manualshive.com logo in svg

Cisco Catalyst Blade 3032, Software Configuration Manual

Share
Download
Cisco Catalyst Blade 3032 Software Configuration Manual Download Page 267

 

9-19

Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide

OL-13270-06

Chapter 9      Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

To configure per-user ACLs:

Enable AAA authentication.

Enable AAA authorization by using the 

network

 keyword to allow interface configuration from the 

RADIUS server.

Enable 802.1x authentication.

Configure the user profile and VSAs on the RADIUS server.

Configure the 802.1x port for single-host mode.

802.1x Authentication with Downloadable ACLs and Redirect URLs

You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x 
authentication or MAC authentication bypass of the host. You can also download ACLs during web 
authentication.

Note

A downloadable ACL is also referred to as a 

dACL

.

If more than one host is authenticated and the host is in single-host, MDA, or multiple-authentication 
mode, the switch changes the source address of the ACL to the host IP address.

You can apply the ACLs and redirect URLs to all the devices connected to the 802.1x-enabled port.

If no ACLs are downloaded during 802.1x authentication, the switch applies the static default ACL on 
the port to the host. On a voice VLAN port configured in multi-auth or MDA mode, the switch applies 
the ACL only to the phone as part of the authorization policies.

Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic 
auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied. 

Note

The auth-default-ACL does not appear in the running configuration. 

The auth-default ACL is created when at least one host with an authorization policy is detected on the 
port. The auth-default ACL is removed from the port when the last authenticated session ends. You can 
configure the auth-default ACL by using the 

ip access-list extended auth-default-acl

 global 

configuration command.

Note

The auth-default-ACL does not support Cisco Discovery Protocol (CDP) bypass in the single host mode. 
You must configure a static ACL on the interface to support CDP bypass. 

The 802.1x and MAB authentication methods support two authentication modes, 

open

 and 

closed

. If 

there is no static ACL on a port in 

closed

 authentication mode:

An auth-default-ACL is created. 

The auth-default-ACL allows only DHCP traffic until policies are enforced. 

Summary of Contents for Catalyst Blade 3032

Page 1: ...an Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide Cisco IOS Release 12 2 58 SE April 2011 Text Part Number OL 13270 06 ...

Page 2: ...PRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILIT...

Page 3: ...Features 1 8 VLAN Features 1 9 Security Features 1 10 QoS and CoS Features 1 13 Layer 3 Features 1 14 Monitoring Features 1 15 Default Settings After Initial Switch Configuration 1 16 Network Configuration Examples 1 20 Design Concepts for Using the Switch 1 20 Small to Medium Sized Network 1 23 Where to Go Next 1 24 C H A P T E R 2 Using the Command Line Interface 2 1 Understanding Command Modes ...

Page 4: ...rocess 3 4 Understanding DHCP based Autoconfiguration and Image Update 3 5 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 6 Limitations and Restrictions 3 6 Configuring DHCP Based Autoconfiguration 3 7 DHCP Server Configuration Guidelines 3 7 Configuring the TFTP Server 3 8 Configuring the DNS 3 8 Configuring the Relay Device 3 8 Obtaining Configuration Files 3 9 Example Configuration 3 10 Co...

Page 5: ... and DeviceID 4 4 Using Hostname DeviceID and ConfigID 4 4 Understanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Configuring Cisco IOS Agents 4 6 Enabling Automated CNS Configuration 4 7 Enabling the CNS Event Agent 4 8 Enabling the Cisco IOS CNS Agent 4 9 Enabling an Initial Configuration 4 9 Enabling a Partial Configurat...

Page 6: ...C Address Change Notification Traps 5 16 Configuring MAC Address Move Notification Traps 5 18 Configuring MAC Threshold Notification Traps 5 19 Adding and Removing Static Address Entries 5 20 Configuring Unicast MAC Address Filtering 5 21 Disabling MAC Address Learning on a VLAN 5 23 Displaying Address Table Entries 5 24 Managing the ARP Table 5 24 C H A P T E R 6 Configuring Switch Based Authenti...

Page 7: ...ew 6 20 Change of Authorization Requests 6 21 CoA Request Response Code 6 22 CoA Request Commands 6 23 Stacking Guidelines for Session Termination 6 26 Configuring RADIUS 6 27 Default RADIUS Configuration 6 27 Identifying the RADIUS Server Host 6 27 Configuring RADIUS Login Authentication 6 30 Defining AAA Server Groups 6 32 Configuring RADIUS Authorization for User Privileged Access and Network S...

Page 8: ...d Clients 6 50 Certificate Authority Trustpoints 6 50 CipherSuites 6 51 Configuring Secure HTTP Servers and Clients 6 52 Default SSL Configuration 6 52 SSL Configuration Guidelines 6 52 Configuring a CA Trustpoint 6 53 Configuring the Secure HTTP Server 6 54 Configuring the Secure HTTP Client 6 55 Displaying Secure HTTP Server and Client Status 6 56 Configuring the Switch for Secure Copy Protocol ...

Page 9: ...Console Ports or Ethernet Management Ports 7 18 Connectivity to Specific Stack Members 7 19 Switch Stack Configuration Scenarios 7 19 Configuring the Switch Stack 7 21 Default Switch Stack Configuration 7 21 Enabling Persistent MAC Address 7 21 Assigning Stack Member Information 7 24 Assigning a Stack Member Number 7 24 Setting the Stack Member Priority Value 7 25 Provisioning a New Member for a S...

Page 10: ... Per User ACLs and Filter Ids 9 9 Authentication Manager CLI Commands 9 9 Ports in Authorized and Unauthorized States 9 11 802 1x Authentication and Switch Stacks 9 12 802 1x Host Mode 9 12 802 1x Multiple Authentication Mode 9 13 MAC Move 9 14 MAC Replace 9 14 802 1x Accounting 9 15 802 1x Accounting Attribute Value Pairs 9 15 802 1x Readiness Check 9 16 802 1x Authentication with VLAN Assignment...

Page 11: ...Authentication 9 33 Default 802 1x Authentication Configuration 9 34 802 1x Authentication Configuration Guidelines 9 35 802 1x Authentication 9 35 VLAN Assignment Guest VLAN Restricted VLAN and Inaccessible Authentication Bypass 9 36 MAC Authentication Bypass 9 37 Maximum Number of Allowed Devices Per Port 9 37 Configuring 802 1x Violation Modes 9 38 Configuring 802 1x Authentication 9 38 Configu...

Page 12: ...Ordering 9 64 Configuring Open1x 9 64 Disabling 802 1x Authentication on the Port 9 65 Resetting the 802 1x Authentication Configuration to the Default Values 9 66 Displaying 802 1x Statistics and Status 9 66 C H A P T E R 10 Configuring Web Based Authentication 10 1 Understanding Web Based Authentication 10 1 Device Roles 10 2 Host Detection 10 2 Session Creation 10 3 Authentication Process 10 3 ...

Page 13: ...s 11 2 Access Ports 11 3 Trunk Ports 11 3 Tunnel Ports 11 3 Routed Ports 11 4 Switch Virtual Interfaces 11 4 SVI Autostate Exclude 11 5 EtherChannel Port Groups 11 6 10 Gigabit Ethernet Interfaces 11 6 Connecting Interfaces 11 6 Using Interface Configuration Mode 11 8 Procedures for Configuring Interfaces 11 9 Configuring a Range of Interfaces 11 9 Configuring and Using Interface Range Macros 11 1...

Page 14: ... Smartports Macro Configuration 12 2 Smartports Macro Configuration Guidelines 12 2 Creating Smartports Macros 12 4 Applying Smartports Macros 12 5 Applying Cisco Default Smartports Macros 12 6 Displaying Smartports Macros 12 8 C H A P T E R 13 Configuring VLANs 13 1 Understanding VLANs 13 1 Supported VLANs 13 2 VLAN Port Membership Modes 13 3 Configuring Normal Range VLANs 13 4 Token Ring VLANs 1...

Page 15: ...sing STP Port Priorities 13 23 Load Sharing Using STP Path Cost 13 24 Configuring VMPS 13 26 Understanding VMPS 13 26 Dynamic Access Port VLAN Membership 13 27 Default VMPS Client Configuration 13 27 VMPS Configuration Guidelines 13 28 Configuring the VMPS Client 13 28 Entering the IP Address of the VMPS 13 28 Configuring Dynamic Access Ports on VMPS Clients 13 29 Reconfirming VLAN Memberships 13 ...

Page 16: ...Traffic 15 2 Cisco IP Phone Data Traffic 15 2 Configuring Voice VLAN 15 3 Default Voice VLAN Configuration 15 3 Voice VLAN Configuration Guidelines 15 3 Configuring a Port Connected to a Cisco 7960 IP Phone 15 4 Configuring Cisco IP Phone Voice Traffic 15 5 Configuring the Priority of Incoming Data Frames 15 6 Displaying Voice VLAN 15 7 C H A P T E R 16 Configuring Private VLANs 16 1 Understanding...

Page 17: ...EEE 802 1Q Tunneling Configuration Guidelines 17 4 Native VLANs 17 4 System MTU 17 5 IEEE 802 1Q Tunneling and Other Features 17 6 Configuring an IEEE 802 1Q Tunneling Port 17 6 Understanding Layer 2 Protocol Tunneling 17 7 Configuring Layer 2 Protocol Tunneling 17 10 Default Layer 2 Protocol Tunneling Configuration 17 11 Layer 2 Protocol Tunneling Configuration Guidelines 17 12 Configuring Layer ...

Page 18: ...g the Spanning Tree Mode 18 15 Disabling Spanning Tree 18 16 Configuring the Root Switch 18 16 Configuring a Secondary Root Switch 18 18 Configuring Port Priority 18 18 Configuring Path Cost 18 20 Configuring the Switch Priority of a VLAN 18 21 Configuring Spanning Tree Timers 18 22 Configuring the Hello Time 18 22 Configuring the Forwarding Delay Time for a VLAN 18 23 Configuring the Maximum Agin...

Page 19: ...he Root Switch 19 18 Configuring a Secondary Root Switch 19 19 Configuring Port Priority 19 20 Configuring Path Cost 19 22 Configuring the Switch Priority 19 23 Configuring the Hello Time 19 23 Configuring the Forwarding Delay Time 19 24 Configuring the Maximum Aging Time 19 25 Configuring the Maximum Hop Count 19 25 Specifying the Link Type to Ensure Rapid Transitions 19 26 Designating the Neighb...

Page 20: ... 21 Configuring Flex Links and the MAC Address Table Move Update Feature 21 1 Understanding Flex Links and the MAC Address Table Move Update 21 1 Flex Links 21 2 VLAN Flex Link Load Balancing and Support 21 3 Flex Link Multicast Fast Convergence 21 3 Learning the Other Flex Link Port as the mrouter Port 21 3 Generating IGMP Reports 21 4 Leaking IGMP Reports 21 4 Configuration Examples 21 4 MAC Add...

Page 21: ...dress Filtering 22 17 Source IP and MAC Address Filtering 22 17 IP Source Guard for Static Hosts 22 17 Configuring IP Source Guard 22 18 Default IP Source Guard Configuration 22 18 IP Source Guard Configuration Guidelines 22 18 Enabling IP Source Guard 22 19 Configuring IP Source Guard for Static Hosts 22 21 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 22 21 Configuring IP...

