuration mode and enters global configuration mode Step 7 Switch config interface interface type int...

Page 1047: ...ices and border devices in your fabric domain Cisco Catalyst 4500 E series switches cannot be configured as control plane or border devices For more information on configuring dataplane security control plane and border devices see the How to Configure Fabric Overlay section in Software Configuration Guide Cisco IOS XE Denali 16 3 x Catalyst 3850 Switches To configure dataplane security in static ...

Page 1048: ... context EID VOICE_VLAN database mapping 192 168 1 0 24 locator set default RLOC exit exit loc reach algorithm lsb reports ignore disable ttl propagate ipv4 sgt ipv4 use petr 192 168 1 6 priority 10 weight 10 ipv4 itr map resolver 192 168 1 4 ipv4 itr map resolver 192 168 1 5 Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config router lisp Enters L...

Page 1049: ...s 192 168 1 254 255 255 255 0 ip helper address global 172 10 1 1 no ip redirects ip local proxy arp ip route cache same interface no lisp mobility liveness test lisp mobility default EID VOICE_VLAN router lisp eid table default dynamic default EID VOICE_VLAN database mapping 192 168 1 0 24 locator set FD_DEFAULT RLOC router lisp site FD_Default authentication key example key1 exit ipv4 map server...

Page 1050: ...e eg context id 10 host prefix 192 168 1 0 24 context name eg context host pool name Voice context eg context use dhcp 172 10 1 1 exit host pool name doc exit exit exit router lisp encapsulation vxlan loc reach algorithm lsb reports ignore disable ttl propagate ipv4 sgt ipv4 proxy etr ipv4 proxy itr 1 1 1 1 ipv4 itr map resolver 198 51 100 2 ipv4 etr map server 198 51 100 2 key example key1 exit ...

Page 1051: ...ation associated with a feature use the Feature Navigator on Cisco com to search for information about the feature or refer to the software release notes for a specific release Policy Based Routing Policy Based Routing PBR gives you a flexible method of routing packets by allowing you to define policies for traffic flows lessening reliance on routes derived from routing protocols PBR gives you mor...

Page 1052: ...the packets are forwarded Route maps contain statements that can be marked as permit or deny They are interpreted in the following ways If a statement is marked as deny the packets meeting the match criteria are sent back using the normal forwarding channels and destination based routing is performed If the statement is marked as permit and a packet matches the access lists then the first valid se...

Page 1053: ...statement in the sequence the statement with the next higher sequence number If no next statement exists PBR processing terminates and the packet is routed using the default IP routing table If the route map statement encountered is a route map deny statement The packet is matched against the criteria given in the match command This command may refer to an ACL that may itself have one or more perm...

Page 1054: ...acket Matching Criteria Access Control Lists ACLs define the allowed match criteria for packets Each ACL is applied to incoming packets in a certain order stopping only when the packet characteristics match the ACL being applied Unlike policy maps route maps do not support the match any match semantics IPv6 packets are matched via a match ipv6 address statement in the associated PBR route map IPv6...

Page 1055: ...m 61 1 1 1 to 133 3 3 1 with destination port 105 Processing moves from sequence 21 to 24 because all ACLs in these sequence numbers have a deny action for port 105 In sequence 25 ACL 105 has a permit action for TCP port 105 The route map deny command takes effect and the packet is routed using the default IP routing table The Catalyst 4500 series switch supports matching route map actions with a ...

Page 1056: ...cking process that it is interested in tracking a certain object The tracking process in turn informs PBR when the state of the object changes Restrictions for Policy Based Routing with Object Tracking The set next hop verify availability command is not supported with the following VRF instances Virtual switching system VSS IPv6 traffic IPv4 and IPv6 Policy Based Routing for VRF Instances Virtual ...

Page 1057: ...looked up this overrides the default or global routing table If a route is not specified in the VRF routing table then packets are dropped even if a route exists in the global routing table The set next hop verify availability command is not supported with VRF instances Policy Based Routing Configuration Tasks To configure PBR perform the tasks described in the following sections The task in the f...

Page 1058: ... address sequence track object Optional Configures the route map to verify the reachability of the tracked object Note This option is not supported for IPv6 traffic For information about defining new tracked object see Verifying Next Hop IP using Object Tracking page 42 14 Step 5 Switch config route map set ip next hop recursive ip address Specifies a recursive next hop IP address Note The recursi...

Page 1059: ...rface type interface number type number Specifies the output interface from which the packet will be sent if there is no explicit route for this destination Before forwarding the packet to the next hop the switch looks up the packet s destination address in the unicast routing table If a match is found the packet is forwarded by using the routing table If no match is found the packet is forwarded ...

Page 1060: ...tandard or Extended ipv6 access lists The access lists can specify the source and destination IP addresses protocol types and port numbers Step 3 Switch config route map set ipv6 next hop ip address ip address Specifies the next hop IP address to which matching packets are sent The next hop IP address specified here must belong to a subnet that is directly connected to this switch If more than one...

Page 1061: ...g table If no match is found the packet is forwarded to the specified next hop Step 6 Switch config route map set default interface interface type interface number type number Specifies the output interface from which the packet will be sent if there is no explicit route for this destination Before forwarding the packet to the next hop the switch looks up the packet s destination address in the un...

Page 1062: ...igure your device in the following way Command Purpose Switch config ip local policy route map map tag Identifies the IPv4 route map to use for local PBR Command Purpose Switch config ipv6 local policy route map map tag Identifies the IPv6 route map to use for local PBR Command Purpose Step 1 Switch config route map map tag permit deny sequence number Defines a route map to control where packets a...

Page 1063: ... routing table to which to forward matched packets The next hop IP address must exist in the global routing table Step 4 Set one of the following For IPv4 Switch config route map set ip default vrf vrf name next hop ip address ip address For IPv6 Switch config route map set ipv6 default vrf vrf name next hop ip address ip address For IPv4 Switch config route map set ip default global next hop ip a...

Page 1064: ... route packets Use the set global command to configure VRF to Global routing Use the set vrf command to specify the VRF table to be looked up to route packets Use this command to configure Inter VRF routing and route packets arriving at a particular VRF interface through a different VRF interface by looking up a different VRF s routing table This command overrides the default or global routing tab...

Page 1065: ... Step 3 Switch config ip sla operation number Starts a Cisco IOS IP Service Level Agreement SLA operation configuration and enters IP SLA configuration mode Step 4 Switch config ip sla icmp echo ip address source ip ip address Configures an IP SLA Internet Control Message Protocol ICMP echo probe operation and enters Echo configuration mode Step 5 Switch config ip sla echo frequency seconds Option...

Page 1066: ...access to two different service providers Packets arriving on interface fastethernet 3 1 from the source 1 1 1 1 are sent to the switch at 6 6 6 6 if the switch has no explicit route for the destination of the packet Packets arriving from the source 2 2 2 2 are sent to the switch at 7 7 7 7 if the switch has no explicit route for the destination of the packet All other packets for which the switch...

Page 1067: ...quence 20 All other packets from subnet 1 1 1 0 follow the set statement in sequence 10 access list 1 deny ip 1 1 1 1 access list 1 permit ip 1 1 1 0 0 0 0 255 access list 2 permit ip 1 1 1 1 access list 2 permit ip 2 2 2 2 interface fastethernet 3 1 ip policy route map Texas route map Texas permit 10 match ip address 1 set ip next hop 3 3 3 3 route map Texas permit 20 match ip address 2 set ip ne...

Page 1068: ... Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 42 Configuring Policy Based Routing Policy Based Routing Configuration Examples Policy routing matches 0 packets 0 bytes ...

Page 1069: ...addresses both IPv4 and IPv6 VRF lite Note Starting with Cisco IOS Release 12 2 52 SG the Catalyst 4500 switch supports VRF lite NSF support with routing protocols OSPF EIGRP BGP This chapter includes these topics About VRF lite page 43 2 VRF lite Configuration Guidelines page 43 3 Configuring VRF lite for IPv4 page 43 4 Configuring VRF lite for IPv6 page 43 14 VPN Co existence Between IPv4 and IP...

Page 1070: ...ly attached eliminating the need for the PE to maintain all of the service provider VPN routes Each PE router maintains a VRF for each of its directly connected sites Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN Each VPN is mapped to a specified VRF After learning local VPN routes from CEs a PE router exchanges VPN routing...

Page 1071: ...nfigure VPN route targets for each VPN community member Multiprotocol BGP peering of VPN community PE routers Propagates VRF reachability information to all members of a VPN community You need to configure BGP peering in all PE routers within a VPN community VPN forwarding Transports all traffic between all VPN community members across a VPN service provider network VRF lite Configuration Guidelin...

Page 1072: ...CEs BGP is designed for passing routing information between systems run by different administrations BGP makes simplifies passing attributes of the routes to the CE VRF lite does not support IGRP and ISIS Beginning with Cisco IOS Release 12 2 50 SG Multicast and VRF can be configured together on a Layer 3 interface The Catalyst 4500 series switch supports all the PIM protocols PIM SM PIM DM PIM SS...

Page 1073: ...er specified VRF ARP entries are learned in separate VRFs The user can display Address Resolution Protocol ARP entries for specific VRFs Step 4 Switch config vrf rd route distinguisher Creates a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and arbitrary number A B C D y Step 5 Switch config vrf route target export import bot...

Page 1074: ...ables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config ip vrf vrf name Configures a VRF table and enters VRF configuration mode Step 4 Switch config vrf rd route distinguisher Creates routing and forwarding tables for a VRF instance Step 5 Switch config vrf exit Exits VRF configuration mode Step 6 Switch con...

Page 1075: ...source interface subinterface name Uses the IP address of a specified interface for all outgoing TACACS packets Step 14 Switch config sg tacacs exit Exits server group configuration mode Command or Action Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ip routing Enables IP routing Step 3 Switch config ip vrf vrf name Names the VRF and...

Page 1076: ... perform this task Step 8 Switch config vrf interface interface id Enters interface configuration mode and specifies the Layer 3 interface to be associated with the VRF The interface can be a routed port or a SVI Step 9 Switch config if ip vrf forwarding vrf name Associates the VRF with the Layer 3 interface Step 10 Switch config if ip address ip address mask Configures IP address for the Layer 3 ...

Page 1077: ...of the OSPF network Step 8 Switch copy running config startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config router bgp autonomous system number Configures the BGP routing process with the AS number passed to other BGP routers and enters router configuration mode Ste...

Page 1078: ...ith switch S8 Commands for configuring the other switches are not included but would be similar Figure 43 2 VRF lite Configuration Example Configuring Switch S8 On switch S8 enable routing and configure VRF Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config ip vrf v11 Switch config vrf rd 800 1 Switch config vrf route target e...

Page 1079: ...erface FastEthernet3 11 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Configure the VLANs used on switch S8 VLAN 10 is used by VRF 11 between the CE and the PE VLAN 20 is used by VRF 12 between the CE and the PE VLANs 118 and 208 are used for VRF for the VPNs that include switch S11 and switch S20 r...

Page 1080: ...ate Switch config router af network 8 8 1 0 mask 255 255 255 0 Switch config router af end Configuring Switch S20 Configure S20 to connect to CE Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config interface Fast Ethernet 0 7 Switch config if no switchport Switch config if ip address 208 0 0 20 255 255 255 0 Switch config if exi...

Page 1081: ... exit Router config interface Loopback2 Router config if ip vrf forwarding v2 Router config if ip address 3 3 2 3 255 255 255 0 Router config if exit Router config interface Fast Ethernet3 0 10 Router config if encapsulation dot1q 10 Router config if ip vrf forwarding v1 Router config if ip address 38 0 0 3 255 255 255 0 Router config if exit Router config interface Fast Ethernet3 0 20 Router conf...

Page 1082: ...lan134 RPF nbr 172 16 34 1 Outgoing interface list Vlan45 Forward Sparse Dense 00 00 02 00 02 57 H Vlan134 Bidir Upstream Sparse Dense 13 35 54 00 00 00 H Note For more information about the information in the displays refer to the Cisco IOS Switching Services Command Reference at http www cisco com en US docs ios ipswitch command reference isw_book html Configuring VRF lite for IPv6 Configuring V...

Page 1083: ...for ARP perform this task Configuring the User Interface for PING To perform a VRF aware ping perform this task Configuring the User Interface for uRPF You can configure uRPF on an interface assigned to a VRF Source lookup is performed in the VRF table To configure VRF aware services for uRPF perform this task Command Purpose Switch show ip arp vrf vrf name Displays the ARP table static and dynami...

Page 1084: ...ftp source interface show mode command To use the address of the interface where the connection is made use the no form of this command To configure the user interface for FTP and TFTP perform this task To specify the IP address of an interface as the source address for TFTP connections use the ip tftp source interface show mode command To return to the default use the no form of this command Step...

Page 1085: ...fig ip tftp source interface interface type interface number Specifies the source IP address for TFTP connections Step 3 Switch config end Returns to privileged EXEC mode Command Purpose Switch telnet ip address vrf vrf name Connects through Telnet to an IP host or address in the specified VRF Switch ssh l username vrf vrf name ip host Connects through SSH to an IP host or address in the specified...

Page 1086: ... 64 ospfv3 100 ipv6 area 0 interface Vlan200 vrf forwarding v2 no ip address ipv6 address 2000 1 1 64 ospfv3 200 ipv6 area 0 interface GigabitEthernet 1 0 1 switchport access vlan 100 end interface GigabitEthernet 1 0 2 switchport access vlan 200 end interface GigabitEthernet 1 0 24 switchport trunk encapsulation dot1q switchport mode trunk no ip address end router ospfv3 100 router id 10 10 10 10...

Page 1087: ...ipv6 area 0 interface Vlan700 vrf forwarding v2 no ip address ipv6 address 2000 1 2 64 ospfv3 200 ipv6 area 0 interface Vlan800 vrf forwarding v1 no ip address ipv6 address 3000 1 7 64 ospfv3 100 ipv6 area 0 interface Vlan900 vrf forwarding v2 no ip address ipv6 address 4000 1 7 64 ospfv3 200 ipv6 area 0 interface GigabitEthernet 1 0 1 switchport trunk encapsulation dot1q switchport mode trunk no ...

Page 1088: ...ition v2 rd 200 1 address family ipv6 exit address family interface Vlan100 vrf forwarding v1 no ip address ipv6 address 1000 1 3 64 ospfv3 100 ipv6 area 0 interface Vlan200 vrf forwarding v2 no ip address ipv6 address 2000 1 3 64 ospfv3 200 ipv6 area 0 interface GigabitEthernet 1 0 1 switchport access vlan 100 end interface GigabitEthernet 1 0 2 switchport access vlan 200 end interface GigabitEth...

Page 1089: ... route vrf a IPv6 Routing Table a 3 entries Codes C Connected L Local S Static U Per user Static route B BGP R RIP I1 ISIS L1 I2 ISIS L2 IA ISIS interarea IS ISIS summary D EIGRP EX EIGRP external Command Purpose Switch show ipv6 route vrf a X X X X X 0 128 bgp connected eigrp interface isis local nd nsf ospf repair rip shortcut static summary tag updated watch Displays routing protocol informatio...

Page 1090: ...e Names the VRF and enters VRF configuration mode Step 4 Switch config vrf address family ipv4 ipv6 Optional IPv4 by default Configuration MUST for ipv6 Step 5 Switch config vrf rd route distinguisher Optional Creates a VRF table by specifying a route distinguisher Enter either an Autonomous System number and an arbitrary number xxx y or an IP address and arbitrary number A B C D y Step 6 Switch c...

Page 1091: ... vrf brief detail interfaces vrf name Verifies the configuration Displays information about the configured VRFs Step 12 Switch copy running config startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose Step 1 Switch config vrf configuration Enters vrf configuration mode Step 1 Switch config vrf interface interface id Enters interface configuration mode...

Page 1092: ... mode Step 3 Switch config router ospfv3 process id Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family Step 4 Switch config router area area ID default cot nssa stub Configures the OSPFv3 area Step 5 Switch config router router id router id Use a fixed router ID Step 6 Switch config router address family ipv6 unicast vrf vrf name Or Switch config router address family ipv...

Page 1093: ... ospf process id area area ID instance instance id Enables OSPFv3 on an interface with the IPv4 or IPv6 AF or Enables OSPFv3 on an interface Step 5 Switch config if end Returns to privileged EXEC mode Command Purpose Command Purpose Step 1 Switch enable Enters privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config...

Page 1094: ...up Step 5 Switch config router neighbor ip address ipv6 address peer group name remote as autonomous system number alternate as autonomous system number Adds the IPv6 address of the neighbor in the specified autonomous system to the IPv6 multiprotocol BGP neighbor table of the local router Step 6 Switch config router address family ipv6 vrf vrf name unicast multicast vpnv6 Specifies the IPv6 addre...

Page 1095: ...thernet0 0 vrf forwarding red ip address 50 1 1 2 255 255 255 0 ipv6 address 4000 72B 64 interface Ethernet0 1 ip vrf forwarding blue ip address 60 1 1 2 255 255 255 0 ipv6 address 5000 72B 64 In this example all addresses v4 and v6 defined for Ethernet0 0 refer to VRF red whereas for Ethernet0 1 the IP address refers to VRF blue but the ipv6 address refers to the global IPv6 routing table Migrati...

Page 1096: ...43 28 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 43 Configuring VRF lite Migrating from the Old to New CLI Scheme ...

Page 1097: ...ctions include Overview of QoS page 44 1 Configuring VSS QoS page 44 13 Configuring QoS on a Standalone Supervisor Engine 6 E 6L E or Supervisor Engine 7 E 7L E 8 E page 44 47 Configuring VSS Auto QoS page 44 81 Configuring Auto QoS on a Standalone Supervisor Engine 6 E 6L E or Supervisor Engine 7 E 7L E 8 E page 44 88 Note For complete syntax and usage information for the switch commands used in ...

Page 1098: ...ts in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 44 1 Prioritization values in Layer 2 frames Layer 2 Inter Switch Link ISL frame headers have a 1 byte User field that carries an IEEE 802 1p class of service CoS value in the three least significant bits On interfaces configured as Layer 2 ISL trunks all traffic is in ISL frames Layer 2 802 1Q frame headers have a ...

Page 1099: ...vices along a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices the traffic types and patterns in your network and the granularity of control you need over incoming and outgoing traffic QoS Terminology The following terms are...

Page 1100: ...lues The Internet Engineering Task Force IETF has defined the six most significant bits of the 1 byte IP ToS field as the DSCP The per hop behavior represented by a particular DSCP value is configurable DSCP values range between 0 and 63 Note Layer 3 IP packets can carry either an IP precedence value or a DSCP value QoS supports the use of either value since DSCP values are backwards compatible wi...

Page 1101: ...0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 16 17 18 19 20 21 22 23 6 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 48 49 50 51 52 53 54 55 3 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 24 25 26 27 28 29 30 31 7 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 1 1 1 1 0 0 1 1 0 0 1 1 0 1 0 1 ...

Page 1102: ...ansmit queue The transmit queue is selected based on output QoS classification criteria The selected queue provides the desired behavior in terms of latency and bandwidth Classification Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet Classification is enabled when a QoS policy map is attached to an interface You specify which f...

Page 1103: ...fined with the class map you can create a policy that defines the QoS actions for a traffic class A policy might contain multiple classes with actions specified for each one of them A policy might include commands to classify the class as a particular aggregate for example assign a DSCP or rate limit the class This policy is then attached to a particular port on which it becomes effective You impl...

Page 1104: ...y map class configuration mode For information on the policed DSCP map see the Queueing and Scheduling section on page 44 8 When configuring policing and policers keep these items in mind Policers account only for the Layer 2 header length when calculating policer rates In contrast shapers account for header length as well as IPG in rate calculations Beginning with Cisco IOS Release 15 0 2 SG IOS ...

Page 1105: ...ream can be destined for the priority queue per class level policy You enable the priority queue for a traffic class with the priority policy map class configuration command in class mode Traffic Shaping Traffic Shaping provides the ability to control the rate of outgoing traffic in order to make sure that the traffic conforms to the maximum rate of transmission contracted for it Traffic that meet...

Page 1106: ...rate limits each unique flow to an individual rate Flow based QoS is available on a Catalyst 4500 series switch with the built in NetFlow hardware support It can be applied to ingress traffic on both switched and routed interfaces with flow masks defined using Flexible NetFlow FNF It supports up to 100 000 individual flows in hardware and up to 512 unique policer configuration Flow based QoS is ty...

Page 1107: ...refer to the following URL http www cisco com en US docs ios xml ios msp command reference guide media ser prxy html Restrictions The following restrictions apply to using a metadata based QoS policy on a Catalyst 4500 series switch They can only be attached to target in input direction They can only be attached to physical ports and EtherChannel They cannot be attached to VLANs port VLANs and SVI...

Page 1108: ...and the Catalyst 4500 series switch allows you to change the queue limit for all interfaces globally instead of applying a policy with queue limit to all the interfaces To set the queue limit globally perform this task This is a global configuration command You can override it with the per port per class queue limit command Command Purpose Step 1 Switch configure terminal Enters global configurati...

Page 1109: ... redundancy force switchover for redundancy supervisors in RPR mode Configuring VSS QoS Note HQoS is not supported on the Catalyst 4500 series switch Topics include MQC based QoS Configuration page 44 48 Platform supported Classification Criteria and QoS Features page 44 48 Platform Hardware Capabilities page 44 49 Prerequisites for Applying a QoS Service Policy page 44 49 Restrictions for Applyin...

Page 1110: ...s the match criteria for a class map to be successful match criteria for all packets match cos Matches a packet based on a Layer 2 class of service CoS marking match ip dscp Identifies a specific IP differentiated service code point DSCP value as a match criterion Up to eight DSCP values can be included in one match statement match ip precedence Identifies IP precedence values as match criteria ma...

Page 1111: ...d port or an EtherChannel A policy is attached to a VLAN using vlan configuration mode Attaching QoS service policy to VLANs and EtherChannel is described in the Policy Associations section on page 44 73 Qos Actions Numbers of entries supported Classification 64k input and 64k output classification entries are supported A given policy can use at most 24k ACLs Policing 16K policers are supported Po...

Page 1112: ... protocol arp command For details see the Catalyst 4500 Series Switch Cisco IOS Command Reference Classification Statistics The supervisor engine supports only packet based classification statistics and TCAM resource sharing When a policy map is applied on multiple targets the command show policy map interface displays the aggregate classification statistics not those specific to an interface Note...

Page 1113: ...ly partitioned by software as follows 0 Input Policers and 16K Output Policers 2K Input Policers and 14K Output Policers 4K Input Policers and 12K Output Policers 6K Input Policers and 10K Output Policers 8K Input Policers and 8K Output Policers 10K Input Policers and 6K Output Policers 12K Input Policers and 4K Output Policers 14K Input Policers and 2K Output Policers 16K Input Policers and 0 Out...

Page 1114: ...icer based marking is preferred If policer based service policy is attached to both a port and a VLAN port based policed is preferred by default To over ride a specific VLAN policy on a given port then you must configure a per port per vlan policy You should not delete a port channel with a per port per VLAN QoS policy Workaround Before deleting the port channel do the following 1 Remove any per p...

Page 1115: ...rvice ToS byte of IPv4 DSCP Precedence value in the traffic class byte of IPv6 Benefits of Marking Network Traffic Traffic marking allows you to fine tune the attributes for traffic on your network This increased granularity helps isolate traffic that requires special handling and thus helps to achieve optimal application performance Traffic marking allows you to determine how traffic will be trea...

Page 1116: ...r information on configuring a policy map see the Creating a Policy Map section on page 44 51 The final task is to attach the policy map to the interface For information on attaching the policy map to the interface see the Attaching a Policy Map to an Interface section on page 44 51 Method Two Unconditional Tablemap based Marking You can create a table map that can be used to mark traffic attribut...

Page 1117: ...icy map to the interface For information on attaching the policy map to the interface see the Attaching a Policy Map to an Interface section on page 44 51 Marking Action Drivers A marking action can be triggered based on one of the two QoS processing steps Classification based In this case all the traffic matching a class is marked using either explicit or tablemap based method This method is refe...

Page 1118: ...port The supervisor engine can mark more than one QoS attribute of a packet matching a class of traffic For example DSCP and CoS can all be set together using either explicit or tablemap based marking Note When using unconditional explicit marking of multiple fields or policer based multi field multi region conform exceed violate marking the number of table maps that can be setup in TOS or COS mar...

Page 1119: ...Precedence fields and can be used as one of the following 64 32 different tablemaps with each one mapping 8 CoS 16 CoS and CFi values to DSCP in input output direction a combination of above two types of tablemaps Similar mappings are available on the 512 entry COS marking table Configuring the Policy Map Marking Action This section describes how to establish unconditional marking action for netwo...

Page 1120: ...plicit actions for each policer region Switch configure terminal Switch config pmap c policer cir percent 20 pir percent 30 Switch config pmap c policer conform action set cos transmit 3 set dscp transmit 10 Switch config pmap c policer exceed action set cos transmit 4 set dscp transmit 20 Switch config pmap c policer violate action drop Switch show policy map p1 Policy Map police Class ipp5 polic...

Page 1121: ...for one or more classes of traffic Because there are only eight queues per port there can be at most eight classes of traffic including the reserved class class default with queuing action s Classes of traffic that do not have any queuing action are referred to as non queuing classes Non queuing class traffic ends up using the queue corresponding to class class default When a queuing policy a poli...

Page 1122: ...Switch config pmap class class name Specifies the name of the class whose traffic policy you want to create or change and enter policy map class configuration mode By default no traffic classes are defined Step 4 Switch config pmap class shape average cir bps optional_postfix percent percent Enables average rate traffic shaping You can specify the shaping rate in absolute value or as a percentage ...

Page 1123: ...ss Average Rate Traffic Shaping cir 32 Sharing bandwidth The bandwidth assigned to a class of traffic is the minimum bandwidth that is guaranteed to the class during congestion Transmit Queue Sharing is the process by which output link bandwidth is shared among multiple queues of a given port The supervisor engine supports a range of 32 kbps to 10 gbps for sharing with a precision of approximately...

Page 1124: ...if service policy output policy11 Step 4 Switch config pmap class bandwidth bandwidth kbps percent percent Specifies the minimum bandwidth provided to a class belonging to the policy map when there is traffic congestion in the switch If the switch is not congested the class receives more bandwidth than you specify with the bandwidth command By default no bandwidth is specified You can specify the ...

Page 1125: ...map c exit Switch config pmap class prec3 Switch config pmap c bandwidth 100000 Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet1 1 Switch config if service policy output policy11 Switch config if end Switch Switch show policy map policy11 Policy Map policy11 Class prec1 bandwidth 300000 kbps Class prec2 bandwidth 200000 kbps Class prec3 bandwidth 100000 kb...

Page 1126: ...y queue When a priority queue is configured on one class of a policy map only bandwidth remaining is accepted on other classes guaranteeing a minimum bandwidth for other classes from the remaining bandwidth of what is left after using the priority queue When a priority queue is configured with a policer then either bandwidth or bandwidth remaining is accepted on other classes Note Use bandwidth or...

Page 1127: ...sents the number of queue entries in which packets belonging to that class of traffic can be queued The scheduler moves packets from the queue that are ready for transmission based on the queue shape bandwidth and priority configuration The queue limit provides the maximum number of packets that can be in the queue at any given time When the queue is full an attempt to enqueue any further packets ...

Page 1128: ...ched in the egress direction on a physical interface each of the class based queues gets the same number of queue entries from within the dedicated quota for that physical port When a queue is explicitly given a size using the queue limit command the switch tries to allocate all the entries from within the dedicated quota for the interface If the required number of entries is greater than the dedi...

Page 1129: ...ig pmap class shape average cir bps optional_postfix percent percent Enables average rate traffic shaping You can specify the shaping rate in absolute value or as a percentage For cir bps optional_postfix specify the shaping rate in bps Range is 32000 to 10000000000 bps Supply an optional postfix K M G For percent specify the percentage of link rate to shape the class of traffic The range is 1 to ...

Page 1130: ...sk Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config policy map policy map name Creates a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined Step 3 Switch config pmap class class name Specifies the name of the class whose traffic policy you want to create or change and enter p...

Page 1131: ...p c exit Switch config pmap exit Switch config interface gigabitethernet1 1 Switch config if service policy output policy1 Switch config if end Switch Switch show policy map policy1 Policy Map policy1 Class class1 shape average 256000 dbl Transmit Queue Statistics Transmit queue statistics are visible by entering the show policy map interface command Switch show policy map interface gigabitEtherne...

Page 1132: ...igure 44 4 Per Port Per VLAN Topology The following configuration file shows how to perform ingress and egress policing per VLAN using the policy map P31_QOS applied to port Gigabit Ethernet 3 1 ip access list 101 permit ip host 1 2 2 2 any Command Purpose Step 1 Switch config interface fastethernet gigabitethernet tengigabitethernet slot interface Port channel number Selects the interface to conf...

Page 1133: ...assume that interface Gigabit Ethernet 6 1 is a trunk port and belongs to VLANs 20 300 301 and 400 The following example shows how to apply policy map p1 for traffic in VLANs 20 and 400 and policy map p2 to traffic in VLANs 300 through 301 Switch configure terminal Switch config interface gigabitethernet 6 1 Switch config if vlan range 20 400 Switch config if vlan range service policy input p1 Swi...

Page 1134: ...et 6 1 GigabitEthernet6 1 vlan 20 Service policy input p1 Class map c1 match all 0 packets Match cos 1 Match access group 100 police cir 100000000 bps bc 3125000 bytes conformed 0 bytes actions transmit exceeded 0 bytes actions drop conformed 0000 bps exceed 0000 bps Class map class default match any 0 packets Match any GigabitEthernet6 1 vlan 300 Service policy output p2 Class map c1 match all 0 ...

Page 1135: ...rection on different targets In other words it is not possible to police the packets both on port and VLAN in the input direction However the user can police on the input port and on the output VLAN Queuing actions are only allowed in the egress direction and only on the physical port Percentage based actions like policer cannot be configured on a VLAN Port and VLAN PV and EtherChannel Port channe...

Page 1136: ...estriction ensures that if the EtherChannel policy is marking down dscp or cos the marked modified value based classification can be implemented in hardware Note Auto QoS macros with SRND4 generate class maps with more than one type of match These class maps need to be modified to use only with one matching type when applied on EtherChannel member ports Note Classification criteria for the policy ...

Page 1137: ...ueued to a control packet queue that is setup separately from the default queue and has 5 percent of the link bandwidth reserved for it If there is an egress queuing policy on the port the queue is selected based on the classification criteria applicable to the packet Low Priority Packets Packets that are not considered high priority as described previously are considered unimportant These include...

Page 1138: ... config Step 2 Define a flow record to create flows with source address as key Switch config flow record r1 Switch config flow record match ipv4 source address Switch config flow record exit Switch config Step 3 Configure classmap to match on the UserGroup1 and specify flow record definition for flow creation Switch config class map match all c1 Switch config cmap match access group name UserGroup...

Page 1139: ...ig flow record match transport tcp source port Switch config flow record match transport tcp destination port Switch config flow record exit Switch config flow record r2 Switch config flow record match ipv4 source address Switch config flow record exit Switch config Step 3 Configure classmap to match on the UserGroup1 and specify flow record definition for flow creation Switch config class map mat...

Page 1140: ... config policy map p1 Switch config pmap class c1 Switch config pmap c police 1000000 9000 Switch config pmap c exit Switch config pmap exit Switch config interface fastEthernet 6 1 Switch config if service policy input p1 Switch config if end Configuration Guidelines The general guidelines for creating configuring modifying deleting a flow based QoS policy and attaching and detaching a flow based...

Page 1141: ... must include appropriate key fields to ensure flows created from different classmaps are unique and distinct Otherwise the resulting flows from different classmap cannot be distinguished In such cases policy actions corresponding to the classmap which created the first flow in hardware will apply and results will not be always be as expected Flows from traffic received on different QoS targets ar...

Page 1142: ...nfiguring System Queue Limit Note This feature is available only from Cisco IOS Release 15 0 2 SG1 and later and Cisco IOS Release XE 3 2 1SG With the hw module system max queue limit command the Catalyst 4500 series switch allows you to change the queue limit for all interfaces globally instead of applying a policy with queue limit to all the interfaces To set the queue limit globally perform thi...

Page 1143: ...s Switch redundancy reload shelf for redundancy supervisors in SSO mode or Switch redundancy force switchover followed by another redundancy force switchover for redundancy supervisors in RPR mode Configuring QoS on a Standalone Supervisor Engine 6 E 6L E or Supervisor Engine 7 E 7L E 8 E Note HQoS is not supported on the Catalyst 4500 series switch Topics include MQC based QoS Configuration page ...

Page 1144: ... Configuration Guide Release 12 3 Note The incoming traffic is considered trusted by default Only when the trusted boundary feature is enabled on an interface can the port enter untrusted mode In this mode the switch marks the DSCP value of an IP packet and the CoS value of the VLAN tag on the Ethernet frame as 0 Platform supported Classification Criteria and QoS Features The following table provi...

Page 1145: ...er to classify packets table map support Unconditional marking of one packet field based on another packet field priority Gives priority to a class of traffic belonging to a policy map shape Shapes traffic to the indicated bit rate according to the algorithm specified bandwidth Provides a guaranteed minimum bandwidth to each of the eight queues dbl Dynamic buffer limit queue limit Specifies the ma...

Page 1146: ...policy map p1 is applied to interfaces Gig 1 1 and Gig 1 2 1 CAM entry is used one ACE that matches IP packets but 2 policers are allocated one per target So all IP packets with dscp 50 are policed to 1 mbps on interface Gig 1 1 and packets on interface Gig 1 2 are policed to 1 mbps Note With Cisco IOS Release 12 2 46 SG you can issue the match protocol arp command For details see the Catalyst 450...

Page 1147: ... are organized as 8 banks of 2K policers The policer banks are dynamically assigned input or output policer bank by the software depending on the QoS configuration So the 16K policers are dynamically partitioned by software as follows 0 Input Policers and 16K Output Policers 2K Input Policers and 14K Output Policers 4K Input Policers and 12K Output Policers 6K Input Policers and 10K Output Policer...

Page 1148: ... refer to the Cisco IOS documentation at the following link http www cisco com en US docs ios 12_2 qos configuration guide qcfpolsh html Platform Restrictions Platform restrictions include the following Multi policer actions can be specified setting CoS and IP DSCP is supported When unconditional marking and policer based marking exists on the same field cos or dscp or precedence policer based mar...

Page 1149: ...fication traffic marking allows you to mark that is set or change a value attribute for the traffic belonging to a specific class For instance you may want to change the class of service CoS value from 2 to 1 in one class or you may want to change the differentiated services code point DSCP value from 3 to 2 in another class In this module these values are referred to as attributes or marking fiel...

Page 1150: ... in Table 44 4 In this sample configuration the set cos command has been configured in the policy map policy1 to mark the CoS attribute enable configure terminal policy map p1 class class1 set cos 3 end For information on configuring a policy map see the Creating a Policy Map section on page 44 51 The final task is to attach the policy map to the interface For information on attaching the policy m...

Page 1151: ... on page 44 50 The final task is to attach the policy map to the interface For information on attaching the policy map to the interface see the Attaching a Policy Map to an Interface section on page 44 51 Marking Action Drivers A marking action can be triggered based on one of the two QoS processing steps Classification based In this case all the traffic matching a class is marked using either exp...

Page 1152: ...g actions QoS group can be marked only in the input direction and can only support unconditional explicit marking Only explicit marking is supported for policer based marking Multi attribute Marking Support The supervisor engine can mark more than one QoS attribute of a packet matching a class of traffic For example DSCP CoS and QoS group can all be set together using either explicit or tablemap b...

Page 1153: ...engine provides 512 entry marking tables for each direction These are similar to mapping tables available on supervisor engines that support the switch QoS model However these provide an ability to have multiple unique mapping tables that are setup by the user For example the TOS marking table provides marking of DSCP Precedence fields and can be used as one of the following 8 different tablemaps ...

Page 1154: ...h explicit actions for each policer region Switch configure terminal Switch config pmap c policer cir percent 20 pir percent 30 Switch config pmap c policer conform action set cos transmit 3 set dscp transmit 10 Switch config pmap c policer exceed action set cos transmit 4 set dscp transmit 20 Switch config pmap c policer violate action drop Switch show policy map p1 Policy Map police Class ipp5 p...

Page 1155: ...ation The only exception is that system generated control packets are enqueued into control packet queue so that control traffic receives some minimum link bandwidth Queues are assigned when an output policy attached to a port with one or more queuing related actions for one or more classes of traffic Because there are only eight queues per port there can be at most eight classes of traffic includ...

Page 1156: ...de By default no policy maps are defined Step 3 Switch config pmap class class name Specifies the name of the class whose traffic policy you want to create or change and enter policy map class configuration mode By default no traffic classes are defined Step 4 Switch config pmap class shape average cir bps optional_postfix percent percent Enables average rate traffic shaping You can specify the sh...

Page 1157: ...h Switch show policy map queuing policy Policy Map queuing policy Class queuing class Average Rate Traffic Shaping cir 32 Sharing bandwidth The bandwidth assigned to a class of traffic is the minimum bandwidth that is guaranteed to the class during congestion Transmit Queue Sharing is the process by which output link bandwidth is shared among multiple queues of a given port The supervisor engine s...

Page 1158: ...ce gigabitethernet1 1 Switch config if service policy output policy11 Step 4 Switch config pmap class bandwidth bandwidth kbps percent percent Specifies the minimum bandwidth provided to a class belonging to the policy map when there is traffic congestion in the switch If the switch is not congested the class receives more bandwidth than you specify with the bandwidth command By default no bandwid...

Page 1159: ...ap c bandwidth 200000 Switch config pmap c exit Switch config pmap class prec3 Switch config pmap c bandwidth 100000 Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet1 1 Switch config if service policy output policy11 Switch config if end Switch Switch show policy map policy11 Policy Map policy11 Class prec1 bandwidth 300000 kbps Class prec2 bandwidth 200000...

Page 1160: ...ckets enqueued to the strict priority queue When a priority queue is configured on one class of a policy map only bandwidth remaining is accepted on other classes guaranteeing a minimum bandwidth for other classes from the remaining bandwidth of what is left after using the priority queue When a priority queue is configured with a policer then either bandwidth or bandwidth remaining is accepted on...

Page 1161: ... with a default size This size represents the number of queue entries in which packets belonging to that class of traffic can be queued The scheduler moves packets from the queue that are ready for transmission based on the queue shape bandwidth and priority configuration The queue limit provides the maximum number of packets that can be in the queue at any given time When the queue is full an att...

Page 1162: ...ce policy with queuing actions is configured but no explicit queue limit command is attached in the egress direction on a physical interface each of the class based queues gets the same number of queue entries from within the dedicated quota for that physical port When a queue is explicitly given a size using the queue limit command the switch tries to allocate all the entries from within the dedi...

Page 1163: ...ap class configuration mode By default no traffic classes are defined Step 4 Switch config pmap class shape average cir bps optional_postfix percent percent Enables average rate traffic shaping You can specify the shaping rate in absolute value or as a percentage For cir bps optional_postfix specify the shaping rate in bps Range is 32000 to 10000000000 bps Supply an optional postfix K M G For perc...

Page 1164: ...nters global configuration mode Step 2 Switch config policy map policy map name Creates a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined Step 3 Switch config pmap class class name Specifies the name of the class whose traffic policy you want to create or change and enter policy map class configuration mode By default no traf...

Page 1165: ... config pmap c dbl Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet1 1 Switch config if service policy output policy1 Switch config if end Switch Switch show policy map policy1 Policy Map policy1 Class class1 shape average 256000 dbl Transmit Queue Statistics Transmit queue statistics are visible by entering the show policy map interface command Switch show...

Page 1166: ...ecedence to voice packet over data Figure 44 6 Per Port Per VLAN Topology The following configuration file shows how to perform ingress and egress policing per VLAN using the policy map P31_QOS applied to port Gigabit Ethernet 3 1 ip access list 101 permit ip host 1 2 2 2 any Command Purpose Step 1 Switch config interface fastethernet gigabitethernet tengigabitethernet slot interface Port channel ...

Page 1167: ...icy output P32_QoS Example 2 Let us assume that interface Gigabit Ethernet 6 1 is a trunk port and belongs to VLANs 20 300 301 and 400 The following example shows how to apply policy map p1 for traffic in VLANs 20 and 400 and policy map p2 to traffic in VLANs 300 through 301 Switch configure terminal Switch config interface gigabitethernet 6 1 Switch config if vlan range 20 400 Switch config if vl...

Page 1168: ...ow policy map interface gigabitEthernet 6 1 GigabitEthernet6 1 vlan 20 Service policy input p1 Class map c1 match all 0 packets Match cos 1 Match access group 100 police cir 100000000 bps bc 3125000 bytes conformed 0 bytes actions transmit exceeded 0 bytes actions drop conformed 0000 bps exceed 0000 bps Class map class default match any 0 packets Match any GigabitEthernet6 1 vlan 300 Service polic...

Page 1169: ...erformed multiple times in a given direction on different targets In other words it is not possible to police the packets both on port and VLAN in the input direction However the user can police on the input port and on the output VLAN Queuing actions are only allowed in the egress direction and only on the physical port Percentage based actions like policer cannot be configured on a VLAN Port and...

Page 1170: ...nnel policy is marking down dscp or cos the marked modified value based classification can be implemented in hardware Note Classification criteria for the policy map on the physical member ports cannot be modified to add a new type of field Auto QoS is not supported on EtherChannel or its member ports A physical port configured with Auto QoS is not allowed to become a member of a physical port Sof...

Page 1171: ... policy on the port the queue is selected based on the classification criteria applicable to the packet Low Priority Packets Packets that are not considered high priority as described previously are considered unimportant These include locally sourced pings telnet and other protocol packets They undergo the same treatment as any other packet that is transiting the given transmit port including egr...

Page 1172: ...exit Switch config Step 2 Define a flow record to create flows with source address as key Switch config flow record r1 Switch config flow record match ipv4 source address Switch config flow record exit Switch config Step 3 Configure classmap to match on the UserGroup1 and specify flow record definition for flow creation Switch config class map match all c1 Switch config cmap match access group nam...

Page 1173: ...ipv4 destination address Switch config flow record match transport tcp source port Switch config flow record match transport tcp destination port Switch config flow record exit Switch config flow record r2 Switch config flow record match ipv4 source address Switch config flow record exit Switch config Step 3 Configure classmap to match on the UserGroup1 and specify flow record definition for flow ...

Page 1174: ...rd r1 Switch config cmap exit Switch config policy map p1 Switch config pmap class c1 Switch config pmap c police 1000000 9000 Switch config pmap c exit Switch config pmap exit Switch config interface fastEthernet 6 1 Switch config if service policy input p1 Switch config if end Configuration Guidelines The general guidelines for creating configuring modifying deleting a flow based QoS policy and ...

Page 1175: ... Flow records within the same policy must include appropriate key fields to ensure flows created from different classmaps are unique and distinct Otherwise the resulting flows from different classmap cannot be distinguished In such cases policy actions corresponding to the classmap which created the first flow in hardware will apply and results will not be always be as expected Flows from traffic ...

Page 1176: ...tEthernet2 6 switchport mode trunk Configuring System Queue Limit Note This feature is available only from Cisco IOS Release 15 0 2 SG1 and later and Cisco IOS Release XE 3 2 1SG With the hw module system max queue limit command the Catalyst 4500 series switch allows you to change the queue limit for all interfaces globally instead of applying a policy with queue limit to all the interfaces To set...