Page 22: ...2 IGMP Versions 24 3 Joining a Multicast Group 24 3 Leaving a Multicast Group 24 5 Immediate Leave 24 6 IGMP Configurable Leave Timer 24 6 IGMP Report Suppression 24 6 IGMP Snooping and Switch Stacks 24 7 Configuring IGMP Snooping 24 7 Default IGMP Snooping Configuration 24 7 Enabling or Disabling IGMP Snooping 24 8 Setting the Snooping Method 24 9 Configuring a Multicast Router Port 24 10 Configu...

Page 23: ...Pv6 MLD Snooping 25 1 Understanding MLD Snooping 25 1 MLD Messages 25 2 MLD Queries 25 3 Multicast Client Aging Robustness 25 3 Multicast Router Discovery 25 3 MLD Reports 25 4 MLD Done Messages and Immediate Leave 25 4 Topology Change Notification Processing 25 5 MLD Snooping in Switch Stacks 25 5 Configuring IPv6 MLD Snooping 25 5 Default MLD Snooping Configuration 25 5 MLD Snooping Configuratio...

Page 24: ...elines 26 12 Enabling and Configuring Port Security 26 13 Enabling and Configuring Port Security Aging 26 18 Port Security and Switch Stacks 26 19 Port Security and Private VLANs 26 20 Configuring Protocol Storm Protection 26 21 Understanding Protocol Storm Protection 26 21 Default Protocol Storm Protection Configuration 26 21 Enabling Protocol Storm Protection 26 22 Displaying Port Based Traffic ...

Page 25: ...ing UDLD 29 1 Understanding UDLD 29 1 Modes of Operation 29 1 Methods to Detect Unidirectional Links 29 2 Configuring UDLD 29 4 Default UDLD Configuration 29 4 Configuration Guidelines 29 4 Enabling UDLD Globally 29 5 Enabling UDLD on an Interface 29 6 Resetting an Interface Disabled by UDLD 29 6 Displaying UDLD Status 29 7 C H A P T E R 30 Configuring SPAN and RSPAN 30 1 Understanding SPAN and RS...

Page 26: ...FRSPAN 30 24 Configuration Guidelines 30 24 Configuring an FSPAN Session 30 25 Configuring an FRSPAN Session 30 27 Displaying SPAN and RSPAN Status 30 29 C H A P T E R 31 Configuring RMON 31 1 Understanding RMON 31 2 Configuring RMON 31 3 Default RMON Configuration 31 3 Configuring RMON Alarms and Events 31 3 Collecting Group History Statistics on an Interface 31 5 Collecting Group Ethernet Statis...

Page 27: ...tifications 33 5 SNMP ifIndex MIB Object Values 33 5 Configuring SNMP 33 6 Default SNMP Configuration 33 6 SNMP Configuration Guidelines 33 6 Disabling the SNMP Agent 33 7 Configuring Community Strings 33 8 Configuring SNMP Groups and Users 33 9 Configuring SNMP Notifications 33 12 Setting the CPU Threshold Notification Types and Values 33 16 Setting the Agent Contact and Location Information 33 1...

Page 28: ...d ACL 35 10 Creating a Numbered Extended ACL 35 11 Resequencing ACEs in an ACL 35 15 Creating Named Standard and Extended ACLs 35 15 Using Time Ranges with ACLs 35 17 Including Comments in ACLs 35 19 Applying an IPv4 ACL to a Terminal Line 35 19 Applying an IPv4 ACL to an Interface 35 20 Hardware and Software Treatment of IP ACLs 35 22 Troubleshooting ACLs 35 22 IPv4 ACL Configuration Examples 35 ...

Page 29: ...nding IPv6 ACLs 36 1 Supported ACL Features 36 2 IPv6 ACL Limitations 36 2 IPv6 ACLs and Switch Stacks 36 3 Configuring IPv6 ACLs 36 3 Default IPv6 ACL Configuration 36 4 Interaction with Other Features and Switches 36 4 Creating IPv6 ACLs 36 4 Applying an IPv6 ACL to an Interface 36 8 Displaying IPv6 ACLs 36 9 C H A P T E R 37 Configuring QoS 37 1 Understanding QoS 37 2 Basic QoS Model 37 4 Class...

Page 30: ...nfiguring Standard QoS 37 35 Default Standard QoS Configuration 37 36 Default Ingress Queue Configuration 37 36 Default Egress Queue Configuration 37 37 Default Mapping Table Configuration 37 38 Standard QoS Configuration Guidelines 37 38 QoS ACL Guidelines 37 38 IPv6 QoS ACL Guidelines 37 38 Applying QoS on Interfaces 37 39 Configuring IPv6 QoS on Switch Stacks 37 39 Policing Guidelines 37 40 Gen...

Page 31: ...ween the Ingress Queues 37 83 Configuring the Ingress Priority Queue 37 84 Configuring Egress Queue Characteristics 37 85 Configuration Guidelines 37 86 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set 37 86 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID 37 88 Configuring SRR Shaped Weights on Egress Queues 37 90 Configuring SRR Shared Weights on E...

Page 32: ...nk State Tracking 38 23 Configuring Link State Tracking 38 25 Default Link State Tracking Configuration 38 25 Link State Tracking Configuration Guidelines 38 25 Configuring Link State Tracking 38 26 Displaying Link State Tracking Status 38 27 C H A P T E R 39 Configuring IP Unicast Routing 39 1 Understanding IP Routing 39 2 Types of Routing 39 2 IP Routing and Switch Stacks 39 3 Steps for Configur...

Page 33: ...for Routed Access 39 30 OSPF Nonstop Forwarding 39 30 Configuring Basic OSPF Parameters 39 31 Configuring OSPF Interfaces 39 32 Configuring OSPF Area Parameters 39 33 Configuring Other OSPF Parameters 39 35 Changing LSA Group Pacing 39 36 Configuring a Loopback Interface 39 37 Monitoring OSPF 39 38 Configuring EIGRP 39 38 Default EIGRP Configuration 39 40 EIGRP Nonstop Forwarding 39 42 Configuring...

Page 34: ...ining ISO IGRP and IS IS 39 79 Configuring Multi VRF CE 39 80 Understanding Multi VRF CE 39 80 Default Multi VRF CE Configuration 39 82 Multi VRF CE Configuration Guidelines 39 82 Configuring VRFs 39 83 Configuring VRF Aware Services 39 84 User Interface for ARP 39 85 User Interface for PING 39 85 User Interface for SNMP 39 85 User Interface for HSRP 39 86 User Interface for Unicast RPF 39 86 User...

Page 35: ...eys 39 109 Monitoring and Maintaining the IP Network 39 111 C H A P T E R 40 Configuring IPv6 Unicast Routing 40 1 Understanding IPv6 40 1 IPv6 Addresses 40 2 Supported IPv6 Unicast Routing Features 40 3 128 Bit Wide Unicast Addresses 40 4 DNS for IPv6 40 4 Path MTU Discovery for IPv6 Unicast 40 4 ICMPv6 40 4 Neighbor Discovery 40 4 Default Router Preference 40 5 IPv6 Stateless Autoconfiguration a...

Page 36: ...ring Static Routes for IPv6 40 21 Configuring RIP for IPv6 40 22 Configuring OSPF for IPv6 40 23 Configuring EIGRP for IPv6 40 25 Configuring HSRP for IPv6 40 25 Enabling HSRP Version 2 40 26 Enabling an HSRP Group for IPv6 40 26 Displaying IPv6 40 28 C H A P T E R 41 Configuring HSRP and VRRP 41 1 Understanding HSRP 41 1 HSRP Versions 41 3 Multiple HSRP 41 4 HSRP and Switch Stacks 41 5 Configurin...

Page 37: ...Enhanced Object Tracking 43 1 Configuring Enhanced Object Tracking Features 43 2 Default Configuration 43 2 Tracking Interface Line Protocol or IP Routing State 43 2 Configuring a Tracked List 43 3 Configuring a Tracked List with a Boolean Expression 43 3 Configuring a Tracked List with a Weight Threshold 43 4 Configuring a Tracked List with a Percentage Threshold 43 5 Configuring HSRP Object Trac...

Page 38: ... and Switch Stacks 45 10 Configuring IP Multicast Routing 45 11 Default Multicast Routing Configuration 45 11 Multicast Routing Configuration Guidelines 45 11 PIMv1 and PIMv2 Interoperability 45 12 Auto RP and BSR Configuration Guidelines 45 12 Configuring Basic Multicast Routing 45 13 Configuring Source Specific Multicast 45 15 SSM Components Overview 45 15 How SSM Differs from Internet Standard ...

Page 39: ...e Use of PIM Shortest Path Tree 45 41 Modifying the PIM Router Query Message Interval 45 42 Configuring Optional IGMP Features 45 43 Default IGMP Configuration 45 43 Configuring the Switch as a Member of a Group 45 43 Controlling Access to IP Multicast Groups 45 44 Changing the IGMP Version 45 45 Modifying the IGMP Host Query Message Interval 45 46 Changing the IGMP Query Timeout for IGMPv2 45 47 ...

Page 40: ...46 Configuring MSDP 46 1 Understanding MSDP 46 1 MSDP Operation 46 2 MSDP Benefits 46 3 Configuring MSDP 46 4 Default MSDP Configuration 46 4 Configuring a Default MSDP Peer 46 4 Caching Source Active State 46 6 Requesting Source Information from an MSDP Peer 46 8 Controlling Source Information that Your Switch Originates 46 8 Redistributing Sources 46 9 Filtering Source Active Request Messages 46...

Page 41: ...ging 47 11 C H A P T E R 48 Troubleshooting 48 1 Recovering from a Software Failure 48 2 Recovering from a Lost or Forgotten Password 48 3 Procedure with Password Recovery Enabled 48 5 Procedure with Password Recovery Disabled 48 7 Preventing Switch Stack Problems 48 8 Preventing Autonegotiation Mismatches 48 9 SFP Module Security and Identification 48 9 Monitoring SFP Module Status 48 10 Monitori...

Page 42: ...ine Diagnostics 49 1 Understanding Online Diagnostics 49 1 Configuring Online Diagnostics 49 2 Scheduling Online Diagnostics 49 2 Configuring Health Monitoring Diagnostics 49 3 Running Online Diagnostic Tests 49 5 Starting Online Diagnostic Tests 49 5 Displaying Online Diagnostic Tests and Test Results 49 6 A P P E N D I X A Working with the Cisco IOS File System Configuration Files and Software I...

Page 43: ...ng the Startup Configuration File A 20 Deleting a Stored Configuration File A 21 Replacing and Rolling Back Configurations A 21 Understanding Configuration Replacement and Rollback A 21 Configuration Guidelines A 22 Configuring the Configuration Archive A 23 Performing a Configuration Replacement or Rollback Operation A 24 Working with Software Images A 25 Image Location on the Switch A 26 File Fo...

Page 44: ... Event Manager B 3 Unsupported Privileged EXEC Commands B 3 Unsupported Global Configuration Commands B 3 Unsupported Commands in Applet Configuration Mode B 3 Fallback Bridging B 4 Unsupported Privileged EXEC Commands B 4 Unsupported Global Configuration Commands B 4 Unsupported Interface Configuration Commands B 4 HSRP B 5 Unsupported Global Configuration Commands B 5 Unsupported Interface Confi...

Page 45: ...d Privileged EXEC Commands B 12 Unsupported Global Configuration Commands B 12 NetFlow Commands B 12 Unsupported Global Configuration Commands B 12 Network Address Translation NAT Commands B 13 Unsupported Privileged EXEC Commands B 13 QoS B 13 Unsupported Global Configuration Command B 13 Unsupported Interface Configuration Commands B 13 Unsupported Policy Map Configuration Command B 13 RADIUS B ...

Page 46: ...Contents xlvi Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 ...

Page 47: ...bout the standard Cisco IOS Release 12 2 commands see the Cisco IOS documentation set available from the Cisco com home page at Products Services Technical Support Documentation See Documentation Cisco IOS Software This guide does not provide detailed information on the GUIs for the embedded device manager or for Cisco Network Assistant hereafter referred to as Network Assistant that you can use t...

Page 48: ...out the switch and are available from this Cisco com site http www cisco com en US products ps8742 tsd_products_support_series_home html Note Before installing configuring or upgrading the switch see these documents For initial configuration information see the Using Express Setup section in the getting started guide or the Configuring the Switch with the CLI Based Setup Program appendix in the ha...

Page 49: ...es ps5455 products_device_support_tables_list html Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix Cisco 100 Megabit Ethernet SFP Modules Compatibility Matrix Cisco Small Form Factor Pluggable Modules Compatibility Matrix Compatibility Matrix for 1000BASE T Small Form Factor Pluggable Modules For information about the Network Admission Control NAC features see the Network Admission...

Page 50: ...lii Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Preface ...

Page 51: ...witch supports either the cryptographic supports encryption or the noncryptographic universal software image The cryptographic and noncryptographic universal software images support the IP base and IP services feature sets To enable a specific feature set you must have a Cisco IOS software license for that feature set For more information about the software license see the Cisco Software Activatio...

Page 52: ...For more information see Chapter 25 Configuring IPv6 MLD Snooping and Chapter 36 Configuring IPv6 ACLs For more information on IPv6 routing see Chapter 40 Configuring IPv6 Unicast Routing For more information about IPv6 ACLs see Chapter 36 Configuring IPv6 ACLs Note Unless otherwise noted all features described in this chapter and in this guide are supported on both the IP base and IP services fea...

Page 53: ...mber command line interface CLI commands to accomplish specific tasks Interactive guide mode that guides you in configuring complex features such as VLANs ACLs and quality of service QoS Configuration wizards that prompt you to provide only the minimum required information to configure complex features such as QoS priorities for video traffic priority levels for data applications and security Down...

Page 54: ...FP module interfaces that enables the interface to automatically detect the required cable connection type straight through or crossover and to configure the connection appropriately Support for the maximum packet size or maximum transmission unit MTU size for these types of frames Up to 9216 bytes for routed frames Up to 9216 bytes for frames that are bridged in hardware and software through Giga...

Page 55: ...features Introduction of a new switch database management SDM dual IPv4 and IPv6 template that supports more indirect routes Web Cache Communication Protocol WCCP for redirecting traffic to wide area application engines for enabling content requests to be fulfilled locally and for localizing web traffic patterns in the network requires the IP services feature set Support for deny ACL entries in We...

Page 56: ...ssis management controller CMC GUI The internal Ethernet management port also referred to as the Fa0 or fastethernet0 port on the switch sends and receives only management traffic between the switch and the CMC The port is connected to the CMC through the backplane connector Manageability Features These are the manageability features CNS embedded agents for automating switch management configurati...

Page 57: ... management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem Out of band management access through the internal Ethernet management port to a PC Secure Copy Protocol SCP feature to provide a secure and authenticated method for copying switch configuration or switch image files requires the cryptographic universal ...

Page 58: ...g rapid convergence of spanning tree instances UplinkFast cross stack UplinkFast only stacking capable switches and BackboneFast for fast convergence after a spanning tree topology change and for achieving load balancing between redundant uplinks including Gigabit uplinks and cross stack Gigabit uplinks only stacking capable switches IEEE 802 1s Multiple Spanning Tree Protocol MSTP for grouping VL...

Page 59: ...st and multicast traffic and network security by establishing VLAN groups for high security users and network resources Dynamic Trunking Protocol DTP for negotiating trunking and encapsulation on a link between two devices VLAN Trunking Protocol VTP and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic Voice VLAN for creati...

Page 60: ... defining security policies in the inbound direction on Layer 2 interfaces VLAN ACLs VLAN maps for providing intra VLAN security by filtering traffic based on information in the MAC IP and TCP UDP headers Source and destination MAC based ACLs for filtering non IP traffic IPv6 ACLs to be applied to interfaces to filter IPv6 traffic Support for dynamic creation or attachment of an auth default ACL o...

Page 61: ...o allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame Voice aware IEEE 802 1x and MAC authentication bypass MAB security violation to shut down only the data VLAN on a port when a security violation occurs IEEE 802 1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802 1x on the switch Network Edge Access Topology NEAT with...

Page 62: ...authentication and apply to the new policies IEEE 802 1x User Distribution to allow deployments with multiple VLANs for a group of users to improve scalability of the network by load balancing users across different VLANs Authorized users are assigned to the least populated VLAN in the group assigned by RADIUS server Support for critical VLAN with multiple host authentication so that when a port i...

Page 63: ...ry for detecting the presence of a Cisco IP Phone trusting the CoS value received and ensuring port security Policing Traffic policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow If you configure multiple class maps for a hierarchical policy map each class map can be associated with its own port level second level policy ma...

Page 64: ...ols for load balancing and for constructing scalable routed backbones RIP Versions 1 and 2 Full OSPF support requires the IP services feature set The IP Base image supports OSPF for routed access to enable customers to extend Layer 3 routing capabilities to the access or wiring closet HSRP for IPv6 requires the IP services feature set Enhanced IGRP EIGRP requires the IP services feature set Border...

Page 65: ...ference DRP for improving the ability of a host to select an appropriate router IPv6 unicast routing capability for forwarding IPv6 traffic through configured interfaces requires the IP services feature set Support for EIGRP IPv6 which utilizes IPv6 transport communicates with IPv6 peers and advertises IPv6 routes IP unicast reverse path forwarding unicast RPF for confirming source packet IP addre...

Page 66: ...s and switch while the switch is connected to a live network On board failure logging OBFL to collect information about the switch and the power supplies connected to it Digital optical monitoring DOM to check status of X2 small form factor pluggable SFP modules Enhanced object tracking EOT for HSRP to determine the proportion of hosts in a LAN by tracking the routing table state or to trigger the...

Page 67: ...d is enabled and the DHCP relay agent is enabled only if the device is acting as a DHCP relay agent is configured and is enabled For more information see Chapter 3 Assigning the Switch IP Address and Default Gateway and Chapter 22 Configuring DHCP Features and IP Source Guard Switch stack is enabled not configurable For more information see Chapter 7 Managing Switch Stacks No passwords are defined...

Page 68: ...For more information see Chapter 15 Configuring Voice VLAN IEEE 802 1Q tunneling and Layer 2 protocol tunneling are disabled For more information see Chapter 17 Configuring IEEE 802 1Q and Layer 2 Protocol Tunneling STP PVST is enabled on VLAN 1 For more information see Chapter 18 Configuring STP MSTP is disabled For more information see Chapter 19 Configuring MSTP Optional spanning tree features ...

Page 69: ...onfiguring SPAN and RSPAN RMON is disabled For more information see Chapter 31 Configuring RMON Syslog messages are enabled and appear on the console For more information see Chapter 32 Configuring System Message Logging SNMP is enabled Version 1 For more information see Chapter 33 Configuring SNMP No ACLs are configured For more information see Chapter 35 Configuring Network Security with ACLs Qo...

Page 70: ...ance to degrade and how you can configure your network to increase the bandwidth available to your network users Table 1 1 Increasing Network Performance Network Demands Suggested Design Methods Too many users on a single network segment and a growing number of users accessing the Internet Create smaller network segments so that fewer users share the bandwidth and use VLANs and IP subnets to place...

Page 71: ...bility to provide always on mission critical applications Use switch stacks where all stack members are eligible stack masters in case of stack master failure All stack members have synchronized copies of the saved and running configuration files of the switch stack Use cross stack EtherChannels for providing redundant links across the switch stack Use Hot Standby Router Protocol HSRP for cluster ...

Page 72: ...ution layer connect the switches in the access layer to multilayer switches with routing capability The Gigabit interconnections minimize latency in the data flow QoS and policing on the switches provide preferential treatment for certain data streams They segment traffic streams into different paths for processing Security features on the switch ensure rapid handling of packets Fault tolerance fr...

Page 73: ...nt Data and multimedia traffic are configured on the same VLAN Voice traffic is configured on separate VVIDs If data multimedia and voice traffic are assigned to the same VLAN only one VLAN can be configured per wiring closet When an end station in one VLAN needs to communicate with an end station in another VLAN a router or Layer 3 switch routes the traffic to the destination VLAN In this network...

Page 74: ...ces and WAN and Internet access Figure 1 3 Switch Stack in a Collapsed Backbone Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 3 Assigning the Switch IP Address and Default Gateway To locate and download MIBs for a specific Cisco product and release use the Cisco MIB Locator http cisco com public sw ce...

Page 75: ...ter a question mark at the system prompt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and cle...

Page 76: ... While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration...

Page 77: ...command as unique This example shows how to enter the show configuration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviate...

Page 78: ...s In these cases the default command enables the command and sets variables to their default values Understanding CLI Error Messages Table 2 3 lists some error messages that you might encounter while using the CLI to configure your switch Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recog...

Page 79: ...ng Command History The software provides a history or record of commands that you have entered The command history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 2 5 optional Recalling Commands page 2 6 optional Disa...

Page 80: ...onal Editing Command Lines that Wrap page 2 8 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing Table 2 4 Recal...

Page 81: ...of the command line Press Esc B Move the cursor back one word Press Esc F Move the cursor forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buf...

Page 82: ...d of the line the line is again shifted ten spaces to the left Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 Switch config 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 25 Switch config t tcp 131 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 Press Esc L Change the word at the curso...

Page 83: ...nclude or exclude and an expression that you want to search for or filter out command begin include exclude regular expression Expressions are case sensitive For example if you enter exclude output the lines that contain output are not displayed but the lines that contain Output appear This example shows how to include in the output display only lines where the expression protocol appears Switch s...

Page 84: ...ote Telnet session but your switch must first be configured for this type of access For more information see the Setting a Telnet Password for a Terminal Line section on page 6 6 You can use one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem or connect the Ethernet management port to a PC For information about con...

Page 85: ... this chapter see the command reference for this release and the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 This chapter consists of these sections Understanding the Boot Process page 3 2 Assigning Switch Information page 3 3 Checking and Saving the Running Configuration page 3 17 Modifying the Startup Configuration page 3 19 Scheduling a Reload of the Softwa...

Page 86: ... only to load uncompress and start the operating system After the boot loader gives the operating system control of the CPU the boot loader is not active until the next system reset or power on The boot loader also provides trap door access into the system if the operating system has problems serious enough that it cannot be used The trap door mechanism provides enough access to the system so that...