Page 1177: ...rvisors Switch redundancy reload shelf for redundancy supervisors in SSO mode or Switch redundancy force switchover followed by another redundancy force switchover for redundancy supervisors in RPR mode Configuring VSS Auto QoS Auto QoS Overview page 44 81 Auto QoS Policy and Class Maps page 44 82 Auto Qos Compact page 44 87 Effects of Auto QoS and Auto Qos Compact on Running Configuration page 44...

Page 1178: ...is a two way street So it might work in one direction and not in the other Auto QoS Policy and Class Maps There are 7 policy maps that must be defined 5 Input 2 output on all ports AutoQos 4 0 Input Policy AutoQos VoIP Input Cos Policy AutoQos VoIP Input Dscp Policy AutoQos 4 0 Cisco Phone Input Policy AutoQos 4 0 Output Policy AutoQos 4 0 Cisco Softphone Input Policy AutoQos VoIP Output Policy Th...

Page 1179: ...match access group name AutoQos 4 0 ACL Bulk Data class map match all AutoQos 4 0 Scavenger Classify match access group name AutoQos 4 0 ACL Scavenger class map match all AutoQos 4 0 Default Classify match access group name AutoQos 4 0 ACL Default for interfaces with video devices class map match any AutoQos 4 0 VoIP match dscp ef match cos 5 class map match all AutoQos 4 0 Broadcast Vid match dsc...

Page 1180: ...lass AutoQos 4 0 VoIP class AutoQos 4 0 Broadcast Vid class AutoQos 4 0 Realtime Interact class AutoQos 4 0 Network Ctrl class AutoQos 4 0 Internetwork Ctrl class AutoQos 4 0 Signaling class AutoQos 4 0 Network Mgmt class AutoQos 4 0 Multimedia Conf class AutoQos 4 0 Multimedia Stream class AutoQos 4 0 Transaction Data class AutoQos 4 0 Bulk Data class AutoQos 4 0 Scavenger policy map AutoQos 4 0 ...

Page 1181: ... dscp af41 set cos 4 class AutoQos 4 0 Signaling Classify set dscp cs3 set cos 3 class AutoQos 4 0 Transaction Classify set dscp af21 set cos 2 class AutoQos 4 0 Bulk Data Classify set dscp af11 set cos 1 class AutoQos 4 0 Scavenger Classify set dscp cs1 set cos 1 class AutoQos 4 0 Default Classify set dscp default set cos 0 The output policy maps are as follows policy map AutoQos 4 0 Output Polic...

Page 1182: ...utput AutoQos VoIP Output Policy The selection of the input policy depends on whether the port is Layer 2 or Layer 3 For Layer 2 the policy trusts the Cos setting in the received packets For Layer 3 ports it relies on the DSCP value contained in the packets For phone connected ports the no auto qos voice cisco phone command is used to apply the following service policy to the port qos trust device...

Page 1183: ...uired task when have to perform an ISSU from an image where auto QoS compact is supported to an image where this feature is not available The following example shows you how to enable auto qos compact and configure the auto qos voip cisco phone interface configuration command and then display configuration details Switch configure terminal Switch config auto qos global compact Switch config interf...

Page 1184: ...e user modifications are overridden when the switch reloads Configuring Auto QoS on a Standalone Supervisor Engine 6 E 6L E or Supervisor Engine 7 E 7L E 8 E Auto QoS Overview page 44 88 Auto QoS Policy and Class Maps page 44 89 Auto QoS Compact page 44 96 Effects of Auto QoS and Auto Qos Compact on Running Configuration page 44 97 Auto QoS Overview Note Auto QoS cannot be applied to VLANs or Ethe...

Page 1185: ...s follows for control traffic between the phone and the callmanager and phone to phone Bearer DSCP matching Note Control traffic can be either AF31 or CS3 So we match to both values and assign them to different qos groups when matching DSCP and only a single group when matching COS class map match all AutoQos VoIP Control Dscp26 match dscp af31 class map match all AutoQos VoIP Control Dscp24 match...

Page 1186: ...ch dscp cs5 class map match all AutoQos 4 0 Realtime Interact match dscp cs4 class map match all AutoQos 4 0 Network Ctrl match dscp cs7 class map match all AutoQos 4 0 Internetwork Ctrl match dscp cs6 class map match any AutoQos 4 0 Signaling match dscp cs3 match cos 3 class map match all AutoQos 4 0 Network Mgmt match dscp cs2 class map match any AutoQos 4 0 Multimedia Conf match dscp af41 match...

Page 1187: ... Signaling set qos group 16 Class AutoQos 4 0 Network Mgmt set qos group 16 Class AutoQos 4 0 Multimedia Conf set qos group 34 Class AutoQos 4 0 Multimedia Stream set qos group 26 Class AutoQos 4 0 Transaction Data set qos group 18 Class AutoQos 4 0 Bulk Data set qos group 10 Class AutoQos 4 0 Scavenger set qos group 8 Policy Map AutoQos 4 0 Cisco Phone Input Policy Class AutoQos 4 0 VoIP Data Cos...

Page 1188: ... set cos 3 set qos group 16 police cir 32000 bc 8000 conform action transmit exceed action drop Class AutoQos 4 0 Transaction Classify set dscp af21 set cos 2 set qos group 18 police cir 10000000 bc 8000 conform action transmit exceed action set dscp transmit cs1 exceed action set cos transmit 1 Class AutoQos 4 0 Bulk Data Classify set dscp af11 set cos 1 set qos group 10 police cir 10000000 bc 80...

Page 1189: ... and assigned to a qos group goes into the class default queue for control traffic CS3 and AF31 class map match all AutoQos VoIP Control QosGroup24 match qos group 24 class map match all AutoQos VoIP Control QosGroup26 match qos group 26 For phone to phone Bearer EF traffic class map match all AutoQos VoIP Bearer QosGroup match qos group 46 For softphone Class Map match any AutoQos 4 0 Scavenger Q...

Page 1190: ...Qos 4 0 Bulk Data Queue match qos group 10 class map match any AutoQos 4 0 Scavenger Queue match qos group 8 match dscp cs1 The output policy maps are as follows Each class maps to a different qos group with class default taking any traffic not assigned to a qos group Note in this example the outbound policy map drops voice packets when the priority queue exceeds 33 utilization of the link Each de...

Page 1191: ... VoIP Output Policy This policy map is applied as an output policy for any port on which auto QoS is configured establishing policy governing egress traffic on the port based on whether it is voice data or control traffic The purpose of the input policy maps is to identify voice data or control traffic and mark it as such as it traverses the switch The output policy map matches the packets on the ...

Page 1192: ...ify Generates QoS configuration for untrusted interfaces It applies a service policy to classify the traffic stemming from untrusted desktops or devices and marks them accordingly The service policies generated do not police Auto QoS Compact When you enter an auto QoS command the switch goes on to display all the generated commands as if the commands were entered from the CLI Enable auto QoS compa...

Page 1193: ...auto QoS interface configuration commands and the generated global configurations are added to the running configuration When you save this configuration all generated commands and any user entered configuration that was not overridden is saved to memory If auto QoS compact is enabled only the list of auto QoS commands you have entered are displayed in the running configuration The generated globa...

Page 1194: ...es Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 44 Configuring Quality of Service Configuring Auto QoS on a Standalone Supervisor Engine 6 E 6L E or Supervisor Engine 7 E 7L E 8 E ...

Page 1195: ...ire a CPU intensive deep packet inspection DPI Since traffic classification is by means of a DNS request and not DPI this feature is compatible in scenarios where network traffic is encrypted Metadata Driven Using information about applications This enables you to holistically program the network so it behaves like a self driving car You now have information about all the required applications in ...

Page 1196: ...plications the network traffic belongs to or which domains are being requested As long as the traffic is part of the trusted list the switch requests the DNS server for metadata and IP address information This request is sent in the form of a DNS query The response once received is cached locally until the Time to Live TTL for that resource record expires The response is bound to the traffic and a...

Page 1197: ... responses the other being the TXT record and has a predefined lifespan A forward lookup request from a host is a request for an A record TXT DNS AS resource record or TXT record A record containing metadata This is one of the DNS Server responses the other being the A record and has a predefined lifespan A TXT record is limited to 255 characters For AVC with DNS AS the TXT attribute is always CIS...

Page 1198: ...uests based on the trusted domain list finds the host s forward look up request Note The DNS AS client receives a copy of the host s A record request and does not alter the host s original request in any manner Based on the snooped result the DNS AS client sends a TXT request to the authoritative DNS server Step 2 The authoritative DNS server responds with a TXT record response Step 3 A successful...

Page 1199: ...ional user configuration is required The binding table entries are synchronized when The standby comes up bulk synchronization New entries are added to the binding table database One or more entries are cleared from the database Note AVC with DNS AS is also supported in the VSS mode and Quad Supervisor VSS Mode 1 Host 3 Authoritative DNS Server 2 DNS AS Client An A record request from the host to ...

Page 1200: ...logging or snooping you must attach the policy map to the interface by using the service policy input command You have maintained metadata in the authoritative DNS server and reachability exists before you enable AVC with DNS AS Restrictions and Guidelines for Configuring AVC with DNS AS Only a forward look up is supported Two DNS servers are supported in case of a failover One is considered the p...

Page 1201: ...nd saved on the local authoritative DNS server You configure application classification information for each trusted domain in a prescribed format a metadata stream This is the information that the server propagates to switches when queried for application metadata When the switch sends a TXT query regarding an application the DNS server sends the relevant metadata in the TXT response To generate ...

Page 1202: ...the next twenty four bits Classification Engine ID Defines the context for the selector ID Only these engine IDs are allowed L3 IANA layer 3 protocol number L4 IANA layer 4 well known port number L7 Cisco global application ID CU Custom protocol Use this engine ID for custom application names Selector ID An application identifier for a given classification engine ID Enter a numeric value between 1...

Page 1203: ...corresponding TXT Resource Record of the DNS server in charge of the DNS domain that you have marked as a trusted domain Copy and paste the metadata stream from the website to the authoritative DNS server you are using Command or Action Purpose Command or Action Purpose Step 1 configure terminal Example Switch configure terminal Enters global configuration mode Step 2 ip name server server address...

Page 1204: ...e relevant class maps that will determine traffic class to the interface by using the service policy input command For more information see Configuring QoS for AVC with DNS AS page 45 11 Command or Action Purpose Step 1 configure terminal Example Switch configure terminal Enters global configuration mode Step 2 no avc dns as client trusted domains Example Switch config avc dns as client trusted do...

Page 1205: ...rotocol attribute traffic class voip telephony match protocol attribute business relevance business relevant class map match all BROADCAST VIDEO match protocol attribute traffic class broadcast video match protocol attribute business relevance business relevant class map match all REAL TIME INTERACTIVE match protocol attribute traffic class real time interactive match protocol attribute business r...

Page 1206: ...NGER set dscp cs1 class class default set dscp default App Class and QoS Traffic Mapping The following table shows how the app class field in the metadata stream maps to the 12 class Easy QoS Model of traffic classification Note The DNS AS client applies default forwarding behavior in these cases If the match attributes that you specify for the traffic class and business relevance do not match wha...

Page 1207: ...rity Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config policy map MARKING Switch config pmap class NETWORK CONTROL Switch config pmap c set dscp ef Switch config pmap c end Switch app class REALTIME INTERACTIVE app class RTI Traffic class real time interactive Business relevance YES app class MULTIMEDIA CONFERENCING app class MMC Traffic class multim...

Page 1208: ... Ex Chapter 45 Configuring AVC with DNS AS Configuring AVC with DNS AS Attach the policy map to an interface Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface tengigabitethernet 1 0 1 Switch config if service policy input MARKING Switch config if end ...

Page 1209: ...action with DNS AS With every flow that is created in the flow table the DNS AS client resolves the application name for the flow if the entry exists in the binding table by using the destination IP address and if not available the source IP address At periodic configured intervals 600 seconds by default FNF exports option template data that is mapped to the corresponding application name to an ex...

Page 1210: ...tes Enables the collector to map the application names from the option application table to their attributes Attributes are statically assigned to each protocol or application and are not dependent on traffic For standard applicatons Application Tag Guidelines that apply this field as part of the option application table template apply here as well Category Groups applications based on the first l...

Page 1211: ...e FNF Configuration for AVC with DNS AS The following example shows how you can configure FNF for AVC with DNS AS 1 Create a flow record As in the example you must configure The source and destination IP addresses as key fields in order to resolve application names The use of the application name as a nonkey field in flow record Additionally not mandatory you can also configure the number of bytes...

Page 1212: ... sent 2 924 bytes Client send statistics Client Option options application name Records added 4 sent 4 Bytes added 332 sent 332 Client Option options application attributes Records added 2 sent 2 Bytes added 388 sent 388 3 Create a flow monitor and apply it to an interface to perform network traffic monitoring The interface you apply the flow monitor to can also be the same interface you have appl...

Page 1213: ...ESTINATION ADDRESS 203 0 113 125 counter packets long 445 application name appexample2 IPV4 SOURCE ADDRESS 192 51 51 51 IPV4 DESTINATION ADDRESS 203 0 113 100 counter packets long 14325 application name appexample3 Switch 4 Other related show commands Switch show avc dns as client binding table detail DNS AS generated protocols Max number of protocols 50 Customization interval min N A Age The amou...

Page 1214: ..._GLOBAL ID 13 appID Name Description 13 0 unclassified Unclassified traffic 13 1 unknown Unknown application 13 518 appexample2 appexample2 social web application and service Monitoring AVC with DNS AS To display the various AVC with DNS AS settings you have configured use these show commands in the privileged EXEC mode Table 45 2 AVC with DNS AS Monitoring Commands Command Purpose Example show av...

Page 1215: ...r of DNS queries sent and the number of responses received Example show avc dns as client statistics show avc dns as client name server brief Displays information about the DNS server to which the metadata request was sent Example show avc dns as client name server brief show ip name server Displays all the name server IP addresses that have been maintained Example show ip name server Table 45 2 A...

Page 1216: ...ient binding table detailed DNS AS generated protocols Max number of protocols 50 Customization interval min N A Age The amount of time that the entry is active TTL Time to live which was learned from DNS AS server Time To Expire Entry expiration time in case device does not see DNS traffic for the entry host Protocol Name example VRF default Host www example com Age min 2 TTL min 60 Time To Expir...

Page 1217: ...s 0 Server details vrf id 0 vrf name default ip 192 0 2 2 AAAA Query Error packets 0 AAAA Query TX packets 0 AAAA Response RX packets 0 TXT Query Error packets 0 TXT Query TX packets 2 TXT Response RX packets 2 A Query Error packets 0 A Query TX packets 4 A Response RX packets 2 Total Drop packets 0 avc_dns_as_pkts_logged 2 avc_dns_as_q_pkts_processed 2 Back to Table 45 2 Example show avc dns as c...

Page 1218: ... with DNS AS section The DNS server does not return correct values Verify that the correct DNS AS metadata is maintained in the DNS system Using Linux dig dig TXT short www example org dns server ip CISCO CLS app name example app class TD business YES app id CU 28 202 Using Windows nslookup C Windows system32 NSLookup exe q TXT www example org dns server ip www example org text CISCO CLS app name ...

Page 1219: ... to a Cisco 7960 IP Phone and carry IP voice traffic If necessary the switch can supply electrical power to the circuit connecting it to the Cisco 7960 IP Phone Because the sound quality of an IP telephone call can deteriorate if the data is unevenly sent the switch uses quality of service QoS based on IEEE 802 1p class of service CoS QoS uses classification and scheduling to transmit network traf...

Page 1220: ...IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP phone See Figure 46 1 You can configure Layer 2 access ports on the switch to send CDP packets that instruct the attached phone to configure the phone access port in one of these modes In trusted mode all traffic received using the access port on the Cisco IP phone passes using the phone unchanged In...

Page 1221: ...ort to receive voice and data traffic from a Cisco IP phone on different VLANs perform this task Command Purpose Step 1 Switch configure terminal Enters configuration mode Step 2 Switch config interface fastethernet gigabitethernet slot port Specifies the interface to configure Step 3 Switch config if switchport voice vlan dot1p Instructs the switch to use 802 1p priority tagging for voice traffic...

Page 1222: ...nistrative Native VLAN tagging enabled Voice VLAN 2 VLAN0002 Administrative private vlan host association none Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private vlan trunk normal VLANs none Administrative private vlan t...

Page 1223: ... switch does not supply it You can configure the switch not to supply power to the Cisco 7960 IP Phone and to disable the detection mechanism For information on the CLI commands that you can use to supply PoE to a Cisco 7960 IP Phone see Chapter 15 Configuring Power over Ethernet Command Purpose Step 1 Switch configure terminal Enters configuration mode Step 2 Switch config interface fastethernet ...

Page 1224: ...46 6 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 46 Configuring Voice Interfaces Configuring Power ...

Page 1225: ...Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Private VLANs The private VLAN PVLAN feature addresses two problems that service providers face when using VLANs The switch supports up to 4094 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support T...

Page 1226: ... with each other at the Layer 2 level Community VLANs Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level Twoway Community VLANs Bidirectional VLAN Ports within a twoway community VLAN can communicate with each other but not with communities or twoway communities at the Layer 2 level Note Beginning with Cisco IOS...

Page 1227: ...Director to connect an isolated VLAN or a number of community or twoway community VLANs to the server LocalDirector can load balance the servers present in the isolated community or twoway community VLANs or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation PVLAN Terminology The following table defines the key terms used in this chapter T...

Page 1228: ...PVLANs Packets are received and transmitted with secondary or regular VLAN tags on the PVLAN trunk ports Note Only IEEE 802 1q encapsulation is supported Promiscuous Port A promiscuous port belongs to the primary VLAN and can communicate with all interfaces including the community and isolated host ports and PVLAN trunk ports that belong to the secondary VLANs associated with the primary VLAN Prom...

Page 1229: ...s is that traffic from an isolated port in switch A does not reach an isolated port on Switch B See Figure 47 2 To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as PVLANs configure PVLANs on all intermediate devices including devices that have no private VLAN ports Note Trunk ports carry traffic from regular VLANs and also from primary isol...

Page 1230: ...or for multiple PVLAN domains This makes it useful for connecting a downstream switch that does not support PVLANs such as Catalyst 2950 Figure 47 3 Isolated PVLAN Trunk Ports In this illustration a Catalyst 4500 switch is being used to connect a downstream switch that does not support PVLANs Traffic being sent in the downstream direction towards host1 from the router is received by the Catalyst 4...

Page 1231: ...uous trunks are used in situations where one would normally use a PVLAN promiscuous host port but where it is necessary to carry multiple VLANs either normal VLANs or for multiple PVLAN domains This makes it useful for connecting an upstream router that does not support PVLANs such as a Cisco 7200 Figure 47 4 Promiscuous PVLAN Trunk Ports In Figure 47 4 a Catalyst 4500 series switch connects a PVL...

Page 1232: ...nt VLAN All untagged packets are forwarded in the native VLAN Either the primary VLANs or a regular VLAN can be configured as the native VLAN No default native VLAN set exists on an isolated secondary trunks All untagged packets are dropped if no native VLAN is configured Community and twoway community VLANs cannot be propagated or carried over PVLAN trunks For IGMP Snooping IGMP reports are learn...

Page 1233: ... When a packet is transmitted out of a promiscuous trunk port the packet could logically belong to secondary VLAN if received from a secondary port or in primary VLAN if bridged from another promiscuous port Because we cannot differentiate between both packets all VLAN QoS policies are ignored on packets egressing promiscuous trunk ports PVLANs and Unicast Broadcast and Multicast Traffic In regula...

Page 1234: ... this subnet is the IP subnet address of the entire PVLAN Per Virtual Port Error Disable on PVLANs For PVLANs per virtual port error disable behavior is defined as follows On a PVLAN promiscuous or promiscuous trunk ports if a violation occurs on the primary VLAN it is error disabled On a PVLAN host or trunk port if a violation occurs on the secondary VLAN the associated primary VLAN is error disa...

Page 1235: ...to selected secondary VLANs Configuring a Layer 2 Interface as a PVLAN Promiscuous Port page 47 17 Configuring a Layer 2 Interface as a Promiscuous PVLAN Trunk Port page 47 21 Switch config if switchport private vlan host association primary_vlan_ID secondary_vlan_ID Associates the Layer 2 interface with a PVLAN Note You can associate only one primary secondary VLAN pair to the isolated port Confi...

Page 1236: ...ost or trunk port See the Configuring a Layer 2 Interface as a PVLAN Host Port section on page 47 18 and Configuring a Layer 2 Interface as an Isolated PVLAN Trunk Port section on page 47 19 Step 6 Associate the isolated port or community port to the primary secondary VLAN pair See the Associating a Secondary VLAN with a Primary VLAN section on page 47 16 Step 7 Configure an interface as a promisc...

Page 1237: ...ry VLAN ACL and QoS are applied on egress unicast routed traffic stemming from the integrated router port You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that VLAN with its primary VLAN PVLAN ports can be on different network devices as long as the devices are trunk connected and the primary and secondary VLANs remain associated with the trunk Isolated po...

Page 1238: ...he no arp command then overwrite the entry with the arp command In a DHCP environment if you shut down your PC it is not possible to give your IP address to someone else To solve this problem the Catalyst 4500 series switch supports the no ip sticky arp command This command promotes IP address overwriting and reuse in a DHCP environment Normal VLANs can be carried on a promiscuous or isolated trun...

Page 1239: ...onfig vlan end Switch show vlan private vlan Primary Secondary Type Interfaces 202 primary 303 community This example shows how to configure VLAN 440 as an isolated VLAN and verify the configuration Switch configure terminal Switch config vlan 440 Switch config vlan private vlan isolated Switch config vlan end Switch show vlan private vlan Primary Secondary Type Interfaces 202 primary 303 communit...

Page 1240: ...eter can contain only one isolated VLAN ID Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to associate secondary VLANs with a primary VLAN Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN The command does not take effect until you exit VLAN configuration submode This example shows how to associate c...

Page 1241: ...LAN promiscuous port note the following The secondary_vlan_list parameter cannot contain spaces It can contain multiple comma separated items Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the PVLAN promiscuous port Command Purpose Step 1 Switch configure terminal Ente...

Page 1242: ...Promiscuous Mapping 200 VLAN0200 2 VLAN0002 Private VLAN Trunk Native VLAN none Administrative Private VLAN Trunk Encapsulation dot1q Administrative Private VLAN Trunk Normal VLANs none Administrative Private VLAN Trunk Private VLANs none Operational Private VLANs 200 VLAN0200 2 VLAN0002 Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Capture Mode Disabled Capture VLANs Allowed ALL Configu...

Page 1243: ... Negotiation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Voice VLAN none Appliance trust none Administrative Private Vlan Host Association 202 VLAN0202 440 VLAN0440 Promiscuous Mapping none Trunk encapsulation dot1q Trunk vlans Operational private vlan s 202 VLAN0202 440 VLAN0440 Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Capture Mode Disabled Captur...

Page 1244: ...port with a PVLAN Note Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs If an association is specified for the existing primary VLAN the existing association is replaced If there is no trunk association any packets received on secondary VLANs are dropped You can use the no keyword to delete all associations from the primary VLAN...

Page 1245: ... vlan mapping trunk command is 500 For example 500 isolated secondary VLANs could map to 500 primary VLANs because only one isolated VLAN association per primary VLAN is supported Or 500 community secondary VLANs could map to one primary VLAN Or 250 community secondary VLANs could map to 1 primary VLAN and another 250 community secondary VLANs could map to another primary VLAN for a total of 500 p...

Page 1246: ...move keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port This example shows how to configure interface FastEthernet 5 2 as a promiscuous trunk port and to verify the configuration Switch configure terminal Switch config interface fastethernet 5 2 Switch config if switchport mode private vlan trunk promiscuous Switch config if switchport pr...

Page 1247: ...AN Use the remove keyword with a secondary_vlan_list parameter to clear the mapping between secondary VLANs and the primary VLAN This example shows how to permit routing of secondary VLAN ingress traffic from PVLANs 303 through 307 309 and 440 and verify the configuration Switch configure terminal Switch config interface vlan 202 Switch config if private vlan mapping add 303 307 309 440 Switch con...

Page 1248: ...7 27 Configuring a Layer 2 Etherchannel as a Promiscuous PVLAN Trunk Port page 47 28 Configuring a Layer 2 EtherChannel Do the following Step 1 Configure a VLAN as a PVLAN Refer to the URL http www cisco com en US docs switches lan catalyst4500 12 2 01xo configuration guide pvlans ht ml wp1174853 Step 2 Associate a secondary VLAN with a primary VLAN Refer to the URL http www cisco com en US docs s...

Page 1249: ...faces port channel 63 switchport Name Po63 Switchport Enabled Administrative Mode private vlan promiscuous Operational Mode private vlan promiscuous Administrative Trunking Encapsulation negotiate Operational Trunking Encapsulation native Negotiation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Voice VLAN none Administrative Private VLAN Host Association none Admi...

Page 1250: ...e VLAN 1 default Trunking Native Mode VLAN 1 default Voice VLAN none Appliance trust none Administrative Private Vlan Host Association 202 VLAN0202 440 VLAN0440 Promiscuous Mapping none Trunk encapsulation dot1q Trunk vlans Operational private vlan s 202 VLAN0202 440 VLAN0440 Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Capture Mode Disabled Capture VLANs Allowed ALL Command Purpose Ste...

Page 1251: ...tiple secondary VLANs If an association is specified for the existing primary VLAN the existing association is replaced If there is no trunk association any packets received on secondary VLANs are dropped You can use the no keyword to delete all associations from the primary VLAN Step 5 Switch config if no switchport private vlan trunk allowed vlan vlan_list all none add remove except vlan_atom vl...

Page 1252: ... vlan trunk native VLAN 10 Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulation dot1q Administrative private vlan trunk normal VLANs none Administrative private vlan trunk associations 3 VLAN0003 301 VLAN0301 Administrative private vlan trunk mappings none Operational private vlan none Operational Normal VLANs none Trunking VLANs Enabled ALL...

Page 1253: ...hport private vlan mapping trunk 2 Remove the mapping of a PVLAN promiscuous trunk port to all previously configured primary VLANs and all of their selected secondary VLANs For example Switch config if no switchport private vlan mapping trunk When you configure a Layer 2 etherchannel as a PVLAN promiscuous trunk port observe that multiple private VLAN pairs can be specified with the switchport pri...

Page 1254: ...1q Negotiation of Trunking On Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association none Administrative private vlan mapping none Administrative private vlan trunk native VLAN 10 Administrative private vlan trunk Native VLAN tagging enabled Administrative private vlan trunk encapsulatio...

Page 1255: ...ownlink ports on a switch can run Cisco TrustSec MACsec link layer switch to switch security Cisco TrustSec and Cisco SAP are meant only for switch to switch links and are not supported on switch ports connected to end hosts such as PCs or IP phones MKA is supported on both switch to host facing links and switch to switch links as well Host facing links typically use flexible authentication orderi...

Page 1256: ...d by MKA The switch compares that ICV to the ICV within the frame If they are not identical the frame is dropped The switch also encrypts and adds an ICV to any frames sent over the secured port the access point used to provide the secure MAC service to a client using the current session key The MKA Protocol manages the encryption keys used by the underlying MACsec protocol The basic requirements ...

Page 1257: ... of 0 30 or 50 bytes for each physical interface Replay protection You can configure MACsec window size as defined by the number of out of order frames that are accepted This value is used while installing the security associations in the MACsec A value of 0 means that frames are accepted only in the correct order Key Lifetime and Hitless Key Rollover A MACsec key chain MKA can have multiple pre s...

Page 1258: ...rts You use virtual ports for multiple secured connectivity associations on a single physical port Each connectivity association pair represents a virtual port with a maximum of two virtual ports per physical port Only one of the two virtual ports can be part of a data VLAN the other must externally tag its packets for the voice VLAN You cannot simultaneously host secured and unsecured sessions in...

Page 1259: ...10 802 multiple host mode a port is open or closed based on a single authentication If one user the primary secured client services client host is authenticated the same level of network access is provided to any host connected to the same port If a secondary host is a MACsec supplicant it cannot be authenticated and traffic would no flow A secondary host that is a non MACsec host can send traffic...

Page 1260: ...s 0 CA Statistics Pairwise CAKs Derived 32 Pairwise CAK Rekeys 31 Group CAKs Generated 0 Group CAKs Received 0 SA Statistics SAKs Generated 32 SAKs Rekeyed 31 SAKs Received 0 SAK Responses Received 32 MKPDU Statistics MKPDUs Validated Rx 580 Distributed SAK 0 Distributed CAK 0 MKPDUs Transmitted 597 Distributed SAK 32 Distributed CAK 0 MKA Error Counter Totals Bring up Failures 0 Reauthentication ...

Page 1261: ... MKA policy relay policy Switch config mka policy replay policy Switch config mka policy replay protection window size 300 Switch config mka policy end Let s say that we configure an MKA policy as follows Switch conf terminal Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 mka policy policy name Identifies an MKA policy and enter MKA policy configuration mode The ...

Page 1262: ...ely after the SA source MAC address Replay protect is YES with window size 0 Frames cannot come out of order Configuring MACsec on an Interface To configure MACsec on an interface with one MACsec session for voice and one for data perform this task Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Identifies the MACsec interface and enter inte...

Page 1263: ...main Oper control dir both Authorized By Authentication Server Vlan Policy 10 Session timeout 3600s server Remaining 3567s Timeout action Reauthenticate Idle timeout N A Common Session ID 0A05783B0000001700448BA8 Acct Session ID 0x00000019 Handle 0x06000017 Runnable methods list Method State dot1x Authc Success Step 10 mka policy policy name Applies an existing MKA protocol policy to the interface...

Page 1264: ... Chain K1 to another Key Chain K2 Note We recommend that you configure keys such that there is an overlap between the lifetime of the keys so that CAK rekey is successful and there is a seamless transition between the keys CA without any traffic loss or session restart Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 key chain key chain name macsec Configures a key...

Page 1265: ...w MKA session is triggered with this key Upon success session will be Secured and UP for infinite time Understanding MKA MACsec with EAP TLS Beginning in Cisco IOS XE Release 3 9 0E MKA MACsec is supported on switch to switch links on Cisco Catalyst 4500 X series switches and Cisco Catalyst 4500 E series switches with Supervisor Engine 8 E Using IEEE 802 1X Port based Authentication with Extensibl...

Page 1266: ...generates a certificate request and forwards it to the CA 3 The CA receives the certificate enrollment request and depending on your network configuration one of the following options occurs Manual intervention is required to approve the request The end host is configured to automatically request a certificate from the CA Thus operator intervention is no longer required at the time the enrollment ...

Page 1267: ...s of 1024 is used You can specify other modulus sizes with the modulus keyword Step 3 end Returns to privileged EXEC mode Step 4 show crypto key mypubkey rsa Optional Displays the RSA public keys of your device This step allows you to verify that the RSA key pair has been successfully generated Step 5 copy running config startup config Optional Saves your entries in the configuration file Command ...

Page 1268: ...er the key pair is exportable RSA key pair associated with trustpoint is exportable It is recommended that a new key pair be generated for security reasons Step 9 crypto pki authenticate name Retrieves the CA certificate and authenticates it Step 10 exit Exits Global Configuration mode Step 11 show crypto pki certificate trustpoint name Displays information about the certificate for the trust poin...

Page 1269: ...ify whether to include the device FQDN and IP address in the certificate request You are also given the choice about displaying the certificate request to the console terminal The base 64 encoded certificate with or without PEM headers as requested is displayed Step 11 crypto pki import name certificate Imports a certificate via TFTP at the console terminal which retrieves the granted certificate ...

Page 1270: ...a link layer security policy The must secure keyword specifies that the device port must be authorized only if a secure MACsec session is established Step 12 exit Exits service template configuration mode and returns to global configuration mode Step 13 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Step 1 configure terminal Enters global c...

Page 1271: ... interface interface id Identifies the MACsec interface and enter interface configuration mode The interface must be a physical interface Step 3 macsec network link Enables MKA MACsec using EAP TLS on the interface Step 4 authentication periodic Enables reauthentication for this port Step 5 authentication timer reauthenticate interval Sets the reauthentication interval Step 6 access session host m...

Page 1272: ...16 end date 09 39 53 IST Apr 13 2017 Associated Trustpoints POLESTAR IOS CA Switch configure terminal Switch config crypto pki enroll POLESTAR IOS CA Start certificate enrollment The subject name in the certificate will include CN catdevice polestar com C IN ST KA OU ENG O Polestar The subject name in the certificate will include Device polestar com Include the router serial number in the subject ...

Page 1273: ...ntication restart 7 Switch config action control policymap end Switch configure terminal Switch config eap profile EAPTLS PROF IOSCA Switch config eap profile method tls Switch config eap profile pki trustpoint POLESTAR IOS CA Switch config eap profile end Switch configure terminal Switch config dot1x credentials EAPTLSCRED IOSCA Switch config dot1x creden username catdevice polestar cisco com Swi...

Page 1274: ...n Between MACsec capable devices packets are encrypted on egress from the sending device decrypted on ingress to the receiving device and in the clear within the devices This feature is only available between 802 1AE capable devices Network Device Admission Control NDAC NDAC is an authentication process by which each network device in the TrustSec domain can verify the credentials and trustworthin...

Page 1275: ... Cisco TrustSec credentials on the switch to use in other TrustSec configurations To configure Cisco TrustSec credentials perform this task To delete the Cisco TrustSec credentials enter the clear cts credentials privileged EXEC command This example shows how to create Cisco TrustSec credentials Switch cts credentials id trustsec password mypassword CTS device ID and password have been inserted in...

Page 1276: ...upported with the NPE license or with a LAN Base service image If you select GCM without the required license the interface is forced to a link down state To configure Cisco TrustSec switch to switch link layer security with 802 1X perform this task Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Enters interface configuration mode Step 3 ct...

Page 1277: ...e license from Cisco If you select GCM without the required license the interface is forced to a link down state These protection levels are supported when you configure SAP pairwise master key sap pmk SAP is not configured no protection sap mode list gcm encrypt gmac no encap protection desirable but not mandatory sap mode list gcm encrypt gmac confidentiality preferred and integrity required The...

Page 1278: ...p 4 sap pmk key mode list mode1 mode2 mode3 mode4 Optional Configures the SAP pairwise master key PMK and operation mode SAP is disabled by default in Cisco TrustSec manual mode key A hexadecimal value with an even number of characters and a maximum length of 32 characters The SAP operation mode options gcm encrypt Authentication and encryption Note Select this mode for MACsec authentication and e...

Page 1279: ...if cts dot1x exit Switch config if exit Switch config interface gi1 1 4 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if cts manual Switch config if cts dot1x sap pmk 033445AABBCCDDEEFF mode list gcm encrypt gmac Switch config if cts dot1x no propagate sgt Switch config if cts dot1x exit Switch config if exit Switch config radius server ...

Page 1280: ... Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 48 Configuring MACsec Encryption Configuring Cisco TrustSec MACsec Switch cts credentials id cts 72 password trustsec123 ...

Page 1281: ...can locate it in the Cisco IOS Master Command List All Releases About 802 1X Port Based Authentication 802 1X defines 802 1X port based authentication as a client server based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports An authentication server validates each supplicant client connected to an authenticato...

Page 1282: ...9 15 Using 802 1X with VLAN User Distribution page 49 15 Using 802 1X with Authentication Failed VLAN Assignment page 49 16 Using 802 1X with Port Security page 49 18 Using 802 1X Authentication with ACL Assignments and Redirect URLs page 49 19 Using 802 1X with RADIUS Provided Session Timeouts page 49 20 Using 802 1X with Voice VLAN Ports page 49 21 Using Voice Aware 802 1x Security page 49 21 Us...

Page 1283: ...rver the frame header is removed from the server leaving the EAP frame which is then encapsulated for Ethernet and sent to the client Note The Catalyst 4500 series switches must be running software that supports the RADIUS client and 802 1X Authentication server Performs the actual authentication of the client The authentication server validates the identity of the client and notifies the switch t...

Page 1284: ...e after three attempts to start authentication the client transmits frames as if the port is in the authorized state A port in the authorized state means that the client was successfully authenticated When the client supplies its identity the switch begins its role as the intermediary passing EAP frames between the client and the authentication server until authentication succeeds or fails If the ...

Page 1285: ...nt This setting is the default force unauthorized Causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client using the interface auto Allows 802 1X authentication and causes the port to begin in the unauthorized state allowing only EAPOL frames to be sent and received using the port The aut...

Page 1286: ... s host mode determines whether more than one client can be authenticated on the port and how authentication is enforced You can configure an 802 1X port to use any of the five host modes described in the following sections In addition each mode can be modified to allow preauthentication open access Single Host Mode page 49 7 Multiple Hosts Mode page 49 7 Multidomain Authentication Mode page 49 7 ...

Page 1287: ...ched to it and it also acts as a client to the switch With multiple hosts mode enabled you can use 802 1X authentication to authenticate the port and port security to manage network access for all MAC addresses including that of the client Note Wired guest access does not work on Supervisor Engine 8 E in multiple host mode or in multi authentication mode Figure 49 4 Multiple Host Mode Example Mult...

Page 1288: ...nality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN depending on the VSAs received from the authentication server Note When a port is in multiauthentication mode Guest VLAN and Authentication Failed VLAN will not activate for data devices Pre authentication Open Access Beginning with Cisco IOS Release 12 2 50 SG any of the four host modes can be additionally ...

Page 1289: ...vice is reauthenticated on the new port When a host moves to a second port the session on the first port is deleted and the host is reauthenticated on the new port MAC move is supported on all host modes The authenticated host can move to any port on the switch for any host mode enabled on that port For more information see Configuring MAC Move section on page 49 55 Using MAC Replace Beginning wit...

Page 1290: ...ts on the port are assigned into PVLANs whether their posture is compliant or non compliant If the type of the VLAN named in the Access Accept does not match the type of VLAN expected to be assigned to the port regular VLAN to access port secondary PVLAN to PVLAN host port the VLAN assignment fails If a guest VLAN is configured to handle non responsive hosts the type of VLAN configured as the gues...

Page 1291: ...tion is allowed with guest VLANs Usage Guidelines for Using 802 1X Authentication with Guest VLANs on Windows XP Hosts When using 802 1X authentication with guest VLANs on Windows XP hosts consider these guidelines If the host fails to respond to the authenticator the port attempts to connect three times with a 30 second timeout between each attempt After this time the login password window does n...

Page 1292: ...ntication Bypass section on page 49 60 Feature Interaction This section lists feature interactions and restrictions when MAB is enabled If a feature is not listed assume that it interacts seamlessly with MAB such as Unidirectional Controlled Port MAB can only be enabled if 802 1X is configured on a port MAB functions as a fall back mechanism for authorizing MACs If you configure both MAB and 802 1...

Page 1293: ...ss of link or the detection of an EAPOL on the wire causes a transition out of the guest VLAN and back to the default 802 1X mode Once a new MAC is authenticated by MAB the responsibility to limit access belongs to the 802 1X authenticator or port security to secure the port The 802 1X default host parameter is defined only for a single host If the port is changed to multiple user host port securi...

Page 1294: ... For the voice device to operate properly it must learn the voice VLAN ID through other protocols such as CDP LLDP or DHCP wherever appropriate When a RADIUS server is unavailable it may not be possible for a switch to recognize a MAC address as that of a voice device Therefore when Inaccessible Authentication Bypass is configured for voice devices it should also be configured for data Voice devic...

Page 1295: ...l port cannot send traffic to the network it can only receive traffic from other devices in the network When you configure a port as unidirectional with the authentication control direction in interface configuration command the port will receive traffic in VLANs on that port but it is not put into a spanning tree forwarding state If a VLAN contains only unauthenticated ports any SVI on that VLAN ...

Page 1296: ...es not assign one employee VLAN to all employees You have to know the real VLANs configured on the switch User distribution allows you to send a list of VLAN or VLAN group name s to the switch Your switch can then do a local mapping to the corresponding VLAN Figure 49 7 Figure 49 7 802 1X with VLAN User Distribution For details on how to configure VLAN User Distribution see the Configuring 802 1X ...

Page 1297: ...ever get a link down event and may not detect the new host until the next reauthentication occurs EAP failure messages are not sent to the user If the user failures authentication the port is moved to an authentication failed VLAN and a EAP success message is sent to the user Because the user is not notified of the authentication failure there may be confusion as to why there is restricted access ...

Page 1298: ... is authenticated and the port security table is not full the client s MAC address is added to the port security list of secure hosts The port then proceeds to come up normally When a client is authenticated and manually configured for port security it is guaranteed an entry in the secure host table unless port security static aging was enabled A security violation occurs if an additional host is ...

Page 1299: ... page 49 20 For details on how to configure downloadable ACL and URL redirect refer to the Configuring 802 1X Authentication with ACL Assignments and Redirect URLs section on page 49 38 Cisco Secure ACS and AV Pairs for URL Redirect When downloadable ACL is enabled Cisco Secure ACS provides AAA services through RADIUS You can set these Attribute Value AV pairs on the Cisco Secure ACS with RADIUS c...

Page 1300: ...e is declared For details on how to configure a downloadable policy refer to the Configuring a Downloadable Policy section on page 49 44 Using 802 1X with RADIUS Provided Session Timeouts You can specify whether a switch uses a locally configured or a RADIUS provided reauthentication timeout If the switch is configured to use the local timeout it reauthenticates the host when the timer expires If ...

Page 1301: ...e holds true for dynamic VLAN assignment 802 1X guest VLAN works with the 802 1X voice VLAN port feature However the guest VLAN cannot be the same as the voice VLAN 802 1X port security works with the 802 1X voice VLAN port feature and is configured per port Two MAC addresses must be configured one for the Cisco IP phone MAC address on the VVID and one for the PC MAC address on PVID However you ca...

Page 1302: ... restricted VLAN features only apply to the data devices on an MDA enabled port The switch treats a voice device that fails authorization as a data device If more than one device attempts authorization on either the voice or the data domain of a port it is error disabled Until a device is authorized the port drops its traffic Non Cisco IP phones or voice devices are allowed into both the data and ...

Page 1303: ...AN V2 the port will have two operational VLANs V1 and V2 If H1 and H2 sends untagged ingress traffic H1 traffic is mapped to VLAN V1 and H2 traffic to VLAN V2 all egress traffic going out of the port on VLAN V1 and VLAN V2 are untagged If both the hosts H1 and H2 are logged out or the sessions are removed due to some reason then VLAN V1 and VLAN V2 are removed from the port and the configured VLAN...

Page 1304: ...hose VLANs join the multicast group When two hosts in different VLANs join a multicast group on the same multi auth port two copies of each multicast packet are sent out from that port Limiting Login for Users The Limiting Login feature helps Network administrators to limit the login attempt of users to a network When a user fails to successfully login to a network within a configurable number of ...

Page 1305: ...protocol timeout Timeout A switch attempts 802 1X at link up but the attached endpoint is not 802 1X capable After the configured number of retries and timeouts the switch attempts the next authentication method if one is configured like MAB If MAB fails the switch deploys the Guest VLAN also called the no response VLAN if configured The Guest VLAN is configured with the authentication event no re...

Page 1306: ...t port that is authorized as a wireless access point once the client is authenticated See the Resetting the 802 1X Configuration to the Default Values section on page 49 95 When the port is authorized all other hosts that are indirectly attached to the port are granted access to the network If the port becomes unauthorized reauthentication fails or an EAPOL logoff message is received the switch de...

Page 1307: ...1X with MAC Authentication Bypass page 49 60 optional Configuring 802 1X with Inaccessible Authentication Bypass page 49 62 optional Configuring 802 1X with Unidirectional Controlled Port page 49 66 optional Configuring 802 1X with VLAN User Distribution page 49 68 Configuring 802 1X with Authentication Failed page 49 71 optional Configuring 802 1X with Voice VLAN page 49 73 optional Configuring V...