Page 87: ...hat you removed from the switch stack Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured Note If you are using DHCP do not respond to any of the questions in the setup program until the switch receives the dynamically assigned IP address and reads the configuration file If you are an experienced user familiar with the switch configur...

Page 88: ... servers remain accessible in case one of the connected stack members is removed from the switch stack The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device between your switch and the DHCP server A relay device forwards broadcast traffic between two directly connected L...

Page 89: ...erver usually reserves the address until the client has had a chance to formally request the address If the switch accepts replies from a BOOTP server and configures itself the switch broadcasts instead of unicasts TFTP requests to obtain the switch configuration file The DHCP hostname option allows a group of switches to obtain hostnames and a standard configuration from the central management DH...

Page 90: ... on page 3 7 and the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image update feature starts The downloaded configuration file is saved in the running configuration of the switch and the new image is downloaded and installed on the switch When you reboot the switch the ...

Page 91: ...ress default gateway address to be used by the switch required If you want the switch to receive the configuration file from a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filename the name of the configuration file that the client needs recommended Hostname optional Depending on the settings of the DHCP server the switch can receive IP add...

Page 92: ...ly configured these files are not accessed If you specify the TFTP server name in the DHCP server lease database you must also configure the TFTP server name to IP address mapping in the DNS server database If the TFTP server to be used is on a different LAN from the switch or if it is to be accessed by the switch through the broadcast address which occurs if the DHCP server response does not cont...

Page 93: ...ed lease the switch obtains its configuration information in these ways The IP address and the configuration filename is reserved for the switch and provided in the DHCP reply one file read method The switch receives its IP address subnet mask TFTP server address and the configuration filename from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the named configur...

Page 94: ...same name as its hostname hostname confg or hostname cfg depending on whether network confg or cisconet cfg was read earlier from the TFTP server If the cisconet cfg file is read the filename of the host is truncated to eight characters If the switch cannot read the network confg cisconet cfg or the hostname file it reads the router confg file If the switch cannot read the router confg file it rea...

Page 95: ...A through Switch D Configuration Explanation In Figure 3 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the contents of the network confg file to its host table It reads its host table by...

Page 96: ...ool configuration mode Step 3 bootfile filename Specify the name of the configuration file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client ...

Page 97: ...Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp pool name Create a name for the DHCP server address pool and enter DHCP pool configuration mode Step 3 bootfile filename Specify the name of the file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix...

Page 98: ...h config if ip address 10 10 10 1 255 255 255 0 Switch config if end Configuring the Client Beginning in privileged EXEC mode follow these steps to configure a switch to download a configuration file and new image from a DHCP server Step 15 no switchport Put the interface into Layer 3 mode Step 16 ip address address mask Specify the IP address and mask for the interface Step 17 end Return to privi...

Page 99: ...load 300 seconds Config Download via DHCP enabled next boot enabled Switch Note You should only configure and enable the Layer 3 interface Do not assign an IP address or DHCP based autoconfiguration with a saved configuration Manually Assigning IP Information Beginning in privileged EXEC mode follow these steps to manually assign IP information to multiple switched virtual interfaces SVIs Note If ...

Page 100: ...an vlan id command output are not the same as the MAC address that is printed on the switch label the base MAC address By default VLAN 1 is the interface that connects to the management network When the switch boots up the DHCP client switch requests an IP address from a DHCP server by using the MAC address of VLAN 1 For information on setting the switch system name protecting access to privileged...

Page 101: ...ed interface VLAN1 ip address 172 20 137 50 255 255 255 0 no ip directed broadcast ip default gateway 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in flash memory enter this privil...

Page 102: ...itch syncs with the stack and reloads automatically Beginning in privileged EXEC mode follow these steps to configure the NVRAM buffersize This example shows how to configure the NVRAM buffer size Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config boot buffersize 524288 Switch config end Switch show boot BOOT path list Config file flash config text Pr...

Page 103: ...tion Automatically Downloading a Configuration File You can automatically download a configuration file to your switch by using the DHCP based autoconfiguration feature For more information see the Understanding DHCP Based Autoconfiguration section on page 3 4 Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot up t...

Page 104: ... can configure it to manually boot up Note On stacking capable switches this command only works properly from a standalone switch Beginning in privileged EXEC mode follow these steps to configure the switch to manually boot up during the next boot cycle Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 boot config file flash file url Specify the configuration file to...

Page 105: ... reboot the system the switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive Step 5 copy running config startup config Optional Save your e...

Page 106: ... equal sign followed by the value of the variable A variable has no value if it is not listed in this file it has a value if it is listed in the file even if the value is a null string A variable that is set to a null string for example is a variable with a value Many environment variables are predefined and have default values Environment variables store two kinds of data Data that controls code ...

Page 107: ...cally or manually boots Valid values are 1 yes 0 and no If it is set to no or 0 the boot loader attempts to automatically boot up the system If it is set to anything else you must manually boot up the switch from the boot loader mode boot manual Enables manually booting the switch during the next boot cycle and changes the setting of the MANUAL_BOOT environment variable The next time you reboot th...

Page 108: ...ours and minutes The reload must take place within approximately 24 days You can specify the reason for the reload in a string up to 255 characters in length To reload a specific switch in a switch stack use the reload slot stack member number privileged EXEC command reload at hh mm month day day month text This command schedules a reload of the software to take place at the specified time using a...

Page 109: ...e the switch prompts you to save the configuration before reloading During the save operation the system requests whether you want to proceed with the save if the CONFIG_FILE environment variable points to a startup configuration file that no longer exists If you proceed in this situation the system enters setup mode upon reload This example shows how to reload the software on the switch on the cu...

Page 110: ...3 26 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 3 Assigning the Switch IP Address and Default Gateway Scheduling a Reload of the Software Image ...

Page 111: ... 4 14 Understanding Cisco Configuration Engine Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and deliv...

Page 112: ...figuration Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configu...

Page 113: ...ven a unique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses...

Page 114: ...f the connection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re establishe...

Page 115: ...ress to the new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server ...

Page 116: ... showing an error status When the switch has applied the incremental configuration it can write it to NVRAM or wait until signaled to do so Synchronized Configuration When the switch receives a configuration it can defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses ...

Page 117: ...ww cisco com en US docs net_mgmt configuration_engine 1 5 installation_linux guide setup_ 1 html Table 4 1 Prerequisites for Enabling Automatic Configuration Device Required Configuration Access switch Factory default no configuration file Distribution switch IP helper address Enable DHCP relay agent IP routing if used as default gateway DHCP server IP address assignment TFTP server IP address Pat...

Page 118: ...r either the hostname or the IP address of the event gateway Optional For port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway i...

Page 119: ...ect configuration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout...

Page 120: ...r specify the point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify m...

Page 121: ...everse ipaddress mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event...

Page 122: ...ge source ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finis...

Page 123: ...st Enabling a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure ...

Page 124: ...Purpose show cns config connections Displays the status of the CNS Cisco IOS agent connections show cns config outstanding Displays information about incremental partial CNS configurations that have started but are not yet completed show cns config stats Displays statistics about the Cisco IOS agent show cns event connections Displays the status of the CNS event agent connections show cns event st...

Page 125: ...page 5 11 Managing the MAC Address Table page 5 13 Managing the ARP Table page 5 24 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamenta...

Page 126: ...than one packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running...

Page 127: ...and downstream switches Switch E and the blade switch respectively Figure 5 1 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are ava...

Page 128: ...bandwidth cost This feature leverages site local IPv6 multicast addresses For details about configuring NTPv4 see the Cisco IOS IPv6 Configuration Guide Release 12 4T Configuring Time and Date Manually If no other source of time is available you can manually configure the time and date after the system is restarted The time remains accurate until the next system restart We recommend that you use m...

Page 129: ...er the time is authoritative believed to be accurate If the system clock has been set by a timing source such as NTP the flag is set If the time is not authoritative it is used only for display purposes Until the clock is authoritative and the authoritative flag is set the flag prevents peers from synchronizing to the clock when the peers time is invalid The symbol that precedes the show clock dis...

Page 130: ... command is clock timezone AST 3 30 To set the time to UTC use the no clock timezone global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock timezone zone hours offset minutes offset Set the time zone The switch keeps internal time in universal time coordinated UTC so this command is used only for display purposes and when the time is man...

Page 131: ...witch config clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone re...

Page 132: ...t A greater than symbol is appended The prompt is updated whenever the system name changes If you are accessing a stack member through the stack master you must use the session stack member number privileged EXEC command The stack member number range is from 1 through 9 When you use this command the stack member number is appended to the system prompt For example Switch 2 is the prompt in privileg...

Page 133: ...distributed database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as t...

Page 134: ... name name Define a default domain name that the software uses to complete unqualified hostnames names without a dotted decimal domain name Do not include the initial period that separates an unqualified name from the domain name At bootup time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default dom...

Page 135: ...ation command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns The login bann...

Page 136: ...his example shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the ...

Page 137: ...e includes these types of addresses Dynamic address a source MAC address that the switch learns and then ages when it is not in use Static address a manually entered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note F...

Page 138: ...each port and adding the address and its associated port number to the address table As stations are added or removed from the network the switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured on a standalone switch or on the switch stack However the switch maintains an address table for each VLAN and STP can...

Page 139: ...associated VLANs For more information about private VLANs see Chapter 16 Configuring Private VLANs MAC Addresses and Switch Stacks The MAC address tables on all stack members are synchronized At any given time each stack member has the same copy of the address tables for each VLAN When an address ages out the address is removed from the address tables on all stack members When a switch joins a swi...

Page 140: ...dress table dynamic interface interface id or remove all addresses on a specified VLAN clear mac address table dynamic vlan vlan id To verify that dynamic entries have been removed use the show mac address table dynamic privileged EXEC command Configuring MAC Address Change Notification Traps MAC address change notification tracks users on a network by storing the MAC address change activity When ...

Page 141: ...traps mac notification change Enable the switch to send MAC address change notification traps to the NMS Step 4 mac address table notification change Enable the MAC address change notification feature Step 5 mac address table notification change interval value history size value Enter the trap interval time and the history table size Optional For interval value specify the notification trap interv...

Page 142: ...n verify your settings by entering the show mac address table notification change interface and the show mac address table notification change privileged EXEC commands Configuring MAC Address Move Notification Traps When you configure MAC move notification an SNMP notification is generated and sent to the network management system whenever a MAC address moves from one port to another within the sa...

Page 143: ...generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS host Step 5 end Return to privileged EXEC mode Step 6 show mac address table notification mac move show running config Verify your entries Ste...

Page 144: ...ed It can be a unicast or multicast address It does not age and is retained when the switch restarts You can add and remove static addresses and define the forwarding behavior for them The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission Because all ports are associated with at least one VLAN the switch acquires the VLAN ID for the address ...

Page 145: ...C address as its destination address the packet is forwarded to the specified port Switch config mac address table static c2f3 220a 12f4 vlan 4 interface gigabitethernet1 0 1 Configuring Unicast MAC Address Filtering When unicast MAC address filtering is enabled the switch drops packets with specific source or destination MAC addresses This feature is disabled by default and only supports unicast ...

Page 146: ... id interface interface id command the switch adds the MAC address as a static address You enable unicast MAC address filtering and configure the switch to drop packets with a specific address by specifying the source or destination unicast MAC address and the VLAN from which it is received Beginning in privileged EXEC mode follow these steps to configure the switch to drop a source or destination...

Page 147: ...lly by the switch If the VLAN ID that you enter is an internal VLAN the switch generates an error message and rejects the command To view internal VLANs in use enter the show vlan internal usage privileged EXEC command If you disable MAC address learning on a VLAN configured as a private VLAN primary VLAN MAC addresses are still learned on the secondary VLAN that belongs to the private VLAN and ar...

Page 148: ...he corresponding media or MAC addresses and the VLAN ID Using an IP address ARP finds the associated MAC address When a MAC address is found the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethern...

Page 149: ... Shell page 6 45 Configuring the Switch for Secure Socket Layer HTTP page 6 50 Configuring the Switch for Secure Copy Protocol page 6 57 Preventing Unauthorized Access to Your Switch You can prevent unauthorized users from reconfiguring your switch and viewing configuration information Typically you want network administrators to have access to your switch while you restrict access to users who di...

Page 150: ...XEC Commands A simple way of providing terminal access control in your network is to use passwords and assign privilege levels Password protection restricts access to a network or network device Privilege levels define what commands users can enter after they have logged into a network device These sections contain this configuration information Default Password and Privilege Level Configuration p...

Page 151: ...efault or any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Def...

Page 152: ... Enter global configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15...

Page 153: ...rrupts the bootup process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the...

Page 154: ...access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port or attach a PC to the Ethernet management port The default data characteristics of the console port are 9600 8 1 no parity Y...

Page 155: ...ration information Setting the Privilege Level for a Command page 6 8 Changing the Default Privilege Level for Lines page 6 9 Logging into and Exiting a Privilege Level page 6 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specif...

Page 156: ...wd14 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Leve...

Page 157: ...d Logging into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege leve...

Page 158: ...ACACS TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch Note We recommend a redundant connectio...

Page 159: ...s access control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing...

Page 160: ...cation information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT authorization response If an ACCEPT response i...

Page 161: ... host or host maintaining TACACS server and optionally set the encryption key Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to create a list of preferred hosts The software searches for hosts in the order ...

Page 162: ...t have a named method list explicitly defined A defined method list overrides the default method list A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method l...

Page 163: ...ssword by using the enable password global configuration command group tacacs Uses TACACS authentication Before you can use this authentication method you must configure the TACACS server For more information see the Identifying the TACACS Server Host and Setting the Authentication Key section on page 6 13 line Use the line password for authentication Before you can use this authentication method ...

Page 164: ...et parameters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in...

Page 165: ...r is Unreachable The aaa accounting system guarantee first command guarantees system accounting as the first record which is the default condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unr...

Page 166: ...Server Version 3 0 Livingston Merit Microsoft or another software provider For more information see the RADIUS server documentation Note We recommend a redundant connection between a switch stack and the RADIUS server This is to help ensure that the RADIUS server remains accessible in case one of the connected stack members is removed from the switch stack Use RADIUS in these network environments ...

Page 167: ...ions Switch to switch or router to router situations RADIUS does not provide two way authentication RADIUS can be used to authenticate from one device to a non Cisco device if the non Cisco device requires authentication Networks using a variety of services RADIUS generally binds a user to one service model Figure 6 2 Transitioning from RADIUS to TACACS Services RADIUS Operation When a user attemp...

Page 168: ...dard RADIUS interface is typically used in a pulled model where the request originates from a network attached device and the response come from the queried servers Catalyst switches support the RADIUS Change of Authorization CoA extensions defined in RFC 5176 that are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication authorization an...

Page 169: ...a listener This section includes these topics CoA Request Response Code CoA Request Commands Session Reauthentication RFC 5176 Compliance The Disconnect Request message which is also referred to as Packet of Disconnect POD is supported by the switch for session termination Table 6 2 shows the IETF attributes are supported for this feature Table 6 3 shows the possible values for the Error Cause att...

Page 170: ... attribute 44 Unless all session identification attributes included in the CoA message match the session the switch returns a Disconnect NAK or CoA NAK with the Invalid Attribute Value error code attribute For disconnect and CoA requests targeted to a particular session any one of the following session identifiers can be used Calling Station ID IETF attribute 31 which should contain the MAC addres...

Page 171: ...AK Response Code A negative acknowledgement NAK indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure Use show commands to verify a successful CoA CoA Request Commands This section includes Session Reauthentication Session Reauthentication in a Switch Stack Session Termination CoA Disconnect Request CoA Request Disable Host Port C...

Page 172: ...VLAN or critical VLAN or similar policies the reauthentication message restarts the access control methods beginning with the method configured to be attempted first The current authorization of the session is maintained until the reauthentication leads to a different authorization result Session Reauthentication in a Switch Stack When a switch stack receives a session reauthentication message It ...

Page 173: ...e session cannot be located the switch returns a CoA NAK message with the Session Context Not Found error code attribute If the session is located the switch disables the hosting port and returns a CoA ACK message If the switch fails before returning a CoA ACK to the client the process is repeated on the new active switch when the request is re sent from the client If the switch fails after return...

Page 174: ...ls before the port bounce completes a port bounce is initiated after stack master change over based on the original command which is subsequently removed If the stack master fails before sending a CoA ACK message the new stack master treats the re sent command as a new command Stacking Guidelines for CoA Request Disable Port Because the disable port command is targeted at a session not a port if t...

Page 175: ...uld configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 6 27 Identifying the RADIUS Server Host page 6 27 required Configuring RADIUS Login Authentication page 6 30 required Defining AAA Server Groups page 6 32 optional Configuring RADIUS Authorization for User Privileged Access and Netw...

Page 176: ...t they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all RADIUS serv...

Page 177: ...ius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authen...

Page 178: ...med it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authen...

Page 179: ...figure the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 6 27 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use ...

Page 180: ...ommand Reference Release 12 2 Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication You select a subset of the configured server hosts and use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multi...

Page 181: ... no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure th...

Page 182: ... for User Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it...

Page 183: ...s the first record which is the default condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Step 3 ...

Page 184: ...ined in the Cisco TACACS specification and sep is for mandatory attributes and is for optional attributes The full set of features available for TACACS authorization can then be used for RADIUS Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared secret text string used between the switch and all RADIUS servers Note The key is...

Page 185: ...his connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Other vendors have their own unique vendor IDs options and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Beginning in privileged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attrib...

Page 186: ...al configuration command To disable the key use the no radius server key global configuration command This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius server key rad124 Command Purpose Step 1 configure terminal Enter global configurati...

Page 187: ...ADIUS clients Step 7 auth type any all session key Specify the type of authorization the switch uses for RADIUS clients The client must match all the configured attributes for authorization Step 8 ignore session key Optional Configure the switch to ignore the session key For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com Step...

Page 188: ...w running config privileged EXEC command Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system which authenticates requests for network resources by using a trusted third party To use this feature the cryptographic that is supports encryption versions of the switch software must be installed on your switch You can download the crypt...

Page 189: ...s protocol The Kerberos credential scheme uses a process called single logon This process authenticates a user once and then allows secure authentication without encrypting another password wherever that user credential is accepted This software release supports Kerberos 5 which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that ...

Page 190: ...o another user or network service Note The Kerberos realm name must be in all uppercase characters Kerberos server A daemon that is running on a network host Users and network services register their identity with the Kerberos server Network services query the Kerberos server to authenticate to other network services KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and l...

Page 191: ...and password 3 The switch requests a TGT from the KDC for this user 4 The KDC sends an encrypted TGT that includes the user identity to the switch 5 The switch attempts to decrypt the TGT by using the password that the user entered If the decryption is successful the user is authenticated to the switch If the decryption is not successful the user repeats Step 2 either by re entering the username a...

Page 192: ...ies for the users in the KDC database When you add or create entries for the hosts and users follow these guidelines The Kerberos principal name must be in all lowercase characters The Kerberos instance name must be in all lowercase characters The Kerberos realm name must be in all uppercase characters Note A Kerberos server can be a switch that is configured as a network security server and that ...

Page 193: ...al Set the login authentication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Configure user AAA authorization for all network related service requests Step 6...

Page 194: ...set fails and is replaced by a switch that is running a noncryptographic image and the same feature set We recommend that a switch running the cryptographic software image and the IP base or IP services feature set be the stack master Encryption features are unavailable if the stack master is running the noncryptographic software image and the feature set SSH Servers Integrated Clients and Support...

Page 195: ...erver is running on a stack master and the stack master fails the new stack master uses the RSA key pair generated by the previous stack master If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair has not been generated Reconfigure the hostname and domain and then enter the crypto key generate rsa command For more information see the...

Page 196: ... global configuration mode Step 2 hostname hostname Configure a hostname for your switch Step 3 ip domain name domain_name Configure a host domain for your switch Step 4 crypto key generate rsa Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair We recommend that a minimum modulus size of 1024 bits When you generate RSA keys you are prompted to ente...

Page 197: ...ed sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns to the default of 10 minutes Specify the number of times that a client can re authenticate to the server The default is 3 the range is 0 to 5 Repeat this step when configuring both parameters Step 4 line vty line_number ending_line_number transport input s...

Page 198: ...yer encryption HTTP over SSL is abbreviated as HTTPS the URL of a secure connection begins with https instead of http The primary role of the HTTP secure server the switch is to listen for HTTPS requests on a designated port the default HTTPS port is 443 and pass the request to the HTTP 1 1 Web server The HTTP 1 1 server processes requests and passes responses pages back to the HTTP secure server ...

Page 199: ... signed 3080755072 certificate self signed 01 3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109 02161743 45322D33 3535302D 31332E73 756D6D30 342D3335 3530301E 170D3933 30333031 30303030 35395A17 0D323030 31303130 30303030 305A3059 312...

Page 200: ... message digest 3 SSL_RSA_WITH_RC4_128_SHA RSA key exchange with RC4 128 bit encryption and SHA for message digest 4 SSL_RSA_WITH_3DES_EDE_CBC_SHA RSA key exchange with 3DES and DES EDE3 CBC for message encryption and SHA for message digest RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections This u...

Page 201: ...efore you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode Step 6 enrollment url url Specify the URL to which the switch should send certificate requests Step 7 enrollment http...

Page 202: ...number to be used for the HTTPS server The default port number is 443 Valid options are 443 or any number in the range 1025 to 65535 Step 5 ip http secure ciphersuite 3des ede cbc sha rc4 128 md5 rc4 128 sha des cbc sha Optional Specify the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not have a reason to specify a particularly CipherSuite you sh...

Page 203: ...rver requires client authentication connections to the secure HTTP client fail Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Step 11 ip http timeout policy idle seconds life seconds requests value Optional Specify how long a connection to the HTTP server can remain open under the defined circumstances idle the maximum time period when no data is received or...

Page 204: ...y the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not have a reason to specify a particular CipherSuite you should allow the server and client to negotiate a CipherSuite that they both support This is the default Step 4 end Return to privileged EXEC mode Step 5 show ip http client secure status Display the status of the HTTP secure server to ver...

Page 205: ...n the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Information About Secure Copy To configure Secure Copy feature you should understand these concepts The behavior of SCP is similar to that of remote copy rcp w...