Page 1308: ...interface 802 1X protocol enable state Force authorized The port transmits and receives normal traffic without 802 1X based authentication of the client Periodic reauthentication Disabled Time between reauthentication attempts 3600 sec Quiet period 60 sec Number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 s...

Page 1309: ...obal configuration mode Step 2 Switch config dot1x system auth control Enables 802 1X on your switch To disable 802 1X globally on the switch use the no dot1x system auth control command Step 3 Switch config aaa new model Enables AAA To disable AAA use the no aaa new model command Step 4 Switch config aaa authentication dot1x default method1 method2 Creates an 802 1X AAA authentication method list...

Page 1310: ...fig if authentication port control auto Switch config if end Switch show authentication sessions interface f9 2 Interface FastEthernet9 2 MAC Address 0007 e95d 83c4 IP Address Unknown Status Running Domain UNKNOWN Oper host mode single host Oper control dir both Session timeout N A Idle timeout N A Common Session ID 0A050B160000009505106398 Acct Session ID 0x0000009B Handle 0x0D000095 Step 8 Switc...

Page 1311: ...t1x Info for FastEthernet9 2 PAE AUTHENTICATOR PortControl AUTO ControlDirection Both HostMode SINGLE_HOST QuietPeriod 60 ServerTimeout 0 SuppTimeout 30 ReAuthMax 2 MaxReq 2 TxPeriod 30 Dot1x Authenticator Client List Supplicant 0007 e95d 83c4 Session ID 0A050B160000009505106398 Auth SM State AUTHENTICATING Auth BEND SM State REQUEST Port Status UNAUTHORIZED The following example illustrates when ...

Page 1312: ...uth BEND SM State IDLE Port Status AUTHORIZED Configuring Switch to RADIUS Server Communication A RADIUS security server is identified by its host name or IP address host name and specific UDP port number or IP address and specific UDP port numbers The combination of the IP address and UDP port number creates a unique identifier which enables RADIUS requests to be sent to multiple UDP ports on a s...

Page 1313: ...counting ports respectively The idle time min parameter specifies the number of minutes before an idle RADIUS server is tested to verify that it is still up The default is 60 minutes The key string specifies the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS ...

Page 1314: ...s You also need to create a AAA client setting on the RADIUS server These settings include the IP address of the switch and the key string to be shared by both the server and the switch Configuring Multiple Domain Authentication and Multiple Authorization Note Multiple Authorization requires Cisco IOS Release 12 2 50 SG and later releases To configure Multiple Domain Authentication MDA and Multipl...

Page 1315: ... on an 802 1X authorized port after a authenticating a single host multi domain Both a host and a voice device such as an IP phone Cisco or non Cisco to authenticate on an IEEE 802 1X authorized port Note You must configure a voice VLAN for an IP phone when the host mode is set to multi domain For more information see Chapter 46 Configuring Voice Interfaces multi auth Allows multiple hosts and a v...

Page 1316: ...tch config if switchport voice vlan 10 Switch config if dot1x pae authenticator Switch config if dot1x port control auto Switch config if dot1x host mode multi domain Switch config if no shut Switch config if end This example shows how to enable MDA and to allow both a host and a non 802 1X voice device on the port Cisco IOS Release 12 2 50 SG and later Switch conf t Enter configuration commands o...

Page 1317: ...rt Status AUTHORIZED Authentication Method Dot1x Authorized By Authentication Server Vlan Policy 12 Domain VOICE Supplicant 0060 b057 4687 Auth SM State AUTHENTICATED Auth BEND SM Stat IDLE Port Status AUTHORIZED Authentication Method Dot1x Authorized By Authentication Server Switch This example shows how to enable MDA and to authentication of multiple hosts and a voice device on an IEEE 802 1x au...

Page 1318: ...ion succeeds enter the show ip access list command to display the downloadable ACLs Configuring the Switch for Downloadable ACL To configure the switch for downloadable ACL follow these steps Step 1 Configure the IP device tracking table Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config aaa new model Enables the authentication authorization and ...

Page 1319: ... in speed 100 duplex full authentication event fail action authorize vlan 111 authentication event server dead action authorize vlan 333 authentication event server alive action reinitialize authentication host mode multi auth authentication order dot1x authentication port control auto authentication timer restart 100 authentication timer reauthenticate 20 authentication timer inactivity 200 mab e...

Page 1320: ... 9 Server Policies ACS ACL xACSACLx IP PERMIT_ALL_TRAFFIC 51de4498 Method status list Method State mab Authc Success The show authentication sessions interface interface name policy displays session information in the form of Local Policies features defined locally on the box Server policies features downloaded from radius and Resultant Policies the one with higher precedence when both local and s...

Page 1321: ...g command displays the contents of the downloadable ACL Switch show ip access lists xACSACLx IP auth 48b79b6e Extended IP access list xACSACLx IP auth 48b79b6e per user 10 permit udp any any Switch config Cisco ACS Configuration for DACL Note Only Cisco ACS supports DACL To ensure correct functioning of the ACS configuration required for DACL follow these steps Step 1 Configure a downloadable IP A...

Page 1322: ... http www cisco com Note A default port ACL must be configured on the interface Configuring the Switch To configure the switch for URL redirect follow these steps Step 1 Configure the IP device tracking table Switch config ip device tracking Step 2 Configure RADIUS by using the send authentication command Switch config radius server vsa send authentication Step 3 Configure the URL redirect ACL URL...

Page 1323: ... 10 permit ip host 1 1 1 1 host 2 2 2 2 20 permit icmp host 1 1 1 1 host 2 2 2 2 Switch Verify URL redirect by using the following commands The show ip device tracking command displays the constraints on the IP device tracking table Switch config show ip device tracking all IP Device Tracking Enabled IP Device Tracking Probe Count 3 IP Device Tracking Probe Interval 30 IP Address MAC Address Inter...

Page 1324: ...decimal from 1 to 99 or 1300 to 1999 Enter deny or permit to specify whether to deny or permit access if conditions match source is the address of the network or host from which the packet is sent specified as follows The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard value of 0 0 0 0 255 255 255 255 You do not need a source wildcard valu...

Page 1325: ...ice tracking global configuration commands Step 9 Switch config ip device tracking probe count count interval interval Optional Configures these parameters for the IP device tracking table count Number of times that the switch sends the ARP probe The range is 1 to 5 The default is 3 interval Number of seconds that the switch waits for a response before resending the ARP probe The range is 30 to 30...

Page 1326: ...arty AAA server to interoperate by loading the Cisco RADIUS dictionary which has Cisco Radius AV pairs configured as a VSA Note The RADIUS vendor specific attributes VSAs allow vendors to support their own proprietary RADIUS attributes that are not included in standard RADIUS attributes Configuring the Switch To configure the switch for per user ACL and filter ID ACL Step 1 Configure the IP device...

Page 1327: ... host 1 1 1 1 host 2 2 2 2 Switch Per User ACL Configuration in ACS In the Group User Setting page scroll down to the Cisco IOS PIX 6 x RADIUS Attributes section Select the box next to 009 001 cisco av pair and enter the elements of the per user ACL Per user ACLS take this format protocol_ inacl sequence number ACE protocol Either ip for IP based ACLs or mac for MAC based ACLs Figure 49 12 shows h...

Page 1328: ... Figure 49 12 Define the ACEs for the Per User ACL Note Outbound ACLs OUTACL are not supported Filter Id Configuration in ACS In the Group User Setting page scroll down to the IETF RADIUS Attributes section Select the box next to Filter Id and enter the ACL to apply for members of this group Figure 49 13 The Filter Id ia in this format ACL_ in ACL Number of the ACL that was previously configured o...

Page 1329: ...ice tracking table contains the host IP address learned through ARP or DHCP The following command displays the constraints on the IP device tracking table Switch show ip device tracking all IP Device Tracking Enabled IP Device Tracking Probe Count 3 IP Device Tracking Probe Interval 30 IP Address MAC Address Interface STATE 50 0 0 12 0015 60a4 5e84 GigabitEthernet2 9 ACTIVE The following command s...

Page 1330: ...ort ACL in the following example Switch show access list 151 deny ip host 20 20 0 3 host 20 20 10 10 10 permit ip any any 57 estimate matches The following command displays the number of sessions RouterRP show authentication sessions Interface MAC Address Method Domain Status Fg Session ID Gi2 9 aabb cc00 5600 mab VOICE Auth 0D0102340000000CEDF12589 Session count 1 Key to Session Events Status Fla...

Page 1331: ...any 57 estimate matches check for the mac access list created Extended MAC access list PerUser_MAC_ACL 589079192 per user deny any host 0000 aaaa aaaa The following command shows that the Policy Enforced Module EPM session contains the Filter Id 155 from ACS Note The 156 IP extended ACL is to be preconfigured on the switch so that the policy enforcement can happen Switch show ip access list 156 Ex...

Page 1332: ... Per User ACL and Filter ID ACL To configure per user ACL and Filter ID ACL perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config access list access list number deny permit source source wildcard log Defines the default port ACL through a source address and wildcard The access list number is a decimal from 1 to 99 or 1300 to 1999 E...

Page 1333: ...thorization network default local Sets the authorization method to local To remove the authorization method use the no aaa authorization network default local command Step 8 Switch config ip device tracking Enables the IP device tracking table To disable the IP device tracking table use the no ip device tracking global configuration commands Step 9 Switch config ip device tracking probe count coun...

Page 1334: ...2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Dot1x Authenticator Client List Empty Port Status AUTHORIZED Switch Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode Step 3 Switch config if switchport mode access Specifies a nontrunking nontagged single VLAN Layer 2 interface Step 4 Switch conf...

Page 1335: ...t 30 ReAuthPeriod From Authentication Server ReAuthMax 2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Dot1x Authenticator Client List Empty Port Status AUTHORIZED Switch Configuring MAC Move MAC move allows an authenticated host to move from one switch port to another Note You should remove port security before configuring MAC move To globally enable MAC move on the switch perform this task This example...

Page 1336: ... configure terminal Switch config interface f7 1 Switch config if authentication violation replace The following syslog messages displays when MAC replace occurs AUTHMGR 5 SECUREMACREPLACE mac addr replaced mac addr on interface name Configuring Violation Action You can configure 802 1X security violation behavior as either shutdown restrict or replace mode based on the response to the violation T...

Page 1337: ... sent by the client Beginning with Cisco IOS Release 12 2 25 EWA the Catalyst 4500 series switch maintains the EAPOL packet history If another EAPOL packet is detected on the interface during the lifetime of the link network access is denied The EAPOL history is reset upon loss of the link Any number of 802 1X incapable clients are allowed access when the switch port is moved to the guest VLAN If ...

Page 1338: ...interface to be enabled for 802 1X authentication Step 3 Switch config if switchport mode access or Switch config if switchport mode private vlan host Specifies a nontrunking nontagged single VLAN Layer 2 interface Specifies that the ports with a valid PVLAN trunk association become active host PVLAN trunk ports Step 4 Switch config if dot1x pae authenticator Enables 802 1X authentication on the p...

Page 1339: ...witch configure terminal Enters global configuration mode Step 2 Switch dot1x guest vlan supplicant Optional Enables supplicants to be allowed into the guest VLANs globally on the switch Note Although not visible in the CLI for Cisco IOS Release 12 3 31 SG legacy configurations that include the dot1x guest vlan supplicant command still work We do not recommend that you use this command However bec...

Page 1340: ...t1x guest vlan 5 Switch config if dot1x port control auto Switch config if end Switch Configuring 802 1X with MAC Authentication Bypass To enable MAC Authentication Bypass MAB perform this task Step 7 Cisco IOS Release 12 2 50 SG and later Switch config if authentication port control auto Cisco IOS Release 12 2 46 SG or earlier releases Switch config if dot1x port control auto Enables 802 1X authe...

Page 1341: ...config if mab Switch config if end Switch show mab int g3 3 details MAB details for GigabitEthernet3 3 Mac Auth Bypass Enabled MAB Client List Client MAC 0001 0001 0001 Session ID C0A8016F0000002304175914 MAB SM state TERMINATE Auth Status AUTHORIZED Step 4 Switch config if dot1x pae authenticator Enables 802 1X authentication on the port with default parameters Refer to the Default 802 1X Configu...

Page 1342: ... ServerTimeout 30 SuppTimeout 30 ReAuthPeriod 3600 Locally configured ReAuthMax 2 MaxReq 2 TxPeriod 1 RateLimitPeriod 0 Mac Auth Bypass Enabled Dot1x Authenticator Client List Supplicant 0000 0000 0001 Auth SM State AUTHENTICATED Auth BEND SM Stat IDLE Port Status AUTHORIZED Authentication Method MAB Authorized By Authentication Server Vlan Policy N A Switch Configuring 802 1X with Inaccessible Au...

Page 1343: ...ine 6L E Cisco IOS Release 12 2 50 SG and later Supervisor Engine 7 E Supervisor Engine 7L E Supervisor Engine 8 E Cisco IOS Release 15 0 1 X and later Switch config authentication critical recovery delay msec Cisco IOS Release 12 2 46 SG or earlier releases Switch config dot1x critical recovery delay msec Optional Specifies a throttle rate for the reinitialization of critically authorized ports w...

Page 1344: ...ation command which forces all authorized data clients to be reauthenticated when RADIUS becomes unavailable and a client attempts to authenticate This only applies to data devices Voice devices are unaffected To disable it use the no authentication event server dead action reinitialize vlan interface configuration command Step 9 Catalyst 4900M Catalyst 4948E Catalyst 4948E F Supervisor Engine 6 E...

Page 1345: ...entication dot1x default group radius Switch config dot1x system auth control Switch config radius server host 10 1 2 3 auth port 1645 acct port 1646 test username randomuser idle time 1 key mykey Switch config radius server deadtime 1 Switch config radius server dead criteria time 15 tries 3 Switch config interface f3 1 Switch config if switchport mode access Switch config if dot1x pae authentica...

Page 1346: ... reinitialize Switch config if end Switch show dot1x int fastethernet 3 1 details Dot1x Info for FastEthernet3 1 PAE AUTHENTICATOR PortControl AUTO ControlDirection Both HostMode SINGLE_HOST ReAuthentication Disabled QuietPeriod 60 ServerTimeout 30 SuppTimeout 30 ReAuthPeriod 3600 Locally configured ReAuthMax 2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Critical Auth Enabled Critical Recovery Action R...

Page 1347: ...ol AUTO ControlDirection In HostMode SINGLE_HOST ReAuthentication Disabled QuietPeriod 60 ServerTimeout 30 SuppTimeout 30 ReAuthPeriod 3600 Locally configured ReAuthMax 2 MaxReq 2 TxPeriod 30 Step 3 Switch config if switchport mode access or Switch config if switchport mode private vlan host Specifies a nontrunking nontagged single VLAN Layer 2 interface Specifies that the ports with a valid PVLAN...

Page 1348: ...Timeout 30 ReAuthPeriod 3600 Locally configured ReAuthMax 2 MaxReq 2 TxPeriod 30 RateLimitPeriod 0 Switch Configuring 802 1X with VLAN User Distribution You will need to configure the switch and ACS to configure 802 1X with VLAN user distribution Configuring the Switch To configure the switch follow these steps Step 1 Create a VLAN group on the switch Enter the following commands to create a VLAN ...

Page 1349: ...ame in the ACS configuration By default ACS sends only one VLAN name or group per user However you can configure ACS to send more than one tag per attribute To do this you must modify the configuration in ACS for user or group See the example shown in Figure 49 14 show command Purpose show vlan group all Displays the member VLANs for all the VLAN groups configured on the device show vlan group gro...

Page 1350: ...802 1X Port Based Authentication Figure 49 14 VLAN User Distribution on ACS Interface Configuration to Modify Tags per Attribute After you add the number of tags required per attribute the user or group set up presents multiple fields to be filled with values from the RADIUS server Figure 49 15 Figure 49 15 VLAN User Distribution on ACS Multiple VLAN Numbers Configured per User ...

Page 1351: ...e configuration mode and specifies the interface to be enabled for 802 1X authentication Step 3 Switch config if switchport mode access Specifies a nontrunking nontagged single VLAN Layer 2 interface Step 4 Switch config if authentication port control auto Enables 802 1X authentication on the interface Step 5 Cisco IOS Release 12 2 50 SG and later Switch config if authentication event fail action ...

Page 1352: ...rotocol Version 2 Dot1x Info for GigabitEthernet3 1 PAE AUTHENTICATOR PortControl AUTO ControlDirection Both HostMode SINGLE_HOST QuietPeriod 60 ServerTimeout 0 SuppTimeout 30 ReAuthMax 2 MaxReq 2 TxPeriod 30 Switch Cisco IOS Release 12 2 46 SG or earlier Switch configure terminal Switch config interface gigabitEthernet3 1 Switch config if switchport mode access Switch config if dot1x port control...

Page 1353: ...al Enters global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode Step 3 Switch config if switchport access vlan vlan id Sets the VLAN for a switched interface in access mode Step 4 Switch config if switchport mode access Specifies a nontrunking nontagged single VLAN Layer 2 interface Step 5 Switch config if switchport voice vlan vlan id Sets the v...

Page 1354: ...nfiguration command You disable voice aware 802 1x security by entering the no version of this command This command applies to all 802 1x configured ports in the switch Note If you do not include the shutdown vlan keywords the entire port is shut down when it enters the error disabled state If you use the errdisable recovery cause security violation global configuration command to configure error ...

Page 1355: ...X with VLAN Assignment For enabling dynamic VLAN assignment no additional configuration is required in the switch For information on configuring Multiple authentication MDA refer to the Configuring Multiple Domain Authentication and Multiple Authorization section on page 49 34 To enable VLAN assignment you must configure the Cisco ACS server Note 802 1x authentication with VLAN assignment is not s...

Page 1356: ...ting User IETF RADIUS Attributes Figure 49 16 This step ensures correct functioning of the ACS configuration required for dynamic VLAN assignment Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode Step 3 Switch config if switchport access vlan id Sets the VLAN for a switched interface in ...

Page 1357: ...t respond to EAPOL You can configure the order and priority of the authentication methods For detailed configuration information for MAB see the Configuring 802 1X with MAC Authentication Bypass section on page 49 60 For detailed configuration information for web based authentication see Chapter 52 Configuring Web Based Authentication Note When web based authentication and other authentication met...

Page 1358: ...est Step 9 Switch config if authentication priority method1 method2 method3 Optional Overrides the relative priority of authentication methods to be used The three values of method in the default order of priority are dot1x mab and webauth Step 10 Switch config if authentication event fail action next method Specifies that the next configured authentication method be applied if authentication fail...

Page 1359: ...02 1X when fallback authentication is configured on the port enter the following commands Switch show authentication sessions interface g7 2 Interface GigabitEthernet7 2 MAC Address 0060 b057 4687 IP Address Unknown User Name test2 Status Authz Success Domain DATA Oper host mode multi auth Oper control dir both Authorized By Authentication Server Vlan Policy N A Session timeout N A Idle timeout N ...

Page 1360: ...icated using MAB when fallback authentication is configured on the port enter the following commands Switch show authentication sessions interface g7 2 Interface GigabitEthernet7 2 MAC Address 0060 b057 4687 IP Address 192 168 22 22 User Name 0060b0574687 Status Authz Success Domain DATA Oper host mode multi auth Oper control dir both Authorized By Authentication Server Vlan Policy N A Session tim...

Page 1361: ... 1000 state ESTAB Cisco IOS Release 12 2 46 SG or earlier Switch config ip admission name rule1 proxy http Switch config fallback profile fallback1 Switch config fallback profile ip access group default policy in Switch config fallback profile ip admission rule1 Switch config fallback profile exit Switch config interface gigabit5 9 Switch config if switchport mode access Switch config if dot1x por...

Page 1362: ...fer to the Default 802 1X Configuration section on page 49 27 Step 5 Cisco IOS Release 12 2 50 SG and later Switch config if authentication periodic Cisco IOS Release 12 2 46 SG or earlier releases Switch config if dot1x reauthentication Enables periodic reauthentication of the client which is disabled by default To disable periodic reauthentication use the no authentication periodic interface con...

Page 1363: ...rface interface id Enters interface configuration mode and specifies the interface to which multiple hosts are indirectly attached Step 3 Switch config if switchport mode access Specifies a nontrunking nontagged single VLAN Layer 2 interface Step 4 Switch config if dot1x pae authenticator Enables 802 1X authentication on the port with default parameters Refer to the Default 802 1X Configuration se...

Page 1364: ... occur because the client provided an invalid password You can provide a faster response time to the user by entering a number smaller than the default To change the quiet period perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface id Enters interface configuration mode and specifies the interface to be enabled...

Page 1365: ...ve this response it waits a set period of time known as the retransmission time and then retransmits the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers To change the amount of time that the switch waits for client notification perform thi...

Page 1366: ...Retransmission Number In addition to changing the switch to client retransmission times you can change the number of times that the switch sends EAP Request Identity and other EAP Request frames to the client before restarting the authentication process The number of EAP Request Identity retransmissions is controlled by the dot1x max reauth req command the number of retransmissions for other EAP R...

Page 1367: ...x pae authenticator Enables 802 1X authentication on the port with default parameters Refer to the Default 802 1X Configuration section on page 49 27 Step 5 Switch config if dot1x max req count or Switch config if dot1x max reauth req count Specifies the number of times EAPOL DATA packets are retransmitted if lost or not replied to For example if you have a supplicant that is authenticating and it...

Page 1368: ... information see the 802 1X Supplicant and Authenticator Switches with Network Edge Access Topology section on page 49 24 Configuring Switch as an Authenticator To configure a switch as an authenticator perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config cisp enable Enables CISP Step 3 Switch config interface interface id Specifi...

Page 1369: ... You must configure the following procedure in the Cisco ACS server Configuring a user with Cisco AV Pair value allows SSW to authenticate itself with the ASW Because the user is attached with the AV pair value upon successful authentication on ASW the macro is executed on the interface on which SSW is authenticated Switch configure terminal Switch config cisp enable Switch config interface Gigabi...

Page 1370: ...s not applied to the macro Note Disabling spanning tree bpduguard happens only if it was previously enabled through the port level command Enabling it globally without a specific port level CLI prevents NEAT from disabling it on the port after the authenticator switch receives a device traffic class switch AV Pair and applies the macro There are 2 scenarios Scenario 1 With Port Level BPDU Guard Co...

Page 1371: ...rd end When the authenticator switch receives a device traffic class switch AV pair the following macro is applied to the authenticator switch port no switchport access vlan AVID no switchport nonegotiate switchport mode trunk switchport trunk native vlan AVID no spanning tree bpduguard enable spanning tree portfast trunk After the supplicant switch is authenticated as a switch device the configur...

Page 1372: ...orm this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config cisp enable Enables CISP Step 3 Switch config dot1x credentials profile Creates 802 1x credentials profile This must be attached to the port that is configured as supplicant Step 4 Switch config sername suppswitch Creates a username Step 5 Switch config password password Creates a p...

Page 1373: ... the authenticator switch For more information see the Chapter 22 Configuring Cisco IOS Auto Smartport Macros Configuration Guidelines If BPDU Guard was enabled prior to supplicant switch authentication it is re enabled after the supplicant switch unauthenticates You can configure NEAT ports and non NEAT ports with the same configuration When the supplicant switch authenticates the port mode is ch...

Page 1374: ...switch VSA Doing this allows you to remove unsupported configurations on the authenticator switch port and to change the port mode from access to trunk For details see Chapter 22 Configuring Cisco IOS Auto Smartport Macros Note Configuring only the Auto SmartPorts macro does not identify the end host as a supplicant switch The switch VSA is required to identify the supplicant switch However when A...

Page 1375: ...to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sectio...

Page 1376: ...ers and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 49 18 on page 49 96 Network in which the user must only access a single service Using RADIUS you can control user access to a single host to a single utility such as Teln...

Page 1377: ...nal data included with the ACCEPT or REJECT packets includes these items Telnet SSH rlogin or privileged EXEC services Connection parameters including the host or client IP address access list and user timeouts RADIUS Change of Authorization This section provides an overview of the RADIUS interface including available primitives and how they are used during a Change of Authorization CoA Overview p...

Page 1378: ...er This section includes these topics CoA Request Response Code CoA Request Commands Session Reauthentication RFC 5176 Compliance The Disconnect Request message which is also referred to as Packet of Disconnect POD is supported by the switch for session termination Table 49 2 shows the IETF attributes are supported for this feature Table 49 3 shows the possible values for the Error Cause attribute...

Page 1379: ...lling Station Id IETF attribute 31 which contains the host MAC address Audit Session Id Cisco VSA Acct Session Id IETF attribute 44 Unless all session identification attributes included in the CoA message match the session the switch returns a Disconnect NAK or CoA NAK with the Invalid Attribute Value error code attribute The packet format for a CoA Request code as defined in RFC 5176 consists of ...

Page 1380: ...oup when its credentials are known To initiate session authentication the AAA server sends a standard CoA Request message which contains a Cisco vendor specific attribute VSA in this form Cisco Avpair subscriber command reauthenticate and one or more session identification attributes The current session state determines the switch response to the message If the session is currently authenticated b...

Page 1381: ... the switch returns a Disconnect NAK message with the Session Context Not Found error code attribute If the session is located the switch terminates the session After the session has been completely removed the switch returns a Disconnect ACK If the switch fails over to a standby switch before returning a Disconnect ACK to the client the process is repeated on the new active switch when the reques...

Page 1382: ...can use method lists to designate one or more security protocols to be used such as TACACS or local username lookup thus ensuring a backup system if the initial method fails The software uses the first method listed to authenticate to authorize or to keep accounts on users If that method does not respond the software selects the next method in the list This process continues until there is success...

Page 1383: ...y configured on the same device for accounting services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the ...

Page 1384: ...out global configuration command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the...

Page 1385: ...exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backu...

Page 1386: ...IUS server For more information see the Identifying the RADIUS Server Host section on page 49 103 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username...

Page 1387: ...e Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the...

Page 1388: ...ith the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the...

Page 1389: ...ser When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the radius keyword to set paramete...

Page 1390: ...our entries Step 6 Switch copy running config startup config Optional Saves your entries in the configuration file Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config aaa accounting network start stop radius Enables RADIUS accounting for all network related service requests Step 3 Switch config aaa accounting exec start stop radius Enables RADIUS ...

Page 1391: ...to provide a user logging in from a switch with immediate access to privileged EXEC commands cisco avpair shell priv lvl 15 This example shows how to specify an authorized VLAN in the RADIUS server database cisco avpair tunnel type 64 VLAN 13 cisco avpair tunnel medium type 65 802 media 6 cisco avpair tunnel private group ID 81 vlanid This example shows how to apply an input ACL in ASCII format to...

Page 1392: ...witch You specify the RADIUS host and secret text string by using the radius server global configuration commands To specify a vendor proprietary RADIUS server host and a shared secret text string perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config radius server vsa send accounting authentication Enables the switch to recognize a...

Page 1393: ...es in your key do not enclose the key in quotation marks unless the quotation marks are part of the key Step 4 Switch config end Returns to privileged EXEC mode Step 5 Switch show running config Verifies your settings Step 6 Switch copy running config startup config Optional Saves your entries in the configuration file Command Purpose Step 1 Switch configure terminal Enters global configuration mo...

Page 1394: ...sion key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step 9 Switch config locsvr da radius ignore server key Optional Configures the switch to ignore the server key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step 10 Switch config locsvr da...

Page 1395: ...l CDP Link Layer Discovery Protocol LLDP and DHCP to obtain endpoint information from network devices and make this information available to its clients Device Sensor has internal clients such as the embedded Device Classifier local analyzer Auto Smartports ASP MediaNet Service Interface Media Services Proxy and EnergyWise Device Sensor also has an external client Identity Services Engine ISE whic...

Page 1396: ...rs MSP IOS Sensor Device Classifier Interaction Note To enable MSP you must configure the profile flow command Once done when SIP H323 or mDNS traffic are present appropriate SIP H323 or mDNS TLV notifications are sent to the IOS sensor MSP Media Service Proxy offers bandwidth reservation for audio or video flows and Metadata services to 3rd party endpoints To offer and install Media services MSP ...

Page 1397: ... protocol details from MSP the IOS sensor prepares Normalized TLVs with the new protocols These protocol details are sent to session manager for further classification Configuring Device Sensor Device Sensor is enabled by default Complete the following tasks when you want Device Sensor to include or exclude a list of TLVs termed filter lists for a particular protocol Note If you do not perform any...

Page 1398: ...co Discovery Protocol Filter To create a CDP filter containing a list of TLVs that can be included or excluded in the Device Sensor output follow these steps beginning in privileged EXEC mode Command Purpose Step 1 configure terminal Switch configure terminal Enters global configuration mode Step 2 profile flow Switch config profile flow Enables MSP Step 3 end Switch config end Returns to privileg...

Page 1399: ...fig sensor cdplist end Returns to privileged EXEC mode Command Purpose Step 1 configure terminal Switch configure terminal Enters global configuration mode Step 2 device sensor filter list lldp list tlv list name Switch config device sensor filter list lldp list lldp list Creates a TLV list and enters LLDP sensor configuration mode where you can configure individual TLVs Step 3 tlv name tlv name n...

Page 1400: ... to the option list You can delete the entire option list without removing options individually from the list by using the no device sensor filter list dhcp list option list name command Step 4 end Switch config end Returns to privileged EXEC mode Command Purpose Step 1 configure terminal Switch configure terminal Enters global configuration mode Step 2 device sensor filter spec cdp dhcp lldp excl...

Page 1401: ...iption 23 08 15 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31 2F 30 2F 32 34 lldp 5 system name 12 0A 0A 73 75 70 70 6C 69 63 61 6E 74 dhcp 82 relay agent info 20 52 12 01 06 00 04 00 18 01 18 02 08 00 06 00 24 14 DC DF 80 dhcp 12 host name 12 0C 0A 73 75 70 70 6C 69 63 61 6E 74 dhcp 61 client identifier 32 3D 1E 00 63 69 73 63 6F 2D 30 30 32 34 2E 31 34 Command Purpose Step 1 configure terminal...

Page 1402: ...p 18 trust type 5 00 12 00 05 00 cdp 11 duplex type 5 00 0B 00 05 01 cdp 10 native vlan type 6 00 0A 00 06 00 01 cdp 9 vtp mgmt domain type 9 00 09 00 09 63 69 73 63 6F Troubleshooting Commands The following commands can help troubleshoot Device Sensor debug device sensor errors events debug authentication all Restrictions for Device Sensor Only CDP LLDP and DHCP protocols are supported The sessio...

Page 1403: ...ure terminal Switch config device sensor filter spec cdp include cdp list1 The following example shows how to enable client notifications and accounting events for all TLV changes Switch enable Switch configure terminal Switch config device sensor notify all changes Displaying 802 1X Statistics and Status To display 802 1X statistics for all interfaces use the show dot1x all statistics privileged ...

Page 1404: ...3462B10000000E29811B94 Available methods list Handle Priority Name 3 0 dot1x 2 1 mab Runnable methods list Handle Priority Name 2 0 mab 3 1 dot1x Displaying the Summary of All Auth Manager Sessions on the Switch This example shows how ti display the summary of all sessions Switch show authentication sessions Interface MAC Address Method Domain Status Session ID Gi1 48 0015 63b0 f676 dot1x DATA Aut...

Page 1405: ...e 0x2400000D Runnable methods list Method State dot1x Failed over mab Authc Success Interface GigabitEthernet1 5 MAC Address 0014 bf5d d26d IP Address 20 0 0 7 User Name johndoe Status Authz Success Domain DATA Oper host mode multi auth Oper control dir both Authorized By Authentication Server Vlan Policy N A Session timeout N A Idle timeout N A Common Session ID 0A3462B10000000E29811B94 Acct Sess...

Page 1406: ...n Policy N A Session timeout N A Idle timeout N A Common Session ID 0A3462B10000000D24F80B58 Acct Session ID 0x0000000F Handle 0x2400000D Runnable methods list Method State dot1x Failed over mab uthc Success Switch show authentication session method dot1x int gi1 5 Interface GigabitEthernet1 5 MAC Address 0014 bf5d d26d IP Address 20 0 0 7 User Name johndoe Status Authz Success Domain DATA Oper ho...

Page 1407: ...ogging messages are displayed during the following events POLICY_APP_SUCCESS Policy application success events on Named ACLs Proxy ACLs and service policies URL redirect policies POLICY_APP_FAILURE Policy application failure conditions similar to unconfigured policies wrong policies download request failures and download failures from AAA IPEVENT IP assignment IP release and IP wait events for cli...

Page 1408: ...erent software releases and platforms Your Cisco software release or platform may not support all the features documented in a feature guide See the Feature Information table at the end of the feature guide for information about which features in that guide are supported in your software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support...

Page 1409: ...ty Features Pre fragmentation For Ipsec VPNs http www cisco com en US docs ios sec_secure_connectivity configuration guide sec_pre_frag_vpns html Router Security Audit Manageability http www cisco com en US prod collateral routers ps10537 product_bulletin_ISRG2_Manageability pdf Trusted Root Certification Authority http www cisco com en US docs security cta admin_guide ctaCerts html ...

Page 1410: ...49 130 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 49 Configuring 802 1X Port Based Authentication Cisco IOS Security Features ...

Page 1411: ... page 50 6 Additional References for 509v3 Certificates for SSH Authentication page 50 6 Feature Information for X 509v3 Certificates for SSH Authentication page 50 8 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch C...

Page 1412: ... The Transport Layer Protocol uses a digital signature algorithm called the public key algorithm to authenticate the server to the client And the User Authentication Protocol uses a digital signature to authenticate public key authentication the client to the server The validity of the authentication depends upon the strength of the linkage between the public signing key and the identity of the si...

Page 1413: ...ng the result along with its certificates and sending the information to the peer rather than having the peer contact the OCSP responder How to Configure X 509v3 Certificates for SSH Authentication Configuring Digital Certificates for Server Authentication page 50 3 Configuring Digital Certificates for User Authentication page 50 4 Configuring Digital Certificates for Server Authentication Command...

Page 1414: ...EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config ip ssh server algorithm authentication publickey keyboard password Defines the order of host key algorithms Only the configured algorithm is negotiated with the Secure Shell SSH client Note The IOS SSH server must have at least one configured host key algorithm To use th...

Page 1415: ...nable Switch configure terminal Switch config ip ssh server algorithm authentication publickey Switch config ip ssh server algorithm publickey x509v3 ssh rsa Switch config ip ssh server certificate profile Switch ssh server cert profile user Switch ssh server cert profile user trustpoint verify trust2 Switch ssh server cert profile user end Step 7 Switch ssh server cert profile user trustpoint sig...

Page 1416: ...lickey Algorithms x509v3 ssh rsa ssh rsa Hostkey Algorithms x509v3 ssh rsa ssh rsa Authentication timeout 120 secs Authentication retries 3 Minimum expected Diffie Hellman key size 1024 bits Additional References for 509v3 Certificates for SSH Authentication Related Documents Standards MIBs RFCs Related Topic Document Title Cisco IOS commands Cisco IOS Master Commands List All Releases Catalyst 45...

Page 1417: ...Assistance Description Link The Cisco Support and Documentation website provides online resources to download documentation software and tools Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password htt...

Page 1418: ...cfn An account on Cisco com is not required Note Table 1 lists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Table 1 Feature Information for X509v3 Certificates for SSH Authentication Feature Name Releases Feature Information X509v3 Certifica...

Page 1419: ...lyst 4500 series switches It includes the following sections About PPPoE Intermediate Agent page 51 2 Enabling PPPoE IA on a Switch page 51 2 Configuring the Access Node Identifier for PPPoE IA on a Switch page 51 2 Configuring the Identifier String Option and Delimiter for PPPoE IA on an Switch page 51 3 Configuring the Generic Error Message for PPPoE IA on an Switch page 51 3 Enabling PPPoE IA o...

Page 1420: ...PAD message from untrusted port performing per port PAD message rate limiting inserting and removing VSA Tags into and from PAD messages respectively Enabling PPPoE IA on a Switch This functionality allows you to enable or disable PPPoE IA globally on the switch Switch enable Switch configure terminal Switch config pppoe intermediate agent By default PPPoE IA is disabled globally Configuring the A...

Page 1421: ...he circuit ID configured explicitly per interface or per interface per VLAN with the pppoe intermediate agent format type circuit id or pppoe intermediate agent vlan num format type circuit id commands Configuring the Generic Error Message for PPPoE IA on an Switch This functionality sets the Generic Error message of the switch PPPoE IA sends this message only on a specific error condition If you ...

Page 1422: ...obally and at least one interface that connects the switch to PPPoE server has a trusted PPPoE IA setting Refer to the following section for details Configuring the PPPoE IA Trust Setting on an Interface This functionality sets a physical interface as trusted The following example shows how to set FastEthernet interface 3 2 as trusted Switch enable Switch configure terminal Switch config interface...

Page 1423: ...cuit id command sets the circuit ID on an interface and overrides the automatic generation of circuit ID by the switch Without this command one default tag for example Ethernet x y z on the PPPoE to which the user is connected inserted by an intermediate agent The no pppoe intermediate agent format type remote id command sets the remote ID on an interface This functionality causes tagging of PADI ...

Page 1424: ...on an Interface In this section you set the circuit ID and remote ID for a specific VLAN on an interface The command overrides the circuit ID and remote ID specified for this physical interface and the switch uses the WORD value to tag packets received on this VLAN This parameter is unset by default The default value of remote id is the switch MAC address for all VLANs You would set this parameter...

Page 1425: ... that physical interface and pertaining VLANs is displayed Although PPoE IA is supported on PVLANs be aware that no PVLAN association primary and secondary VLAN mapping information is displayed The PPPoE IA show commands such as show pppoe intermediate agent info show pppoe intermediate agent info interface g3 7 or show pppoe intermediate agent statistics do not provide information about private V...

Page 1426: ...ters on all interfaces per port and per port per VLAN The following example illustrates how to do this Switch clear pppoe intermediate agent statistics Issuing of the above command clears the counters for all PPPoE discovery packets PADI PADO PADR PADS PADT received on DUT Switch show pppoe intermediate agent statistics interface g3 7 Interface GigabitEthernet3 7 Packets received All 0 PADI 0 PADO...

Page 1427: ...abb cc80 0000 Sep 2 06 12 56 137 PPPOE_IA received new PPPOE packet from inputinterface GigabitEthernet3 7 Sep 2 06 12 56 137 PPPOE_IA Process new PPPoE packet Message type PADR input interface Gi3 7 vlan 2 MAC da 001d e64c 6512 MAC sa aabb cc00 0000 Sep 2 06 12 56 145 PPPOE_IA received new PPPOE packet from inputinterface GigabitEthernet3 4 Sep 2 06 12 56 145 PPPOE_IA Process new PPPoE packet Mes...

Page 1428: ...51 10 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 51 Configuring the PPPoE Intermediate Agent Troubleshooting Tips ...

Page 1429: ...ems that do not run the IEEE 802 1X supplicant Note You can configure web based authentication on Layer 2 and Layer 3 interfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the user The user keys in their credentials which the web based authentication feature sends to the AAA server for authentication If a...

Page 1430: ...t is authorized to access the LAN and switch services or that the client is denied Switch Controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a respon...

Page 1431: ...t identity is valid and the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expired page and the host is placed in a watch list usi...

Page 1432: ...command In Cisco IOS Release 12 2 50 SG you can substitute your custom HTML pages for the four default internal HTML pages or you can specify a URL to which you are redirected upon successful authentication effectively replacing the internal Success page Web Based Authentication Interactions with Other Features These sections describe web based authentication interactions with these features Port ...

Page 1433: ...L is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentication host policy overrides the PACL You cannot configure a MAC ACL and web based authentication on the sa...

Page 1434: ...iguration Web Based Authentication Configuration Guidelines and Restrictions When configuring web based authentication consider these guidelines and restrictions Web authentication requires two Cisco Attribute Value AV pair attributes The first attribute priv lvl 15 must always be set to 15 This sets the privilege level of the user who is logging into the switch The second attribute is an access l...

Page 1435: ...so configure routes to reach each host IP address The HTTP server sends the HTTP login page to the host Hosts that are more than one hop away may experience traffic disruption if an STP topology change results in the host traffic arriving on a different port it is because ARP and DHCP updates may not be sent after a Layer 2 STP topology change Web based authentication does not support VLAN assignm...

Page 1436: ...interface to be enabled for web based authentication type can be fastethernet gigabit ethernet or tengigabitethernet Step 3 Switch config if ip access group name Applies the default ACL Step 4 Switch config if ip admission name Configures web based authentication on the specified interface Step 5 Switch config if exit Returns to configuration mode Step 6 Switch config ip device tracking Enables th...

Page 1437: ...ne The RADIUS host entries are chosen in the order that they were configured To configure the RADIUS server parameters perform this task Command Purpose Step 1 Switch config aaa new model Enables AAA functionality Switch config no aaa new model Disables AAA functionality Step 2 Switch config aaa authentication login default group tacacs radius Defines the list of authentication methods at login St...

Page 1438: ...oth the server and the switch and the downloadable ACL DACL Cisco IOS Release 12 2 50 SG supports DACLs For more information see the RADIUS server documentation This example shows how to configure the RADIUS server parameters on a switch Switch config ip radius source interface Vlan80 Switch config radius server host 172 l20 39 46 test username user1 Switch config radius server key rad123 Switch c...

Page 1439: ...s feature specify all four custom HTML files If you specify fewer than four files the internal default HTML pages are used The four custom HTML files must be present on the disk or flash of the switch The maximum size of each HTML file is 8 KB Any images on the custom pages must be located on an accessible HTTP server An intercept ACL must be configured within the admission rule to allow access to...

Page 1440: ...ge file disk1 login htm Switch config ip admission proxy http success page file disk1 success htm Switch config ip admission proxy http fail page file disk1 fail htm Switch config ip admission proxy http login expired page file disk1 expired htm The following example shows how to verify the configuration of custom authentication proxy web pages Switch show ip admission configuration Authentication...

Page 1441: ...rect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Configuring the Web Based Authentication Parameters You can ...

Page 1442: ...n status Switch show authentication sessions This example shows how to view the web based authentication settings for interface Gi 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Command Purpose Switch clear ip auth proxy cache host ip address Deletes authentication proxy entries Use an asterisk to delete all cache entries Enter a specific IP address to delete the entry for...

Page 1443: ...rm or software image information associated with a feature use the Feature Navigator on Cisco com to search for information about the feature or refer to the software release notes for a specific release Wired Guest Access The Wired Guest Access feature enables guest users of an enterprise network that supports both wired and wireless access to connect to the guest access network from a wired Ethe...

Page 1444: ...ort both wired and wireless access need to provide guest services that are consistent across the two access media from a perspective of both client experience and manageability For wireless networks guest traffic from a mobility anchor device is directed typically through a Control And Provisioning of Wireless Access Points CAPWAP tunnel to an array of controllers in the demilitarized zone DMZ whe...

Page 1445: ...tching guest LAN profiles must be configured on foreign and anchor devices Authentication authorization and accounting AAA services are required at the access layer for Layer 2 authentication and optionally to direct the device to open a tunnel for a wired client A DMZ uses AAA for client guest authentication The Mobility Controller Mobility Tunnel Endpoint MC MTE allows the CAPWAP tunnel to the D...

Page 1446: ...figure Wired Guest Access Configuring Guest LAN To configure a guest LAN follow these steps Configuring a CAPWAP Tunnel in a Service Template Perform the following task to configure a Control And Provisioning of Wireless Access Points CAPWAP tunnel in a service template and to activate a tunnel service when Layer 2 authentication failure occurs Command Purpose Step 1 Switch enable Enables privileg...