Page 206: ...6 58 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 6 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 207: ...witches in a switch stack might cause the switch to work improperly or to fail Understanding Switch Stacks A switch stack is a set of up to nine stacking capable switches connected through their StackWise Plus ports One of the switches controls the operation of the stack and is called the stack master The stack master and the other switches in the stack are all stack members The stack members use ...

Page 208: ...ame IP address even if you remove the stack master or any other stack member from the stack You can use these methods to manage switch stacks Network Assistant available on Cisco com Command line interface CLI over a serial connection to the console port of any stack member or the Ethernet management port of a stack member A network management application through the Simple Network Management Prot...

Page 209: ...hat you add to or remove from the switch stack After adding or removing stack members make sure that the switch stack is operating at full bandwidth 64 Gb s Press the Mode button on a stack member until the Stack mode LED is on The last two right port LEDs on all switches in the stack should be green Depending on the switch model the last two right ports are 10 Gigabit Ethernet ports or small form...

Page 210: ... Creating a Switch Stack from Two Standalone Switches in Two Enclosures Blade switch Blade switch Blade switch 1 2 Blade switch Blade switch Blade switch Blade switch Blade switch Blade switch 3 Blade switch Blade switch Blade switch 1 2 Enclosure 1 Enclosure 2 Enclosure 1 Enclosure 2 Stack member 1 Stack member 1 Stack member 1 Stack member 2 and stack master 201911 ...

Page 211: ...witch Stacks Understanding Switch Stacks Figure 7 2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosures Blade switch Blade switch Blade switch Blade switch Blade switch Blade switch 3 Enclosure Enclosure Stack member 1 Stack member 2 and stack master Stack member 1 Stack member 1 201912 1 2 2 ...

Page 212: ...his ensures that the switch is re elected as stack master if a re election occurs 3 The switch that is not using the default interface level configuration 1 Chassis management module 2 Internal Ethernet management port that is not active 3 Active internal Ethernet management port on the stack master Note The internal Ethernet management ports on the stack members are disabled Blade switch Blade sw...

Page 213: ... stack master retains its role unless one of these events occurs The switch stack is reset The stack master is removed from the switch stack The stack master is reset or powered off The stack master fails The switch stack membership is increased by adding powered on standalone switches or switch stacks In the events marked by an asterisk the current stack master might be re elected based on the li...

Page 214: ...number Every stack member including a standalone switch retains its member number until you manually change the number or unless the number is already being used by another member in the stack If you manually change the stack member number by using the switch current stack member number renumber new stack member number global configuration command the new number goes into effect after that stack m...

Page 215: ...an configure in advance the stack member number the switch type and the interfaces associated with a switch that is not currently part of the stack The configuration that you create on the switch stack is called the provisioned configuration The switch that is added to the switch stack and that receives this configuration is called the provisioned switch You manually create the provisioned configu...

Page 216: ...he default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stack member number is not found in the provisioned configuration The switch stack applies the default configuration to the provisioned switch and adds it to the stack The provisioned configuration is changed to reflect the new information The stac...

Page 217: ...mmand that matches the new switch For configuration information see the Provisioning a New Member for a Switch Stack section on page 7 25 Effects of Replacing a Provisioned Switch in a Switch Stack When a provisioned switch in a switch stack fails is removed from the stack and is replaced with another switch the stack applies either the provisioned configuration or the default configuration to it ...

Page 218: ...or more information see the Stack Protocol Version Compatibility section on page 7 12 Stack Protocol Version Compatibility Each software image includes a stack protocol version The stack protocol version has a major version number and a minor version number for example 1 4 where 1 is the major version number and 4 is the minor version number Both version numbers determine the level of compatibilit...

Page 219: ...he boot auto copy sw global configuration command is enabled You can disable auto upgrade by using the no boot auto copy sw global configuration command on the stack master You can check the status of auto upgrade by using the show boot privileged EXEC command and by checking the Auto upgrade line in the display Auto copy automatically copies the software image running on any stack member to the s...

Page 220: ...software image Auto Upgrade and Auto Advise Example Messages When you add a switch that has a different minor version number to the switch stack the software displays messages in sequence assuming that there are no other system messages generated by the switch This example shows that the switch stack detected a new switch that is running a different minor version number than the switch stack Auto ...

Page 221: ...MGR 6 AUTO_COPY_SW extracting cbs31x0 universal mz 122 40 EX1 info 450 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW extracting info 104 bytes Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW Installing renaming flash1 update cbs31x0 universal mz 122 0 0 313 EX1 Mar 11 20 36 15 038 IMAGEMGR 6 AUTO_COPY_SW flash1 cbs31x0 universal mz 122 40 EX1 Mar 11 20 3...

Page 222: ... file and by searching the directory structure on the switch stack If you download your image by using the copy tftp boot loader command instead of the archive download sw privileged EXEC command the proper directory structure is not created For more information about the info file see the File Format of Images on a Server or Cisco com section on page A 26 Incompatible Software and Stack Member Im...

Page 223: ...witch For information about the benefits of provisioning a switch stack see the Switch Stack Offline Configuration section on page 7 9 You back up and restore the stack configuration in the same way as you would for a standalone switch configuration For more information about file systems and configuration files see Appendix A Working with the Cisco IOS File System Configuration Files and Software...

Page 224: ...ctivity Note Stack members retain their IP addresses when you remove them from a switch stack To avoid a conflict by having two devices with the same IP address in your network change the IP addresses of any switches that you remove from the switch stack For related information about switch stack configurations see the Switch Stack Configuration Files section on page 7 16 Connectivity to the Switc...

Page 225: ...ic stack member Switch Stack Configuration Scenarios Table 7 2 provides switch stack configuration scenarios Most of the scenarios assume that at least two switches are connected through their StackWise Plus ports Table 7 2 Switch Stack Configuration Scenarios Scenario Result Stack master election specifically determined by existing stack masters Connect two powered on switch stacks through the St...

Page 226: ...tographic image installed and the IP base feature set enabled 2 Restart both stack members at the same time The stack member with the cryptographic image and the IP base feature set is elected stack master Stack master election specifically determined by the MAC address Assuming that both stack members have the same priority value configuration file and feature set restart both stack members at th...

Page 227: ...ues to use its MAC address as the stack MAC address even if the switch is now a stack member and not a stack master If Stack master failure Remove or power off the stack master Based on the factors described in the Stack Master Election and Re Election section on page 7 6 one of the remaining stack members becomes the new stack master All other stack members in the stack remain as stack members an...

Page 228: ...tack MAC address never changes If you enter a time delay of 1 to 60 minutes the stack MAC address of the previous stack master is used until the configured time period expires or until you enter the no stack mac persistent timer command Note If the entire switch stack reloads it uses with the MAC address of the stack master as the stack MAC address Beginning in privileged EXEC mode follow these st...

Page 229: ... feature Step 3 end Return to privileged EXEC mode Step 4 show running config or Verify that the stack MAC address timer is enabled If enabled the output shows stack mac persistent timer and the time in minutes Step 5 show switch If enabled the display includes Mac persistency wait time the number of minutes configured and the current stack MAC address Step 6 copy running config startup config Opt...

Page 230: ... 1 0 Ready Assigning Stack Member Information These sections describe how to assign stack member information Assigning a Stack Member Number page 7 24 optional Setting the Stack Member Priority Value page 7 25 optional Provisioning a New Member for a Switch Stack page 7 25 optional Assigning a Stack Member Number Note This task is available only from the stack master Beginning in privileged EXEC m...

Page 231: ... takes effect immediately but does not affect the current stack master The new priority value helps determine which stack member is elected as the new stack master when the current stack master or switch stack resets Step 3 end Return to privileged EXEC mode Step 4 reload slot stack member number Reset the stack member and apply this configuration change Step 5 show switch stack member number Veri...

Page 232: ...ing config command output shows the interfaces associated with the provisioned switch Switch config switch 2 provision WS CBS3130G Switch config end Switch show running config include switch 2 interface GigabitEthernet2 0 1 interface GigabitEthernet2 0 2 interface GigabitEthernet2 0 3 output truncated Accessing the CLI of a Specific Stack Member Note This task is only for debugging purposes and is...

Page 233: ...ion show platform stack manager all Display all stack information such as the stack protocol version show platform stack ports buffer history Display the stack port events and history show switch Display summary information about the stack including the status of provisioned switches and switches in version mismatch mode show switch stack member number Display information about a specific member s...

Page 234: ... can disable only one stack port This message appears Enabling disabling a stack port may cause undesired stack changes Continue confirm The stack is in the partial ring state you cannot disable the port This message appears Disabling stack port not allowed with current stack configuration Re Enabling a Stack Port While Another Member Starts Stack Port 1 on Switch 1 is connected to Port 2 on Switc...

Page 235: ...or is up Neighbor Switch number of the active member at the other end of the stack cable Cable Length Valid lengths are 50 cm 1 m or 3 m If the switch cannot detect the cable length the value is no cable The cable might not be connected or the link might be unreliable Link OK This shows if the link is stable The link partner is a stack port on a neighbor switch No The link partner receives invalid...

Page 236: ...K 1 50 cm Yes Yes Yes 1 No If you disconnect the stack cable from Port 1 on Switch 1 these messages appear 01 09 55 STACKMGR 4 STACK_LINK_CHANGE Stack Port 2 Switch 3 has changed to state DOWN 01 09 56 STACKMGR 4 STACK_LINK_CHANGE Stack Port 1 Switch 1 has changed to state DOWN Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Change...

Page 237: ... Loopback Examples Connected Stack Cables On Port 1 on Switch 1 the port status is Down and a cable is connected On Port 2 on Switch 1 the port status is Absent and no cable is connected Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link Sync In Port Port Length OK Active OK Changes Loopback Status To LinkOK 1 1 Down None 50 Cm No No No 1 No 1 2 Absent None No cable No No...

Page 238: ...6031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable Event type RAC 0000000013 1 FF08FF00 860302A5 AA55FFFF FFFFFFFF 1CE61CE6 Yes Yes No cable 0000000013 2 FF08FF00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable On a member If a stack port has an connected stack cable the Loopback HW value for the stack port is No If the stack port does not have an connected stack cable the Loopback HW value ...

Page 239: ... NOT OK Stack Port 1 0000009732 1 FF01FF00 00015B12 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009732 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type RAC 0000009733 1 FF01FF00 00015B4A 5555FFFF A49CFFFF 0C140CE4 No No 50 cm 0000009733 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m Event type LINK NOT OK Stack Port 2 0000010119 1 FF01FF00 00010E69 25953FFF FFFFFFFF 0C1...

Page 240: ...he cable connection for Port 2 on Switch 1 Port 2 on Switch 1 has a port or cable problem if The In Loopback value is Yes or The Link OK Link Active or Sync OK value is No Fixing a Bad Connection Between Stack Ports Stack cables connect all members Port 2 on Switch 1 connects to Port 1 on Switch 2 This is the port status Switch show switch stack ports summary Switch Stack Neighbor Cable Link Link ...

Page 241: ... specific features depending on how the switch is used in the network You can select a template to provide maximum system usage for some functions for example use the default template to balance resources and use access template to obtain maximum ACL usage To allocate hardware resources for different usages the switch SDM templates prioritize system resources to optimize support for certain featur...