Page 1447: ...ss should execute the actions in a control policy in the specified order until one of the actions fails and enters control policy map action configuration mode Step 9 Switch config action control policymap action number authenticate using dot1x mab webauth Authenticates a control policy on a subscriber session Step 10 Switch config action control policymap exit Exits control policy map action conf...

Page 1448: ...itch config class control policymap 1 class always Switch config action control policymap 1 authenticate using dot1x Switch config action control policymap exit Switch config class control policymap 1 class DOT1X NO RESP Switch config action control policymap 1 activate service template GUEST TUNNEL Switch config action control policymap end Example Configuring the Mobility Agent The following exa...

Page 1449: ...ber Guest Access interface GigabitEthernet1 2 description Connected_to_MobilityController switchport mode trunk interface Vlan10 description CLIENT VLAN ip address 172 16 10 201 255 255 255 0 ip helper address 172 16 10 200 interface Vlan80 description MANAGEMENT VLAN ip address 10 20 1 1 255 255 255 0 wireless management interface Vlan80 wireless mobility controller ip 10 20 1 2 public ip 10 20 1...

Page 1450: ...s After a successful handoff of the client to the DMZ anchor controller the DHCP IP address assignment client authentication and so on are handled in the DMZ Cisco Wireless LAN Controller WLC After WLC completes the authentication the client is allowed to send and receive traffic interface GigabitEthernet1 1 description Connected_to_MC switchport mode trunk interface Vlan10 description CLIENT VLAN...

Page 1451: ...nd IOS 15 2 5 Ex Chapter 53 Configuring Wired Guest Access Configuration Examples for Wired Guest Access Example Configuring CAPWAP Forwarding Switch enable Switch configure terminal Switch config vlan 1755 Switch config vlan exit Switch config access session tunnel vlan 1775 Switch config end ...

Page 1452: ...53 10 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 53 Configuring Wired Guest Access Configuration Examples for Wired Guest Access ...

Page 1453: ... About Auto Identity page 54 1 How to Configure Auto Identity page 54 5 Configuration Examples for Auto Identity page 54 6 Verifying Auto Identity page 54 7 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Ref...

Page 1454: ...able the feature on interfaces You can configure multiple templates however you must bind multiple templates together using the merge command If you do not bind the templates the last configured template is used While binding templates if the same command is repeated in two templates with different arguments the last configured command is used Note You can also enable user defined templates that a...

Page 1455: ...NITOR_MODE Passively monitors sessions that have authentication in open mode AI_LOW_IMPACT_MODE Similar to monitor mode but with a configured static policy such as a port access control list PACL AI_CLOSED_MODE Secure mode in which data traffic is not allowed into the network until authentication is complete This mode is the default The following commands are inbuilt in the AI_MONITOR_MODE switchp...

Page 1456: ...fies that the nonresponsive host NRH authentication method is enabled AI_WEBAUTH_METHOD Specifies that the web authentication method is enabled AI_WEBAUTH_FAILED Specifies that the web authentication method failed to authenticate AI_WEBAUTH_NO_RESP Specifies that the web authentication client failed to respond AI_DOT1X_METHOD Specifies that the dot1x method is enabled AI_DOT1X_FAILED Specifies tha...

Page 1457: ...page 54 6 Configuring Auto Identity Globally To configure Auto Identity globally perform this task Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config source template AI_GLOBAL_CONFIG_TEMPLATE template name Configures an auto identity template AI_GLOBAL_CON...

Page 1458: ...witch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config interface type number Configures an interface and enters interface configuration mode Step 4 Switch config if source template AI_CLOSED_MODE AI_LOW_IMPACT_MODE AI_MONITOR_MODE template name merge Configures a source template for the interf...

Page 1459: ...chport access vlan 100 Switch config if switchport voice vlan 101 Switch config if end Verifying Auto Identity To verify the Auto Identity configuration use the following commands The following output from the show template interface source built in all command displays all the configured built in interface templates Switch show template interface source built in all Template Name AI_CLOSED_MODE M...

Page 1460: ...e aaa radius server command displays the composite results of all the configuration commands that apply to an interface including commands that come from sources such as static templates dynamic templates dialer interfaces and authentication authorization and accounting AAA per user attributes Switch show derived config include aaa radius server aaa new model aaa authentication dot1x default group...

Page 1461: ... 0xBB00000B Current Policy AI_DOT1X_MAB_POLICIES Local Policies Server Policies Vlan Group Vlan 100 Security Policy Must Not Secure Security Status Link Unsecure Method status list Method State dot1x Authc Success The following output from the show running config interface type number command displays the contents of the current running configuration file or the configuration for an interface Swit...

Page 1462: ...OS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 54 Auto Identity Verifying Auto Identity Device ID Local Intf Hold time Capability Port ID SEPC0255C43BE00 Gi2 0 6 180 B T C0255C43BE00 P1 Total entries displayed 1 ...

Page 1463: ...t Security on Voice Ports page 55 22 Displaying Port Security Settings page 55 27 Configuring Port Security with Other Features Environments page 55 31 Port Security Configuration Guidelines and Restrictions page 55 33 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a comma...

Page 1464: ...ng Defines a private VLAN for the promiscuous ports Configuring Port Security on an Isolated Private VLAN Host Port page 55 14 switchport port security Enables port security Configuring Port Security on Access Ports page 55 7 switchport port security aging static Configures static aging of MAC address Aging Secure MAC Addresses page 55 5 switchport port security aging time Specifies an aging time ...

Page 1465: ...one without putting additional load on the CPU Port security has the following characteristics It allows you to age out secure MAC addresses Two types of aging are supported inactivity and absolute It supports a sticky feature whereby the secure MAC addresses on a port are retained through switch reboots and link flaps It can be configured on various types of ports such as access voice trunk Ether...

Page 1466: ...ty mac address mac_address interface configuration command You can configure all secure MAC addresses on a range of VLANs with the port security mac address VLAN range configuration command for trunk ports You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices You can configure some of the addresses and allow the rest to be dynamically conf...

Page 1467: ...onfigure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration You might want to do this if you do not expect the user to move to another port and you want to avoid statically configuring a MAC address on every port Note If you use a different chassis you might need another MAC address To enable sticky port security enter the ...

Page 1468: ...hich SNMP traps are generated can be controlled by the snmp server enable traps port security trap rate command The default value 0 causes an SNMP trap to be generated for every security violation Shutdown A port security violation causes the interface to shut down immediately You might want to configure this mode in a highly secure environment where you do not want unsecured MAC addresses to be d...

Page 1469: ...ember ports Configuring Port Security on Access Ports To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to the port perform this task Command Purpose Step 1 Switch config interface interface_id interface port channel port_channel_number Enters interface configuration mode and specifies the interface to configure Note The interface can be a Layer 2...

Page 1470: ...e this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a port The static keyword enables aging for statically configured secure addresses on this port The time aging_time value specifies the aging time for this port Valid range for aging_time is from 0 to 1440 minutes If the time is eq...

Page 1471: ...ommands To return the violation mode to the default condition shutdown mode use the no switchport port security violation shutdown command Step 8 Switch config if switchport port security limit rate invalid source mac packets_per_sec Sets the rate limit for bad packets Default is 10 pps Step 9 Switch config if no switchport port security mac address mac_address Optional Enters a secure MAC address...

Page 1472: ...ecure MAC Address page 55 12 Example 6 Configuring Sticky Port Security page 55 13 Example 7 Setting a Rate Limit for Bad Packets page 55 13 Example 8 Clearing Dynamic Secure MAC Addresses page 55 14 Step 11 Switch config if no switchport port security mac address mac_address sticky vlan voice access Specifies the sticky mac address for the interface When you specify the vlan keyword the mac addre...

Page 1473: ...l MAC Addresses 0 Configured MAC Addresses 0 Sticky MAC Addresses 0 Last Source Address Vlan 0000 0000 0000 0 Security Violation Count 0 Example 2 Setting a Violation Mode This example shows how to set the violation mode on the Fast Ethernet interface 3 12 to restrict Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface fastethernet 3 12 Switc...

Page 1474: ...up Violation Mode Shutdown Aging Time 0 mins Aging Type Inactivity SecureStatic Address Aging Disabled Maximum MAC Addresses 1 Total MAC Addresses 0 Configured MAC Addresses 0 Sticky MAC Addresses 0 Last Source Address Vlan 0000 0000 0000 0 Security Violation Count 0 Example 5 Configuring a Secure MAC Address This example shows how to configure a secure MAC address on Fast Ethernet interface 5 1 a...

Page 1475: ...ining Age mins 1 0000 0000 0001 SecureSticky Fa5 1 1 0000 0000 0002 SecureSticky Fa5 1 1 0000 0000 0003 SecureSticky Fa5 1 Total Addresses in System excluding one mac per port 2 Max Addresses limit in System excluding one mac per port 3072 Switch show running config interface fastEthernet 5 1 Building configuration Current configuration 344 bytes interface FastEthernet5 1 switchport mode access sw...

Page 1476: ...C addresses in the system Switch clear port security dynamic Configuring Port Security on PVLAN Ports You can configure port security on a private VLAN port to take advantage of private VLAN functionality as well as to limit the number of MAC addresses Note This section follows the same configuration model that was presented for access ports These sections describe how to configure trunk port secu...

Page 1477: ...on mode Step 5 Switch config vlan pri_vlan_id Specifies a primary VLAN Step 6 Switch config vlan private vlan primary Specifies the VLAN as the primary private VLAN Step 7 Switch config vlan private vlan association add sec_vlan_id Creates an association between a secondary VLAN and a primary VLAN Step 8 Switch config vlan exit Returns to global configuration mode Step 9 Switch config interface in...

Page 1478: ...al Enters global configuration mode Step 2 Switch config vlan sec_vlan_id Specifies the VLAN Step 3 Switch config vlan private vlan isolated Sets the private VLAN mode to isolated Step 4 Switch config vlan exit Returns to global configuration mode Step 5 Switch config vlan pri_vlan_id Specifies the VLAN Step 6 Switch config vlan private vlan primary Designates the VLAN as the primary private VLAN ...

Page 1479: ...re port security on trunk ports in metro aggregation to limit the number of MAC addresses per VLAN Trunk port security extends port security to trunk ports It restricts the allowed MAC addresses or the maximum number of MAC addresses to individual VLANs on a trunk port Trunk port security enables service providers to block the access from a station with a different MAC address than the ones specif...

Page 1480: ...urity related parameters on a per VLAN per port basis perform this task SVI 2 SV1 3 5 4 5 3 5 2 5 1 Metro Layer 2 switch Access port in VLAN 2 Access port in VLAN 3 ISL or dot1q trunk gi1 1 130601 Logical representation of switch Command Purpose Step 1 Switch config interface interface_id interface port channel port_channel_number Enters interface configuration mode and specifies the interface to ...

Page 1481: ...n gi1 1 vlan Default maximum 3 VLAN Maximum Current 1 3 0 2 3 0 3 3 0 4 3 0 Step 4 Switch config if switchport port security maximum value vlan Configures a maximum number of secure mac addresses for each VLAN on the interface that are not explicitly configured with a maximum mac address limit See the Maximum Number of Secure MAC Addresses section on page 55 4 Step 5 Switch config if vlan range ra...

Page 1482: ...itch config if sw mode trunk Switch config if switchport port security Switch config if vlan range 2 6 Switch config if vlan range port security maximum 3 Switch config if exit Switch show port security interface g1 1 vlan Default maximum not set using 3072 VLAN Maximum Current 2 3 0 3 3 0 4 3 0 5 3 0 6 3 0 Switch Example 3 Configuring Secure MAC Addresses in a VLAN Range This example shows how to...

Page 1483: ...d on this VLAN is limited to the maximum value configured on the port Each VLAN can be configured with a maximum count that is greater than the value configured on the port Also the sum of the maximum configured values for all the VLANs can exceed the maximum configured for the port In either of these situations the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN ...

Page 1484: ...a port is changed from trunk to private VLAN trunk addresses associated with a VLAN on the trunk are retained if that VLAN is present in the allowed list of private VLAN trunk or the secondary VLAN of an association on the private VLAN trunk If the VLAN is not present in either of them the address is removed from the running configuration When a port is changed from private VLAN trunk to trunk a s...

Page 1485: ...curity command Step 4 Switch config if no switchport port security violation restrict shutdown Optional Sets the violation mode the action to be taken when a security violation is detected as one of these restrict A port security violation restricts data and causes the SecurityViolation counter to increment and send an SNMP trap notification shutdown The interface is error disabled when a security...

Page 1486: ...Port Security on Trunk Ports section on page 55 17 Step 7 Switch config if no switchport port security mac address sticky Optional Enables sticky learning on the interface To disable sticky learning on an interface use the no switchport port security mac address sticky command The interface converts the sticky secure MAC addresses to dynamic secure addresses Step 8 Switch config if no switchport p...

Page 1487: ... Maximum MAC Addresses for Voice and Data VLANs page 55 25 Example 2 Configuring Sticky MAC Addresses for Voice and Data VLANs page 55 26 Example 1 Configuring Maximum MAC Addresses for Voice and Data VLANs This example shows how to designate a maximum of one MAC address for a voice VLAN for a Cisco IP Phone let s say and one MAC address for the data VLAN for a PC let s say on Fast Ethernet interf...

Page 1488: ...urity mac address sticky 0000 0000 0004 vlan voice end Switch Example 2 Configuring Sticky MAC Addresses for Voice and Data VLANs This example shows how to configure sticky MAC addresses for voice and data VLANs on Fast Ethernet interface 5 1 and to verify the configuration Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface fa5 1 Switch conf...

Page 1489: ...ac address sticky 0000 0000 0b0b vlan voice end Switch Voice Port Security Configuration Guidelines and Restrictions Note Port security as implemented on voice ports functions the same as port security on access ports When using or configuring voice port security consider these guidelines and restrictions You can configure sticky port security on voice ports If sticky port security is enabled on a...

Page 1490: ...Restrict Fa3 3 2 2 0 Shutdown Fa3 4 2 2 0 Shutdown Fa3 5 2 2 0 Shutdown Command Purpose Switch show interface status err disable Displays interfaces that have been error disabled along with the cause for which they were disabled Switch show port security interface interface_id interface port_channel port_channel_number Displays port security settings for the switch or for the specified interface i...

Page 1491: ...Violation Mode Shutdown Aging Time 0 mins Aging Type Absolute SecureStatic Address Aging Disabled Maximum MAC Addresses 1 Total MAC Addresses 1 Configured MAC Addresses 0 Sticky MAC Addresses 1 Last Source Address Vlan 0000 0001 001a 1 Security Violation Count 0 Example 3 Displaying All Secure Addresses for the Entire Switch This example shows how to display all secure MAC addresses configured on ...

Page 1492: ... for a VLAN Range This example shows how to display the port security settings on Gigabit Ethernet interface 1 1 for VLANs 2 and 3 Switch show port security interface g1 1 vlan 2 3 Default maximum 22 VLAN Maximum Current 2 22 3 3 22 3 Example 6 Displaying Secured MAC Addresses and Aging Information on an Interface This example shows how to display all secure MAC addresses configured on Gigabit Eth...

Page 1493: ...1 802 1X Authentication page 55 32 Configuring Port Security in a Wireless Environment page 55 32 DHCP and IP Source Guard You might want to configure port security with DHCP and IP Source Guard to prevent IP spoofing by unsecured MAC addresses IP Source Guard supports two levels of IP traffic filtering Source IP address filtering Source IP and MAC address filtering When used in source IP and MAC ...

Page 1494: ...rt security must approve of the host or a security violation will be triggered The type of security violation will depend on which feature rejects the port if the host is allowed by 802 1X for example because the port is in multihost mode but is disallowed by port security the port security violation action will be triggered If the host is allowed by port security but rejected by 802 1X for exampl...

Page 1495: ...rface are mutually exclusive When you enter a maximum secure address value for an interface and the new value is greater than the previous value the new value overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected While configuring trunk port security on...

Page 1496: ...5 34 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 55 Configuring Port Security Port Security Configuration Guidelines and Restrictions ...

Page 1497: ... IOS Master Command List All Releases About Auto Security Prior to Release IOS XE 3 6 0E and IOS 15 2 2 E the Catalyst 4500 series switch offered IPv4 baseline security features like Port Security which must be enabled globally and on per port basis Moreover the baseline security feature CLIs for uplink ports differ from those for downlink CLIs Beginning with Release IOS XE 3 6 0E and IOS 15 2 2 E...

Page 1498: ...uto security globally Switch config auto security Switch show running config i security auto security Relevant baseline security feature CLI as shown in the output of the show auto security command is applied on or removed from access and trunk ports Disabling auto security globally To disable auto security globally perform this task Command Purpose Step 1 Switch configure terminal Enters global c...

Page 1499: ...itch config int g1 0 15 Switch config if switchport mode trunk Switch config if auto security port uplink Switch config if end Use the show auto security and show running config commands confirm the prior configuration Switch show auto security Auto Security is Enabled globally AutoSecure is Enabled on below interface s GigabitEthernet1 0 2 GigabitEthernet1 0 3 GigabitEthernet1 0 15 Switch show ru...

Page 1500: ...lding configuration Current configuration 165 bytes interface GigabitEthernet1 0 18 switchport access vlan 20 switchport mode access switchport voice vlan 40 auto security port host spanning tree portfast Disabling Auto Security Feature for Access End Hosts or Uplink Ports Use the no auto security port command to disable auto security on a port This example shows how to disable auto security Switc...

Page 1501: ...nabled globally AutoSecurity is Enabled on below interface s GigabitEthernet2 0 2 GigabitEthernet2 0 3 GigabitEthernet2 0 4 GigabitEthernet2 0 5 GigabitEthernet2 0 6 GigabitEthernet2 0 7 GigabitEthernet2 0 8 GigabitEthernet2 0 9 This example shows the output of the show auto security configuration command when AS is enabled Switch show auto security configuration AutoSecurity provides a single CLI...

Page 1502: ...o security Auto Security is Disabled globally AutoSecure is Enabled on below interface s none Switch Guidelines and Restrictions The auto security command has no parameters Base line security CLIs like port security are not individually nvgen d on interfaces that have auto security port configured This allows you to maintain consistency over reboots After auto security port is enabled on a port yo...

Page 1503: ...nks Enabling auto security should elicit system confirmation because the current baseline security configuration will be removed as the auto security configuration is applied When auto security is globally enabled existing configurations related to DAI DHCP and PSEC are removed and security violation may be triggered on the auto security enabled port when incoming MACs exceed the limit When we iss...

Page 1504: ...56 8 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 56 Configuring Auto Security Guidelines and Restrictions ...

Page 1505: ...ation and procedures in Chapter 62 Configuring Network Security with ACLs This information also supplements the network security information and procedures in these publications Cisco IOS Security Configuration Guide Cisco IOS Release 12 4 at this URL http www cisco com en US docs ios security configuration guide 12_4 sec_12_4_book html Cisco IOS Security Command Reference Cisco IOS Release 12 4 a...

Page 1506: ...upported only in Supervisor 8 E wireless related CoPP will work only on Supervisor 8 E in wireless mode The control plane policing CoPP feature increases security on the Catalyst 4500 series switch by protecting the CPU from unnecessary or DoS traffic and giving priority to important control plane and management traffic The classification TCAM and QoS policers provide CoPP hardware support Traffic...

Page 1507: ...stem cpp to create system cpp policy and system cpp wireless policy policy maps The system cpp policy policy map contains the predefined class maps for the control plane traffic The names of all system defined CoPP class maps and their matching ACLs contain the prefix system cpp By default no action is specified for each traffic class You can define your own class maps matching CPU bound data plan...

Page 1508: ... performed in software learning control packets source MAC addresses for example IEEE BPDU CDP SSTP BPDU GARP is not allowed After you configure port security on a port where you expect a high rate of potentially unanticipated control packets the system generates a copy of the packet to the CPU until the source address is learned instead of forwarding it The current architecture of the Catalyst 45...

Page 1509: ...plane Step 4 Switch config policy map system cpp policy Switch config pmap class system cpp dot1x system cpp bpdu range system cpp cdp service system cpp sstp system cpp cgmp system cpp ospf system cpp igmp system cpp pim system cpp all systems on subnet system cpp all routers on subnet system cpp ripv2 system cpp hsrpv2 system cpp ip mcast linklocal system cpp dhcp cs system cpp dhcp sc system cp...

Page 1510: ...ystem cpp Switch config policy map system cpp wireless policy Switch config pmap class system cpp capwap keepalive Switch config pmap c police 32000 1000 conform action transmit exceed action drop Switch config pmap c end Switch show policy map system cpp wireless policy Policy Map system cpp policy Class system cpp arp Class system cpp capwap ctrl Class system cpp capwap keepalive police 32000 bp...

Page 1511: ...ess Point LSAP type code for 802 encapsulated packets or a SNAP type code for SNAP encapsulated packets LSAP sometimes called SAP refers to the type codes found in the DSAP and SSAP fields of the 802 header wild mask 16 bit hexadecimal number whose ones bits correspond to bits in the type code argument The wild mask indicates which bits in the type code argument should be ignored when making a com...

Page 1512: ...onfig class map telnet class Switch config cmap match access group 140 Switch config cmap exit Add the class map telnet class to system cpp policy and define the proper action Switch config policy map system cpp policy Switch config pmap class telnet class Switch config pmap c police 80000 1000 conform transmit exceed drop Switch config pmap c exit Switch config pmap exit Verify the above configur...

Page 1513: ...stem cpp policy policy map for CoPP The default system cpp policy policy map does not define actions for the system defined class maps no policing The only action supported in system cpp policy is police You can use both MAC and IP ACLs to define data plane and management plane traffic classes However if a packet also matches a predefined ACL for the control plane traffic a police or no police act...

Page 1514: ...r of bytes and packets that conformed or exceeded the configured policies both in hardware and in software The output of the show policy map control plane command is similar to the following Switch show policy map control plane Control Plane Service policy input system cpp policy Class map system cpp dot1x match all 0 packets Match access group name system cpp dot1x Class map system cpp bpdu range...

Page 1515: ...s Match access group name system cpp dhcp sc Class map system cpp dhcp ss match all 0 packets Match access group name system cpp dhcp ss Class map telnet class match all 92 packets Match access group 140 police cir 32000 bps bc 1500 bytes conformed 5932 bytes actions transmit exceeded 0 bytes actions drop conformed 0000 bps exceed 0000 bps Class map class default match any 0 packets Match any 0 pa...

Page 1516: ...access list enter the show access lists system cpp cdp command Switch show access list system cpp cdp Extended MAC access list system cpp cdp permit any host 0100 0ccc cccc Switch Monitoring Wireless CoPP You can enter the show policy map control plane wireless command to develop site specific policies to monitor statistics for the wireless control plane policy and to troubleshoot wireless CoPP Th...

Page 1517: ...ransmit exceeded 0 bytes actions drop conformed 0000 bps exceeded 0000 bps Class map system cpp dhcp match any 0 packets Match access group name system cpp dhcp cs 0 packets 0 bytes 5 minute rate 0 bps Match access group name system cpp dhcp sc 0 packets 0 bytes 5 minute rate 0 bps Match access group name system cpp dhcp ss 0 packets 0 bytes 5 minute rate 0 bps police cir 64000 bps bc 2000 bytes c...

Page 1518: ...mit exceeded 0 bytes actions drop conformed 0000 bps exceeded 0000 bps Class map system cpp dot11 iapp match all 0 packets Match protocol dot11 iapp police cir 64000 bps bc 2000 bytes conformed 0 bytes actions transmit exceeded 0 bytes actions drop conformed 0000 bps exceeded 0000 bps Class map system cpp dot11 mgmt match all 0 packets Match protocol dot11 mgmt police cir 64000 bps bc 2000 bytes c...

Page 1519: ...revents users from inadvertently policing or dropping critical Layer 2 control packets While this approach protects a user who is wrongly policing control packets it introduces a more serious problem If a flood of Layer 2 control packets is received on any of the switch interfaces at a very high rate due to a DoS attack or to a loop introduced in the customer network because of misconfiguration CP...

Page 1520: ...ig pmap class system control packet cdp vtp Switch config pmap c police 32k Switch config pmap c end Switch config interface gi3 1 Switch config if vlan 1 Switch config if vlan range service policy in police_cdp Switch config if vlan range exit Switch config if exit Switch config exit Switch show policy map interface gi3 1 GigabitEthernet3 1 vlan 1 Service policy input police_cdp Class map system ...

Page 1521: ...cdp vtp Switch config end Switch show running configuration include qos control packets qos control packets bpdu range qos control packets lldp qos control packets sstp qos control packets protocol tunnel Note When you unconfigure this feature for a specified protocol type the user configured policies handling that protocol type immediately become ineffective To save TCAM resources remove the poli...

Page 1522: ...interface gi3 1 Switch config if vlan range 1 Switch config if vlan range service policy in police_bpdu_1 Switch config if vlan range exit Switch config if interface gi3 2 Switch config if vlan range 2 Switch config if vlan range service policy in police_bpdu_1 Switch config if vlan range exit Configuring Control Plane Policy CDP VTP mac access list extended system control packet cdp vtp permit an...

Page 1523: ... perform the configured QoS action For example the following are valid user defined class map names to police Layer 2 control packets because they begin with the prefix system control packet system control packet bpdu1 system control packet control packet No such restrictions exist on the names you can use for user defined MACLs access groups The following example shows how to create user defined ...

Page 1524: ... initial 802 1X authentication phase completes Policing IPv6 Control Traffic On Catalyst 4900M Catalyst 4948E Supervisor Engine 6 E and Supervisor Engine 6L E IPv6 control packets such as OSPF PIM and MLD can be policed on a physical port VLAN or control plane by configuring IPv6 ACLs to classify such traffic and then applying a QoS policy to police such traffic The following examples show how to ...

Page 1525: ...Switch config pmap c police 32k Switch config pmap c class pimv6Class Switch config pmap c police 32k Switch config pmap c police exit Switch config pmap c exit Switch config pmap exit Switch config exit Switch show policy map Policy Map v6_control_packet_policy Class mldClass police cir 32000 bc 1500 conform action transmit exceed action drop Class ospfv6Class police cir 32000 bc 1500 conform act...

Page 1526: ...talyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 57 Configuring Control Plane Policing and Layer 2 Control Packet QoS Policing IPv6 Control Traffic ...

Page 1527: ...st 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Dynamic ARP Inspection Dynamic ARP Inspection DAI is a security feature that validates Address Resolution Protocol ARP packets in a network DAI allows a network administrator to intercept log and discard ARP packets with invalid MAC IP pairs This capability protects the network from ce...

Page 1528: ...dress of MC Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB This means that HC intercepts that traffic Because HC knows the true MAC addresses associated with IA and IB HC can forward the intercepted traffic to those hosts using the correct MAC address as the destination HC has inserted itself into the traffic stream from HA to...

Page 1529: ...dress of H1 If the interface between S1 and S2 is untrusted the ARP packets from H1 get dropped on S2 This condition would result in a loss of connectivity between H1 and H2 Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network If S1 were not running DAI then H1 can easily poison the ARP of S2 and H2 if the inter switch link is configured as tr...

Page 1530: ... limited to prevent a denial of service attack By default the rate for untrusted interfaces is set to 15 pps second but trusted interfaces have no rate limit When the rate of incoming ARP packets exceeds the configured limit the port is placed in the error disable state The port remains in that state until an administrator intervenes With the errdisable recovery global configuration command you ca...

Page 1531: ...the sum of rates across all physical ports When you configure rate limits for ARP packets on trunks you must account for VLAN aggregation because a high rate limit on one VLAN can cause a denial of service attack to other VLANs when the port is error disabled by software Similarly when a port channel is error disabled a high rate limit on one physical port can cause other ports in the channel to g...

Page 1532: ...iguring ARP ACLs for Non DHCP Environments section on page 58 11 To configure DAI perform this task on both switches DHCP server Switch A Switch B Host 1 Host 2 Port 1 Port 3 111751 Command Purpose Step 1 Switch show cdp neighbors Verifies the connection between the switches Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config no ip arp inspection vlan vlan range ...

Page 1533: ... state use the no ip arp inspection trust interface configuration command By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the trusted interface It forwards the packets For untrusted interfaces the switch intercepts all ARP requests and responses It verifies that the intercepted packets have valid IP to MAC address bindings bef...

Page 1534: ...Gi3 22 Untrusted 15 1 Gi3 23 Untrusted 15 1 Gi3 24 Untrusted 15 1 Gi3 25 Untrusted 15 1 Gi3 26 Untrusted 15 1 Gi3 27 Untrusted 15 1 Gi3 28 Untrusted 15 1 Gi3 29 Untrusted 15 1 Gi3 30 Untrusted 15 1 Gi3 31 Untrusted 15 1 Gi3 32 Untrusted 15 1 Gi3 33 Untrusted 15 1 Gi3 34 Untrusted 15 1 Gi3 35 Untrusted 15 1 Gi3 36 Untrusted 15 1 Gi3 37 Untrusted 15 1 Gi3 38 Untrusted 15 1 Gi3 39 Untrusted 15 1 Gi3 ...

Page 1535: ...dge S Switch H Host I IGMP r Repeater P Phone Device ID Local Intrfce Holdtme Capability Platform Port ID SwitchA Gig 3 46 163 R S I WS C4507R Gig 3 48 SwitchB SwitchB configure terminal Enter configuration commands one per line End with CNTL Z SwitchB config ip arp inspection vlan 100 SwitchB config interface g3 46 SwitchB config if ip arp inspection trust SwitchB config if end SwitchB SwitchB sh...

Page 1536: ... Untrusted 15 1 Gi3 42 Untrusted 15 1 Gi3 43 Untrusted 15 1 Gi3 44 Untrusted 15 1 Gi3 45 Untrusted 15 1 Gi3 46 Trusted None N A Gi3 47 Untrusted 15 1 Gi3 48 Untrusted 15 1 SwitchB show ip arp inspection vlan 100 Source Mac Validation Disabled Destination Mac Validation Disabled IP Address Validation Disabled Vlan Configuration Operation ACL Match Static ACL 100 Enabled Active Vlan ACL Logging DHCP...

Page 1537: ...se a router to route packets between them To configure an ARP ACL on switch A in a non DHCP environment perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config arp access list acl name Defines an ARP ACL and enter ARP access list configuration mode By default no ARP access lists are defined Note At the end of the ARP access list ther...

Page 1538: ...nly IP to MAC address bindings are compared against the ACL Packets are permitted only if the access list permits them Step 6 Switch config interface interface id Specifies the Switch A interface that is connected to Switch B and enter interface configuration mode Step 7 Switch config if no ip arp inspection trust Configures the Switch A interface that is connected to Switch B as untrusted By defa...

Page 1539: ...tB vlan 100 static SwitchA config interface g3 48 SwitchA config if no ip arp inspection trust SwitchA config if end SwitchA show arp access list hostB ARP access list hostB permit ip host 170 1 1 2 mac host 0002 0002 0002 log SwitchA show ip arp inspection interfaces Interface Trust State Rate pps Burst Interval Gi1 1 Untrusted 15 1 Gi1 2 Untrusted 15 1 Gi3 1 Untrusted 15 1 Gi3 2 Untrusted 15 1 G...

Page 1540: ...id Protocol Data 100 0 0 0 SwitchA Configuring the Log Buffer When the switch drops a packet it places an entry in the log buffer and then generates system messages on a rate controlled basis After the message is generated the switch clears the entry from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and t...

Page 1541: ...empty An interval setting of 0 overrides a log setting of 0 The logs and interval settings interact If the logs number X is greater than interval seconds Y X divided by Y X Y system messages are sent every second Otherwise one system message is sent every Y divided by X Y X seconds Step 3 Switch config no ip arp inspection vlan vlan range logging acl match matchlog none dhcp bindings all none perm...

Page 1542: ...ms DAI validation checks therefore the number of incoming ARP packets is rate limited to prevent a denial of service attack Note Unless you explicitly configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state ...

Page 1543: ...terface to be rate limited and enters interface configuration mode Step 4 Switch config if no ip arp inspection limit rate pps burst interval second none Limits the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an...

Page 1544: ...15 1 Gi3 17 Untrusted 15 1 Gi3 18 Untrusted 15 1 Gi3 19 Untrusted 15 1 Gi3 20 Untrusted 15 1 Gi3 21 Untrusted 15 1 Gi3 22 Untrusted 15 1 Gi3 23 Untrusted 15 1 Gi3 24 Untrusted 15 1 Gi3 25 Untrusted 15 1 Gi3 26 Untrusted 15 1 Gi3 27 Untrusted 15 1 Gi3 28 Untrusted 15 1 Gi3 29 Untrusted 15 1 Gi3 30 Untrusted 15 1 Gi3 31 Untrusted 100 1 Gi3 32 Untrusted 15 1 Gi3 33 Untrusted 15 1 Gi3 34 Untrusted 15 ...

Page 1545: ...E arp inspection error detected on Gi3 31 putting Gi3 31 in err disable state SwitchB show clock 02 21 43 556 UTC Fri Feb 4 2005 SwitchB SwitchB show interface g3 31 status Port Name Status Vlan Duplex Speed Type Gi3 31 err disabled 100 auto auto 10 100 1000 TX SwitchB SwitchB 1w2d PM 4 ERR_RECOVER Attempting to recover from arp inspection err disable state on Gi3 31 SwitchB show interface g3 31 s...

Page 1546: ...fic check on incoming ARP packets By default no additional checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped For dst mac check the des...

Page 1547: ...iguring Dynamic ARP Inspection Configuring Dynamic ARP Inspection Vlan Configuration Operation ACL Match Static ACL 100 Enabled Active Vlan ACL Logging DHCP Logging 100 Deny Deny SwitchB 1w2d SW_DAI 4 INVALID_ARP 9 Invalid ARPs Req on Gi3 31 vlan 100 0002 0002 0002 170 1 1 2 0001 0001 0001 170 1 1 1 02 30 24 UTC Fri Feb 4 2005 ...

Page 1548: ...58 22 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 58 Configuring Dynamic ARP Inspection Configuring Dynamic ARP Inspection ...

Page 1549: ...isco IOS DHCP Server page 59 24 Finding Feature Information Your software release may not support all the features documented in this module For the latest feature information and caveats see the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the Feature I...

Page 1550: ...tained Through DHCP page 59 9 Overview of the DHCP Server The Cisco DHCP server accepts address assignment requests and renewals from the client and assigns the addresses from predefined groups of addresses within DHCP address pools These address pools can also be configured to supply additional information to the requesting client such as the IP address of the Domain Name System DNS server the de...

Page 1551: ...tch can differentiate the VLAN that a particular DHCP Discover message belongs to possibly through Layer 2 encapsulation Each VLAN has its own subnet and all DHCP messages from the same VLAN same switch have the giaddr field set to the same value indicating the subnet of the VLAN Problems can occur while allocating IP addresses to DHCP clients that are connected to different ports of the same VLAN...

Page 1552: ... end of a hexadecimal string specified by the relay information hex command If the relay agent inserts option 82 but does not set the giaddr field in the DHCP packet the DHCP server interface must be configured as a trusted interface by using the ip dhcp relay information trusted command This configuration prevents the server from dropping the DHCP message Disabling Conflict Logging A DHCP databas...

Page 1553: ...ssible allocation only after the subnet associated with the primary IP address on the interface is exhausted Cisco DHCP server software supports advanced capabilities for IP address allocation See the Configuring DHCP Address Allocation Using Option 82 section for more information DHCP Address Pool with Secondary Subnets Each subnet is a range of IP addresses that the device uses to allocate an IP...

Page 1554: ...ped to MAC addresses of hosts that are found in the DHCP database Because the bindings are stored in the volatile memory of the DHCP server binding information is lost in the event of power failures or on device reloads To prevent the loss of automatic binding information a copy of the automatic binding information is stored on a remote host called the DHCP database agent The bindings are periodic...

Page 1555: ... bindings can be read from a separate static mapping text file The static mapping text files are read when a device reloads or the DHCP service restarts These files are read only The read static bindings are treated just like the manual bindings in that they are Retained across DHCPRELEASEs from the clients Not timed out Deleted only upon deletion of the pool Provided appropriate exclusions for th...

Page 1556: ...ss Specifies the static IP address If the subnet mask is not specified a mask is automatically assigned depending on the IP address The IP address and the mask is separated by a space Type Specifies the hardware type For example type 1 indicates Ethernet The type id indicates that the field is a DHCP client identifier Legal values can be found online at http www iana org assignments arp parame ter...

Page 1557: ...HCP lease expires and then the routes are removed When a DHCP client releases an address the corresponding static route the route configured using the ip route command is automatically removed from the routing table If the DHCP router option option 3 of the DHCP packet changes during the client renewal the DHCP default gateway changes to the new IP address supplied after the renewal This feature i...

Page 1558: ...for a configuration example Configuring DHCP Address Pools Configuring a DHCP Address Pool page 59 11 Configuring a DHCP Address Pool with Secondary Subnets page 59 13 Troubleshooting Tips page 59 15 Verifying the DHCP Address Pool Configuration page 59 16 Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal En...

Page 1559: ...dings section Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configure terminal Enters global configuration mode Step 3 Switch config ip dhcp pool name Assigns a name to a DHCP pool and enters DHCP configuration mode Step 4 Switch dhcp config utilization mark high percentage number log Optional Configures the high utilizati...

Page 1560: ...fied by the ip helper address command as the boot server Step 11 Switch dhcp config netbios name server address address2 address8 Optional Specifies the NetBIOS WINS server that is available to a Microsoft DHCP client One address is required however you can specify up to eight addresses in one command line Servers should be listed in order of preference Step 12 Switch dhcp config netbios node type...

Page 1561: ...ol size The log keyword enables the logging of a system message A system message will be generated for a DHCP pool when the pool utilization exceeds the configured high utilization threshold Step 5 Switch dhcp config utilization mark low percentage number log Optional Configures the low utilization mark of the current address pool size The log keyword enables the logging of a system message A syst...

Page 1562: ...cp config netbios node type type Optional Specifies the NetBIOS node type for a Microsoft DHCP client Step 13 Switch dhcp config default router address address2 address8 Optional Specifies the IP address of the default device for a DHCP client The IP address should be on the same subnet as the client One IP address is required however you can specify up to eight IP addresses in one command line Th...

Page 1563: ...bnet secondary prompt In this mode the administrator can configure a default device list that is specific to the subnet See Troubleshooting Tips section if you are using secondary IP addresses under a loopback interface with DHCP secondary subnets Step 17 Switch config dhcp subnet secondary override default router address address2 address8 Optional Specifies the default device list that is used wh...

Page 1564: ...ss 172 16 4 1 255 255 255 255 secondary Verifying the DHCP Address Pool Configuration Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch show ip dhcp pool name Optional Displays information about DHCP address pools Step 3 Switch config show ip dhcp binding address Optional Displays a list of all bindings created on a specific D...

Page 1565: ...an specify the unique identifier for the client in either of the following ways A 7 byte dotted hexadecimal notation For example 01b7 0813 8811 66 where 01 represents the Ethernet media type and the remaining bytes represent the MAC address of the DHCP client A 27 byte dotted hexadecimal notation For example 7665 6e64 6f72 2d30 3032 342e 3937 6230 2e33 3734 312d 4661 302f 31 The equivalent ASCII s...

Page 1566: ...E is received or must not be timed out by the DHCP timer The static bindings should be created by using the ip dhcp pool command Step 7 Switch dhcp config client name name Optional Specifies the name of the client using any standard ASCII character The client name should not include the domain name For example the name client1 should not be specified as client1 cisco com Step 8 Switch dhcp config ...

Page 1567: ...HCP Server Options from a Central DHCP Server page 59 19 Step 5 Switch dhcp config end Exits DHCP configuration mode and returns to privileged EXEC mode Step 6 Switch show ip dhcp binding address Optional Displays a list of all bindings created on a specific DHCP server Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode Enter your password if prompted Step 2 Switch configu...

Page 1568: ...al Specifies the IP address of a DNS server that is available to a DHCP client One IP address is required however you can specify up to eight IP addresses in one command line Servers should be listed in the order of preference Step 6 Switch dhcp config end Exits DHCP configuration mode and returns to privileged EXEC mode Command or Action Purpose Step 1 Switch enable Enables privileged EXEC mode E...

Page 1569: ...efore You Begin You must know the hexadecimal value of each byte location in option 82 to configure the relay information hex command The option 82 format may vary from product to product Contact the relay agent vendor for this information Perform this task to define the DHCP class and relay agent information patterns Step 9 Switch config if end Exits interface configuration mode and returns to pr...

Page 1570: ...Specifies a hexadecimal value for full relay information option The pattern argument creates a pattern that is used to match the DHCP class If you omit this step no pattern is configured and it is considered a match to any relay agent information option value but the relay information option must be available in the DHCP packet You can configure multiple relay information hex commands in a DHCP cl...

Page 1571: ...P server address pool If this command is not configured for a class the default value is the entire subnet of the pool Each class in the DHCP pool is examined for a match in the order configured Step 7 Repeat Steps 5 and 6 for each DHCP class you need to associate with the DHCP pool Step 8 Switch dhcp pool class end Exits DHCP pool class option mode and returns to privileged EXEC mode Step 1 Switc...

Page 1572: ...e file transfer protocol is FTP The server waits for 2 minutes 120 seconds before performing database changes Switch enable Switch configure terminal Switch config ip dhcp database ftp user password 172 16 4 253 router dhcp write delay 120 Switch config exit Example Excluding IP Addresses In the following example server A and server B service the subnet 10 0 20 0 24 If the subnet is split equally ...

Page 1573: ... leases and all addresses in each subnetwork except the excluded addresses are available to the DHCP server for assigning to clients The table below lists the IP addresses for the devices in three DHCP address pools Table 59 2 DHCP Address Pool Configuration Switch config ip dhcp database ftp user password 172 16 4 253 router dhcp write delay 120 Switch config ip dhcp excluded address 172 16 1 100...

Page 1574: ...ary subnet are exhausted the DHCP server inspects the secondary subnets in the order in which the subnets were added to the pool When the DHCP server allocates an IP address from the secondary subnet 172 16 1 0 24 the server uses the subnet specific default device list that consists of IP addresses 172 16 1 100 and 172 16 1 101 However when the DHCP server allocates an IP address from the subnet 1...

Page 1575: ...dress of the client is 02c7 f800 0422 and the IP address of the client is 172 16 2 254 Switch config ip dhcp pool pool1 Switch dhcp config host 172 16 2 254 Switch dhcp config client identifier 01b7 0813 8811 66 Switch dhcp config client name example1 The following example shows how to create a manual binding for a client named example2 abc com that does not send a client identifier in the DHCP pa...

Page 1576: ...6973 636f 2d30 Infinite Static 3036 302e 3437 3165 2e64 6462 342d The following sample output displays each entry in the static mapping text file time Jan 21 2005 22 52 PM IP address Type Hardware address Lease expiration 10 19 9 1 24 id 0063 6973 636f 2d30 3036 302e 3437 10 9 9 4 id 0063 7363 2d30 3036 302e 3762 2e39 3634 632d Infinite end The following sample debug output shows the reading of th...

Page 1577: ...ch config end Example Configuring the Option to Ignore all BOOTP Requests The following example shows two DHCP pools that are configured on the device and that the device s DHCP server is configured to ignore all received BOOTP requests If a BOOTP request is received from subnet 10 0 18 0 24 the request will be dropped by the device because the ip helper address command is not configured If there ...

Page 1578: ...ral DHCP Server Example Importing DHCP Options page 59 30 Example Configuring the Remote Device to Import DHCP Options page 59 31 Example Importing DHCP Options The following example shows how to configure a remote and central server to support the importing of DHCP options The central server is configured to automatically update DHCP options such as DNS and WINS addresses within the DHCP pools In...

Page 1579: ...Option 82 This example shows how to configure two DHCP classes CLASS1 defines the group of DHCP clients whose address requests contain the relay agent information option with the specified hexadecimal values CLASS2 defines the group of DHCP clients whose address requests contain the configured relay agent information suboptions CLASS3 has no pattern configured and is treated as a match to any clas...

Page 1580: ...050000000000 bitmask 0000000000000000000000FF ip dhcp class CLASS2 relay agent information relay information hex 01040102030402020102 relay information hex 01040101030402020102 ip dhcp class CLASS3 relay agent information Associates the DHCP pool with DHCP classes ip dhcp pool ABC network 10 0 20 0 255 255 255 0 class CLASS1 address range 10 0 20 1 10 0 20 100 class CLASS2 address range 10 0 20 10...

Page 1581: ... and Extensions for the Bootstrap Protocol RFC 2131 Dynamic Host Configuration Protocol RFC 2132 DHCP Options and BOOTP Vendor Extensions MIB MIBs Link To locate and download MIBs for selected platforms Cisco software releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs Description Link The Cisco Support and Documentation website provides online res...

Page 1582: ...110R Any Internet Protocol IP addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers Any examples command display output network topology diagrams and other figures included in the document are shown for illustrative purposes only Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental 2015 2016 ...

Page 1583: ...s used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About DHCP Snooping DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintainin...

Page 1584: ...under your administrative control are trusted sources These devices include the switches routers and servers in your network Any device beyond the firewall or outside your network is an untrusted source Host ports are generally treated as untrusted sources In a service provider environment any device that is not in the service provider network is an untrusted source such as a customer switch Host ...

Page 1585: ...n the calculated checksum equals the stored checksum a switch reads entries from the file and adds the bindings to the DHCP snooping database When the calculated checksum does not equal the stored checksum the entry read from the file is ignored and so are all the entries following the failed entry The switch also ignores all those entries from the file whose lease time has expired This situation ...

Page 1586: ... remote ID suboption is the switch MAC address and the circuit ID suboption is the port identifier vlan mod port from which the packet is received Beginning with Cisco IOS Release 12 2 40 SG you can configure the remote ID and circuit ID For information on configuring these suboptions see the Enabling DHCP Snooping and Option 82 section on page 60 10 If the IP address of the relay agent is configu...

Page 1587: ... ID suboption the module number corresponds to the switch module number The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command Figure 60 2 Suboption Packet Formats Figure 60 3 shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHC...

Page 1588: ...e enabling the switch to differentiate untrusted interfaces from trusted interfaces You must enable DHCP snooping globally before you can use DHCP snooping on a VLAN You can enable DHCP snooping independently from other DHCP features These sections describe how to configure DHCP snooping Default Configuration for DHCP Snooping page 60 7 Enabling DHCP Snooping page 60 7 Enabling DHCP Snooping on th...

Page 1589: ... DHCP snooping option If you want to change the default configuration values see the Enabling DHCP Snooping section Enabling DHCP Snooping Note When DHCP snooping is enabled globally DHCP requests are dropped until the ports are configured Consequently you should probably configure this feature during a maintenance window and not during production To enable DHCP snooping perform this task Table 60...

Page 1590: ... Switch config if ip dhcp snooping limit rate 100 Switch config if ip dhcp snooping vlan 555 information option format type circuit id string customer 555 Switch config if interface FastEthernet 2 1 Switch config if ip dhcp snooping vlan 555 information option format type circuit id string customer 500 Switch config end Switch show ip dhcp snooping Switch DHCP snooping is enabled DHCP snooping is ...

Page 1591: ...t mode trunk switchport trunk encapsulation dot1q ip dhcp snooping trust interface VLAN 14 ip address 10 33 234 1 255 255 254 0 ip helper address 10 5 1 2 Note If you are enabling trunking on uplink gigabit interfaces and the above routing configuration is defined on a Catalyst 6500 series switch you must configure the trust relationship with downstream DHCP snooping on a Catalyst 4500 series swit...

Page 1592: ...Configured hostname for the switch If the hostname is longer than 63 characters it is truncated to 63 characters in the remote ID configuration The default remote ID is the switch MAC address Step 6 Switch config ip dhcp snooping information option allow untrusted Optional If the switch is an aggregation switch connected to an edge switch enables the switch to accept incoming DHCP snooping packets...

Page 1593: ...h config interface GigabitEthernet 5 1 Switch config if ip dhcp snooping trust Switch config if ip dhcp snooping limit rate 100 Switch config if ip dhcp snooping vlan 555 information option format type circuit id string customer 555 Switch config if interface FastEthernet 2 1 Switch config if ip dhcp snooping vlan 555 information option format type circuit id string customer 500 Switch config end ...

Page 1594: ...a secondary VLAN causes the switch to issue this warning message DHCP Snooping configuration may not take effect on secondary vlan XXX The show ip dhcp snooping command displays all VLANs both primary and secondary that have DHCP snooping enabled Configuring DHCP Snooping on Private VLAN DHCP snooping IPSG and DAI are Layer 2 based security features that can be enabled and disabled on an individua...

Page 1595: ... port in the errdisabled state The port remains in that state until you intervene or you enable errdisable recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you explicitly configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure th...

Page 1596: ... config exit Switch show interfaces status Port Name Status Vlan Duplex Speed Type Te1 1 connected 1 full 10G 10GBase LR Te1 2 connected vl err dis full 10G 10GBase LR Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config errdisable detect cause dhcp rate limit action shutdown vlan Enables per VLAN errdisable detection Step 3 Switch config interface...

Page 1597: ... inspection error detected on Gi3 31 putting Gi3 31 in err disable state SwitchB show clock 02 21 43 556 UTC Fri Feb 4 2005 SwitchB SwitchB show interface g3 31 status Port Name Status Vlan Duplex Speed Type Gi3 31 err disabled 100 auto auto 10 100 1000 TX SwitchB SwitchB 1w2d PM 4 ERR_RECOVER Attempting to recover from arp inspection err disable state on Gi3 31 SwitchB show interface g3 31 status...

Page 1598: ...d or create of the file has failed upon bootup Note Because the location is based off in the network you must create a temporary file on the TFTP server You can create a temporary file on a typical UNIX workstation by creating a 0 byte file file in the directory directory that can be referenced by the TFTP server daemon With some server implementations on UNIX workstations the file should be provi...

Page 1599: ...se Agent URL Write delay Timer 300 seconds Abort Timer 300 seconds Agent Running No Delay Timer Expiry Not Running Abort Timer Expiry Not Running Last Succeded Time None Last Failed Time None Last Failed Reason No failure recorded Total Attempts 0 Startup Failures 0 Successful Transfers 0 Failed Transfers 0 Successful Reads 0 Failed Reads 0 Successful Writes 0 Failed Writes 0 Media Failures 0 Swit...

Page 1600: ... Switch clear ip dhcp snoop bind Switch show ip dhcp snoop bind MacAddress IpAddress Lease sec Type VLAN Interface Switch Example 3 Adding Information to the DHCP Snooping Database To manually add a binding to the DHCP snooping database perform this task This example shows how to manually add a binding to the DHCP snooping database Switch show ip dhcp snooping binding MacAddress IpAddress Lease se...

Page 1601: ...p dhcp snooping Switch DHCP snooping is enabled DHCP Snooping is configured on the following VLANs 10 30 40 100 200 220 Insertion of option 82 is enabled Option82 on untrusted port is not allowed Verification of hwaddr field is enabled Interface Trusted Rate limit pps FastEthernet2 1 yes 10 FastEthernet3 1 yes none GigabitEthernet1 1 no 20 Switch About IP Source Guard The IP source guard feature i...

Page 1602: ...based on its source IP address Only IP traffic with a source IP address that matches the IP source binding entry is permitted An IP source address filter is changed when a new IP source entry binding is created or deleted on the port The port VACL is recalculated and reapplied in the hardware to reflect the IP source binding change By default if the IP filter is enabled without any IP source bindi...

Page 1603: ...ds one per line End with CNTL Z Switch config ip dhcp snooping Switch config ip dhcp snooping vlan 10 20 Switch config interface fa6 1 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if switchport trunk native vlan 10 Switch config if switchport trunk allowed vlan 11 20 Switch config if no ip dhcp snooping trust Switch config if ip verify ...

Page 1604: ...vate VLAN feature is enabled IP source filter on the primary VLAN will automatically propagate to all secondary VLAN Note IP Source Guard is supported on private VLAN host ports only Displaying IP Source Guard Information You can display IP source guard PVACL information for all interfaces on a switch using the show ip verify source command as the following examples show This example shows display...

Page 1605: ...error message when entering the show ip verify source command on a port that does not have an IP source filter mode configured IP Source Guard is not configured on the interface fa6 6 You can also use the show ip verify source command to display all interfaces on the switch that have IP source guard enabled as follows Switch show ip verify source Interface Filter type Filter mode IP address Mac ad...

Page 1606: ...is equivalent to port security at Layer 3 Note Some IP hosts with multiple network interfaces may inject some invalid packets into a network interface Those invalid packets contain the IP to MAC address for another network interface of that host as the source address It may cause IPSG for static hosts in the switch which connects to the host to learn the invalid IP to MAC address bindings and reje...

Page 1607: ...be The range is 1 to 5 The default is 3 interval Number of seconds that the switch waits for a response before resending the ARP probe The range is 30 to 300 seconds The default is 30 seconds Step 3 Switch config ip device tracking probe delay interval Optional Configures the optional probe delay parameter for the IP device tracking table interval Number of seconds that the switch delays sending a...

Page 1608: ...valid IP bindings on the interface Fa4 3 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip device tracking Switch config interface fastEthernet 4 3 Switch config if switchport mode access Switch config if switchport access vlan 10 Switch config if ip device tracking maximum 5 Switch config if ip verify source tracking Switch config if end Switch s...

Page 1609: ...evious interface is now marked as inactive Switch show ip device tracking all IP Device Tracking Enabled IP Device Tracking Probe Count 3 IP Device Tracking Probe Interval 30 IP Address MAC Address Vlan Interface STATE 200 1 1 8 0001 0600 0000 8 GigabitEthernet3 1 INACTIVE 200 1 1 9 0001 0600 0000 8 GigabitEthernet3 1 INACTIVE 200 1 1 10 0001 0600 0000 8 GigabitEthernet3 1 INACTIVE 200 1 1 1 0001 ...

Page 1610: ...INACTIVE The following example display the count of all IP device tracking host entries for all interfaces Switch show ip device tracking all count Total IP Device Tracking Host entries 5 Interface Maximum Limit Number of Entries Fa4 3 5 Configuring IPSG for Static Hosts on a PVLAN Host Port You can configure IPSG for static hosts on a PVLAN host port To enable IPSG for static hosts with IP filter...

Page 1611: ... 0306 200 FastEthernet4 3 ACTIVE 40 1 1 22 0000 0000 0307 200 FastEthernet4 3 ACTIVE 40 1 1 23 0000 0000 0308 200 FastEthernet4 3 ACTIVE The output shows the five valid IP to MAC bindings that have been learned on the interface Fa4 3 For the PVLAN the bindings are associated with primary VLAN ID In this example the primary VLAN ID 200 is shown in the table Switch show ip verify source Interface Fi...

Page 1612: ...500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 60 Configuring DHCP Snooping IP Source Guard and IPSG for Static Hosts Configuring IP Source Guard for Static Hosts ...

Page 1613: ...ions Support page 61 12 Note For complete syntax and usage information for the switch commands used in this chapter see publications at this location Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS library at this location Cisco IOS Master Command List All Releases Res...

Page 1614: ... DHCPv6 server both of them must be attached to the same link However in some situations where ease of management economy or scalability is a concern it is desirable to allow a DHCPv6 client to send a message to a DHCPv6 server that is not connected to the same link DHCPv6 Relay Options Remote ID The DHCPv6 Remote ID Option feature adds the remote identification remote ID option to relayed RELAY F...

Page 1615: ...access nodes such as DSL access multiplexers DSLAMs and Ethernet switches that do not support IPv6 control or routing functions LDRA is used to insert relay agent options in DHCPv6 message exchanges primarily to identify client facing interfaces LDRA functionality can be enabled on an interface and a VLAN An LDRA device or interface has the following features Maintains interoperability with existi...

Page 1616: ... client facing trusted client facing untrusted or server facing The LDRA configuration on a VLAN has to be configured as trusted or untrusted An LDRA must implement a configuration setting for all client facing interfaces marking them as trusted or as untrusted By default any interface that is configured as client facing will be configured as an untrusted interface When a client facing interface i...

Page 1617: ...p 3 Device config interface type number Configures an interface and enters interface configuration mode Step 4 Device config if ipv6 dhcp relay destination ipv6 address interface type interface number Specifies a destination address to which client packets are forwarded and enables the DHCPv6 relay service on the interface Step 5 Device config if end Exits interface configuration mode and returns ...

Page 1618: ...fied VLAN instead of the default VLAN in interface configuration mode Step 10 Device config if ipv6 dhcp ldra attach policy client facing trusted client facing untrusted client facing disable server facing Enables LDRA functionality on a specified interface or port The server facing keyword specifies an interface or port as server facing Step 11 Device config if end Exits interface configuration m...

Page 1619: ...ample given below are self explanatory Example Device show ipv6 dhcp ldra DHCPv6 LDRA is Enabled DHCPv6 LDRA policy client facing disable Target none DHCPv6 LDRA policy client facing trusted Target vlan 5 DHCPv6 LDRA policy client facing untrusted Target none DHCPv6 LDRA policy server facing Target Gi1 0 7 Step 3 show ipv6 dhcp ldra statistics Displays LDRA configuration statistics before and afte...

Page 1620: ...len 4 05 44 10 DNS SERVERS DOMAIN LIST 05 44 10 option IA NA 3 len 12 05 44 10 IAID 0x00040001 T1 0 T2 0 05 44 10 DHCPv6 LDRA API Entered dhcpv6_ldra_client_facing_new_pak 05 44 10 DHCPv6 LDRA EVENT Vlan 5 Sending RELAY FORWARD from 2001 DB8 1 1 to FF02 1 2 Configuring CAPWAP Access Points Command or Action Purpose Step 1 Device enable Enables privileged EXEC mode Enter your password if prompted S...

Page 1621: ... DHCPv6 Relay Agent LDRA on a VLAN numbered 5 Device enable Device configure terminal Device config ipv6 dhcp ldra enable Device config vlan configuration 5 Device config vlan config ipv6 dhcp ldra attach policy client facing trusted Device config vlan config exit Device config interface gigabitethernet 0 0 Device config if switchport Device config if switchport access vlan 5 Device config if ipv6...

Page 1622: ...Cs MIBs Related Topic Document Titl1 Cisco IOS commands Cisco IOS Master Commands List All Releases Catalyst 4500 commands Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch Standard RFC Title RFC 3315 Dynamic Host Configuration Protocol for IPv6 RFC 4649 Dynamic Host Configuration Protocol for IPv6 DHCPv6 Relay Agent Remote ID Option RFC 5417 Control And Provisioning of Wirele...

Page 1623: ...on Link The Cisco Support and Documentation website provides online resources to download documentation software and tools Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies Access to most tools on the Cisco Support and Documentation website requires a Cisco com user ID and password http www cisco com cisc...

Page 1624: ...tform support and Cisco software image support To access Cisco Feature Navigator go to www cisco com go cfn An account on Cisco com is not required Table 1 Feature Information for DHCPv6 Options Support Feature Name Releases Feature Information CAPWAP Access Controller DHCP Option 52 Cisco IOS Release 15 2 5 E2 The Control And Provisioning of Wireless Access Points CAPWAP protocol allows Lightweig...

Page 1625: ...cast MAC Address Filtering page 62 16 Configuring Named MAC Extended ACLs page 62 16 Configuring EtherType Matching page 62 17 Configuring Named IPv6 ACLs page 62 18 Applying IPv6 ACLs to Layer 2 and 3 Interface page 62 20 Configuring VLAN Maps page 62 21 Displaying VLAN Access Map Information page 62 28 Using VLAN Maps with Router ACLs page 62 28 Configuring PACLs page 62 31 Using PACL with VLAN ...

Page 1626: ...ridges the packet and then routes the packet internally without going to an external router The packet is then bridged again and sent to its destination During this process the switch can control all packets including packets bridged within a VLAN You configure access lists on a router or switch to filter traffic and provide basic security for your network If you do not configure ACLs all packets ...

Page 1627: ...yer 2 interface You can use VLAN maps to filter traffic between devices in the same VLAN You do not need the enhanced image to create or apply VLAN maps VLAN maps are configured to control access based on Layer 3 addresses for IP MAC addresses using Ethernet ACEs control the access of unsupported protocols After you apply a VLAN map to a VLAN all packets routed or bridged entering the VLAN are che...

Page 1628: ...dresses Extended IP access lists using source and destination addresses and optional protocol type information IPv6 access lists using source and destination addresses and optional protocol type information MAC extended access lists using source and destination MAC addresses and optional protocol type information Note Negative TCP flags such as syn psh or fin in ACEs are not considered when you ap...

Page 1629: ...rity features such as 802 1X NAC and Web Authentication are capable of downloading ACLs from a central server and applying them to interfaces Prior to Cisco IOS Release 12 2 54 SG these features required the explicit configuration of a standard port ACL Starting with Cisco IOS Release 12 2 54 SG a port ACL does not require configuration For more details refer to the Removing the Requirement for a ...

Page 1630: ...e Packets that require logging are processed in software A copy of the packets is sent to the CPU for logging while the actual packets are forwarded in hardware so that non logged packet processing is not impacted By default the Catalyst 4500 Series Switch sends ICMP unreachable messages when a packet is denied by an access list these packets are not dropped in hardware but are forwarded to the sw...

Page 1631: ... be fully programmed Note Removal of obsolete TCAM entries can take several CPU process review cycles to complete This process may cause some packets to be switched in software if the TCAM entry or mask utilization is at or near 100 percent Selecting Mode of Capturing Control Packets In some deployments you might want to bridge control packets in hardware rather than globally capture and forward t...

Page 1632: ...nd CTI commands for IGMP or PIM packets both use MAC addresses 224 0 0 1 and 224 0 0 2 Global and per VLAN CTI for DHCP packets With Cisco IOS Release 15 0 2 SG per VLAN capture of Layer 3 control packets is driven by SVI configuration Except for IGMP PIM or DHCP no special configuration is required Enabling per VLAN capture mode consumes additional entries in the ACL feature TCAM The number of av...

Page 1633: ...tion commands one per line End with CNTL Z Switch config access list hardware capture mode global Switch config end Switch When the capture mode changes from global to VLAN the static CAM entries are invalidated This creates a window during which control packets may pass through a Catalyst 4500 Series Switch without being intercepted to the CPU This temporary situation is restored when the new per...

Page 1634: ...ration Note When an interface is in down state TCAMs are not consumed for RACLs but are for PACLs Layer 4 Operators in ACLs The following sections provide guidelines and restrictions for configuring ACLs that include Layer 4 port operations Restrictions for Layer 4 Operations page 62 11 Configuration Guidelines for Layer 4 Operations page 62 12 Using ACLs to Filter TCP Flags and How ACL Processing...

Page 1635: ...hen be used to support more Layer 4 operations For this compression to be used the IPv6 ACL cannot contain any ACEs that mask in only a portion of the bottom 48 bits of the source IPv6 address Generally you will receive at most the following number of Layer 4 operations on the same ACL Direction Protocol Type Operations Input IPv4 Security 16 Input IPv6 Compressed Security 16 Input IPv6 Uncompress...

Page 1636: ...ows access list 101 dst port gt 10 permit dst port lt 9 deny dst port gt 11 deny dst port neq 6 permit src port neq 6 deny dst port gt 10 deny access list 102 dst port gt 20 deny src port lt 9 deny src port range 11 13 deny dst port neq 6 permit Access lists 101 and 102 use the following Layer 4 operations Access list 101 Layer 4 operations 5 gt 10 permit and gt 10 deny both use the same operation...

Page 1637: ...nt field of a segment specifies the next sequence number the sender of this segment is expecting to receive syn and fin and rst syn The synchronize flag is used to establish connections fin The finish flag is used to clear connections rst See above psh The push flag indicates the data in the call should be immediately pushed through to the receiving user urg The urgent flag indicates that the urge...

Page 1638: ... on the order of statements you need Use the TCP command syntax of the permit command Match all is not supported Match any is supported only when used in the following combinations of positive flags rst and ack must be combined sync and fin and rst must be combined psh and urg Step 4 sequence number deny tcp source source wildcard operator port destination destination wildcard operator port establ...

Page 1639: ...rdware because three source and three destination operations exist If the translation attempt fails the third ACE is processed in software access list 102 permit tcp any lt 80 any gt 100 access list 102 permit tcp any range 100 120 any range 120 1024 access list 102 permit tcp any gt 1024 any lt 1023 Similarly for access list 103 the third ACE triggers an attempt to translate dst gt 1023 into mult...

Page 1640: ...m a MAC address in a specified VLAN perform this task This example shows how to block all unicast traffic to or from MAC address 0050 3e8d 6400 in VLAN 12 Switch configure terminal Switch config mac address table static 0050 3e8d 6400 vlan 12 drop Configuring Named MAC Extended ACLs You can filter non IPv4 non IPv6 traffic on a VLAN and on a physical Layer 2 port by using MAC addresses and named M...

Page 1641: ...affic based on the EtherType value using the existing MAC access list commands When you classify non IP traffic by EtherType you can apply security ACLs and QoS policies to traffic that carry the same EtherType Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config no mac access list extended name Defines an extended MAC access list using a name To d...

Page 1642: ...ervisor Engine 7 E Supervisor Engine 7L E and Supervisor Engine 8 E support hardware based IPv6 ACLs to filter unicast multicast and broadcast IPv6 traffic on Layer 2 and Layer 3 interfaces You can only configure such access lists on Layer 3 interfaces that are configured with an IPv6 address Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config no ...

Page 1643: ...t Switch config ipv6 acl deny ipv6 host 2020 10 host 2040 10 Switch config ipv6 acl permit any any Switch config ipv6 acl end Switch show ipv6 access list IPv6 access list v6test deny ipv6 host 2020 10 host 2040 10 sequence 10 permit ipv6 any any sequence 20 Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ipv6 access list name Defines an IPv6 ...

Page 1644: ...ion that have IPv6 prefix 0 This is necessary because an implicit deny all condition is at the end of each IPv6 access list Switch config ipv6 acl permit any any To enable hardware statistics enter the following commands while configuring ACEs in the access list Switch config ipv6 access list v6test Switch config ipv6 acl hardware statistics Switch config ipv6 acl end Note Hardware statistics is d...

Page 1645: ...you need to include an ACL with specific source or destination addresses If there is a match clause for that type of packet IP or MAC in the VLAN map the default action is to drop the packet if the packet does not match any of the entries within the map If there is no match clause for that type of packet the default is to forward the packet To create a VLAN map and apply it to one or more VLANs fo...

Page 1646: ...the next entry in the map If the VLAN map has at least one match clause for the type of packet IP or MAC and the packet does not match any of these match clauses the default is to drop the packet If there is no match clause for that type of packet in the VLAN map the default is to forward the packet The system might take longer to boot if you have configured a very large number of ACLs Creating an...

Page 1647: ...ip1 Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop This example shows how to create a VLAN map to permit a packet ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded Switch config ip access list extended ip2 Switch config ext ...

Page 1648: ...rop Switch config access map exit Switch config vlan access map drop ip default 30 Switch config access map match ip address tcp match Switch config access map action forward Example 3 In this example the VLAN map is configured to drop MAC packets and forward IP packets by default By applying MAC extended access lists good hosts and good protocols the VLAN map is configured to do the following For...

Page 1649: ...ly a VLAN map to a VLAN on a switch that has ACLs applied to Layer 2 interfaces port ACLs This example shows how to apply VLAN map 1 to VLANs 20 through 22 Switch config vlan filter map 1 vlan list 20 22 Using VLAN Maps in Your Network Figure 62 3 shows a typical wiring closet configuration Host X and Host Y are in different VLANs connected to wiring closet switches A and C Traffic moving from Hos...

Page 1650: ...rmit tcp host 10 1 1 32 host 10 1 1 34 eq www Switch config ext nacl exit Next create a VLAN access map named map2 so that traffic that matches the HTTP access list is dropped and all other IP traffic is forwarded as follows Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access...

Page 1651: ...lied to VLAN 10 To configure this scenario follow these steps Step 1 Define the IP ACL to match and permit the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 8 host 10 1 1 100 Switch config ext nacl exit S...

Page 1652: ...t is a sample output of the show vlan filter command Switch show vlan filter VLAN Map map_1 is filtering VLANs 20 22 Using VLAN Maps with Router ACLs If the VLAN map has a match clause for a packet type IP or MAC and the packet does not match the type the default is to drop the packet If there is no match clause in the VLAN map and no action is specified the packet is forwarded if it does not matc...

Page 1653: ... ip any any To define multiple permit or deny actions in an ACL group each action type together to reduce the number of entries If you need to specify the full flow mode and the ACL contains both IP ACEs and TCP UDP ICMP ACEs with Layer 4 information put the Layer 4 ACEs at the end of the list Doing this gives priority to the filtering of traffic based on IP addresses Examples of Router ACLs and V...

Page 1654: ...Ls on Switched Packets ACLs and Routed Packets Figure 62 6 shows how ACLs are applied on routed packets For routed packets the ACLs are applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN VLAN 10 map Frame Input router ACL Output router ACL Routing function Catalyst 4500 series switch VLAN 10 VLAN 20 Host C VLAN 10 Host A VLAN 10 VLAN 2...

Page 1655: ...lines page 62 32 Removing the Requirement for a Port ACL page 62 32 Webauth Fallback page 62 33 Configuring IPv4 IPv6 and MAC ACLs on a Layer 2 Interface page 62 33 Using PACL with Access Group Mode page 62 34 Configuring Access group Mode on Layer 2 Interface page 62 35 Applying ACLs to a Layer 2 Interface page 62 35 Displaying an ACL Configuration on a Layer 2 Interface page 62 36 Creating a PAC...

Page 1656: ...ported although logging is not supported for output ACLs The access group mode can change the way PACLs interact with other ACLs To maintain consistent behavior across Cisco platforms use the default access group mode If a PACL is removed when there are active sessions on a port a hole permit ip any any is installed on the port Removing the Requirement for a Port ACL Prior to Cisco IOS Release 12 ...

Page 1657: ...llback to webauth might occur Prior to Cisco IOS Release 12 2 54 SG webauth fallback implementation required a fallback profile configured on the authenticating device As part of this profile an admission rule must be configured along with the access policies the fallback ACL Consider a situation where no port ACL is configured on a port The first few hosts authenticated through 802 1X MAB do not ...

Page 1658: ... In this situation you must specify how P1 and V1 impact the traffic with the Layer 2 interface on VLAN100 In a per interface method you can use the access group mode command to specify one of the following desired modes prefer port mode If PACL is configured on a Layer 2 interface then PACL takes effect and overwrites the effect of other ACLs Router ACL and VACL If no PACL feature is configured o...

Page 1659: ...Layer 2 Interface To apply IPv4 IPv6 and MAC ACLs to a Layer 2 interface perform one of these tasks This example applies the extended named IP ACL simple ip acl to interface FastEthernet 6 1 ingress traffic Switch configure terminal Switch config interface fast 6 1 Switch config if ip access group simple ip acl in This example applies the IPv6 ACL simple ipv6 acl to interface FastEthernet 6 1 ingr...

Page 1660: ...st is simple ip acl Outgoing access list is not set This example shows that MAC access group simple mac acl is configured on the inbound direction of interface fa6 1 Switch show mac access group interface fast 6 1 Interface FastEthernet6 1 Inbound access list is simple mac acl Outbound access list is not set This example shows that access group merge is configured on interface fa6 1 Switch show ac...

Page 1661: ...ic from Host A that requires routing If the mode is merge then the input PACL is first applied to the ingress traffic from Host A and the input Router ACL is applied on the traffic that requires routing Scenario 2 Host A is connected to an interface in VLAN 10 which has a VACL VLAN Map configured and an input PACL configured as shown in Figure 62 8 Table 62 1 Interaction between PACLs VACLs and Ro...

Page 1662: ...cted to an interface in VLAN 10 which has a VACL and an SVI configured The SVI has an input Router ACL configured and the interface has an input PACL configured as shown in Figure 62 9 Figure 62 9 Scenario 3 VACL and Input Router ACL If the interface access group mode is prefer port then only the input PACL is applied on the ingress traffic from Host A If the mode is prefer VLAN then the merged re...

Page 1663: ...G ACLs and with Cisco IOS XE Release 3 9 2E for IPv6 ACLs IPv6 OG ACLs The feature is supported only on Cisco Catalyst 4500E Series Switches with Supervisor Engines 7 E 7L E and 8 E and Cisco Catalyst 4500 X Series Switches See the following sections for more information Overview page 62 39 Configuring IPv4 OG ACLs page 62 40 Configuring IPv6 OG ACLs page 62 46 Overview All features that use or re...

Page 1664: ...language CPL policy Configuring IPv4 OG ACLs Guidelines and Restrictions for Configuring IPv4 OG ACLs page 62 40 Creating a Network Object Group page 62 40 Creating a Service Object Group page 62 42 Configuring an IPv4 OG ACL page 62 43 Applying an IPv4 OG ACL to an Interface page 62 44 Verifying IPv4 OG ACLs page 62 45 Guidelines and Restrictions for Configuring IPv4 OG ACLs The object groups can...

Page 1665: ...e Example Switch config network group group object my nested object group Optional Specifies a nested child object group to be included in the current parent object group The child object group type must match that of the parent for example if you are creating a network object group you must specify another network object group as the child You can use duplicated objects in an object group only by...

Page 1666: ... network object group configuration mode Step 3 description descripton text Example Switch config service group description test engineers Optional Specifies a description of the object group You can use up to 200 characters Step 4 protocol Example Switch config service group ahp Optional Specifies an IP protocol number or name Step 5 tcp udp tcp udp source eq lt gt port1 range port1 port2 eq lt g...

Page 1667: ...ork object group you must specify another network object group as the child You can use duplicate objects in an object group only by nesting group objects For example if object 1 is in both group A and group B you can define a group C that includes both A and B However you cannot include a group object that causes the group hierarchy to become circular for example you cannot include group A in gro...

Page 1668: ...conditions specified in the statement Every access list needs at least one permit statement Optionally use the object group service object group name keyword and argument as a substitute for the protocol Optionally use the object group source network object group name keyword and argument as a substitute for the source source wildcard Optionally use the object group destination network object grou...

Page 1669: ...55 255 224 209 165 200 234 255 255 255 224 Service object group auth proxy acl permit services tcp eq www tcp eq 443 Enter the show ip access list access list name command to display the contents of the named or numbered access list or object group ACL or for all access lists and object group ACLs if no name is entered For example Switch show ip access list my ogacl policy Extended IP access list ...

Page 1670: ...CEs you can associate the same access policy with one or more interfaces Feature interactions for IPv6 OG ACLs are the same as for Cisco IOS ACLs The maximum number of object group based ACEs supported in an IPv6 OG ACL is 2048 Creating a IPv6 Address Network Object Group To create an IPv6 address network object group perform this task Command or Action Purpose Step 1 configure terminal Example Sw...

Page 1671: ...ration mode Step 2 object group v6 service object group name Example Switch config object group v6 service mySG Defines object group name and enters the service object group configuration mode Step 3 0 255 ahp description descripton text esp exit group object hbh icmp ipv6 no pcp sctp tcp tcp udp udp Example Switch config v6service group description example of service object group Switch config v6...

Page 1672: ...ect group name Example Switch config ext nacl permit object group mySG object group myOG any sequence 10 Optional Permits any packet that matches all conditions specified in the statement In this example the service object group my SG allows network object groups from myOG with any destination Step 4 Repeat the steps to specify the fields and values on which you want to base your access list Remem...

Page 1673: ... 1 any sequence 10 permit hbh host 2002 1 any sequence 10 permit tcp host 2003 1 any eq www sequence 10 permit udp host 2003 1 any eq xdmcp sequence 10 permit esp host 2003 1 any sequence 10 permit hbh host 2003 1 any sequence 10 permit tcp host 2001 255 any eq www sequence 10 permit udp host 2001 255 any eq xdmcp sequence 10 permit esp host 2001 255 any sequence 10 permit hbh host 2001 255 any se...

Page 1674: ...mation found in the message and in the Layer 2 device configuration You can configure RA Guard in two modes host and router based on the device connected to the port Host mode All the Router Advertisement and Router Redirect messages are disallowed on the port Router mode All messages RA RS Redirect are allowed on the port only host mode is supported You can configure Catalyst 4500 host ports to a...

Page 1675: ... 1 Switch config interface interface Enters interface mode Step 2 Switch config if no ipv6 nd raguard Enables RA Guard on the switch Step 3 Switch config if end Returns to privileged EXEC mode Step 4 Switch show ipv6 nd raguard policy policy_name Shows the policy on which RA Guard has been enabled Note With Cisco Release IOS XE 3 4 0SG and IOS 15 1 2 SG the show ipv6 nd raguard policy command repl...

Page 1676: ...ket not authorized on port 131 NS 2 reason Packet accepted but not forwarded 2 Switch Note Beginning with Cisco IOS Release 15 0 2 SG per port RA Guard ACL statistics are supported and displayed when you enter a show ipv6 snooping counters interface command Previous to this release you enter the show ipv6 first hop counters interface command Note Be aware that only RA Router Advertisement and REDI...

Page 1677: ...In prior releases RA Guard is supported on EtherChannel the RA Guard configuration whether present or not on the EtherChannel overrides the RA Guard configuration on the member ports RA Guard is supported on ports that belong to PVLANs for example isolated secondary host ports community secondary host ports promiscuous primary host ports primary secondary trunk ports Primary VLAN features are inhe...

Page 1678: ...62 54 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 62 Configuring Network Security with ACLs Configuring RA Guard ...

Page 1679: ...out IPv6 page 63 1 IPv6 Default States page 63 8 Note For Cisco IOS IPv6 Configuration Guides see IPv6 Configuration Library Cisco IOS Release 15E IPv6 Configuration Guide Library Cisco IOS XE Release 3E For complete syntax and usage information for the switch commands used in this chapter see The Cisco IOS IPv6 Command Reference The Cisco IOS Command Reference Guides for the Catalyst 4500 Series ...

Page 1680: ...t support site local unicast addresses or multicast addresses The IPv6 128 bit addresses are represented as a series of eight 16 bit hexadecimal fields separated by colons in the format n n n n n n n n it is an example of an IPv6 address 2031 0000 130F 0000 0000 09C0 080F 130B The leading zeros in each field are optional implementation is easier without them it is the same address without leading ...

Page 1681: ...ace ID option Ethernet remote ID option Stateless auto configuration You can find information about these features at this location IP Addressing DHCP Configuration Guide Cisco IOS Release 15E IP Addressing DHCP Configuration Guide Cisco IOS XE Release 3E Security The following security features are supported for IPv6 on the Catalyst 4500 series switch Secure Shell SSH support over IPv6 Traffic fi...

Page 1682: ...lease 15E IPv6 First Hop Security Configuration Guide Cisco IOS Release XE 3E QoS The following QoS features are supported for IPv6 on the Catalyst 4500 series switch MQC packet classification MQC traffic shaping MQC traffic policing MQC packing marking and remarking Queueing You can find information about these features at this location QoS Classification Configuration Guide Cisco IOS XE Release ...

Page 1683: ... or dynamically learned using a routing protocol Static routes are manually configured and define an explicit path between two networking devices Unlike a dynamic routing protocol static routes are not automatically updated and must be manually reconfigured if the network topology changes The benefits of using static routes include security and resource efficiency Static routes use less bandwidth ...

Page 1684: ...ions describe the IPv6 unicast routing protocol features supported by the switch RIP page 63 6 OSPF page 63 6 EIGRP page 63 6 IS IS page 63 7 Multiprotocol BGP page 63 7 RIP Routing Information Protocol RIP for IPv6 is a distance vector protocol that uses hop count as a routing metric It includes support for IPv6 addresses and prefixes and the all RIP routers multicast group address FF02 9 as the ...

Page 1685: ...address families such as IPv6 IPv4 and OSI You can find more information about Is IS at this location IP Routing ISIS Configuration Guide Cisco IOS XE Release 3E Multiprotocol BGP Multiprotocol Border Gateway Protocol BGP is an Exterior Gateway Protocol EGP used mainly to connect separate routing domains that contain independent routing policies autonomous systems Connecting to a service provider ...

Page 1686: ...6 Default States Table 63 1 shows the default states of IPv6 configuration Table 63 1 Default IPv6 Configuration Feature Default Setting IPv6 routing Disabled globally and on all interfaces CEFv6 or dCEFv6 Disabled IPv4 CEF and dCEF are enabled by default Note When IPv6 routing is enabled CEFv6 and dCEF6 are automatically enabled IPv6 addresses None configured ...

Page 1687: ... traffic is flooded to a switch port because a MAC address has timed out or has not been learned by the switch This condition is especially undesirable for a private VLAN isolated port To guarantee that no unicast and multicast traffic is flooded to the port use the switchport block unicast and switchport block multicast commands to enable flood blocking on the switch Note The flood blocking featu...

Page 1688: ...onfiguration Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 1 Switch config if switchport block multicast Switch config if switchport block unicast Switch config if end Switch show interface gigabitethernet1 1 switchport Name Gi1 3 Switchport Enabled output truncated Port Protected On Unknown Unicast Traffic Not Allowed ...

Page 1689: ...ch config interface interface id Enters interface configuration mode and enter the type and number of the switch port interface GigabitEthernet1 1 Step 3 Switch config if no switchport block multicast Enables unknown multicast flooding to the port Step 4 Switch config if no switchport block unicast Enables unknown unicast flooding to the port Step 5 Switch config end Returns to privileged EXEC mod...

Page 1690: ...64 4 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 64 Port Unicast and Multicast Flood Blocking Configuring Port Blocking ...

Page 1691: ...tch Command Reference you can locate it in the Cisco IOS Master Command List All Releases About Storm Control This section contains the following subsections Hardware Based Storm Control Implementation page 65 1 Software Based Storm Control Implementation page 65 2 Storm control prevents LAN interfaces from being disrupted by a broadcast storm A broadcast storm occurs when broadcast packets flood ...

Page 1692: ...econd interval and when a threshold is reached it filters out subsequent broadcast packets Because hardware broadcast suppression uses a bandwidth based method to measure broadcast activity the most significant implementation factor is setting the percentage of total available bandwidth that can be used by broadcast traffic Because packets do not arrive at uniform intervals the one second interval...

Page 1693: ... level The range is from 0 to 100 Note For the Catalyst 4500 X Series Switch on ports operating at 1Gigabit thresholds less than 0 02 are not supported bps bps Specifies the threshold level for broadcast traffic in bits per second bps up to one decimal place The port blocks only the traffic that exceeds this level The range is 0 0 to 10000000000 0 pps pps Specifies the threshold level for broadcas...

Page 1694: ...sco Voice Protocol IEEE Protocol 802 3af SPAN source destination UDLD yes Link Debounce no Link Debounce Time no Port Security yes Dot1x yes Maximum MTU 9198 bytes Jumbo Frames Multiple Media Types no Diagnostic Monitoring N A Enabling Multicast Storm Control Per interface multicast suppression which allows you to subject incoming multicast and broadcast traffic to interface level suppression Note...

Page 1695: ...broadcast suppression enabled Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 2 1 Switch config if storm control broadcast include multicast Switch config if end Step 5 Switch config end Returns to privileged EXEC mode Step 6 Switch show storm control interface multicast Verifies the configuration Command or Action Purpose...

Page 1696: ...bilities GigabitEthernet2 1 Model WS X4648 RJ45V E RJ 45 Type 10 100 1000 TX Speed 10 100 1000 auto Duplex half full auto Auto MDIX yes EEE no Trunk encap type 802 1Q Trunk mode on off desirable nonegotiate Channel yes Broadcast suppression percentage 0 100 hw Multicast suppression percentage 0 100 hw Flowcontrol rx off on desired tx off on desired VLAN Membership static dynamic Fast Start yes CoS...

Page 1697: ...o Diagnostic Monitoring N A Use the show interfaces counters storm control command to display a count of discarded packets Switch show interfaces counters storm control Port Broadcast Multicast Level TotalSuppressedPackets Fa3 1 Enabled Disabled 10 00 46516510 Gi2 1 Enabled Enabled 50 00 0 Switch show storm control Interface Filter State Broadcast Multicast Level Fa3 1 Blocking Enabled Disabled 10...

Page 1698: ...65 8 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 65 Configuring Storm Control Displaying Storm Control ...

Page 1699: ...sulation Configuration page 66 12 Ingress Packets page 66 12 Access List Filtering page 66 13 Packet Type Filtering page 66 14 Configuration Example page 66 15 Configuring RSPAN page 66 16 Displaying SPAN and RSPAN Status page 66 24 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Swi...

Page 1700: ...a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The SPAN traffic from the sources is copied onto the RSPAN VLAN and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN destination sessions monitoring the RSPAN VLAN as shown in Figure 66 2 Figure 66 2 Example of RSPAN Configuration SPAN and RSPAN do not affect the switchin...

Page 1701: ...t SPAN sessions do not interfere with the normal operation of the switch however an oversubscribed SPAN destination for example a 10 Mbps port monitoring a 100 Mbps port results in dropped or lost packets You can configure SPAN sessions on disabled ports however a SPAN session does not become active unless you enable the destination port and at least one source port or VLAN for that session A SPAN...

Page 1702: ...e drops the packet the SPAN destination would also drop the packet In the case of egress QoS policing if the SPAN source drops the packet the SPAN destination might not drop it If the source port is oversubscribed the destination ports have different dropping behavior Both In a SPAN session you can monitor a single port series or a range of ports for both received and sent packets Source Port A so...

Page 1703: ...traffic directed to hosts that have been learned on the destination port If ingress traffic forwarding is enabled for a network security device the destination port forwards traffic at Layer 2 A destination port does not participate in spanning tree while the SPAN session is active When it is a destination port it does not participate in any of the Layer 2 protocols STP VTP CDP DTP PagP A destinat...

Page 1704: ...are sent to the SPAN destination port For example a bidirectional both Rx and Tx SPAN session is configured for the sources a1 Rx monitor and the a2 Rx and Tx monitor to destination port d1 If a packet enters the switch through a1 and is switched to a2 both incoming and outgoing packets are sent to destination port d1 Both packets are the same unless a Layer 3 rewrite occurs in which case the pack...

Page 1705: ...t specify a traffic type Tx Rx or both both is used by default To change from both to either tx or rx unconfigure the corresponding other type rx or tx with the no monitor session session_number source interface interface_list vlan vlan_IDs cpu queue queue_ids rx tx command If you specify multiple SPAN source interfaces the interfaces can belong to different VLANs You must enter the no monitor ses...

Page 1706: ... 4094 whether traffic received or sent from the CPU is copied to the session destination and the traffic direction to be monitored For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface list specifies the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number For ...

Page 1707: ...ssion session_number destination interface interface encapsulation dot1q ingress vlan vlan_IDs learning Specifies the SPAN session number 1 through 6 and the destination interfaces or VLANs For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface specifies the destination interface For vlan_IDs specifies the destination VLAN Use the no keyword to...

Page 1708: ... vlan 57 Switch config monitor session 1 destination interface fastethernet 4 15 You are now monitoring traffic from interface Fast Ethernet 4 10 that is on VLAN 57 out of interface FastEthernet 4 15 To disable the span session enter the following command Switch config no monitor session 1 Verifying a SPAN Configuration This example shows how to verify the configuration of SPAN session 2 Switch sh...