Page 242: ...4 traffic These SDM templates support IPv4 and IPv6 environments Dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on the switch Dual IPv4 and IPv6 routing template supports Layer 2 multicast routing including policy based routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on the switch Dual IPv4 and ...

Page 243: ...5 Ready 4 Member 0003 fd63 9c00 5 SDM Mismatch This is an example of a syslog message notifying the stack master that a stack member is in SDM mismatch mode 2d23h STACKMGR 6 SWITCH_ADDED_SDM Switch 2 has been ADDED to the stack SDM_MISMATCH 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE 2d23h SDM 6 MISMATCH_ADVISE System 2 is incompatible with the SDM Table 8 2 Approximate Feature Resourc...

Page 244: ...elines Follow these guidelines when selecting and configuring SDM templates You must reload the switch for the configuration to take effect Use the sdm prefer vlan global configuration command only on switches intended for Layer 2 switching with no routing When you use the VLAN template no system resources are reserved for routing entries and any routing is done through software This overloads the...

Page 245: ...nd ipv6 default routing vlan indirect ipv4 and ipv6 routing routing vlan Specify the SDM template to be used on the switch The keywords have these meanings access Maximize system resources for ACLs default Give balance to all functions dual ipv4 and ipv6 Select a template that supports both IPv4 and IPv6 routing default Balance IPv4 and IPv6 Layer 2 and Layer 3 functionality routing Provide maximu...

Page 246: ...g Switch config end Switch reload Proceed with reload confirm This example shows how to configure the IPv4 and IPv6 default template Switch config sdm prefer dual ipv4 and ipv6 default Switch config exit Switch reload Proceed with reload confirm Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template To display the resource num...

Page 247: ...s is an example of output from the show sdm prefer dual ipv4 and ipv6 routing command Switch show sdm prefer dual ipv4 and ipv6 routing The current template is desktop IPv4 and IPv6 routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 1 5K number of IPv4 IGMP groups mult...

Page 248: ...8 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 8 Configuring SDM Templates Displaying the SDM Templates ...

Page 249: ... Exchange Protocol SXP This feature supports security group access control lists SGACLs which define ACL policies for a group of devices instead of an IP address The SXP control protocol allows tagging packets with SCTs without a hardware upgrade and runs between access layer devices at the Cisco TrustSec domain edge and distribution layer devices within the Cisco TrustSec domain The blade switche...

Page 250: ...hentication Process page 9 4 Authentication Initiation and Message Exchange page 9 6 Authentication Manager page 9 8 Ports in Authorized and Unauthorized States page 9 11 802 1x Authentication and Switch Stacks page 9 12 802 1x Host Mode page 9 12 802 1x Multiple Authentication Mode page 9 13 MAC Move page 9 14 MAC Replace page 9 14 802 1x Accounting page 9 15 802 1x Accounting Attribute Value Pai...

Page 251: ...al authentication of the client The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services Because the switch acts as the proxy the authentication service is transparent to the client In this release the RADIUS security system with Extensible Authentication Protocol EAP extensions is the only ...

Page 252: ...ity is valid and the 802 1x authentication succeeds the switch grants the client access to the network If 802 1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled the switch can use the client MAC address for authorization If the client MAC address is valid and the authorization succeeds the switch grants the client access to the network ...

Page 253: ...r which re authentication occurs 281594 Client identity is invalid All authentication servers are down All authentication servers are down Client identity is valid The switch gets an EAPOL message and the EAPOL message exchange begins 1 This occurs if the switch does not detect EAPOL packets from the client Client MAC address identity is invalid Client MAC address identity is valid Yes Yes No IEEE...

Page 254: ...sponse identity frame However if during bootup the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If 802 1x authentication is not enabled or supported on the network access device any EAPOL frames from the client are dropped If the client does...

Page 255: ... is successful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops 802 1x authentication Figure 9 4 shows the message exchange during MAC authentication bypass Figure 9 4 Message Exchan...

Page 256: ...uthentication Multiple Authentication22 2 Also referred to as multiauth 802 1x VLAN assignment Per user ACL Filter ID attribute Downloadable ACL3 Redirect URL 2 3 Supported in Cisco IOS Release 12 2 50 SE and later VLAN assignment VLAN assignment Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 Per user ACL2 Filter Id attribute2 Downloadable ACL2 Redirect URL2 MAC authentication ...

Page 257: ...nager interface configuration commands control all the authentication methods such as 802 1x MAC authentication bypass and web authentication The authentication manager commands determine the priority and order of authentication methods applied to a connected host The authentication manager commands control generic authentication features such as host mode violation mode and the authentication tim...

Page 258: ...n with the wake on LAN WoL feature and configure the port control as unidirectional or bidirectional authentication event dot1x auth fail vlan dot1x critical interface configuration dot1x guest vlan6 Enable the restricted VLAN on a port Enable the inaccessible authentication bypass feature Specify an active VLAN as an 802 1x guest VLAN authentication fallback fallback profile dot1x fallback fallba...

Page 259: ...guration command and these keywords force authorized disables 802 1x authentication and causes the port to change to the authorized state without any authentication exchange required The port sends and receives normal traffic without 802 1x based authentication of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by ...

Page 260: ...tivity If the switch that failed comes up and rejoins the switch stack the authentications might or might not fail depending on the boot up time and whether the connectivity to the RADIUS server is re established by the time the authentication is attempted To avoid loss of connectivity to the RADIUS server you should ensure that there is a redundant connection to it For example you can have a redu...

Page 261: ...ivate Beginning with Cisco IOS Release 12 2 55 SE you can assign a RADIUS server supplied VLAN in multi auth mode under these conditions The host is the first host authorized on the port and the RADIUS server supplies VLAN information Subsequent hosts are authorized with a VLAN that matches the operational VLAN A host is authorized on the port with no VLAN assignment and subsequent hosts either ha...

Page 262: ...cated on the new port MAC move is supported on all host modes The authenticated host can move to any port on the switch no matter which host mode is enabled on the that port When a MAC address moves from one port to another the switch terminates the authenticated session on the original port and initiates a new authentication sequence on the new port The MAC move feature applies to both voice and ...

Page 263: ...information Instead it sends this information to the RADIUS server which must be configured to log accounting messages 802 1x Accounting Attribute Value Pairs The information sent to the RADIUS server is represented in the form of Attribute Value AV pairs These AV pairs provide data for different applications For example a billing application might require information that is in the Acct Input Oct...

Page 264: ...LAN Assignment The switch supports 802 1x authentication with VLAN assignment After successful 802 1x authentication of a port the RADIUS server sends the VLAN assignment to configure the switch port The RADIUS server database maintains the username to VLAN mappings assigning the VLAN based on the username of the client connected to the switch port You can use this feature to limit network access ...

Page 265: ...ssigned VLAN behavior If 802 1x authentication is disabled on the port it is returned to the configured access VLAN and configured voice VLAN When the port is in the force authorized force unauthorized unauthorized or shutdown state it is put into the configured access VLAN If an 802 1x port is authenticated and put in the RADIUS server assigned VLAN any change to the port access VLAN configuratio...

Page 266: ...filtered by the router ACL To avoid configuration conflicts you should carefully plan the user profiles stored on the RADIUS server RADIUS supports per user attributes including vendor specific attributes These vendor specific attributes VSAs are in octet string format and are passed to the switch during the authentication process The VSAs used for per user ACLs are inacl n for the ingress directi...

Page 267: ... enabled port If no ACLs are downloaded during 802 1x authentication the switch applies the static default ACL on the port to the host On a voice VLAN port configured in multi auth or MDA mode the switch applies the ACL only to the phone as part of the authorization policies Beginning with Cisco IOS Release 12 2 55 SE if there is no static ACL on a port a dynamic auth default ACL is created and po...

Page 268: ...n a port without a configured ACL If the port is in open authentication mode the auth default ACL OPEN is created If the port is in closed authentication mode the auth default ACL is created The access control entries ACEs in the fallback ACL are converted to per user entries If the configured fallback profile does not include a fallback ACL the host is subject to the auth default ACL associated w...

Page 269: ...wnloadable ACLs and Redirect URLs section on page 9 60 VLAN ID based MAC Authentication You can use VLAN ID based MAC authentication if you wish to authenticate hosts based on a static VLAN ID instead of a downloadable VLAN When you have a static VLAN policy configured on your switch VLAN information is sent to an IAS Microsoft RADIUS server along with the MAC address of each host for authenticati...

Page 270: ...of 802 1x incapable clients are allowed access when the switch port is moved to the guest VLAN If an 802 1x capable client joins the same port on which the guest VLAN is configured the port is put into the unauthorized state in the user configured access VLAN and authentication is restarted Guest VLANs are supported on 802 1x ports in single host multiple host or multi domain modes You can configu...

Page 271: ... might connect through a hub When a client disconnects from the hub the port might not receive the link down or EAP logoff event After a port moves to the restricted VLAN a simulated EAP success message is sent to the client This prevents clients from indefinitely attempting authentication Some clients for example devices running Windows XP cannot implement DHCP without EAP success Restricted VLAN...

Page 272: ...n the critical authentication state in the current VLAN which might be the one previously assigned by the RADIUS server If the RADIUS server becomes unavailable during an authentication exchange the current exchange times out and the switch puts the critical port in the critical authentication state during the next authentication attempt You can configure the critical port to reinitialize hosts an...

Page 273: ...A voice VLAN port is a special access port associated with two VLAN identifiers VVID to carry voice traffic to and from the IP phone The VVID is used to configure the IP phone connected to the port PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone The PVID is the native VLAN of the port The IP phone uses the VVID for its voice traffic regardles...

Page 274: ... host that uses WoL is attached through an 802 1x port and the host powers off the IEEE 802 1x port becomes unauthorized The port can only receive and send EAPOL packets and WoL magic packets cannot reach the host When the PC is powered off it is not authorized and the switch port is not opened When the switch uses 802 1x authentication with WoL the switch forwards traffic to unauthorized IEEE 802...

Page 275: ...clear a VLAN group even when the active VLANs are mapped to the group When you clear a VLAN group none of the ports or users that are in the authenticated state in any VLAN within the group are cleared but the VLAN mappings to the VLAN group are cleared For more information see the Configuring 802 1x User Distribution section on page 9 56 802 1x Authentication with MAC Authentication Bypass You ca...

Page 276: ...US Usage Guidelines MAC authentication bypass interacts with the features 802 1x authentication You can enable MAC authentication bypass only if 802 1x authentication is enabled on the port Guest VLAN If a client has an invalid MAC address identity the switch assigns the client to a guest VLAN if one is configured Restricted VLAN This feature is not supported when the client connected to an IEEE 8...

Page 277: ...n Ordering You can use flexible authentication ordering to configure the order of methods that a port uses to authenticate a new host MAC authentication bypass and 802 1x can be the primary or secondary authentication methods and web authentication can be the fallback method if either or both of those authentication attempts fail For more information see the Configuring Flexible Authentication Ord...

Page 278: ...ion on either the voice or the data domain of a port it is error disabled Until a device is authorized the port drops its traffic Non Cisco IP phones or voice devices are allowed into both the data and voice VLANs The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information After the voice device starts sending on the voice VLAN its ...