Page 1709: ... to the destination of the session The queue identifier optionally allows sniffing only traffic received on the specified CPU queue s For session_number specifies the session number identified with this SPAN session 1 through 6 For interface list specifies the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Fo...

Page 1710: ...is feature lest a spanning tree loop be introduced in the network When both ingress and a trunk encapsulation are specified on a SPAN destination port the port goes forwarding in all active VLANs Configuring a non existent VLAN as an ingress VLAN is not allowed By default host learning is disabled on SPAN destination ports with ingress enabled The port is also removed from VLAN floodsets so regula...

Page 1711: ...RACLs previously associated with the SPAN destination interface are not applied Only one IP named ACL and one IPv6 ACL can be associated with a SPAN session When no ACLs are applied to packets exiting a SPAN destination interface all traffic is permitted regardless of the PACLs VACLs or RACLs that have been previously applied to the destination interface or VLAN to which the SPAN destination inter...

Page 1712: ... 10 Switch config exit Switch show monitor Session 1 Type Local Session Source Ports Both Fa6 1 Destination Ports Fa6 2 Encapsulation Native Ingress Disabled Learning Disabled Filter VLANs 1 IP Access group 10 Packet Type Filtering When configuring a SPAN session you can specify packet filter parameters similar to VLAN filters When specified the packet filters indicate types of packets that may be...

Page 1713: ...ff unicast traffic arriving on interface Gi1 1 Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config monitor session 1 source interface gi1 1 rx Switch config monitor session 1 destination interface gi1 2 encapsulation dot1q ingress Switch config monitor session 1 filter address type unicast rx Switch config exit Switch show monitor Session 1 Type Local ...

Page 1714: ...or specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches RSPAN sessions can coexist with SPAN sessions within the limits described in the SPAN and RSPAN Session Limits section on page 66 6 For RSPAN configuration you can distribute the source ports and the destination ports across multiple switches in your network RSPAN does not support BPDU packet monitoring or other ...

Page 1715: ...config vlan remote_vlan_ID Specifies a remote VLAN ID Ensure that the VLAN ID is not being used for any user traffic Step 4 Switch config vlan remote span Converts the VLAN ID to a remote VLAN ID Step 5 Switch config vlan exit Returns to global configuration mode Step 6 Switch config no monitor session session_number source interface interface_list vlan vlan_IDs cpu queue queue_ids rx tx both Spec...

Page 1716: ...o create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port perform this task Step 7 Switch config monitor session session_number destination remote vlan vlan ID Specifies the RSPAN session and the destination remote VLAN For session_number specifies the session number identified with this RSPAN session 1 through 6 For vlan ID specifies the RSPAN VLAN to car...

Page 1717: ...n_number specifies the session number identified with this RSPAN session 1 through 6 For interface specifies the destination interface For vlan_IDs specifies the ingress VLAN if necessary Optional Specifies a series or range of interfaces Enter a space after the comma enter a space before and after the hyphen Optional Specifies the direction of traffic to monitor If you do not specify a traffic di...

Page 1718: ...the packet encapsulation and the ingress VLAN For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface id specifies the destination port Valid interfaces include physical interfaces Optional Specifies the encapsulation of the packets transmitted on the RSPAN destination port If no encapsulation is specified all transmitted packets are sent in nat...

Page 1719: ...Specifies the characteristics of the RSPAN source port monitored port to remove For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface list specifies the source port to no longer monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number For vlan_IDs specifies the source vlan or vla...

Page 1720: ... can monitor only received rx traffic on VLANs For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface list specifies the source port to no longer monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number For vlan IDs the range is 1 to 4094 do not enter leading zeros For queue_ids s...

Page 1721: ...es the characteristics of the source port monitored port and RSPAN session For session_number specifies the session number identified with this RSPAN session 1 through 6 For interface list specifies the source port to monitor The interface specified must already be configured as a trunk port For vlan IDs the range is 1 to 4094 do not enter leading zeros For queue_ids specifies the source queue Opt...

Page 1722: ...us of the current SPAN or RSPAN configuration use the show monitor privileged EXEC command This example displays the output for the show monitor command for SPAN source session 1 Switch show monitor session 1 Session 1 Type Local Source Session Source Ports RX Only Fa3 13 TX Only None Both None Source VLANs RX Only None TX Only None Both None Source RSPAN VLAN None Destination Ports None Encapsula...

Page 1723: ...formation for ERSPAN page 67 9 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases Prerequisites for ERSPAN Only IPv4 delivery transpo...

Page 1724: ... indication in the ERSPAN header Bad Short Oversized BSO packet indication in the ERSPAN header The original VLAN ID or Class of Service COS in the ERSPAN header Generic routing encapsulation GRE header flags GRE header sequence number or key Maximum transmission unit MTU checking and fragmentation Hence traffic exceeding the configured MTU size as determined by Layer 3 protocols is dropped Trunca...

Page 1725: ...g multicast and Bridge Protocol Data Unit BPDU frames An ERSPAN source session is defined by the following parameters A session ID List of source ports or source VLANs to be monitored by the session The destination and origin IP addresses which are used as the destination and source IP addresses of the GRE envelope for the captured traffic respectively ERSPAN flow ID Optional attributes such as IP...

Page 1726: ...ports in any VLAN can be configured and trunk ports can be configured as source ports along with nontrunk source ports Source VLANs A VLAN that is monitored for traffic analysis The following tunnel interfaces are supported as source ports for a source session GRE IPv6 IPv6 over IP tunnel Multipoint GRE mGRE D1 D2 A1 A2 A3 B1 B2 B4 B3 Switch A Switch D Switch B Probe Destination Switch Data Center...

Page 1727: ...and then re create the session with a new session ID or a new session type Step 4 Switch config mon erspan src description description Describes the ERSPAN source session Step 5 Switch config mon erspan src source interface type number vlan vlan ID both rx tx Configures the source interface or the VLAN and the traffic direction to be monitored Step 6 Switch config mon erspan src filter ip standard...

Page 1728: ...nfig end Switch Verifying ERSPAN To verify the ERSPAN configuration use the following commands The following is sample output from the show monitor session erspan source command Switch show monitor session erspan source session Type ERSPAN Source Session Step 12 Switch config mon erspan src dst vrf vrf ID Optional Configures the VRF name to use instead of the global routing table Step 13 Switch co...

Page 1729: ...rts None Filter VLANs None Filter Addr Type RX Only None TX Only None Both None Filter Pkt Type RX Only None Dest RSPAN VLAN None IP Access group None IPv6 Access group None Destination IP Address 20 20 163 20 Destination IPv6 Address None Destination IP VRF None Destination ERSPAN ID 110 Origin IP Address 10 10 10 216 Origin IPv6 Address None IP QOS PREC 0 IPv6 Flow Label None IP TTL 255 The foll...

Page 1730: ...r Commands List All Releases Catalyst 4500 switch commands Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch MIB MIBs Link To locate and download MIBs for selected platforms Cisco software releases and feature sets use Cisco MIB Locator found at the following URL http www cisco com go mibs RFC Title RFC 2784 Generic Routing Encapsulation GRE Description Link The Cisco Support ...

Page 1731: ...Note Table 1 lists only the software release that introduced support for a given feature in a given software release train Unless noted otherwise subsequent releases of that software release train also support that feature Table 1 Feature Information for ERSPAN Feature Name Releases Feature Information ERSPAN Cisco IOS Release 15 2 4 E1 This module describes how to configure Encapsulated Remote Sw...

Page 1732: ...67 10 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 67 Configuring ERSPAN Feature Information for ERSPAN ...

Page 1733: ...68 1 Prerequisites for Wireshark page 68 2 Guidelines for Wireshark page 68 2 Restrictions for Wireshark page 68 4 Information about Wireshark page 68 5 How to Configure Wireshark page 68 11 Monitoring Wireshark page 68 14 Configuration Examples for Wireshark page 68 15 Usage Examples for Wireshark page 68 18 VSS Specific Examples page 68 31 Note For complete syntax and usage information for the s...

Page 1734: ... packets store decode and display or both Where possible keep the capture to the minimum limit by packets duration to avoid high CPU usage and other undesirable conditions Because packet forwarding typically occurs in hardware packets are not copied to the CPU for software processing For Wireshark packet capture packets are copied and delivered to the CPU which causes an increase in CPU usage To a...

Page 1735: ...lly in streaming mode where packets are both captured and processed However when you specify a buffer size of at least 32 MB but less than 80MB the session automatically turns on lock step mode in which a Wireshark capture session is split into two phases capture and process In the capture phase the packets are stored in the temporary buffer The duration parameter in lock step mode serves as captu...

Page 1736: ...he Wireshark process it is alterable during a Wireshark session The action you want to perform determines which parameters are mandatory The Wireshark CLI allows you to specify or modify any parameter prior to entering the start command When you issue the start command Wireshark will start only after determining that all mandatory parameters have been provided If the capture file already exists it...

Page 1737: ...ut can only deliver them by forwarding them to some specified local or remote destination it provides no local display or analysis support The debug platform packet command is specific to the Catalyst 4500 series switch and only works on packets that stem from the software process forwarding path Although it has limited local display capabilities it has no analysis support So the need exists for a...

Page 1738: ... attachment points with limits on mixing attachment points of different types Some restrictions apply when you specify attachment points of different types Attachment points are directional input or output or both with the exception of the Layer 2 VLAN attachment point which is always unidirectional Filters Filters are attributes of a capture point that identify and limit the subset of traffic tra...

Page 1739: ...ure Capture Filter The capture filter allows you to direct Wireshark to further filter incoming packets based on various conditions Wireshark applies the capture filter immediately on receipt of the packet packets that fail the capture filter are neither stored nor displayed A switch receives this parameter and passes it unchanged to Wireshark Because Wireshark parses the application filter defini...

Page 1740: ... and displays Stores and displays When invoked on a pcap file only only the decode and display action is applicable Storing Captured Packets to Buffer in Memory Packets can be stored in the capture buffer in memory for subsequent decode analysis or storage to a pcap file The capture buffer can be linear or circular mode In linear mode new packets are discarded when the buffer is full In circular m...

Page 1741: ...e Wireshark can decode and display packet details for a wide variety of packet formats The details are displayed by entering the monitor capture name start command with one of the following keyword options which place you into a display and decode mode brief Displays one line per packet the default detailed Decodes and displays all the fields of all the packets whose protocols are supported Detail...

Page 1742: ... security features such as ACLs and IPSG are not caught by Wireshark capture points that are connected to attachment points at the same layer In contrast packets that are dropped by output classification based security features are caught by Wireshark capture points that are connected to attachment points at the same layer The logical model is that the Wireshark attachment point occurs after the s...

Page 1743: ...o the CPU where they are packets are software tunneled to the VSS active switch via the VSL link In the VSS active switch these packets are sent to software as if the packets came from local hardware Packets from the local switch and those from the standby switch are processed by the Wireshark session in the VSS active switch while the VSS standby switch copies the relevant packets and passes them...

Page 1744: ...Specify the file association if the capture point intends to capture packets rather than merely display them Step 7 Specify the size of the memory buffer used by Wireshark to handle traffic bursts To filter the capture point use the following commands File size No limit Ring file storage No Buffer storage mode Linear Table 68 1 Default Wireshark Configuration Feature Default Setting Command Purpos...

Page 1745: ... or Class Map Switch monitor capture mycap match access list myacl Switch monitor capture mycap match class map mycm Command Purpose monitor capture name interface name vlan num control plane in out both Specifies one or more attachment points with direction To remove the attachment point use the no form of this command monitor capture name file location filename buffer size 1 100 ring 2 10 size 1...

Page 1746: ...ap match any interface gi2 1 1 in file location bootflash text pcap Monitoring Wireshark The commands in the following table are used to monitor Wireshark Command Purpose monitor capture name start capture filter filter string display display filter filter string brief detailed dump monitor capture name stop Example Switch monitor capture mycap start capture filter net 10 1 1 0 0 0 0 255 and port ...

Page 1747: ...t 20001 Destination port 20002 28 27 000000 10 1 1 167 20 1 1 2 UDP Source port 20001 Destination port 20002 29 28 000000 10 1 1 168 20 1 1 2 UDP Source port 20001 Destination port 20002 30 29 000000 10 1 1 169 20 1 1 2 UDP Source port 20001 Destination port 20002 31 30 000000 10 1 1 170 20 1 1 2 UDP Source port 20001 Destination port 20002 32 31 000000 10 1 1 171 20 1 1 2 UDP Source port 20001 De...

Page 1748: ...pe IP 0x0800 Frame check sequence 0x03b07f42 incorrect should be 0x08fcee78 Internet Protocol Src 10 1 1 140 10 1 1 140 Dst 20 1 1 2 20 1 1 2 Version 4 Header length 20 bytes Differentiated Services Field 0x00 DSCP 0x00 Default ECN 0x00 0000 00 Differentiated Services Codepoint Default 0x00 0 ECN Capable Transport ECT 0 0 ECN CE 0 Total Length 238 Identification 0x0000 0 Flags 0x00 0 Reserved bit ...

Page 1749: ...1 72 73 74 75 fghijklmnopqrstu 00a0 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 vwxyz 00b0 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 00c0 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 00d0 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 00e0 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 00f0 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 03 b0 7f 42 B 2 1 000000 10 1 1 141 20 1 1 2 UDP Source p...

Page 1750: ...b 1c 1d 1e 1f 20 21 22 23 24 25 0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 012345 Example Displaying Packets from a pcap File with a Display Filter You can display the pcap file packets output by entering Switch show monitor capture file bootflash mycap pcap display filter ip src 10 1 1 140 dump 1 0 000000 10 1 1 140 20 1 1 2 UDP Source port 20001 Destination port 20002 0000 54 75 d0 3a ...

Page 1751: ...n 60 Step 3 Start the capture process and display the results Switch monitor capture mycap start display 0 000000 10 1 1 30 20 1 1 2 UDP Source port 20001 Destination port 20002 1 000000 10 1 1 31 20 1 1 2 UDP Source port 20001 Destination port 20002 2 000000 10 1 1 32 20 1 1 2 UDP Source port 20001 Destination port 20002 3 000000 10 1 1 33 20 1 1 2 UDP Source port 20001 Destination port 20002 4 0...

Page 1752: ...ch monitor capture mycap stop Note Alternatively you could let the capture operation stop automatically after the time has elapsed or the packet count has been met The mycap pcap file now contains the captured packets Step 5 Display the packets by entering Switch show monitor capture file bootflash mycap pcap 0 000000 10 1 1 30 20 1 1 2 UDP Source port 20001 Destination port 20002 1 000000 10 1 1 ...

Page 1753: ...2 UDP Source port 20001 Destination port 20002 7 000000 10 1 1 222 20 1 1 2 UDP Source port 20001 Destination port 20002 8 000000 10 1 1 223 20 1 1 2 UDP Source port 20001 Destination port 20002 9 000000 10 1 1 224 20 1 1 2 UDP Source port 20001 Destination port 20002 10 000000 10 1 1 225 20 1 1 2 UDP Source port 20001 Destination port 20002 11 000000 10 1 1 226 20 1 1 2 UDP Source port 20001 Dest...

Page 1754: ...70 71 72 73 74 75 fghijklmnopqrstu 00a0 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 vwxyz 00b0 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 00c0 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 00d0 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 00e0 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 00f0 c6 c7 c8 c9 ca cb cc cd ce cf d0 d1 03 3e d0 33 3 Step 5 Clear the buffer once wait for 1...

Page 1755: ...firm that the buffer is now empty by entering Switch show monitor capture mycap buffer brief Wait about 10 seconds Step 8 Display the buffer contents Switch show monitor capture mycap buffer brief Step 9 Restart the traffic wait about 10 seconds then display buffer contents by entering Switch show monitor capture mycap buffer brief 0 000000 10 1 1 2 20 1 1 2 UDP Source port 20001 Destination port ...

Page 1756: ...0 1 1 17 20 1 1 2 UDP Source port 20001 Destination port 20002 Step 12 Stop the packet capture and display the buffer contents by entering Switch monitor capture mycap stop Switch show monitor capture mycap buffer brief 0 000000 10 1 1 2 20 1 1 2 UDP Source port 20001 Destination port 20002 1 000000 10 1 1 3 20 1 1 2 UDP Source port 20001 Destination port 20002 2 000000 10 1 1 4 20 1 1 2 UDP Sourc...

Page 1757: ...t 20001 Destination port 20002 0 000000 10 1 1 26 20 1 1 2 UDP Source port 20001 Destination port 20002 0 000000 10 1 1 27 20 1 1 2 UDP Source port 20001 Destination port 20002 0 000000 10 1 1 28 20 1 1 2 UDP Source port 20001 Destination port 20002 0 000000 10 1 1 29 20 1 1 2 UDP Source port 20001 Destination port 20002 0 000000 10 1 1 30 20 1 1 2 UDP Source port 20001 Destination port 20002 Swit...

Page 1758: ...BCDE 0070 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 FGHIJKLMNOPQRSTU 0080 56 57 58 59 5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 VWXYZ _ abcde 0090 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 fghijklmnopqrstu 00a0 76 77 78 79 7a 7b 7c 7d 7e 7f 80 81 82 83 84 85 vwxyz 00b0 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 00c0 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 00d0 a6 a7 a8 a9 aa ab ...

Page 1759: ...1 08 00 45 00 Tu E 0010 00 ee 00 00 00 00 40 11 59 5c 0a 01 01 a0 14 01 Y 0020 01 02 4e 21 4e 22 00 da 6e 17 00 01 02 03 04 05 N N n 0030 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 012345 0060 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 6789 ABCDE 0070 46 47 48 49 4a 4b 4c 4d 4e 4f 50...

Page 1760: ...ue address factory default Source 00 00 00 00 03 01 00 00 00 00 03 01 Address 00 00 00 00 03 01 00 00 00 00 03 01 0 IG bit Individual address unicast 0 LG bit Globally unique address factory default Switch Example Capture and Store in Lock step Mode This example captures live traffic and stores the packets in lock step mode to achieve a high capture rate Note The capture rate might be slow for the...

Page 1761: ...ort 20002 7 000000 10 1 1 37 20 1 1 2 UDP Source port 20001 Destination port 20002 8 000000 10 1 1 38 20 1 1 2 UDP Source port 20001 Destination port 20002 9 000000 10 1 1 39 20 1 1 2 UDP Source port 20001 Destination port 20002 Step 5 Delete the capture point by entering Switch no monitor capture mycap Example Simple Capture and Store in Lock step with High speed Mode This example shows how to ca...

Page 1762: ...1 2 UDP Source port 20001 Destination port 20002 6 000000 10 1 1 36 20 1 1 2 UDP Source port 20001 Destination port 20002 7 000000 10 1 1 37 20 1 1 2 UDP Source port 20001 Destination port 20002 8 000000 10 1 1 38 20 1 1 2 UDP Source port 20001 Destination port 20002 9 000000 10 1 1 39 20 1 1 2 UDP Source port 20001 Destination port 20002 Step 5 Delete the capture point by entering Switch no monit...

Page 1763: ...0002 3 000000 10 1 1 33 20 1 1 2 UDP Source port 20001 Destination port 20002 4 000000 10 1 1 34 20 1 1 2 UDP Source port 20001 Destination port 20002 5 000000 10 1 1 35 20 1 1 2 UDP Source port 20001 Destination port 20002 6 000000 10 1 1 36 20 1 1 2 UDP Source port 20001 Destination port 20002 7 000000 10 1 1 37 20 1 1 2 UDP Source port 20001 Destination port 20002 8 000000 10 1 1 38 20 1 1 2 UD...

Page 1764: ...witch Step 1 Prepare a capture session by entering the following commands in VSS active switch vss_dut1 monitor capture mycap interface gi 1 1 1 in vss_dut1 monitor capture mycap match ipv4 any any vss_dut1 monitor capture mycap file location bootflash mycap pcap vss_dut1 monitor capture mycap limit packets 60 duration 60 Step 2 Start the capture session with display option in brief mode vss_dut1 ...

Page 1765: ...nd this session vss_dut1 standby console monitor capture mycap interface gi 2 1 1 in vss_dut1 standby console monitor capture mycap match ipv4 any any vss_dut1 standby console monitor capture mycap file location bootflash mycap pcap vss_dut1 standby console monitor capture mycap limit packets 30 duration 60 vss_dut1 standby console monitor capture mycap start vss_dut1 standby console exit Step 3 S...

Page 1766: ... capture mycap interface gi 2 1 1 in vss_dut1 standby console monitor capture mycap match ipv4 any any vss_dut1 standby console monitor capture mycap file location bootflash mycap pcap vss_dut1 standby console monitor capture mycap limit packets 30 duration 60 vss_dut1 standby console monitor capture mycap start Do not use the display option vss_dut1 standby console exit Step 3 Start the session i...

Page 1767: ...the capture session vss_dut1 remote login module 14 Connecting to standby virtual console Type exit or quit to end this session vss_dut1 standby console monitor capture mycap interface GigabitEthernet2 1 1 in vss_dut1 standby console monitor capture mycap match ipv4 any any vss_dut1 standby console monitor capture mycap buffer size 1 circular vss_dut1 standby console monitor capture mycap limit pa...

Page 1768: ...e capture point if it is no longer needed vss_dut1 monitor capture mycap stop Nov 15 01 08 58 627 PDT BUFCAP 6 DISABLE Capture Point mycap disabled vss_dut1 no monitor capture mycap Step 5 Log in to VSS standby switch again Stop the capture session to make sure it no longer runs delete the capture point and exit vss_dut1 remote login mod 14 Connecting to standby virtual console Type exit or quit t...

Page 1769: ...ocess such as HSRP can register an interest in tracking objects and request notification when the tracked object changes state This feature increases the availability and speed of recovery of a routing system and decreases outages and outage duration Note Enhanced object tracking is not supported on switches running the LAN base feature set Unless otherwise noted the term switch refers to a Cataly...

Page 1770: ...lean AND function requires that each object in the list be in an up state for the tracked object to be up A tracked list with a Boolean OR function needs only one object in the list to be in the up state for the tracked object to be up Configuring Enhanced Object Tracking Features Default Configuration page 69 2 Tracking Interface Line Protocol or IP Routing State page 69 2 Configuring a Tracked L...

Page 1771: ...or each object Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 track object number interface interface id line protocol Optional Creates a tracking list to track the line protocol state of an interface and enter tracking configuration mode The object number identifies the tracked object and can be from 1 to 500 The interface interface id is the interface being tra...

Page 1772: ... 69 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features When you measure the tracked list by a percentage threshold you assign a percentage threshold to all objects in the tracked list The state of each object is determined by comparing the assigned percentages of each object to the list ...

Page 1773: ...nd Purpose Step 1 configure terminal Enters global configuration mode Step 2 track track number list boolean and or Configures a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up if all objects are up or down if one or more objects are down or S...

Page 1774: ...epresent two small bandwidth connections and object 3 represents one large bandwidth connection The configured down 10 value means that once the tracked object is up it will not go down until the threshold value is equal to or lower than 10 which in this example means that all connections are down Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 track track number ...

Page 1775: ... up 51 down 10 Switch config track exit Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 track track number list threshold percentage Configures a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on perce...

Page 1776: ...hreshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 69 5 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 69 6 For threshold percentage see the Configuring a Trac...

Page 1777: ...that you can use for network troubleshooting design and analysis For more information about Cisco IP SLAs on the switch see Chapter 78 Configuring Cisco IOS IP SLA Operations For IP SLAs command information see the Cisco IOS IP SLAs Command Reference Release 12 4T Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an ac...

Page 1778: ... 00 47 Latest operation return code over threshold Latest RTT millisecs 4 Tracked by HSRP Ethernet0 1 3 Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 track object number ip sla operation number state Enters tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 21474...

Page 1779: ...for static routing or for DHCP ex Step 2 Configure an IP SLAs agent to ping an IP address using a primary interface and a track object to monitor the state of the agent Step 3 Configure a default static default route using a secondary interface This route is used only if the primary route is removed Configuring a Primary Interface To configure a primary interface for static routing perform this ta...

Page 1780: ...n and enter IP SLAs ICMP echo configuration mode Step 4 timeout milliseconds Sets the amount of time for which the operation waits for a response from its request packet Step 5 frequency seconds Sets the rate at which the operation is sent into the network Step 6 threshold milliseconds Sets the rising threshold hysteresis that generates a reaction event and stores history information for the opera...

Page 1781: ...s route map configuration mode Step 8 ip local policy route map map tag Identifies a route map to use for local policy routing Step 9 ip route prefix mask ip address interface id ip address distance name permanent track track number tag tag For static routing networks only Establishes static routes Entering track track number specifies that the static route is installed only if the configured trac...

Page 1782: ...69 14 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 69 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...

Page 1783: ...messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is disabled messages are sent only to the console The messages are sent as they are generated so message and debug output are interspersed wit...

Page 1784: ...tem log messages can contain up to 80 characters and a percent sign which follows the optional sequence number or time stamp information if configured Messages are displayed in this format seq no timestamp facility severity MNEMONIC description The part of the message preceding the percent sign depends on the setting of the service sequence numbers service timestamps log datetime service timestamp...

Page 1785: ... system message logging configuration Disabling Message Logging facility The facility to which the message refers for example SNMP SYS and so forth For a list of supported facilities see Table 70 4 on page 70 12 severity Single digit code from 0 to 7 that is the severity of the message For a description of the severity levels see Table 70 3 on page 70 8 MNEMONIC Text string that uniquely describes...

Page 1786: ...een disabled use the logging on global configuration command Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console To specify the locations that receive messages perform this task beginning in privileged EXEC mode Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Swi...

Page 1787: ...ages are dropped When synchronous logging of unsolicited messages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Unsolicited messages and debug command output are not interspersed with soli...

Page 1788: ...f line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 Switch config logging synchronous level severity level a...

Page 1789: ... sequence numbers global configuration command This example shows part of a logging display with sequence numbers enabled 000019 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config service timestamps log uptime or Switch config service timestamps log datetime msec localtime show timezone ...

Page 1790: ... Switch config logging console level Limits messages logged to the console By default the console receives debugging messages and numerically lower levels see Table 70 3 on page 70 8 Step 3 Switch config logging monitor level Limits messages logged to the terminal lines By default the terminal receives debugging messages and numerically lower levels see Table 70 3 on page 70 8 Step 4 Switch config...

Page 1791: ...is not affected Reload requests and low process stack messages displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP Optional If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you...

Page 1792: ...rver This procedure is optional Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network If applies to your system use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages Command Purpose Step 1 Switch configure terminal Enters global configuration...

Page 1793: ...the man syslog conf and man syslogd commands on your UNIX system Configuring the UNIX System Logging Facility When sending system log messages to an external device you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities To configure UNIX system facility message logging perform this task which is optional Command Purpose Step 1 Switch configure termi...

Page 1794: ...on about these facilities consult the operator s manual for your UNIX operating system Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer use the show logging privileged EXEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 3 Table 70 4 Logging Facility Type K...

Page 1795: ...71 8 Enabling OBFL page 71 8 Configuration Examples for OBFL page 71 9 Note For more information about Onboard Failure Logging see http www cisco com en US docs ios 12_0s feature guide 12sobfl html For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Cat...

Page 1796: ...Restrictions To support the OBFL feature a device must have at least 8 KB of nonvolatile memory space reserved for OBFL data logging Information About OBFL Overview of OBFL page 71 2 Information about Data Collected by OBFL page 71 2 Overview of OBFL The Onboard Failure Logging OBFL feature collects data such as operating temperatures hardware uptime interrupts and other important events and messa...

Page 1797: ...mperature sample is logged the sample becomes the base value for the next record From that point on temperatures are recorded either when there are changes from the previous record or if the maximum storage time is exceeded Temperatures are measured and recorded in degrees Celsius Temperature Example Switch sh logging onboard temperature TEMPERATURE SUMMARY INFORMATION Number of sensors 7 Sampling...

Page 1798: ...0m 0m 59 0m 0m 0m 8y 0m 0m 0m 60 0m 0m 0m 226h 0m 0m 0m 61 0m 0m 0m 629m 0m 0m 0m Switch To interpret this data Number of sensors is the total number of temperature sensors that will be recorded A column for each sensor is displayed with temperatures listed under the number of each sensor as available Sampling frequency is the time between measurements Maximum time of storage determines the maximu...

Page 1799: ...010 18 54 42 0x9 0 0 0 20 0 04 14 2010 21 31 00 0x9 0 0 0 2 0 04 14 2010 22 04 15 0x9 0 0 0 0 25 04 14 2010 22 22 20 0x9 0 0 0 0 5 04 14 2010 23 05 58 0x9 0 0 0 0 5 04 15 2010 19 03 11 0x9 0 0 0 19 0 04 15 2010 21 29 22 0x9 0 0 0 2 0 04 15 2010 21 49 49 0x8 0 0 0 0 10 04 16 2010 18 46 03 0x9 0 0 0 20 0 04 16 2010 19 25 37 0x9 0 0 0 0 25 04 16 2010 19 34 59 0x9 0 0 0 0 0 04 16 2010 19 46 06 0x9 0 0...

Page 1800: ... and NMIs Interrupts are generally related to hardware limit conditions or errors that need to be corrected The continuous format records each time a component is interrupted and this record is stored and used as base information for subsequent records Each time the list is saved a timestamp is added Time differences from the previous interrupt are counted so that technical personnel can gain a co...

Page 1801: ...message can be accessed and read at a later time System messages range from level 1 alerts to level 7 debug messages and these levels can be specified in the hw module logging onboard command Error Message Log Example Switch sh logging onboard message det ERROR MESSAGE SUMMARY INFORMATION Facility Sev Name Count Persistence Flag MM DD YYYY HH MM SS CAT4K 3 DIAGNOSTICS_PASSED 22 LAST 11 24 2010 15 ...

Page 1802: ...isco IOS System and Error Messages guide Count indicates the number of instances of this message that is allowed in the history file Once that number of instances has been recorded the oldest instance will be removed from the history file to make room for new ones The Persistence Flag gives a message priority over others that do not have the flag set Default Settings for OBFL The OBFL feature is e...

Page 1803: ... diagnostics 12 14 2012 17 50 55 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 12 20 2012 17 45 55 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 12 20 2012 19 55 27 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 12 20 2012 20 37 27 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 12 21 2012 16 09 15 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 01 07 2013 02 43 06 CA...

Page 1804: ...ical data to display Switch OBFL Report for a Specific Time Example The following example shows how to display continuous reports for all components during a specific time period Switch show logging onboard module 2 continuous start 18 12 32 13 Dec 2012 end 16 40 58 24 Jan 2013 PID WS C4510R E VID 6 SN FOX1503GL5V UPTIME CONTINUOUS INFORMATION Time Stamp Reset Uptime MM DD YYYY HH MM SS Reason yea...

Page 1805: ...0R E NA FOX1503GL5V 01 07 2013 02 43 06 slot 2 NA NA 0 Inserted Cis WS C4510R E NA FOX1503GL5V 01 07 2013 04 59 38 slot 2 NA NA 0 Inserted ENVIRONMENT CONTINUOUS INFORMATION MM DD YYYY HH MM SS Device Name IOS Version F W Ver RAM KB Event VID PID TAN Serial No Cis WS C4510R E NA FOX1503GL5V 01 16 2013 15 36 34 slot 2 NA NA 0 Inserted Cis WS C4510R E NA FOX1503GL5V 01 17 2013 12 41 44 slot 2 NA NA ...

Page 1806: ...40 59 32 23 33 28 Time Stamp Sensor Temperature 0C MM DD YYYY HH MM SS 0 1 2 3 01 18 2013 14 47 04 26 23 26 25 01 18 2013 14 57 04 24 22 24 23 01 18 2013 15 07 04 24 22 24 23 01 18 2013 15 17 04 24 22 24 23 01 18 2013 15 23 03 25 22 26 23 01 18 2013 15 25 03 30 22 31 25 01 18 2013 15 35 03 32 23 33 27 01 18 2013 15 41 25 30 23 31 26 01 18 2013 15 51 25 32 23 33 27 01 18 2013 16 00 27 32 23 33 27 0...

Page 1807: ... 01 22 2013 17 20 07 31 23 34 30 01 22 2013 17 30 07 32 24 35 33 01 22 2013 17 40 07 32 24 35 33 01 22 2013 17 49 08 32 24 35 33 01 22 2013 17 59 08 32 24 35 33 01 24 2013 11 47 25 26 22 26 23 01 24 2013 11 49 25 30 24 31 28 01 24 2013 11 56 25 33 25 35 33 01 24 2013 12 06 25 32 25 35 33 01 24 2013 12 16 25 33 25 35 33 01 24 2013 12 26 25 33 25 35 33 01 24 2013 12 36 25 33 25 36 33 01 24 2013 12 4...

Page 1808: ...AGNOSTICS_PASSED module passed diagnostics 01 07 2013 04 59 38 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 01 16 2013 15 36 34 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 01 17 2013 12 41 44 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 01 18 2013 14 03 24 CAT4K 3 DIAGNOSTICS_PASSED module passed diagnostics 01 18 2013 14 16 09 CAT4K 3 DIAGNOSTICS_PASSED module passed diag...

Page 1809: ...nager an SNMP agent and a MIB The SNMP manager can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into th...

Page 1810: ...ot tampered with in transit Authentication Determines that the message is from a valid source Encryption Mixes the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the crypto encrypted software image is installed Both SNMPv1 and SNMPv2C use a community based form of security The commun...

Page 1811: ...on SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Provides DES 56 bit encryption in addition to authentication based on the CBC DES DES 56 standard Table 72 1 SNMP Operations Operation Description get req...

Page 1812: ...authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Read write all Gives read and write access to authorized management stations to all objects in the MIB including the community st...

Page 1813: ... The characteristics that make informs more reliable than traps also consume more resources in the switch and in the network Unlike a trap which is discarded as soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be resent or retried several times The retries increase traffic and contribute to a h...

Page 1814: ...on and privacy digests If you do not configure the remote engine ID first the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPr...

Page 1815: ...nity string acts like a password to permit access to the agent on the switch Optionally you can specify one or more of these characteristics associated with the string An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent A MIB view which defines the subset of all MIB objects accessible to the given community Read and write o...

Page 1816: ...ead only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 To remove a specific community string use the no snmp server community string global configuration command Step 3 Switch config access list access list number deny permit source source wildcard Optional If you specified an IP standard access list number in Step 2 c...

Page 1817: ...n configure an SNMP server group that maps SNMP users to SNMP views and you can add new users to the SNMP group To configure SNMP on the switch perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config snmp server engineID local engineid string remote ip address udp port port number engineid string Configures a name for either the loca...

Page 1818: ... Secure Hash Algorithm SHA packet authentication noauth The noAuthNoPriv security level it is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the crypto software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in ...

Page 1819: ...ccess access list Configures a new user to an SNMP group The username is your name on the host that connects to the agent The groupname is the name of the group to which you are associated Optional Enter remote to specify a remote SNMP entity to which you belong and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 or v2...

Page 1820: ...s Note This option is only available when the enhanced multilayer image is installed ospf Generates a trap for Open Shortest Path First OSPF changes You can enable any or all of these traps Cisco specific errors link state advertisement rate limit retransmit and state changes Note This option is only available when the enhanced multilayer image is installed pim Generates a trap for Protocol Indepe...

Page 1821: ...ed access access list Configures an SNMP user to be associated with the remote host created in Step 2 Note You cannot configure a remote user for an address without first configuring the engine ID for the remote host If you try to configure the user before configuring the remote engine ID you receive an error message and the command is not executed Step 4 Switch config snmp server host host addr t...

Page 1822: ...nforms and specify the type of notifications to be sent For a list of notification types see Table 72 3 on page 72 11 or enter this snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command for each trap type Step 6 Switch config snmp server trap source interface id Optional Specifies the source interface which provides the IP address for...

Page 1823: ...p server list access list number Limits TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 Switch config access list access list number deny permit source source wildcard Creates a standard access list repeating the command as many times as necessary For...

Page 1824: ...MIB traps in addition to any traps previously enabled The second line specifies the destination of these traps and overwrites any previous snmp server host commands for the host cisco com Switch config snmp server enable traps entity Switch config snmp server host cisco com restricted entity This example shows how to enable the switch to send all traps to the host myhost cisco com using the commun...

Page 1825: ...ost addr informs command Table 72 4 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp pending Displays information on pending SNMP requests s...

Page 1826: ...72 18 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 72 Configuring SNMP Displaying SNMP Status ...

Page 1827: ...tch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releases Note VLAN monitors are not supported in Cisco IOS Release 15 0 2 SG Note Refer to the NetFlow Solutions Guide for more detailed information ...

Page 1828: ...tFlow lite monitoring and the WCCP Exclude feature cannot coexist on the same interface NetFlow lite and SPAN cannot coexist on the same interface NetFlow lite takes precedence over SPAN Monitor level Restrictions Port channel with an aggregate bandwidth exceeding 20 Gigabit support the highest sampling rate of 1 in 64 those with an aggregate bandwidth exceeding 40 Gigabit support 1 in 128 When ru...

Page 1829: ...rpose Step 1 Switch config terminal Enters configuration mode Step 2 Switch config netflow lite exporter exporter Defines an exporter and to enter NetFlow lite exporter submode Step 3 Switch config netflow lite exporter destination source address Specifies a destination address Step 4 Switch config netflow lite exporter source source address Specifies a source Layer 3 interface Step 5 Switch confi...

Page 1830: ...parameters and SNMP interface table mapping can also be exported periodically to the collector Mandatory parameters for a minimal exporter configuration are the destination address of the collector the source Layer 3 interface and the UDP destination port of the collector The VRF label is ignored if the collector s address is IPv6 The default global routing table is used to route the IPv6 export p...

Page 1831: ...annot be configured on 10 Gigabit ports because the bandwidth demand for export will be too high Mandatory parameters are packet rate A maximum of 2 x 1Gigabit ports can be configured with 1 in 1 sampling The best packet sampling rate that can be configured on any 1 Gigabit or 10 Gigabit port is 1 in 32 Packet sampling rates can be configured in powers of 2 like 1 in 64 and 1 in 128 You can update...

Page 1832: ... packet size size Specifies the average packet size at the observation point in NetFlow lite monitor submode Step 7 Switch config netflow lite monitor exit Exits NetFlow lite monitor submode Step 8 Switch config exit Exits global configuration mode Step 9 Switch show netflow lite monitor monitor interface interface name Displays information about a particular packet or per data source stats Comman...

Page 1833: ...an verify your settings with the show policy map privileged EXEC command Usage Guidelines Only a single packet sampling instance is supported on a monitor These commands are entered under the physical port interface mode port channel interface or config vlan mode Monitor is not supported on other interfaces If the physical port is a member of a port channel applying the monitor to the port has no ...

Page 1834: ...low lite monitor 1 interface gi1 3 Interface GigabitEthernet1 3 Netflow lite Monitor 1 Active TRUE Sampler sampler1 Exporter exporter1 Average Packet Size 0 Statistics Packets exported 0 Packets observed 0 Packets dropped 0 Average Packet Size observed 64 Average Packet Size used 64 The following example shows how to display information about a particular packet and per monitor stats on a VLAN Com...

Page 1835: ...1 Description Exporter Network Protocol Configuration Destination IP address 192 168 1 1 VRF label cisc Source IP Address 10 1 1 5 DSCP 0x1 TTL 30 COS 1 Transport Protocol Configuration Transport Protocol UDP Destination Port 1234 Source Port 65535 Export Protocol Configuration Export Protocol netflow v9 Exporter Statistics Export packets sent 36 Clear Commands To clear statistics of a packet samp...

Page 1836: ...73 10 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 73 Configuring NetFlow lite Clear Commands ...

Page 1837: ... VSS Environment page 74 8 Note This chapter provides Catalyst 4500 switch specific information For more information refer to the URL http www cisco com en US products ps6965 products_ios_protocol_option_home html For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not ...

Page 1838: ... specifies where the flow records are send to destination 20 1 20 4 flow record r1 record specifies packet fields to collect match ipv4 source address match ipv4 destination address collect counter bytes long collect counter packets long collect timestamp sys uptime first collect timestamp sys uptime last flow monitor m1 monitor refers record configuration and optionally exporter configuration It ...

Page 1839: ... you would only see the input option starting with the IOS Release XE 3 3 0 14 Flow monitor matching on ingress 802 1Q VLANId as key field cannot be attached on a VNET trunk port target 15 Only permanent and normal flow cache types are supported 16 Supervisor Engine 8 E Supervisor Engine 7 E Supervisor Engine 7L E and Catalyst 4500X do not support predefined records like traditional routers record...

Page 1840: ... for a given packet TTL value Table 74 1 lists the packet TTL and reported values 25 Cisco TrustSec CTS fields are supported These fields use Netflow collector to monitor and troubleshoot the CTS network and to segregate traffic based on source group tag SGT values When configuring the source group tag collect flow cts source group tag note the following The system copies the packets to software b...

Page 1841: ...et Length Reported Value 0 64 64 65 128 128 129 256 256 257 512 512 513 756 756 757 1500 1500 1500 4000 4000 4000 8192 Table 74 3 Options Available through FNF and the Supported Fields Field Description Comments Data Link Fields Layer 2 Flow Label A94 dot1q priority 802 1Q user dot1q vlan 802 1Q VLAN ID Ingress VLAN is supported as key field mac destination address Upstream destination MAC address...

Page 1842: ... tag Supported as a non key field configuring the IPv4 source address is a prerequisite to using this field flow cts switch derived sgt Switch derived source group tag Supported as a non key field configuring the IPv4 source address is a prerequisite to using this field IPv6 Fields destination address IPv6 destination address dscp IPv6 DSCP part of IPv6 traffic class flow label IPv6 flow label is ...

Page 1843: ...rded terminated in the router dropped by ACL RPF CAR Supported as a non key field Layer 4 Header Fields Field Description Comments TCP Header Fields destination port TCP destination number TCP destination port flags ack fin psh rst syn urg TCP flags Supported as non key fields source port TCP source port UDP Header Fields destination port UDP destination port source port UDP source port ICMP Heade...

Page 1844: ... using all the flow table entries the number of entries that it uses on a switch can be limited by the cache entries number command This limit is per flow monitor irrespective of the number of targets it is attached to The following example illustrates how to configure the flow monitor m1 cache to hold 1000 entries With this configuration interface gig 3 1 can create a maximum of 1000 flows and in...

Page 1845: ...al member ports 3 64 unique flow record configurations are supported 4 Flow QoS UBRL and FNF cannot be configured on the same target For information on Flow based QoS see the section Flow based QoS page 44 10 5 14 000 unique IPv6 addresses can be monitored 6 On a given target one monitor per traffic type is allowed However you can configure multiple monitors on the same target for different traffi...

Page 1846: ...mestamp accuracy is within 3 seconds 16 2048 Flow monitors and records are supported When TTL is configured as a flow field the following values are reported for a given packet TTL value Table 74 4 lists the packet TTL and reported values 17 Cisco TrustSec CTS fields are supported These fields use Netflow collector to monitor and troubleshoot the CTS network and to segregate traffic based on sourc...

Page 1847: ...0 150 255 255 Table 74 4 TTL Map TTL Configured Packet TT Value Reported Value Table 74 5 Packet Length Map Packet Length Configured Packet Length Reported Value 0 64 64 65 128 128 129 256 256 257 512 512 513 756 756 757 1500 1500 1500 4000 4000 4000 8192 Table 74 6 Options Available through FNF and the Supported Fields Field Description Comments Data Link Fields Layer 2 Flow Label A94 dot1q prior...

Page 1848: ...ize seen Total length maximum Maximum packet size seen Tos IPv4 Type of Service TOS ttl Pv4 Time to Live TTL Values are reported based on Table 74 4 ttl minimum Supported as a non key field ttl maximum Supported as a non key field CTS Fields flow cts destination group tag Supported as a non key field configuring the IPv4 destination address is a prerequisite to using this field flow cts source gro...

Page 1849: ... Supported as a non key field next header IPv6 next header type Only first next header is reported total length IPv6 total packet length Values are based on Table 74 5 Total length minimum Minimum packet size seen Total length maximum Maximum packet size seen protocol IPv6 next header type in the last IPv6 extension header source address IPv6 source address traffic class IPv6 traffic class Yes Rou...

Page 1850: ...rt UDP source port ICMP Header Fields code ICMP code type ICMP type IGMP Header Fields type IGMP Interface Fields input Input interface index output Output interface index Output interface can be supported only as non key Flexible NetFlow feature related fields direction input Counter Fields bytes 32 bit counters bytes long 64 bit counter packets 32 bit counters packets long 64 bit counter of the ...

Page 1851: ...0 It also includes configuration information for CFM ITU TY 1731 fault management support in this release Note For complete command and configuration information for Ethernet OAM CFM and Y 1731 see the Cisco IOS Carrier Ethernet Configuration Guide at this URL http www cisco com en US docs ios xml ios cether configuration 15 mt ce 15 mt book html For syntax of the commands used in this chapter see...

Page 1852: ...2 1ag is the standard for Layer 2 ping Layer 2 traceroute and end to end connectivity verification of the Ethernet network These sections contain conceptual information about Ethernet CFM Ethernet CFM and OAM Definitions page 75 2 CFM Domain page 75 3 Maintenance Associations and Maintenance Points page 75 4 CFM Messages page 75 5 Crosscheck Function and Static Remote MEPs page 75 5 SNMP Traps and...

Page 1853: ...verlap because that would require management by more than one entity which is not allowed Domains can touch or nest if the outer domain has a higher maintenance level than the nested domain Nesting domains can be useful when a service provider contracts with one or more operators to provide Ethernet service Each operator has its own maintenance domain and the service provider domain is a superset ...

Page 1854: ...to the down MEP For CFM frames from the relay side it processes the frames at its level and drops frames at a lower level The MEP transparently forwards all CFM frames at a higher level regardless of whether they are received from the relay or wire side If the port on which MEP is configured is blocked by STP the MEP can still send or receive CFM messages through the relay function CFM runs at the...

Page 1855: ...message is similar to an Internet Control Message Protocol ICMP ping message Refer to the ping ethernet privileged EXEC command Traceroute messages multicast frames transmitted by a MEP at administrator request to track the path hop by hop to a destination MEP Traceroute messages are similar in concept to UDP traceroute messages Refer to the traceroute ethernet privileged EXEC command Crosscheck F...

Page 1856: ...IP SLAs with CFM provide performance metrics for Layer 2 You can manually configure individual Ethernet ping or jitter operations You can also configure an IP SLA automatic Ethernet operation that queries the CFM database for all MEPs in a given maintenance domain and VLAN The operation then automatically creates individual Ethernet ping or jitter operations based on the discovered MEPs Because IP...

Page 1857: ...t configure direction the default is up inward facing Ethernet CFM Configuration Guidelines When configuring Ethernet CFM consider these guidelines and restrictions You must enter the ethernet cfm ieee global configuration command before configuring any other CFM CLI If not all other CFM CLIs are not applied CFM is not supported on and cannot be configured on either routed ports or Layer 3 EtherCh...

Page 1858: ... required configurations on draft 8 1 image Configuring the CFM Domain To configure the Ethernet CFM domain configure a service to connect the domain to a VLAN or configure a port to act as a MEP perform this task You can also enter the optional commands to configure other parameters such as continuity checks Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ethernet...

Page 1859: ...n 100 characters that identifies the MAID ma number a value from 0 to 65535 vpn id vpn enter a VPN ID as the ma name vlan vlan id VLAN range is from 1 to 4094 You cannot use the same VLAN ID for more than one domain at the same level Optional direction down specify the service direction as down port Configure port MEP a down MEP that is untagged and not associated with a VLAN Step 10 continuity ch...

Page 1860: ...t is 100 minutes Step 19 exit Return to global configuration mode Step 20 interface interface id Specify an interface to configure and enter interface configuration mode Step 21 switchport mode trunk Optional Configure the port as a trunk port Step 22 ethernet cfm mip level level id Optional Configure a customer level or service provider level maintenance intermediate point MIP for the interface T...

Page 1861: ...entries in the configuration file Command Purpose Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ethernet cfm mep crosscheck start delay delay Configures the number of seconds that the device waits for remote MEPs to come up before the crosscheck is started The range is 1 to 65535 the default is 30 seconds Step 3 Switch config ethernet cfm do...

Page 1862: ...Mac Address Type Id MA Name Reason Lvl Age 34 abc 0000 0000 0000 Vlan 5 test RMEP missing 3 95s 23 abc 0000 0000 0000 Vlan 5 test RMEP missing 3 95s Switch Step 7 Switch ethernet cfm mep crosscheck enable disable domain domain name vlan vlan id any port Enable or disable CFM crosscheck for one or more VLANs or a port MEP in the domain domain domain name Specify the name of the created domain vlan ...

Page 1863: ...main and a VLAN ID or peer MEP and enter ethernet cfm service configuration mode ma name a string of no more than 100 characters that identifies the MAID ma number a value from 0 to 65535 vpn id enter a VPN ID as the ma name vlan vlan id VLAN range is from 1 to 4094 You cannot use the same VLAN ID for more than one domain at the same level Optional direction down specify the service direction as d...

Page 1864: ... a lower domain level than native VLAN MEPs To configure Ethernet CFM port MEPs perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ethernet cfm domain domain name level level id Defines a CFM domain set the domain level and enter ethernet cfm configuration mode for the domain The maintenance level number range is 0 to 7 Step 3 S...

Page 1865: ...tinuity check messages to be missed before declaring that an MEP is down The range is 2 to 255 the default is 3 Step 8 Switch config ecfm srv continuity check static rmep Enables checking of the incoming continuity check message from a remote MEP that is configured in the MEP list Step 9 Switch config ecfm srv exit Returns to ethernet cfm configuration mode Step 10 Switch config ecfm exit Returns ...

Page 1866: ...ote You can configure fault alarms in either global configuration or Ethernet CFM interface MEP mode When a conflict exists the interface MEP mode configuration takes precedence Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config snmp server enable traps ethernet cfm cc mep up mep down config loop cross connect Optional Enables Ethernet CFM contin...

Page 1867: ...lt is 10000 ms Step 5 ethernet cfm logging alarm ieee Configures the switch to generate system logging messages for the alarms Step 6 interface interface id Optional Specifies an interface to configure and enter interface configuration mode Step 7 ethernet cfm mep domain domain name mpid identifier vlan vlan id Configures maintenance end points for the domain and enter ethernet cfm interface mep m...

Page 1868: ...twork Time Protocol NTP so that the switches are synchronized to the same clock source For detailed information about configuring IP SLAs Ethernet operations see the Cisco IOS IP SLAs for Metro Ethernet feature module at this URL http www cisco com en US docs ios xml ios ipsla configuration 15 1s Configuring_Cisco_IOS_IP_S LAs_for_Metro Ethernet html and http www cisco com en US docs ios xml ios i...

Page 1869: ...en sending of jitter packets Optional for jitter only Enter the num frames and the number of frames to be sent Step 4 Switch config ip sla ethernet monitor cos cos value Optional Sets a class of service value for the operation Before configuring the cos parameter on the switch you must globally enable QoS by entering the mls qos global configuration command Step 5 Switch config ip sla ethernet mon...

Page 1870: ...urring start time hh mm ss month day day month pending now after hh mm ss Schedules the time parameters for the IP SLAs operation operation number Enter the IP SLAs operation number Optional ageout seconds Enter the number of seconds to keep the operation in memory when it is not actively collecting information The range is 0 to 2073600 seconds The default is 0 seconds Optional life Set the operat...

Page 1871: ...illiseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 Enhanced History History Statistics Number of history Lives kept 0 Number of history Buckets kept 15 History Filter Type None Switch Configuring an IP SLAs Operation with Endpoint Discovery To use IP SLAs to automatically discover...

Page 1872: ...nly Enter the num frames and the number of frames to be sent Step 4 Switch config ip sla ethernet echo cos cos value Optional Sets a class of service value for the operation Step 5 Switch config ip sla ethernet echo owner owner id Optional Configures the SNMP owner of the IP SLAs operation Step 6 Switch config ip sla ethernet echo request data size bytes Optional Specifies the protocol data size f...

Page 1873: ...he time parameters for the IP SLAs operation operation number Enter the IP SLAs operation number Optional ageout seconds Enter the number of seconds to keep the operation in memory when it is not actively collecting information The range is 0 to 2073600 seconds The default is 0 seconds Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from...

Page 1874: ...onfigure Ethernet CFM CVLAN Up MEPs perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ethernet cfm domain domain name level level id Define a CFM domain set the domain level and enter ethernet cfm configuration mode for the domain The maintenance level number range is 0 to 7 Step 3 Switch config ecfm service ma name ma number v...

Page 1875: ... configuring a large number of MEPs running at 1 s intervals Step 6 Switch config ecfm arv continuity check loss threshold threshold value Optional Set the number of continuity check messages to be missed before declaring that an MEP is down The range is 2 to 255 the default is 3 Step 7 Switch config ecfm arv exit Returns to Return to ethernet cfm configuration mode Step 8 Switch config ecfm exit ...

Page 1876: ...t any level 0 to 7 MIPs process CFM frames that are single tagged when coming from the wire side and double tagged when coming from the relay function side Transparent point functions Supported maintenance points on 802 1q tunnels Up MEP on the C VLAN component for selective or all to one bundling Up MEP on the S VLAN Port MEP MIP support on C VLAN component for selective or all to one bundling No...

Page 1877: ...ver or Ethernet adaptation layer termination function or server or Ethernet adaptation function where the server layer termination function is expected to run OAM mechanisms specific to the server layer The supported mechanisms are link up link down and 802 3ah Server layer a virtual MEP layer capable of detecting fault conditions Defect conditions Loss of continuity LOC the MEP stopped receiving ...

Page 1878: ...it to be sure that the Maintenance Entity Group MEG level matches its own MEG and then detects the AIS default condition A MEG is Y 1731 terminology for maintenance association in 802 1ag After this detection if no AIS frames are received for an interval of 3 5 times the AIS transmission period the MEP clears the AIS defect condition For example if the AIS timer is set for 60 seconds the AIS timer...

Page 1879: ... multicast LBM frame the MEP expects to receive LB reply frames within 5 seconds When a MEP receives a valid LBM frame it generates an LB reply frame and sends it to the requested MEP after a random delay in the range of 0 to 1 second The validity of the frame is determined on its having the correct MEG level When a MEP sends a multicast LBM frame and receives an LB reply frame within 5 seconds th...

Page 1880: ...lan vlan id VLAN range is from 1 to 4094 You cannot use the same VLAN ID for more than one domain at the same level Optional direction down specify the service direction as down port Configure port MEP a down MEP that is untagged and not associated with a VLAN Step 8 ais level level id Optional Configures the maintenance level for sending AIS frames transmitted by the MEP The range is 0 to 7 Step ...

Page 1881: ...ernet CFM loopback messages to 0180 c200 0037 timeout is 5 seconds Reply to Multicast request via interface FastEthernet1 0 3 from 001a a17e f880 8 ms Total Loopback Responses received 1 Managing and Displaying Ethernet CFM Information You can use the privileged EXEC commands in these tables to clear Ethernet CFM information Step 17 ethernet cfm ais link status level level id Configures the mainte...

Page 1882: ...307 DomainName level3 Level 3 Direction Up Vlan 7 Interface Gi0 3 CC Status Enabled CC Loss Threshold 3 MAC 0021 d7ef 0700 LCK Status Enabled LCK Period 60000 ms LCK Expiry Threshold 3 5 Table 75 2 Displaying CFM Information Command Purpose show ethernet cfm domain brief Displays CFM domain information or brief domain information show ethernet cfm errors configuration domain id Displays CFM contin...

Page 1883: ...el Normal link operation does not require Ethernet OAM You can implement Ethernet OAM on any full duplex point to point or emulated point to point Ethernet link for a network or part of a network specified interfaces OAM frames called OAM protocol data units OAM PDUs use the slow protocol destination MAC address 0180 c200 0002 They are intercepted by the MAC sublayer and cannot propagate beyond a ...

Page 1884: ...ity An optional phase allows the local station to accept or reject the configuration of the peer OAM entity Link monitoring detects and indicates link faults under a variety of conditions and uses the event notification OAM PDU to notify the remote OAM device when it detects problems on the link Error events include when the number of symbol errors the number of frame errors the number of frame er...

Page 1885: ...on Remote loopback is disabled No Ethernet OAM templates are configured Ethernet OAM Configuration Guidelines Follow these guidelines when configuring Ethernet OAM The switch does not support monitoring of egress frames sent with cyclic redundancy code CDC errors The ethernet oam link monitor transmit crc interface configuration or template configuration commands are visible but are not supported ...

Page 1886: ... interface to configure as an EOM interface and enters interface configuration mode Step 3 Switch config if ethernet oam Enables Ethernet OAM on the interface Step 4 Switch config if ethernet oam max rate oampdus min rate seconds mode active passive timeout seconds Configures these optional OAM parameters Optional Enter max rate oampdus to configure the maximum number of OAM PDUs sent per second T...

Page 1887: ...00 milliseconds Low threshold 10 error frame s High threshold none Transmit Frame CRC Error Not Supported Enabling Ethernet OAM Remote Loopback You must enable Ethernet OAM remote loopback on an interface for the local OAM client to initiate OAM remote loopback operations Changing this setting causes the local OAM client to exchange configuration information with its remote peer Remote loopback is...

Page 1888: ...rnet oam remote loopback stop int gi1 1 Switch Apr 9 12 52 39 793 ETHERNET_OAM 6 LOOPBACK Interface Gi1 1 has exited the master loopback mode Configuring Ethernet OAM Link Monitoring You can configure high and low thresholds for link monitoring features If no high threshold is configured the default is none no high threshold is set If you do not set a low threshold the default is a value lower tha...

Page 1889: ...ols to set a high threshold in number of symbols The range is 1 to 65535 The default is none Enter threshold high none to disable the high threshold if it was set it is the default Enter threshold low low symbols to set a low threshold in number of symbols The range is 0 to 65535 It must be lower than the high threshold Enter window symbols to set the window size in number of symbols of the pollin...

Page 1890: ...default is 1 Enter window frames to set the a polling window size in number of frames The range is 1 to 65535 each value is a multiple of 10000 frames The default is 1000 Step 7 Switch config if ethernet oam link monitor frame seconds threshold high high frames none low low frames window milliseconds Repeat this step to configure both high and low thresholds Optional Configures high and low thresh...

Page 1891: ...t oam link monitor frame threshold low 8 Switch config if ethernet oam link monitor frame period threshold hig 9000 Switch config if ethernet oam link monitor frame period threshold low 9 Switch show ethernet oam status int gi1 1 Step 8 Switch config if ethernet oam link monitor receive crc threshold high high frames none low low frames window milliseconds Repeat this step to configure both high a...

Page 1892: ...00 milliseconds Low threshold 8 error frame s High threshold 8000 error frame s Frame Period Error Window 1000 x 10000 frames Low threshold 9 error frame s High threshold 9000 error frame s Frame Seconds Error Window 100 x 100 milliseconds Low threshold 1 error second s High threshold none Receive Frame CRC Error Window 10 x 100 milliseconds Low threshold 10 error frame s High threshold 1000 error...

Page 1893: ...mote failure dying gasp action error disable interface ethernet oam end Switch show ethernet oam status int gi1 1 GigabitEthernet1 1 General Admin state enabled Mode active PDU max rate 10 packets per second PDU min rate 1 packet per 1 second Link timeout 5 seconds High threshold action error disable interface Link fault action no action Dying gasp action error disable interface Critical event act...

Page 1894: ...these PDUs are received from a link partner they are processed The switch supports sending and receiving Dying Gasp OAM PDUs when Ethernet OAM is disabled the interface is shut down the interface enters the Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface port channel interface id Defines an interface and enters interface configuratio...

Page 1895: ...ce or repeated to configure different options To configure an Ethernet OAM template and to associate it with an interface follow these steps Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config template template name Creates a template and enters template configuration mode Step 3 Switch config template ethernet oam link monitor receive crc thresho...

Page 1896: ...er an error frame link event Enter threshold high high frames to set a high threshold in number of frames The range is 1 to 65535 You must enter a high threshold Enter threshold high none to disable the high threshold Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window milliseconds to set the a window and period of time du...

Page 1897: ...or disable interface Switch config template exit Switch config int gi1 2 Switch config if source template oam Switch config if end Step 7 Switch config template ethernet oam link monitor frame seconds threshold high high seconds none low low seconds window milliseconds Optional Configures frame seconds high and low thresholds for triggering an error frame seconds link event Enter threshold high hi...

Page 1898: ... action no action Critical event action no action Link Monitoring Status supported on Symbol Period Error Window 100 x 1048576 symbols Low threshold 5 error symbol s High threshold 5000 error symbol s Frame Error Window 10 x 100 milliseconds Low threshold 8 error frame s High threshold 8000 error frame s Frame Period Error Window 1000 x 10000 frames Low threshold 9 error frame s High threshold 900...

Page 1899: ...lient MAC address 000f 8f03 3591 Vendor oui 00000C cisco Administrative configurations PDU revision 2 Mode active Unidirection not supported Link monitor supported Remote loopback supported MIB retrieval not supported Mtu size 1500 Switch show ethernet oam statistics GigabitEthernet1 1 Counters Information OAMPDU Tx 101163 Information OAMPDU Rx 51296 Unique Event Notification OAMPDU Tx 0 Table 75 ...

Page 1900: ...ecords 2 Dying Gasp records Total dying gasps 7 Time stamp 1d01h Total dying gasps 6 Time stamp 1d01h 0 Critical Event records Remote Faults 0 Link Fault records 2 Dying Gasp records Total dying gasps 8 Time stamp 1d01h Total dying gasps 7 Time stamp 1d01h 0 Critical Event records Local event logs 0 Errored Symbol Period records 0 Errored Frame records 0 Errored Frame Period records 0 Errored Fram...

Page 1901: ... status of Remote_Excessive_Errors in the Port Status TLV The local port is set into loopback mode CFM responds by sending a port status of Test in the Port Status TLV The remote port is set into loopback mode CFM responds by sending a port status of Test in the Port Status TLV This section includes this information Configuring Ethernet OAM Interaction with CFM page 75 51 Example Configuring Ether...

Page 1902: ...ng of no more than 100 characters that identifies the CSI vlan id VLAN range is from 1 to 4095 You cannot use the same VLAN ID for more than one domain at the same level Step 5 Switch config if exit Returns to global configuration mode Step 6 Switch config ethernet evc evc id Defines an EVC and enter EVC configuration mode Step 7 Switch config evc oam protocol cfm svlan vlan id domain domain name ...

Page 1903: ...mpid 100 vlan 100 Switch config if ethernet oam remote loopback supported Switch config if ethernet oamt Provider edge switch 2 PE2 configuration Switch config terminal Switch config interface GigabitEthernet1 20 Switch config if switchport mode trunk Switch config if ethernet cfm mip level 7 Switch config if ethernet cfm mep level 4 mpid 101 vlan 10 Switch config if ethernet oam remote loopback s...

Page 1904: ... maintenance points remote MPID Level Mac Address Vlan PortState InGressPort Age sec Service ID 100 4 0012 00a3 3780 10 UP Gi1 1 8 blue Total Remote MEPs 1 This example shows the output when you start remote loopback on CE1 or PE1 The port state on the remote PE switch shows as Test and the remote CE switch enters into error disable mode Switch ethernet oam remote loopback start interface gigabite...

Page 1905: ...ring Y 1731 page 76 4 Displaying Y 1731 Information page 76 5 For complete command and configuration information for Y 1731 see the Cisco IOS feature module at this URL http www cisco com en US docs ios xml ios cether configuration 12 2sr ce cfm y1731 html AIS and RDI Terminology Term Definition CC Ethernet OAM Continuity Check CCM Ethernet OAM Continuity Check Message CCDB Ethernet OAM Continuity...

Page 1906: ...IS allows you to suppress alarms when defects are detected at the server sub layer Because of STP s ability to restore you would not expect to apply ETH AIS in the STP environments For the Catalyst 4500 Metro switch an administrator can enable and disable AIS in the STP environment You can enable or disable transmission of frames with ETH AIS information on an MEP or on a Server MEP You also can i...

Page 1907: ...ived ETH RDI information in a single MEP indicates the absence of defects in the entire maintenance Contribution to far end performance monitoring It reflects a defect condition in the far end which serves as input to the performance monitoring process A MEP that is in a defect condition transmits frames with ETH RDI information A MEP upon receiving frames with ETH RDI information determines that ...

Page 1908: ...ance domain Likewise RDI is a flag bit in the CC message Provided CC transmission is enabled the present RDI flag of the CC message is set to true or false Configuring AIS Parameters To set the parameters for AIS perform this task Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config ethernet cfm ais domain name vlan range Enters config ais mep cfm ...

Page 1909: ...3 5 With this CLI we can change the expiry threshold parameter for MA Step 7 Switch config ais mep cfm express alarm Configures alarm suppression when an AIS message causes the MEP enters an AIS defect condition Step 8 Switch config ais mep cfm exit Returns to global configuration Step 9 Switch config no ethernet cfm ais link status global Enters config ais link cfm submode enabling you to configu...

Page 1910: ...ETHER_CFM 6 ENTER_AIS local mep with mpid 1109 level 4 id 100 dir I Interface GigabitEthernet3 1 enters AIS defect condition gi3 2 enters AIS state Switch show ethernet cfm main local detail MEP Settings MPID 1109 DomainName PROVIDER_DOMAIN Level 4 Direction I EVC evc_1 Interface Gi3 1 CC Status Enabled MAC 001b d550 91fd Defect Condition AIS presentRDI TRUE RDI defect IS present AIS Status Enable...

Page 1911: ... 51 08 567 ETHER_CFM 6 EXIT_AIS local mep with mpid 1109 level 4 id 100 dir I Interface GigabitEthernet3 1 exited AIS defect condition gi3 1 exits AIS state Switch show ethernet cfm main local detail MEP Settings MPID 1109 DomainName PROVIDER_DOMAIN Level 4 Direction I EVC evc_1 Interface Gi3 1 CC Status Enabled MAC 001b d550 91fd Defect Condition No Defect presentRDI FALSE RDI defect is not prese...

Page 1912: ...76 8 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 76 Configuring Y 1731 AIS and RDI Displaying Y 1731 Information ...

Page 1913: ...nabling Smart Call Home page 77 13 Displaying Call Home Configuration Information page 77 13 Call Home Default Settings page 77 18 Alert Group Trigger Events and Commands page 77 18 Message Contents page 77 21 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not...

Page 1914: ...ultiple concurrent message destinations Multiple message categories including configuration diagnostics environmental conditions inventory and syslog events Filtering of messages by severity and pattern matching Scheduling of periodic message sending Obtaining Smart Call Home If you have a service contract directly with Cisco Systems you can register your devices for the Smart Call Home service Sm...

Page 1915: ...rity CA The contact e mail phone and street address information should be configured so that the receiver can determine the origin of messages received The switch must have IP connectivity to an e mail server or the destination HTTP server using the ip domain name command If Cisco Smart Call Home is used an active service contract must cover the device being configured To configure Call Home follo...

Page 1916: ...Enters the Call Home configuration submode Step 3 Switch cfg call home contact email addr email address Assigns the customer s e mail address Enter up to 200 characters in e mail address format with no spaces Step 4 Switch cfg call home phone number phone number Optional Assigns the customer s phone number Note The number must begin with a plus prefix and may contain only dashes and numbers Enter ...

Page 1917: ... to the transport method to which the alert should be sent Message formatting The message format used for sending the alert For user defined destination profiles the format options are long text short text or XML The default is XML For the predefined Cisco TAC profile only XML is allowed Message size The maximum destination message size The valid range is 50 to 3 145 728 bytes and the default is 3...

Page 1918: ...stination profiles that have subscribed to the alert group containing that Call Home alert In addition the alert group must be enabled Step 7 Switch cfg call home profile destination message size limit bytes Optional Configures a maximum destination message size for the destination profile Step 8 Switch cfg call home profile active Enables the destination profile By default the profile is enabled ...

Page 1919: ... destination profile to the Diagnostic alert group The Diagnostic alert group can be configured to filter messages based on severity as described in the Configuring Message Severity Threshold section on page 77 8 Step 7 Switch cfg call home profile subscribe to alert group environment severity catastrophic disaster fatal critical major minor warning notification normal debugging Subscribes this de...

Page 1920: ... Table 77 1 and ranges from catastrophic level 9 highest level of urgency to debugging level 0 lowest level of urgency If no severity threshold is configured the default is normal level 1 Note Call Home severity levels differ from the system message logging severity levels Configuring Syslog Pattern Matching When you subscribe a destination profile to the Syslog alert group you can optionally spec...

Page 1921: ...s relative priority among configured e mail servers Provide either of these The e mail server s IP address The e mail server s fully qualified domain name FQDN of 64 characters or less Assign a priority number between 1 highest priority and 100 lowest priority Step 4 Switch cfg call home sender from email address Optional Assigns the e mail address that will appear in the from field in Call Home e...

Page 1922: ...rname example com Switch cfg call home exit Switch config Enabling Call Home To enable or disable the Call Home feature perform this task Testing Call Home Communications You can test Call Home communications by sending messages manually using two command types To send a user defined Call Home test message use the call home test command To send a specific alert group message use the call home send...

Page 1923: ...served a diagnostic event For any active profile that subscribes to diagnostic events with a severity level of minor or higher a message is sent only if the specified module or interface has observed a diagnostic event of at least the subscribed severity level otherwise no diagnostic message is sent to the destination profile This example shows how to send the configuration alert group message to ...

Page 1924: ...er If you specify a user id the response is sent to the e mail address of the registered user If do not specify a user id the response is sent to the contact e mail address of the device Based on the keyword specifying the type of report requested the following information is returned config sanity Information on best practices as related to the current running configuration bugs list Known bugs i...

Page 1925: ... home send show diagnostic result module all email support example com Configuring and Enabling Smart Call Home For application and configuration information of the Cisco Smart Call Home service see the FastStart section of the Smart Call Home User Guide at this location http www cisco com go smartcall The user guide includes configuration examples for sending Smart Call Home messages directly fro...

Page 1926: ...er 2 Address 192 168 0 1 Priority 2 Rate limit 20 message s per minute Available alert groups Keyword State Description configuration Disable configuration info diagnostic Disable diagnostic info environment Disable environmental info inventory Enable inventory info syslog Disable syslog info Profiles Profile Name campus noc Profile Name CiscoTAC 1 Switch Example 77 2 Configured Call Home Informat...

Page 1927: ... syslog Disable syslog info Profiles Profile Name campus noc Profile status ACTIVE Preferred Message Format long text Message Size Limit 3145728 Bytes Transport Method email Email address es noc example com HTTP address es Not yet set up Alert group Severity inventory normal Syslog Pattern Severity N A N A Profile Name CiscoTAC 1 Profile status ACTIVE Preferred Message Format xml Message Size Limi...

Page 1928: ...rmation for All Destination Profiles Predefined and User Defined Switch show call home profile all Profile Name campus noc Profile status ACTIVE Preferred Message Format long text Message Size Limit 3145728 Bytes Transport Method email Email address es noc example com HTTP address es Not yet set up Alert group Severity inventory normal Syslog Pattern Severity N A N A Profile Name CiscoTAC 1 Profil...

Page 1929: ...iguration info message is scheduled every 11 day of the month at 11 25 Periodic inventory info message is scheduled every 11 day of the month at 11 10 Alert group Severity diagnostic minor environment warning inventory normal Syslog Pattern Severity major Example 77 7 Call Home Statistics Switch show call home statistics Message Types Total Email HTTP Total Success 0 0 0 Config 0 0 0 Diagnostic 0 ...

Page 1930: ... the trigger events included in each alert group including the severity level of each event and the executed CLI commands for the alert group Table 77 2 Default Call Home Settings Parameters Default Call Home feature status Disabled User defined profile status Active Predefined Cisco TAC profile status Inactive Transport method E mail Message format type XML Destination message size for a message ...

Page 1931: ...ture of the chassis has risen above the critical threshold TEMP_FAILU RE Shutdown Temp 5 The temperature of the chassis is very high and the system will be shut down TEMP_FAILU RE Some Temp Sensors Failed 3 Some of the temperature sensors have failed TEMP_FAILU RE All Temp Sensors Failed 5 All temperature sensors have failed TEMP_RECO VER TempOk 5 The temperature of the chassis is normal POWER_FAI...

Page 1932: ...ECOVERY FanTrayGood 3 5 Failed fan tray has been fixed The severity of the notification depends on the failure which has been recovered from FANTRAY_ FAILURE InsufficientFantray 6 There are not enough FanTray to support the system This may be followed by a system shut down CLOCK_ALA RM ClockSwitchover 2 Clock module has switched over to another clock CLOCK_ALA RM Clock Faulty 3 The clock module ha...

Page 1933: ...ds for an inventory message Diagnostic Failure 1 3 4 5 Events related to standard or intelligent line cards CLI commands executed show module show version show inventory show buffers show logging show diagnostic result module x detail show diagnostic result module all Test TEST 1 User generated test message CLI commands executed show module show version show inventory Configuration 1 User generate...

Page 1934: ...duct type for routing using the workflow engine it is typically the product family name For long test mtessage only Device ID Unique Device Identifier UDI for end device generating message This field should empty if the message is nonspecific to a fabric switch Format type Sid serial Where Separator character Type If WS C4503 E product model number from backplane SEEPROM Sid C identifying serial I...

Page 1935: ...t for this unit CallHome CustomerData Syst emInfo ContactEmail Contact phone number Phone number of the person identified as the contact for this unit CallHome CustomerData Syst emInfo ContactPhoneNumber Street address Optional field containing street address for RMA part shipments associated with this unit CallHome CustomerData Syst emInfo StreetAddress Model name Model name of the unit such as W...

Page 1936: ...rialNumber Affected FRU part number Part number of affected FRU CallHome Device Cisco_Chas sis Cisco_Card PartNumber FRU slot Slot number of FRU generating the event message CallHome Device Cisco_Chas sis Cisco_Card LocationWithi nContainer FRU hardware version Hardware version of affected FRU CallHome Device Cisco_Chas sis Cisco_Card HardwareVers ion FRU software version Software version s runnin...

Page 1937: ...ommand Output Name show logging Attachment Type command output MIME Type text plain Command Output Text Syslog logging enabled 0 messages dropped 1 messages rate limited 0 flushes 0 overruns xml disabled filtering disabled No Active Message Discriminator No Inactive Message Discriminator Affected FRU s n Serial number of affected FRU CallHome Device Cisco_Cha ssis Cisco_Card SerialNumbe r Affected...

Page 1938: ...05 51 827 C4K_IOSMODPORTMAN 4 POWERSUPPLYREMOVED Power supply 1 has been removed Feb 6 01 05 56 087 CALL_HOME 3 SMTP_SEND_FAILED Unable to send notification using all SMTP servers ERR 6 error in reply from SMTP server Feb 6 01 05 56 867 C4K_IOSMODPORTMAN 6 POWERSUPPLYINSERTEDDETAILED Power supply 1 PWR C45 1300ACV S N DTM123900VH Hw 5 2 has been inserted Feb 6 01 05 56 867 C4K_IOSMODPORTMAN 4 POWE...

Page 1939: ...mand Output Name show inventory Attachment Type command output MIME Type text plain Command Output Text NAME Switch System DESCR Cisco Systems Inc WS C4510R 10 slot switch PID WS C4510R VID V06 SN 1234567 NAME Clock Module DESCR Clock Module PID WS X4K CLOCK VID V04 SN 12345671 NAME Mux Buffer 3 DESCR Mux Buffers for Redundancy Logic PID WS X4590 VID V04 SN 12345672 NAME Mux Buffer 4 DESCR Mux Buf...

Page 1940: ...ri aml session From aml session MessageId M44 1234567 abcd aml session MessageId aml session Session soap env Header soap env Body aml block Block xmlns aml block http www cisco com 2004 01 aml block aml block Header aml block Type http www cisco com 2005 05 callhome syslog aml block Type aml block CreationDate 2009 02 06 12 58 31 GMT 00 00 aml block CreationDate aml block Builder aml block Name C...

Page 1941: ... name SystemDescription value Cisco IOS Software Catalyst 4500 L3 Switch Software cat4500 ENTSERVICES M Experimental Version 12 2 20090204 112419 Copyright c 1986 2009 by Cisco Systems Inc Compiled Fri 06 Feb 09 15 22 by abc rme AdditionalInformation rme Chassis ch Device ch CallHome aml block Content aml block Attachments aml block Attachment type inline aml block Name show logging aml block Name...

Page 1942: ...s configuration Feb 6 01 06 36 907 C4K_IOSMODPORTMAN 6 POWERSUPPLYINSERTEDDETAILED Power supply 2 PWR C45 1400AC S N AZS11260B3M Hw 2 3 has been inserted Feb 6 01 08 06 911 C4K_IOSMODPORTMAN 4 POWERSUPPLYREMOVED Power supply 1 has been removed Feb 6 01 08 11 171 CALL_HOME 3 SMTP_SEND_FAILED Unable to send notification using all SMTP servers ERR 6 error in reply from SMTP server Feb 6 01 08 11 951 ...

Page 1943: ...lot 2 DESCR Supervisor V 10GE with 2 10GE X2 ports and 4 1000BaseX SFP ports PID WS X4516 10GE VID V07 SN 12345674 NAME Linecard slot 3 DESCR 10 100 1000BaseT RJ45 V with 48 10 100 1000 baseT voice power ports Cisco IEEE PID WS X4548 GB RJ45V VID V08 SN 12345675 NAME Linecard slot 4 DESCR 10 100 1000BaseT RJ45 V with 48 10 100 1000 baseT voice power ports Cisco IEEE PID WS X4548 GB RJ45V VID V08 S...

Page 1944: ...77 32 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 77 Configuring Call Home Message Contents ...

Page 1945: ...Catalyst 4500 series switch running the IP Base or Enterprise Services feature set The switch also supports the Built in Traffic Simulator using Cisco IOS IP SLAs video operations to generate synthetic traffic for a variety of video applications such as Telepresence IPTV and IP video surveillance camera You can use the simulator tool for network assessment before deploying applications that have s...

Page 1946: ...oS byte including Differentiated Services Code Point DSCP and IP Prefix bits Virtual Private Network VPN routing forwarding instance VRF and URL web address Because Cisco IP SLAs is Layer 2 transport independent you can configure end to end operations over disparate networks to best reflect the metrics that an end user is likely to experience IP SLAs collects a unique subset of these performance m...

Page 1947: ...erformance between any area in the network core distribution and edge without deploying a physical probe It uses generated traffic to measure network performance between two networking devices Figure 78 1 shows how IP SLAs begins when the source device sends a generated packet to the destination device After the destination device receives the packet depending on the type of IP SLAs operation it r...

Page 1948: ...l IP SLAs functionality Figure 78 1 shows where the Cisco IOS IP SLAs responder fits in the IP network The responder listens on a specific port for control protocol messages sent by an IP SLAs operation Upon receipt of the control message it enables the specified UDP or TCP port for the specified duration During this time the responder accepts the requests and responds to them It disables the port...

Page 1949: ...peration you must schedule the operation to begin capturing statistics and collecting error information You can schedule an operation to start immediately or to start at a certain month day and hour You can use the pending option to set the operation to start at a later time The pending option is an internal state of the operation that is visible through SNMP The pending state is also used when an...

Page 1950: ... en US products ps6441 products_installation_and_configuration_guides_list ht ml Configuring IP SLAs Operations This section does not include configuration information for all available operations as the configuration information details are included in the Cisco IOS IP SLAs Configuration Guide It does include several operations as examples including configuring the responder configuring UDP jitte...

Page 1951: ... ip sla application privileged EXEC command to verify that the operation type is supported on your software image This is an example of the output from the command Switch show ip sla application IP SLAs Version 2 2 0 Round Trip Time MIB Infrastructure Engine II Time of last change in whole IP SLAs 22 17 39 117 UTC Fri Jun Estimated system max number of entries 15801 Estimated number of configurabl...

Page 1952: ...ing jitter the IP SLAs UDP jitter operation can be used as a multipurpose data gathering operation The packets IP SLAs generates carry packet sending and receiving sequence information and sending and receiving time stamps from the source and the operational target Based on these UDP jitter operations measure this data Per direction jitter source to destination and destination to source Per direct...

Page 1953: ...ational target To configure UDP jitter operation on the source device perform this task Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 ip sla operation number Creates an IP SLAs operation and enter IP SLAs configuration mode Step 3 udp jitter destination ip address destination hostname destination port source ip ip address hostname source port port number control...

Page 1954: ...onds start time hh mm ss month day day month pending now after hh mm ss ageout seconds recurring Configures the scheduling parameters for an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time E...

Page 1955: ...e and the destination IP device The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing and the two methods result in the same response times Note This operation does not require the IP SLAs responder to be enabled To configure an ICMP echo operation on the source device perform this task Command Purpose Step 1 configure terminal Enters global configuration mode St...

Page 1956: ...an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notati...

Page 1957: ...for all IP SLAs operations or a specific operation show ip sla enhanced history collection statistics distribution statistics entry number Displays enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Displays IP SLAs automatic Ethernet configuration show ip sl...

Page 1958: ...78 14 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 78 Configuring Cisco IOS IP SLA Operations Monitoring IP SLAs Operations ...

Page 1959: ...ons About RMON page 79 1 Configuring RMON page 79 3 Displaying RMON Status page 79 6 Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command List All Releas...

Page 1960: ...story group of statistics on Ethernet Fast Ethernet and Gigabit Ethernet interfaces for a specified polling interval 133836 RMON alarms and events configured SNMP configured RMON history and statistic collection enabled Workstations Workstations Network management station with generic RMON console application Catalyst 4500 switch Catalyst 4500 switch Catalyst 4500 switch Catalyst 3550 switch RMON ...

Page 1961: ...the monitoring is more efficient and little processing power is required Configuring RMON This section describes how to configure RMON on your switch It contains this configuration information Default RMON Configuration page 79 3 Configuring RMON Alarms and Events page 79 3 Configuring RMON Collection on an Interface page 79 5 Default RMON Configuration RMON is disabled by default no alarms or eve...

Page 1962: ... at which the alarm is triggered and one for when the alarm is reset The range for the rising threshold and falling threshold values is 2147483648 to 2147483647 Optional For event number specify the event number to trigger when the rising or falling threshold exceeds its limit Optional For owner string specify the owner of the alarm Step 3 Switch config rmon event number description string log own...

Page 1963: ...s and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command This example also generates an SNMP trap when the event is triggered Switch config rmon event 1 log trap eventtrap description High ifOutErrors owner jjones Configuring RMON Collection on an Interface You must first configure RMON alarms and events to...

Page 1964: ... Switch config if rmon collection stats index owner ownername Enables RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics To disable the collection of group Ethernet statistics use the no rmon collection stats index interface configuration comm...

Page 1965: ... designated intervals or specified times when the switch is connected to a live network and health monitoring runs in the background Note Diagnostic shell mode is not supported on Supervisor Engine 7 E and Supervisor Engine 8 E in wired mode This chapter consists of these sections Configuring Online Diagnostics page 80 1 Performing Diagnostics page 80 3 Power On Self Test Diagnostics page 80 10 No...

Page 1966: ...terval Use the no form of this command to remove the scheduling To configure online diagnostics perform this task This example shows how to schedule diagnostic testing on a specific date and time for a specific port on module 6 Switch config diagnostic schedule module 6 test 2 port 3 on may 23 2009 23 32 Switch config This example shows how to schedule diagnostic testing to occur daily Switch conf...

Page 1967: ...ve tests complete a warning message on the console will recommend that you reload the system to return to normal operation Strictly follow this warning Starting and Stopping Online Diagnostic Tests After you configure diagnostic tests you can use the start and stop keywords to begin or end a test To start or stop an online diagnostic command perform one of these tasks This example shows how to sta...

Page 1968: ...ealth monitoring test NA F Fixed monitoring interval test NA E Always enabled monitoring test NA A I Monitoring is active Monitoring is inactive cable tdr Interface cable diags NA o Ongoing test always active NA Test Interval Thre ID Test Name Attributes day hh mm ss ms shold 1 linecard online diag M D I not configured n a 2 online diag tdr PD Icable not configured n a 3 stub rx errors N A 000 00 ...

Page 1969: ...t 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 U U U U U U U U U U U U U U U U U U U U U U U 3 stub rx errors 4 supervisor rx errors Switch This example shows how to display the online diagnostic results details for module 6 Switch show diagnostic result module 6 detail Current bootup diagnostic level minimal module 6 SerialNo JAB0815059L Overall Diagnostic Result for module 6 PA...

Page 1970: ...time n a Last test pass time Jun 03 2009 05 39 00 Total failure count 0 Consecutive failure count 0 Detailed Status Interface Speed Local pair Cable length Remote channel Status Gi6 3 1Gbps 1 2 N A Unknown Terminated 3 6 N A Unknown Terminated 4 5 N A Unknown Terminated 7 8 N A Unknown Terminated ___________________________________________________________________________ 3 stub rx errors Error cod...

Page 1971: ...tly seated or faulty line card The error counts include idle frames so detection can occur when traffic is not flowing Errors on the supervisor end of the data path are reported as errors in traffic ingressing to the supervisor engine from linecards The error counts should not increase and the detection includes idle frames If the error counts increase for more than one line card the likely cause ...

Page 1972: ...d Online Diagnostics A line card online diagnostic test verifies that all ports on a line card are working correctly The test can detect whether the path to the front panel port on the line card is broken The test cannot indicate where along the path that the problem occurred Note This test is run only for line cards that have stub chips Line card online diagnostics runs only once when the line ca...

Page 1973: ...k 2 000b 5f27 8b86 to 000b 5f27 8b8b 0 2 12 2 27r SG 12 2 37 SG Ok 3 0005 9a80 6810 to 0005 9a80 683f 0 4 Ok 4 000c 3016 aae0 to 000c 3016 ab0f 2 6 Ok 5 0008 a3a3 4e70 to 0008 a3a3 4e9f 1 6 Ok 6 0008 a3a3 3fa0 to 0008 a3a3 3fcf 1 6 Faulty 7 0030 850e 3e78 to 0030 850e 3e8f 1 0 Ok Mod Redundancy role Operating mode Redundancy status 1 Active Supervisor SSO Active 2 Standby Supervisor SSO Standby ho...

Page 1974: ...n a different chassis If the line card passes the test the problem is associated with the chassis Issue an RMA for the chassis and contact TAC Power On Self Test Diagnostics The following topics are discussed Overview of Power On Self Test Diagnostics page 80 10 POST Result Example page 80 11 Power On Self Test Results page 80 13 Troubleshooting the Test Failures page 80 20 Overview of Power On Se...

Page 1975: ...n the switch core and validate the switching the Layer 2 and the Layer 3 functionality To isolate the hardware failures accurately the loop back is done both inside and outside the switch ports The following example shows the output from the show diagnositic result command for Supervisor Engine 8 E Supervisor Engine 7 E and Supervisor Engine 7L E Switch show diagnostic result module 3 detail Check...

Page 1976: ...ailure time n a Last test failure time n a Last test pass time Oct 01 2007 17 37 04 Total failure count 0 Consecutive failure count 0 Power On Self Test Results for ACTIVE Supervisor prod WS X45 SUP6 E part XXXXXXXXX serial XXXXXXXXXX Power on self test for Module 3 WS X45 SUP6 E Test Status Pass F Fail U Untested CPU Subsystem Tests seeprom Pass Traffic L3 Loopback Test Results Pass Traffic L2 Lo...

Page 1977: ... page 80 13 Supervisor Engine 6 E and Supervisor Engine 6L E page 80 15 Supervisor Engine 7 E Supervisor Engine 7L E and Supervisor Engine 8 E Switch show diagnostic result module 3 detail Current bootup diagnostic level minimal module 3 SerialNo CAT1450L1QU Overall Diagnostic Result for module 3 PASS Diagnostic level at card bootup minimal Test results Pass F Fail U Untested _____________________...

Page 1978: ...Ports Card Type Diag Status Diag Details 3 4 Sup 7 E 10GE SFP 1000BaseX SFP Skipped Packet memory Detailed Status Pass U Unknown L Loopback failure S Stub failure P Port failure E SEEPROM failure G GBIC integrity check failure Ports 1 2 3 4 ___________________________________________________________________________ 3 stub rx errors Error code 0 DIAG_SUCCESS Total run count 2 Last test testing type...

Page 1979: ..._________________ 1 supervisor bootup Error code 0 DIAG_SUCCESS Total run count 1 Last test testing type n a Last test execution time Jul 21 2011 13 35 55 First test failure time n a Last test failure time n a Last test pass time Jul 21 2011 13 35 55 Total failure count 0 Consecutive failure count 0 Power On Self Test Results for ACTIVE Supervisor prod WS X45 SUP6 E part 73 10597 06 serial JAE1213...

Page 1980: ...testing type Health Monitoring Last test execution time Jul 21 2011 13 36 57 First test failure time n a Last test failure time n a Last test pass time Jul 21 2011 13 36 57 Total failure count 0 Consecutive failure count 0 ___________________________________________________________________________ 4 supervisor rx errors Error code 0 DIAG_SUCCESS Total run count 1 Last test testing type Health Moni...

Page 1981: ...sor Power On Self Test utility did not run during last boot session ___________________________________________________________________________ 2 linecard online diag Error code 0 DIAG_SUCCESS Total run count 1 Last test testing type n a Last test execution time Jul 21 2011 20 16 56 First test failure time n a Last test failure time n a Last test pass time Jul 21 2011 20 16 56 Total failure count ...

Page 1982: ...tested ensure that both supervisor engines are present on power up Supervisor Engine 6 E and Supervisor Engine 6L E Switch show diagnostic result module 6 detail Current bootup diagnostic level minimal module 6 SerialNo Overall Diagnostic Result for module 6 PASS Diagnostic level at card bootup minimal Test results Pass F Fail U Untested ____________________________________________________________...

Page 1983: ... X2 1000BaseX SFP Passed None Detailed Status Pass U Unknown L Loopback failure S Stub failure P Port failure E SEEPROM failure G GBIC integrity check failure Ports 1 2 3 4 5 6 ___________________________________________________________________________ 3 stub rx errors Error code 0 DIAG_SUCCESS Total run count 3 Last test testing type Health Monitoring Last test execution time Jul 21 2011 13 39 06...

Page 1984: ...Remove and reinsert the supervisor engine into the chassis to ensure that the seating is correct Contact Cisco Systems customer support team for more information Note On a redundant chassis concurrent POST is supported on supervisor engines that are already inserted However if a second supervisor engine is inserted while the first one is loading you might boot the first supervisor engine in a faul...

Page 1985: ...ying and Monitoring WCCP Configuration Settings page 81 9 WCCP Configuration Examples page 81 9 Note The tasks in this chapter assume that you have already configured content engines on your network For specific information on hardware and network planning associated with Cisco Content Engines and WCCP see the product literature and documentation links available on Cisco com http www cisco com en ...

Page 1986: ...inistrators can easily scale their content engines to handle heavy traffic loads using these clustering capabilities Cisco clustering technology enables each content member to work in parallel resulting in linear scalability Clustering content engines greatly improves the scalability redundancy and availability of your caching solution You can cluster up to 32 content engines to scale to your desi...

Page 1987: ... on each content engine The address of each router in the group must be explicitly specified for each content engine during configuration The following sequence of events describe how WCCP works 1 Each WCCP client content engine is configured with a list of WCCP servers routers 2 Each content engine announces its presence with a Here I Am message and a list of routers with which it has established...

Page 1988: ...n priority order and redirected by the highest priority service group that matches traffic characteristics Multiple Routers Support WCCP enables you to attach multiple routers to a cluster of cache engines The use of multiple routers in a service group enables redundancy interface aggregation and distribution of the redirection load MD5 Security WCCP provides optional authentication that enables y...

Page 1989: ...nes in the cluster before configuring WCCP on your device Refer to the Cisco Content Engine User Guide for content engine configuration and setup tasks IP must be configured on the device interface connected to the cache engines Examples of device configuration tasks follow this section For complete descriptions of the command syntax refer to the Cisco IOS Configuration Fundamentals Command Refere...

Page 1990: ... list password password For IPv6 Switch config ipv6 wccp vrf vrf name group address groupaddress redirect list access list group list access list Specifies the following A dynamic service to enable on the switch The IP multicast address used by the service group optional The redirect access list to control the traffic to be redirected optional The group list to use for content engine membership op...

Page 1991: ...ace number for which the web cache service runs and enters interface configuration mode Step 3 Switch config if ip wccp vrf vrf name web cache redirect in Enables the verification on packets to determine if they qualify to be redirected to a content engine using the client interface specified in Step 2 Command Purpose Step 1 Switch config ip wccp vrf vrf name web cache Enables the web cache servic...

Page 1992: ...0 series switch in the service group authenticates the security component in a received WCCP packet immediately after validating the WCCP message header Packets failing authentication are discarded To configure an MD5 password for use by the Catalyst 4500 series switch in WCCP communications perform this task Command Purpose Step 1 Switch config access list access list permit ip host host address ...

Page 1993: ... that is currently running the number of content engines in the routers service group the content engine group is allowed to connect to the device and the access list being used Switch show ip wccp vrf vrf name web cache service number detail For IPv6 Switch show ipv6 wccp vrf vrf name detail Queries the device for information on which content engines of a specific service group that the device ha...

Page 1994: ...t 0 1 0 Switch config ipv6 wccp check services all Switch config interface GigabitEthernet 0 1 0 witch config if ipv6 wccp redirect in Switch config interface GigabitEthernet 0 2 0 Example Running a Web Cache Service The following example shows a web cache service configuration session with ingress redirection for IPv4 Switch configure terminal Switch config ip wccp web cache Switch config interfa...

Page 1995: ...ents the server interface and VLAN 50 represents the content engine interface Switch configure terminal Switch config ip wccp 61 Switch config ip wccp 62 Switch config interface vlan 30 Switch config if ip wccp 61 redirect in Switch config interface vlan 40 Switch config if ip wccp 62 redirect in Switch config interface vlan 50 Switch config if ip wccp redirect exclude in For IPV6 Switch configure...

Page 1996: ...onfig ipv6 acl permit tcp 2001 1 64 2004 1 64 eq www switch config ipv6 acl exit switch config ipv6 wccp 61 redirect list ACL_1 switch config interface vlan 40 witch config if ipv6 wccp 61 redirect in Example Using Access Lists To achieve better security you can use a standard access list to notify the Catalyst 4500 series switch to which IP addresses are valid for a content engine attempting to r...

Page 1997: ...cache service and dynamic service 99 are enabled on the Catalyst 4500 series switch WCCP Unicast Mode Switch more system running config Building configuration Current configuration version 12 2 service timestamps debug uptime service timestamps log uptime no service password encryption service udp small servers service tcp small servers enable secret 5 1 nSVy faliJsVQXVPW KuCxZNTh1 enable password...

Page 1998: ...81 14 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 81 Configuring WCCP Version 2 Services WCCP Configuration Examples ...

Page 1999: ...Command Reference you can locate it in the Cisco IOS Master Command List All Releases Determining MIB Support for Cisco IOS Releases To determine which MIBs are included in the Cisco IOS release running on the Cisco 4500 series switch follow these steps Step 1 Go to the Cisco MIBs Support page http www cisco com public sw center netmgmt cmtk mibs shtml Step 2 Under Cisco Access Products select a C...

Page 2000: ...ervice Provider W VIP From the MIB Locator page you can search by image name For example enter the following and click the Submit button c7200 js56i mz 12 0 1 From the MIB Locator page you can search for the MIB from the list of MIBs in the menu You can select one or for multiple selections hold down the CTRL key then click the Submit button Note After you make a selection follow the links and ins...

Page 2001: ... following URL http www cisco com en US tech tk648 tk362 technologies_tech_note09186a0080094aa5 shtml For a list of SNMP OIDs assigned to MIB objects go to the following URL and click on SNMP Object Navigator and follow the links http tools cisco com ITDIT MIBS servlet index Note You must have a Cisco CCO name and password to access the MIB Locator For information about how to download and compile...

Page 2002: ...eference fun_r html To configure the Cisco 4500 series switch for SNMP support follow these steps Step 1 Establish your basic SNMP configuration using the command line interface CLI on the router Note that these basic configuration commands are issued for SNMP version 2c For SNMP version 3 you must also set up SNMP users and groups Refer to the preceding list of documents for command and set up in...

Page 2003: ...k requires a single IP infrastructure that you want to virtualize into two or more logical networks or L3VPNs EVN provides path isolation for the traffic on the different virtual networks You must have a functioning campus design in place before adding virtualization to a network You should understand virtual routing and forwarding VRF instances and how they are used to maintain traffic separation...

Page 2004: ...ckward compatible with VRF Lite to enable seamless network migration from VRF Lite to EVN EVN supports IPv4 static routes Open Shortest Path First version 2 OSPFv2 and Protocol Independent Multicast PIM and Multicast Source Discovery Protocol MSDP for IPv4 Multicast routing EVN also supports Cisco Express Forwarding CEF and Simple Network Management Protocol SNMP Virtual Network Tags Provide Path ...

Page 2005: ...single IP infrastructure to provide a number of virtual networks end to end In the figure below a single IP infrastructure is virtualized into two VPNs by creating two VRFs Red and Green Figure 83 2 Network with Virtualization Laptop in Red User group Laptop in Green User group Server in Red User group Server in Green User group 277893 Laptop in Red User group Laptop in Green User group Server in ...

Page 2006: ... Ethernet and port channels To allow for backward compatibility with the VRF Lite solution the vLAN ID field in the 802 1q frame is used to carry the virtual network tag Traffic that carries a virtual network tag is called tagged traffic Traffic that does not carry a virtual network tag is called untagged traffic Tags are illustrated in the following configuration with two VRFs red and green Defin...

Page 2007: ...runk interface connects VRF aware devices together and provides the core with a means to transport traffic for multiple EVNs Trunk interfaces carry tagged traffic The tag is used to de multiplex the packet into the corresponding EVN A trunk interface has one subinterface for each EVN The vnet trunk command is used to define an interface as an EVN trunk interface An EVN interface uses two types of ...

Page 2008: ...uration 1072 bytes vrf definition red vnet tag 3 address family ipv4 exit address family You can display this hidden interface with the show derived config command and see that all of the commands entered on Fast Ethernet 0 0 0 have been inherited by Fast Ethernet 0 0 0 3 Device show derived config interface fastethernet0 0 0 3 Derived configuration 478 bytes interface FastEthernet0 0 0 3 descript...

Page 2009: ... 1 0 0 vnet trunk list mylist ip address 10 1 1 1 255 255 255 0 VRF Awareness A device connected to a virtual network may not understand virtual network tags and can send and receive only untagged traffic Such a device is referred to as VRF unaware For example a laptop computer is usually VRF unaware By contrast a device that can send and receive tagged traffic and therefore takes the tag value in...

Page 2010: ...kets enter an EVN through an edge interface traverse multiple trunk interfaces and exit the virtual network through another edge interface At the ingress edge interface packets are mapped from a VLAN into a particular EVN Once the packet is mapped to an EVN it is tagged with the associated virtual network tag The virtual network tag allows the trunk interface to carry packets for multiple EVNs The...

Page 2011: ...t with VRF red s tag 101 and sends it over the trunk interface 4 Device C receives the packet over a trunk interface Using virtual network tag 101 Device C identifies that the packet belongs to VRF red a Device C does route lookup in VRF red and sees that the next hop is Device D through a trunk interface b Device C encapsulates the packet with VRF red s tag 101 and sends it over the trunk interfa...

Page 2012: ...nk ip address 10 1 2 1 255 255 255 0 set OSPF hello interval for all VRFs on this interface ip ospf hello interval 20 Overriding Command Inheritance Virtual Network Interface Mode You can set up EVNs on the same trunk interface to have different configurations by override inherited values using specific commands in virtual network interface mode for individual EVNs In this mode the command s setti...

Page 2013: ... Yes ip ospf mtu ignore Yes Yes ip ospf network Yes Yes ip ospf priority Yes Yes ip ospf resync timeout Yes Yes ip ospf shutdown Yes Yes ip ospf transmit delay Yes Yes ip ospf transmit interval Yes Yes ip ospf ttl security Yes Yes ip ospf vnet area No No ip igmp access group Yes Yes ip igmp explicit tracking Yes Yes ip igmp helper address Yes Yes ip igmp immediate leave Yes Yes ip igmp last member...

Page 2014: ...unk is restored The override value for the specific EVN is no longer in effect In the following example the trunk interface is configured with an OSPF cost of 20 but VRF blue overrides that value with an OSPF cost of 30 interface gigabitethernet 2 0 0 vnet trunk ip address 10 1 1 1 255 255 255 0 Set OSPF cost for all VRFs on this interface to 20 ip ospf cost 20 vnet name blue Set OSPF cost for blu...

Page 2015: ...nt in its syntax such as ip ospf cost cost the no form of the command will remove the configuration but does not appear in the configuration file That is it will not be NVGEN ed because the user could enter ip ospf cost default value to override the inherited value EVN Compatibility with VRF Lite EVN is wire compatible with VRF Lite In other words on the outside 802 1q SNMP MIBs and all the EVN in...

Page 2016: ...F blue VRF or green VRF The traffic for all the VRFs is queued together Configuring Easy Virtual Networks Note We recommend that you draw your network topology indicating the interfaces on each router that belong to the EVNs The diagram facilitates tracking the interfaces you are configuring as edge interfaces and the interfaces you are configuring as trunk interfaces Command Purpose Step 1 Switch...

Page 2017: ...interface Step 13 Switch config if exit Returns to global configuration mode Step 14 Switch config router ospf process ID Configures an Open Shortest Path First OSPF routing process and associates it with a VRF This OSPF instance has no VRF so it is vnet global Step 15 Switch config router network ip address wildcard area area ID Defines the interfaces and associated area IDs on which OSPF runs an...

Page 2018: ...rf list exit vrf list Exits VRF list configuration mode Step 6 Switch config interface type number Configures an interface and enters interface configuration mode Step 7 Switch config if vnet trunk list vrf list name Defines a trunk interface and enables the VRFs that are in the VRF list Use the vrf list name you defined earlier in this task Step 8 Switch config if ip address ip address mask Sets ...

Page 2019: ... Switch show vrf vnet ipv4 ipv6 interface brief detail lock vrf name Displays information about the VRFs Switch show vrf vnet counters Displays information about the number of VRFs or virtual networks supported and configured Command Purpose Step 1 Switch configure terminal Enters global configuration mode Step 2 Switch config interface interface name Specifies the interface name and enters interf...

Page 2020: ...terface brief Interface IP Address OK Method Status Protocol Ethernet0 0 1 1 1 1 YES manual up up Ethernet0 0 131 100 1 1 1 YES manual up up Ethernet0 0 132 101 1 1 1 YES manual up up Configuration Examples for Configuring EVN Example Virtual Networks Using OSPF with network Commands In this example network commands associate a shared VRF interface with a base VRF and two named VRFs red and blue T...

Page 2021: ...ss family ipv4 exit address family interface gigabitethernet 0 0 0 ip address 10 0 0 1 255 255 255 0 vnet trunk ip ospf vnet area 0 vnet name red ip ospf cost 100 vnet name blue ip ospf 3 area 2 router ospf 1 log adjacency changes detail router ospf 2 vrf red log adjacency changes router ospf 3 vrf blue log adjacency changes Example Overriding Command Inheritance In the following example the OSPF ...

Page 2022: ...llustrates command inheritance and virtual network interface mode override in a multicast network A trunk interface leverages the fact that configuration requirements from different VRFs will be similar over the same trunk interface Eligible commands configured on the trunk interface are inherited by all VRFs running over the same interface In this example IP multicast PIM sparse mode is configure...

Page 2023: ...BLE ip pim sparse mode vrf definition red vnet tag 100 address family ipv4 exit address family ip multicast routing vrf red VRF RED interface gigabitethernet1 1 1 100 description GigabitEthernet to core VRF red vrf forwarding red ip pim sparse mode Configure the RP in the VRF using Anycast RP interface loopback0 description Anycast RP Global ip address 10 122 5 200 255 255 255 255 ip pim sparse mo...

Page 2024: ...text is specified once and the prompt changes to reflect that VRF there is no need to specify the VRF in each command traceroute Output Indicates VRF Name and VRF Tag The output of the traceroute command is enhanced to make troubleshooting easier by displaying the incoming VRF name tag and the outgoing VRF name tag as shown in the following example Device traceroute vrf red 10 0 10 12 Type escape ...

Page 2025: ...c 0 msec 4 Debug Output Filtering Per VRF Using EVN you can filter debug output per VRF by using the debug condition vrf command The following is sample output from the debug condition vrf command Device debug condition vrf red Condition 1 set CEF filter table debugging is on CEF filter table debugging is on D1 Aug 19 23 06 38 178 vrfmgr 0 Debug Condition 1 vrf red triggered count 1 CISCO VRF MIB ...

Page 2026: ...83 24 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter 83 Configuring Easy Virtual Network Troubleshooting EVN Configuration ...

Page 2027: ...ommand Descriptions Configuration Register Console Download Debug Commands Exiting the ROM Monitor Note For complete syntax and usage information for the switch commands used in this chapter see the Cisco IOS Command Reference Guides for the Catalyst 4500 Series Switch If a command is not in the Cisco Catalyst 4500 Series Switch Command Reference you can locate it in the Cisco IOS Master Command L...

Page 2028: ... variable Commands are case sensitive You can halt any command by pressing the Break key on a terminal If you are using a PC most terminal emulation programs halt a command when you press the Ctrl and the Break keys at the same time If you are using another type of terminal emulator or terminal emulation software refer to the documentation for that product for information on how to send a Break co...

Page 2029: ...r in hexadecimal as shown in the following example rommon 1 confreg 0x2101 You must reset or power cycle for new config to take effect rommon 2 The value is always interpreted as hexadecimal The new virtual configuration register value is written into NVRAM but does not take effect until you reset or reboot the router Table 84 1 Most Commonly Used ROM Monitor Commands Command Description reset or ...

Page 2030: ... fails y n n enable use all zero broadcast y n n enable break abort has effect y n n enable ignore system config info y n n change console baud rate y n n y enter rate 0 9600 1 4800 2 1200 3 2400 0 0 change the boot characteristics y n n y enter to boot 0 ROM Monitor 1 the boot helper image 2 15 boot system 0 0 Configuration Summary enabled are diagnostic mode console baud 9600 boot the ROM Monito...

Page 2031: ...guration register With ROMMON version 15 1 1r SG4 and 15 1 1r SG5on Supervisor Engine 8 E the follow error message is displayed if the supervisor is idle for more than an hour You can ignore this message it does not affect device performance rommon 0 ICMP Unsupported type opcode d00 ICMP Unsupported type opcode d00 ICMP Unsupported type opcode d00 ICMP Unsupported type opcode d00 ICMP Unsupported ...

Page 2032: ... memory size 40 MB Available main memory starts at 0x10000 size 40896KB IO packet memory size 5 percent of main memory NVRAM size 32KB Exiting the ROM Monitor You must set the configuration register to a value from 0x2 to 0xF for the router to boot a Cisco IOS image from flash memory upon startup or reloading The following example shows how to reset the configuration register and cause the router ...

Page 2033: ...onitor Present APaRT Automated Packet Recognition and Translation ARP Address Resolution Protocol AV attribute value AVVID Architecture for Voice Video and Integrated Data BDD binary decision diagrams BECN backward explicit congestion notification BGP Border Gateway Protocol BPDU bridge protocol data unit BRF bridge relay function BSC Bisync BSTUN Block Serial Tunnel BUS broadcast and unknown serv...

Page 2034: ...y function CST Common Spanning Tree CUDD University of Colorado Decision Diagram DBL Dynamic Buffer Limiting DCC Data Country Code dCEF distributed Cisco Express Forwarding DDR dial on demand routing DE discard eligibility DEC Digital Equipment Corporation DFI Domain Specific Part Format Identifier DFP Dynamic Feedback Protocol DISL Dynamic Inter Switch Link DLC Data Link Control DLSw Data Link Sw...

Page 2035: ...e Registration Protocol GMRP GARP Multicast Registration Protocol GVRP GARP VLAN Registration Protocol HSRP Hot Standby Routing Protocol ICC Inter card Communication ICD International Code Designator ICMP Internet Control Message Protocol IDB interface descriptor block IDP initial domain part or Internet Datagram Protocol IFS IOS File System IGMP Internet Group Management Protocol IGRP Interior Ga...

Page 2036: ... media independent interface MLS Multilayer Switching MLSE maintenance loop signaling entity MOP Maintenance Operation Protocol MOTD message of the day MLSE maintenance loops signaling entity MRM multicast routing monitor MSDP Multicast Source Discovery Protocol MST Multiple Spanning Tree MSTI MST instance MTU maximum transmission unit MVAP multiple VLAN access port NBP Name Binding Protocol NCIA ...

Page 2037: ...ision point PDU protocol data unit PEP policy enforcement point PGM Pragmatic General Multicast PHY physical sublayer PIB policy information base PIM Protocol Independent Multicast PoE Power over Internet PPP Point to Point Protocol PRID Policy Rule Identifiers PVST per VLAN Spanning Tree QM QoS manager QoS quality of service RADIUS Remote Access Dial In User Service RAM random access memory RCP R...

Page 2038: ...Management and Delivery Systems SMF software MAC filter SMP Standby Monitor Present SMRP Simple Multicast Routing Protocol SMT Station Management SNAP Subnetwork Access Protocol SNMP Simple Network Management Protocol SPAN Switched Port Analyzer SSTP Cisco Shared Spanning Tree STP Spanning Tree Protocol SVC switched virtual circuit SVI switched virtual interface TACACS Terminal Access Controller A...

Page 2039: ...ce UTC Coordinated Universal Time VACL VLAN access control list VCC virtual channel circuit VCI virtual circuit identifier VCR Virtual Configuration Register VINES Virtual Network System VLAN virtual LAN VMPS VLAN Membership Policy Server VPN virtual private network VRF VPN routing and forwarding VTP VLAN Trunking Protocol VVID voice VLAN ID WFQ weighted fair queueing WRED weighted random early de...

Page 2040: ...A 8 Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Cisco IOS XE 3 9 xE and IOS 15 2 5 Ex Chapter A Acronyms and Abbreviations ...

Page 2041: ...th other features 5 tunneling compatibility with other features 5 defaults 3 described 2 802 1Q VLANs trunk restrictions 4 802 1s See MST 802 1w See MST 802 1X See port based authentication 802 1X authentication Authentication Failed VLAN assignment 16 for Critical Authentication 14 for guest VLANs 10 for MAC Authentication Bypass 11 for Unidirectional Controlled Port 15 VLAN User Distribution 15 ...

Page 2042: ...compatibility on the same switch 3 configuring with VLAN maps 29 CPU impact 13 downloadable 7 hardware and software support 6 IP matching criteria for port ACLs 4 MAC extended 16 matching criteria for router ACLs 3 port and voice VLAN 5 defined 3 processing 13 selecting mode of capturing control packets 7 troubleshooting high CPU 7 types supported 3 understanding 2 VLAN maps 5 ACLs and VLAN maps e...

Page 2043: ...eling 3 attachment points Wireshark 6 attributes RADIUS vendor proprietary 112 vendor specific 111 Auth manager session for an interface verifying 125 Auth manager summary displaying 124 authentication NTP associations 4 RADIUS key 103 login 105 See also port based authentication TACACS defined 16 key 18 login 19 Authentication Failed configuring 80 1X 71 Authentication methods registered with the...

Page 2044: ...supported MST 23 understanding 21 See also STP banners configuring login 27 message of the day login 24 default configuration 24 when displayed 24 BFD and hardware support 7 configuration example BFD in a BGP network 25 BFD in an EIGRP network with echo mode enabled by default 17 BFD in an OSPF network 22 support for static routing 27 configuring Echo mode 15 session parameters on the interface 8 ...

Page 2045: ...farms See cache engine clusters Call Home description 24 1 message format options 2 messages format options 2 call home 1 alert groups 6 configuring e mail options 9 contact information 4 default settings 18 destination profiles 5 displaying information 13 mail server priority 10 pattern matching 8 periodic notification 8 rate limit messages 9 severity threshold 8 smart call home feature 2 SMTP se...

Page 2046: ...sscheck for VLANs 11 configuring fault alarms 16 configuring port MEP 14 configuring static remote MEP 13 16 18 crosscheck 5 defined 2 EtherChannel support 7 4 fault alarms configuring 16 IP SLAs support for 6 IP SLAs with endpoint discovers 21 maintenance domain 3 manually configuring IP SLAs ping or jitter 19 measuring network performance 6 monitoring 32 33 port MEP configuring 14 remote MEPs 5 ...

Page 2047: ...client processes tracking 1 clients in 802 1X authentication 3 clock See system clock clustering switches command switch characteristics and VTY 12 convert to a community 10 managing through CLI 13 overview 2 planning considerations CLI 13 passwords 8 CoA Request Commands 100 command modes 5 command switch cluster requirements 11 command line processing 3 commands b 3 b flash 3 boot 3 confreg 3 de...

Page 2048: ... status envents 46 configuring named IPv6 ACLs 18 configuring named MAC extended ACLs 16 17 Configuring QoS for AVC with DNS AS 11 configuring unicast MAC address filtering 16 configuring VLAN maps 21 confreg command 3 Connectivity Fault Management See CFM console configuration mode 5 console download 4 5 console port disconnecting user sessions 7 monitoring user sessions 6 contact information ass...

Page 2049: ...8 RMON 3 SNMP 5 SPAN and RSPAN 6 system message logging 3 TACACS 18 VLAN mapping 9 Y 1731 29 default gateway configuring 11 verifying configuration 11 default settings erase commad 34 default web based authentication configuration 802 1X 6 defining modifying deleting a capture point Wireshark 12 denial of service attacks IP address spoofing mitigating 5 Unicast RPF deploying 5 denying access to a ...

Page 2050: ...ine 1 Power On Self Test causes of failure 20 how it works 10 overview 10 Power On Self Test for Supervisor Engine V 10GE 13 Differentiated Services Code Point values See DSCP values DiffServ architecture QoS 2 Digital optical monitoring transceiver support 26 dir device command 3 disabled state RSTP comparisons table 24 disabling broadcast storm control 5 disabling multicast storm control 6 disco...

Page 2051: ...of dropped packets 4 overview 1 port channels their behavior 5 priority of static bindings 4 purpose of 2 rate limiting of ARP packets 4 configuring 16 validation checks performing 19 Dynamic Host Configuration Protocol snooping See DHCP snooping dynamic port VLAN membership example 28 limit on hosts 28 reconfirming 25 26 troubleshooting 28 E EAP frames changing retransmission time 85 exchanging f...

Page 2052: ...9 11 configuration guidelines 32 6 configuring 7 20 configuring tasks 30 configuring Layer 2 11 configuring Layer 3 7 DFC restriction see CSCdt27074 in the Release Notes displaying to a virtual switch system 20 interface port channel command 8 lacp system priority command example 16 modes 3 overview 1 PAgP Understanding 4 physical interface configuration 49 8 port channel interfaces 2 port channel...

Page 2053: ...ling globally 5 enabling on individual interface 7 enabling per interface 6 modes of operation 3 resetting disabled LAN interfaces 8 use case 2 Fast UDLD overview 1 FastDrop overview 11 fastethernet0 port See Ethernet management port Fast Hello dual active detection 24 Fast Hello dual active detection configuring 53 feature interactions Wireshark 10 FIB description 2 See also MFIB fiber optics int...

Page 2054: ...ty and ISSU for AVC with DNS AS 5 high CPU due to ACLs troubleshooting 7 history CLI 4 history table level and number of syslog messages 9 hop counts configuring MST bridges 28 Host 2 host limit on dynamic port 28 host modes MACsec 5 host ports kinds of 4 host presence CDP message 8 Hot Standby Routing Protocol See HSRP HSRP description 16 HSRP introduction 16 hw module module num power command 22...

Page 2055: ...overview 1 IGMP Snooping displaying group 16 hot membership 15 how to 15 MAC address entries 18 multicast router interfaces 17 on a VLAN interface 18 Querier information 19 IGMPSnooping Querier configuring 10 Immediate Leave IGMP enabling 8 immediate leave processing enabling 8 IGMP See fast leave processing ingress packets SPAN enhancement 12 inline power configuring on Cisco IP phones 5 insuffic...

Page 2056: ...M 3 Ethernet Management Port 29 Ethernet OAM Protocol 3 FAT File Management System Sup 60 E 6L E 4948E and 4900M 30 File System Management Sup 7 E and 7L E 29 Flex Link and MAC Address Table Move Update 3 Flexible Netflow Sup 7 E and 7L E 4 GLBP 15 hard based Control Plane Policing 37 HSRP 16 In Service Software Upgrade 19 Intelligent Power Management 30 Internet Group Management Protocol IGMP Sno...

Page 2057: ...ocal policy route map command 12 ip mask reply command 13 IP MTU sizes configuring 9 IP multicast clearing table entries 28 configuring 13 default configuration 14 displaying PIM information 24 displaying the routing table information 24 enabling dense mode PIM 15 enabling sparse mode 15 features not supported 13 hardware forwarding 9 IGMP snooping and 5 4 overview 1 routing protocols 2 software f...

Page 2058: ... 2 troubleshooting 8 with conected host polling 3 with DHCP server and Relay agent 2 ip unreachables command 12 IPsec VPN introduction 40 IPv4 IPv6 and MAC ACLs configuring on a Layer 2 interface 33 IPv6 addresses 2 default configuration 8 defined 20 1 Enhanced Interior Gateway Routing Protocol EIGRP IPv6 6 Router ID 7 OSPF 6 IPv6 control traffic policing 20 IPv6 First Hop Security introduction 38...

Page 2059: ...default configuation 15 disabling 17 enabvling 15 guideline and restrictions 20 understanding 15 Layer 2 frames classification with CoS 2 Layer 2 interface applying ACLs 35 configuring access mode mode on 35 configuring IPv4 IPv6 and MAC ACLs 33 displaying an ACL configuration 36 Layer 2 interface type resetting 24 setting 24 Layer 2 interfaces assigning VLANs 7 configuring 5 configuring as PVLAN ...

Page 2060: ...ink monitoring Ethernet OAM 34 38 link status displaying UDLD 9 link state tracking configuration guidelines 26 default configuration 26 described 23 displaying status 27 generic configuration procedure 26 listening state STP RSTP comparisons table 24 LLDP configuring 4 characteristics 5 default configuration 5 disabling and enabling globally 6 on an interface 7 monitoring and maintaining 14 overv...

Page 2061: ...ics of 36 dropping 38 removing 37 sticky 4 sticky secure adding 5 MAC address table move update configuration guidelines 9 configuring 10 monitoring 12 MAC Authentication Bypass configure with 802 1X 60 MAC details displaying 126 MAC extended access lists 16 MAC PHY configuration status TLV 2 macl 17 macros See Auto SmartPorts macros See Auto Smartports macros See Smartports macros MACSec 802 1AE ...

Page 2062: ...s 7 defined 2 policies 3 replay protection 3 statistics 6 virtual ports 4 MLD Done messages and Immediate leave 4 MLD messages 2 MLD queries 3 MLD reports 4 MLD Snooping MLD Done messages and Immediate leave 4 MLD messages 2 MLD queries 3 MLD reports 4 Multicast client aging robustness 3 Multicast router discovery 3 overview 1 Mode of capturing control packets selecting 7 modules checking status 1...

Page 2063: ... 4 MTUS understanding 35 Multi authentication described 22 multiauthentication mode 8 multicast See IP multicast Multicast client aging robustness 3 multicast Ethernet loopback ETH LB 29 multicast Ethernet loopback using 31 Multicast Forwarding Information Base MFIB 12 multicast groups static joins 7 Multicast HA 13 Multicast implementation HA 13 MFIB 12 S M 224 4 13 multicast packets blocking 2 M...

Page 2064: ...o 40 NAC Layer 2 IP validation intro 40 named IPv6 ACLs configuring ACLs configuring named IPv6 ACLs 18 named MAC extended ACLs ACLs configuring named MAC extended 16 17 native VLAN and 802 1Q tunneling 3 specifying 5 NDAC 20 defined 20 MACsec 1 NEAT configuring 88 overview 24 neighbor offset numbers REP 5 NetFlow packet sampling about 1 NetFlow lite clear commands 9 display commands 8 Network Ass...

Page 2065: ...figuration 4 displaying the configuration 11 overview 2 restricting access creating an access group 9 disabling NTP services per interface 10 source IP address configuring 10 stratum 2 synchronizing devices 6 time services 2 synchronizing 2 ntroduction PPPoE Intermediate Agent 41 Storm Control 42 uRPF Strict Mode 42 NVRAM saving settings 10 O OAM client 34 features 34 sublayer 34 OAM manager confi...

Page 2066: ...figuration example 16 enabling 7 10 features 2 overview 1 route maps 2 route map processing logic 3 when to use 6 PE to CE routing configuring 9 percentage thresholds in tracked lists 7 Permanent Right To_Use 14 per port and VLAN Access Control List 19 per port per VLAN QoS enabling 36 70 overview 10 Per User ACL and Filter ID ACL configure 45 Per VLAN Rapid Spanning Tree 6 enabling 20 overview 6 ...

Page 2067: ...ns 33 on access ports 7 22 on private VLAN 14 host 14 promiscuous 16 topology 15 18 32 on trunk port 17 guidelines and restrictions 15 18 32 port mode changes 22 on voice ports 22 sticky learning 5 using with 802 1X 18 violations 6 with 802 1X Authentication 32 with DHCP and IP Source Guard 31 with other features 33 port states description 5 port VLAN ID TLV 2 port based authentication 802 1X with...

Page 2068: ...ing 88 overview 24 topologies supported 26 using with ACL assignments and redirect URLs 19 using with port security 18 voice aware 802 1x security configuring 74 described 21 74 with Critical Authentication 14 with Guest VLANs 10 with MAC Authentication Bypass 11 with Unidirectional Controlled Port 15 with VLAN assignment 9 with VLAN User Distribution 15 port channel see EtherChannel port channel ...

Page 2069: ...e port based authentication preempt delay time REP 5 primary edge port REP 4 primary VLANs 2 4 associating with secondary VLANs 16 configuring as a PVLAN 15 priority overriding CoS of incoming frames 4 priority queuing QoS on Sup 6 E 30 64 private VLAN configure port security 14 15 enabling DHCP Snooping 12 private VLANs across multiple switches 5 and SVIs 10 benefits of 2 community ports 3 commun...

Page 2070: ... via DBL 34 68 active queue management via DBL 27 34 61 68 classification 16 50 configuring 13 47 configuring CoS mutation 45 79 configuring the policy map marking action 23 57 hardware capabilities for marking 23 57 how to implement policing 18 52 marking action drivers 21 55 marking network traffic 18 52 MQC based QoS configuration 13 48 multi attribute marking support 22 56 platform hardware ca...

Page 2071: ...f 97 server load balancing 115 suggested network environments 96 tracking services accessed by user 110 understanding 96 RADIUS Change of Authorization 97 RADIUS server configure to Switch communication 32 configuring settings 34 parameters on the switch 32 RADIUS controlling switch access with 95 range command 4 range macros defining 10 ranges of interfaces configuring 4 Rapid Spanning Tree See R...

Page 2072: ...dary edge port 4 segments 1 characteristics 2 SNMP traps configuring 14 supported interfaces 1 triggering VLAN load balancing 6 verifying link integrity 4 VLAN blocking 13 VLAN load balancing 4 replication description 9 report suppression IGMP disabling 10 reserved range VLANs See VLANs reset command 3 resetting a switch to defaults 34 resetting an interface to default configuration 48 Resilient E...

Page 2073: ...l See RIP RPF See Unicast RPF RSPAN configuration guidelines 16 destination ports 5 IDS 2 monitored ports 4 monitoring ports 5 received traffic 3 sessions creating 17 defined 3 limiting source traffic to specific VLANs 23 monitoring VLANs 21 removing source monitored ports 20 specifying monitored ports 17 source ports 4 transmitted traffic 4 VLAN based 5 RSTP compatibility 23 description 22 port r...

Page 2074: ...nd 48 show ciscoview version command 48 show cluster members command 13 show configuration command 32 show debugging command 3 show environment command 2 show history command 4 show interfaces command 37 38 44 46 47 show interfaces status command 2 show ip cef command 8 show ip eigrp interfaces command 20 show ip eigrp neighbors command 20 show ip eigrp topology command 20 show ip eigrp traffic co...

Page 2075: ...g 7 overview 4 configuration examples 15 configuration guidelines 6 default configuration 5 enabling 4 engine ID 6 groups 6 9 host 6 informs and trap keyword 11 described 5 differences from traps 5 enabling 14 limiting access by TFTP servers 15 limiting system log messages to NMS 9 manager functions 3 notifications 5 overview 1 4 status displaying 16 system contact and location 14 trap manager con...

Page 2076: ...ree uplinkfast command 20 spanning tree vlan command 9 command example 9 spanning tree vlan command 8 spanning tree vlan cost command 16 spanning tree vlan forward time command 19 spanning tree vlan hello time command 18 spanning tree vlan max age command 18 spanning tree vlan port priority command 13 spanning tree vlan priority command 17 spanning tree vlan root primary command 10 spanning tree v...

Page 2077: ...or engine accessing the redundant 14 configuring 8 13 copying files to standby 14 default configuration 1 default gateways 11 environmental monitoring 1 redundancy 1 ROM monitor 26 startup configuration 25 static routes 11 synchronizing configurations 11 10 Supervisor Engine 7L E selecting the uplink port 25 Supervisor Engine II TS insufficient inline power handling 22 12 Smartports macros See als...

Page 2078: ...configuration 12 enabling 4 facility keywords described 12 level keywords described 8 limiting messages 9 message format 2 overview 1 sequence numbers enabling and disabling 7 setting the display destination device 4 synchronizing log messages 5 timestamps enabling and disabling 6 UNIX syslog servers configuring the daemon 10 configuring the logging facility 11 facilities supported 12 system MTU 8...

Page 2079: ...ed 7 2 LLDP MED 2 Token Ring media not supported note 5 9 Topology change notification processing MLD Snooping Topology change notification processing 4 TOS description 4 trace command 9 traceroute See IP traceroute See Layer 2 Traceroute traceroute mac command 11 traceroute mac ip command 11 track state tracking IP SLAs 10 tracked lists configuring 3 types 3 tracked objects by Boolean expression ...

Page 2080: ...DNS Resource Record 3 TXT record 3 type length value See TLV type of service See TOS U UDLD configuring probe message interval per interface 8 default configuration 3 disabling on fiber optic interfaces 7 disabling on non fiber optic interfaces 7 displaying link status 9 enabling globally 5 enabling per interface 6 modes of operation 3 resetting disabled LAN interfaces 8 use case 2 UDLD overview 1...

Page 2081: ...verifying 10 unicast traffic blocking 2 Unidirectional Controlled Port configuring 802 1X 66 unidirectional ethernet enabling 2 example of setting 2 overview 1 UniDirectional Link Detection Protocol See UDLD Universal PoE configuring 16 UNIX syslog servers daemon configuration 10 facilities supported 12 message logging configuration 11 uplink forwarding quad supervisor 6 uplink mode selecting on s...

Page 2082: ...guring 11 types of 7 VLAN maps applying to a VLAN 25 configuration example 26 configuration guidelines 22 configuring 21 creating and deleting entries 22 defined 41 denying access example 27 denying packets 23 displaying 28 order of entries 22 permitting packets 23 router ACLs and 29 using figure 5 using in your network 25 VLAN maps PACL and Router ACLs 36 VLAN Trunking Protocol See VTP VLAN trunk...

Page 2083: ...curity port based authentication configuring 74 described 21 74 voice interfaces configuring 1 Voice over IP configuring 1 voice ports configuring VVID 3 voice traffic 2 5 voice VLAN IP phone data traffic described 2 IP phone voice traffic described 2 voice VLAN ports using 802 1X 21 Voice VLAN configure 802 1X 73 VPN configuring routing in 8 forwarding 3 routes 2 routing and forwarding table See ...

Page 2084: ...also WCCP web based authentication authentication proxy web pages 4 description 43 13 1 web based authentication interactions with other features 4 weight thresholds in tracked lists 6 wireless mode 29 30 Wireshark activating and deactivating capture points conceptual 10 attachment points 6 capture filter 7 capture points 6 core system filter 7 decoding and displaying packets 9 display filter 7 fe...

Page 2085: ...Index IN 45 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E multicast Ethernet loopback 31 multicast ETH LB 29 terminology 27 ...

Page 2086: ...Index IN 46 Software Configuration Guide Release IOS XE 3 9 0E and IOS 15 2 5 E ...

Reviews:

No comments

Related manuals for Catalyst 4500 Series

Barracuda Networks Network Quick Start Manual preview
Network
Brand: Barracuda Networks Pages: 2
Patton electronics 2888 Quick Start Manual preview
2888
Brand: Patton electronics Pages: 8
Watchguard XTM 850 Hardware Manual preview
XTM 850
Brand: Watchguard Pages: 30
B&B Electronics EIP308 Product Information preview
EIP308
Brand: B&B Electronics Pages: 2
ADTRAN TRACER 5045 Manual preview
TRACER 5045
Brand: ADTRAN Pages: 9
ExtraHop EDA 4200 Install preview
EDA 4200
Brand: ExtraHop Pages: 2
ICP DAS USA ZT-2005-C8 User Manual preview
ZT-2005-C8
Brand: ICP DAS USA Pages: 60
MTI BR5811 User Manual preview
BR5811
Brand: MTI Pages: 41
Mellanox Technologies SwitchX-2 MSX1024B-1BFS Installation Manual preview
SwitchX-2 MSX1024B-1BFS
Brand: Mellanox Technologies Pages: 31
MikroTik LHG 60G Quick Manual preview
LHG 60G
Brand: MikroTik Pages: 25
Aim RPM Bridge User Manual preview
RPM Bridge
Brand: Aim Pages: 12
Zte MF279T User Manual preview
MF279T
Brand: Zte Pages: 36
Edge-Core SDW101 Quick Start Manual preview
SDW101
Brand: Edge-Core Pages: 5
ADTRAN ACT 1900 Specification Sheet preview
ACT 1900
Brand: ADTRAN Pages: 2
rialto WhiteBox Installation Manual preview
WhiteBox
Brand: rialto Pages: 21
Gigafast EE400-RP User Manual preview
EE400-RP
Brand: Gigafast Pages: 40
Advantech ICR-3200 User Manual preview
ICR-3200
Brand: Advantech Pages: 43
Link electronics 860-XL165V Specification Sheet preview
860-XL165V
Brand: Link electronics Pages: 2

Brands by name

Popular brands

Load more brands