Page 279: ... areas outside the wiring closet such as conference rooms This allows any type of device to authenticate on the port 802 1x switch supplicant You can configure a switch to act as a supplicant to another switch by using the 802 1x supplicant feature This configuration is helpful in a scenario where for example a switch is outside a wiring closet and is connected to an upstream switch through a trun...

Page 280: ...iguration on the authenticator switch port you can also use AutoSmart ports user defined macros instead of the switch VSA This allows you to remove unsupported configurations on the authenticator switch port and to change the port mode from access to trunk For more information see Chapter 12 Configuring Smartports Macros For more information see the Configuring an Authenticator and a Supplicant Sw...

Page 281: ...ID appears automatically No configuration is required Configuring 802 1x Authentication These sections contain this configuration information Default 802 1x Authentication Configuration page 9 34 802 1x Authentication Configuration Guidelines page 9 35 Configuring 802 1x Authentication page 9 38 required Configuring 802 1x Readiness Check page 9 40 Configuring 802 1x Violation Modes page 9 38 Conf...

Page 282: ... 9 4 shows the default 802 1x authentication configuration Table 9 4 Default 802 1x Authentication Configuration Feature Default Setting Switch 802 1x enable state Disabled Per port 802 1x enable state Disabled force authorized The port sends and receives normal traffic without 802 1x based authentication of the client AAA Disabled RADIUS server IP address UDP authentication port Key None specifie...

Page 283: ...an 802 1x port is assigned to shut down disabled or removed the port becomes unauthorized For example the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed The 802 1x protocol is supported on Layer 2 static access ports voice VLAN ports and Layer 3 routed ports but it is not supported on these port types Maximum retransmission number 2 times number of ...

Page 284: ...ver 802 1x authentication is disabled until the port is removed as a SPAN or RSPAN destination port You can enable 802 1x authentication on a SPAN or RSPAN source port Before globally enabling 802 1x authentication on a switch by entering the dot1x system auth control global configuration command remove the EtherChannel configuration from the interfaces on which 802 1x authentication and EtherChan...

Page 285: ...nges the port state to the critical authentication state and remains in the restricted VLAN You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802 1x restricted VLAN The restricted VLAN feature is not supported on internal VLANs routed ports or trunk ports it is supported only on access ports MAC Authentication Bypass These are the MAC authentication bypass configuration guideli...

Page 286: ...ble AAA Step 3 aaa authentication dot1x default method1 Create an 802 1x authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to ...

Page 287: ... in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other keywords are visible in the command line help string only the group radius keywords are supported St...

Page 288: ...does not respond to the query the client is not 802 1x capable No syslog message is generated The readiness check can be sent on a port that handles multiple hosts for example a PC that is connected to an IP phone A syslog message is generated for each of the clients that respond to the readiness check within the timer period Beginning in privileged EXEC mode follow these steps to enable the 802 1...

Page 289: ...mand You disable voice aware 802 1x security by entering the no version of this command This command applies to all 802 1x configured ports in the switch Note If you do not include the shutdown vlan keywords the entire port is shut down when it enters the error disabled state If you use the errdisable recovery cause security violation global configuration command to configure error disabled recove...

Page 290: ...ress and UDP port number creates a unique identifier which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address If two different host entries on the same RADIUS server are configured for the same service for example authentication the second host entry configured acts as the fail over backup to the first one The RADIUS host entries are tried in the order that...

Page 291: ... server These settings include the IP address of the switch and the key string to be shared by both the server and the switch For more information see the RADIUS server documentation Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configure the RADIUS server parameters For hostname ip address s...

Page 292: ...rface id Specify the port to which multiple hosts are indirectly attached and enter interface configuration mode Step 3 authentication host mode multi auth multi domain multi host single host Allow multiple hosts clients on an 802 1x authorized port The keywords have these meanings multi auth Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN Note The multi auth...

Page 293: ...on and set the number of seconds between re authentication attempts to 4000 Switch config if authentication periodic Switch config if authentication timer reauthenticate 4000 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication periodic Enable periodic r...

Page 294: ... to change the quiet period This procedure is optional To return to the default quiet time use the no authentication timer inactivity interface configuration command This example shows how to set the quiet time on the switch to 30 seconds Switch config if authentication timer inactivity 30 Changing the Switch to Client Retransmission Time The client responds to the EAP request identity frame from ...

Page 295: ...and authentication servers Beginning in privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication timer reauthenticate seconds Set the n...

Page 296: ...the default re authentication number use the no dot1x max reauth req interface configuration command This example shows how to set 4 as the number of times that the switch restarts the authentication process before the port changes to the unauthorized state Switch config if dot1x max reauth req 4 Enabling MAC Move MAC move allows an authenticated host to move from one port on the switch to another...

Page 297: ...tup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication violation protect replace restrict shutdown Use the replace keyword to enable MAC replace on the interface The port remov...

Page 298: ...b Next enable CVS RADIUS Accounting in your RADIUS server System Configuration tab Beginning in privileged EXEC mode follow these steps to configure 802 1x accounting after AAA is enabled on your switch This procedure is optional Use the show radius statistics privileged EXEC command to display the number of RADIUS messages that do not receive the accounting response message This example shows how...

Page 299: ... an EAP request identity frame from the client before re sending the request and to enable VLAN 2 as an IEEE 802 1x guest VLAN when an 802 1x port is connected to a DHCP client Switch config if authentication timer inactivity 3 Switch config if authentication timer reauthenticate 15 Switch config if authentication event no response action authorize vlan 2 Command Purpose Step 1 configure terminal ...

Page 300: ...empts Beginning in privileged EXEC mode follow these steps to configure the maximum number of allowed authentication attempts This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configurati...

Page 301: ...rize vlan id Specify an active VLAN as an 802 1x restricted VLAN The range is 1 to 4094 You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x restricted VLAN Step 6 authentication event retry retry count Specify a number of authentication attempts to allow before a port moves to the restricted VLAN The range is 1 to 3 and the default is 3 ...

Page 302: ...DIUS server accounting port ignore auth port Disable testing on the RADIUS server authentication port For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS server Note Always configure the key as the last item in the radius server host com...

Page 303: ...interface gigabitethernet 1 0 1 Switch config radius server deadtime 60 Switch config if dot1x critical Switch config if dot1x critical recovery action reinitialize Switch config if dot1x critical vlan 20 Switch config if end Step 6 interface interface id Specify the port to be configured and enter interface configuration mode For the supported port types see the 802 1x Authentication Configuratio...

Page 304: ...oup eng dept vlan list 30 switch config show vlan group eng dept Group Name Vlans Mapped eng dept 10 30 This example shows how to remove a VLAN from a VLAN group switch no vlan group eng dept vlan list 10 This example shows that when all the VLANs are cleared from a VLAN group the VLAN group is cleared switch config no vlan group eng dept vlan list 30 Vlan 30 is successfully cleared from vlan grou...

Page 305: ...ep 3 authentication control direction both in Enable 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional both Sets the port as bidirectional The port cannot receive packets from or send packets to the host By default the port is bidirectional in Sets the port as unidirectional The port can send packets to the host but cannot re...

Page 306: ...nterface interface id Verify your entries Step 7 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication event no response action authorize vlan vlan id ...

Page 307: ...n port control auto Switch config if dot1x pae authenticator Switch config if spanning tree portfast trunk Beginning in privileged EXEC mode follow these steps to configure a switch as a supplicant Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cisp enable Enable CISP Step 3 interface interface id Specify the port to be configured and enter interface configuration...

Page 308: ...onfigure the ACS For more information see the Cisco Secure ACS configuration guides Note You must configure a downloadable ACL on the ACS before downloading it to the switch After authentication on the port you can use the show ip access list privileged EXEC command to display the downloaded ACLs on the port Step 5 password password Create a password for the new username Step 6 dot1x supplicant fo...

Page 309: ...vice tracking table Step 3 aaa new model Enables AAA Step 4 aaa authorization network default group radius Sets the authorization method to local To remove the authorization method use the no aaa authorization network default group radius command Step 5 radius server vsa send authentication Configure the radius vsa send authentication Step 6 interface interface id Specify the port to be configured...

Page 310: ...e source Optional Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console Step 3 interface interface id Enter interface configuration mode Step 4 ip access group acl id in Configure the default ACL on the port in the input direction Note The acl id is an access list name or number Step 5 exit Returns to global configuration mode Step 6...

Page 311: ...mmand to confirm the RADIUS attribute 32 For more information about this command see the Cisco IOS Debug Command Reference Release 12 2 at this URL http www cisco com en US docs ios debug command reference db_q1 html wp1123741 This example shows how to globally enable VLAN ID based MAC authentication on a switch Switch config terminal Enter configuration commands one per line End with CNTL Z Switc...

Page 312: ... port priority list Step 5 show authentication Optional Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 authentication control direction both in Opti...

Page 313: ...hentication on the port This procedure is optional To configure the port as an 802 1x port access entity PAE authenticator which enables IEEE 802 1x on the port but does not allow clients connected to the port to be authorized use the dot1x pae authenticator interface configuration command This example shows how to disable 802 1x authentication on the port Switch config interface gigabitethernet2 ...

Page 314: ...ll details statistics summary privileged EXEC command To display the 802 1x administrative and operational status for a specific port use the show dot1x interface interface id privileged EXEC command Beginning with Cisco IOS Release 12 2 55 SE you can use the no dot1x logging verbose global configuration command to filter verbose 802 1x authentication messages See the Authentication Manager CLI Co...

Page 315: ...not run the IEEE 802 1x supplicant Note You can configure web based authentication on Layer 2 and Layer 3 interfaces When you initiate an HTTP session web based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users The users enter their credentials which the web based authentication feature sends to the authentication authorization and accounting AA...

Page 316: ... Authenticates the client The authentication server validates the identity of the client and notifies the switch that the client is authorized to access the LAN and the switch services or that the client is denied Switch Controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authentication ser...

Page 317: ... events occur The user initiates an HTTP session The HTTP traffic is intercepted and authorization is initiated The switch sends the login page to the user The user enters a username and password and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success pa...

Page 318: ...ion Expired You create a banner by using the ip admission auth proxy banner http global configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 10 2 Figure 10 2 Authentication Successful Banner You can also customize the banner as shown in Figure 10 3 Add a ...

Page 319: ...Customized Web Banner If you do not enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 10 4 Figure 10 4 Login Screen With No Banner For more information see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 10 16 ...

Page 320: ...age time out to set a hidden password or to confirm that the same page is not submitted twice The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to specific URL after authentication occurs is entered and then the command...

Page 321: ...ity page 10 7 LAN Port IP page 10 8 Gateway IP page 10 8 ACLs page 10 8 Context Based Access Control page 10 8 802 1x Authentication page 10 8 EtherChannel page 10 8 Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port and port security manages network access for all MAC addresses including that of the client Yo...

Page 322: ...ased authentication host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a port ACL PACL as the default access policy for ingress traffic from hosts connected to the port After authentication the web based authentic...

Page 323: ...gress only feature You can configure web based authentication only on access ports Web based authentication is not supported on trunk ports EtherChannel member ports or dynamic trunk ports You must configure the default ACL on the interface before configuring web based authentication Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface You cannot authenticate hos...

Page 324: ...uring the Web Based Authentication Parameters page 10 15 Configuring the Web Based Authentication Parameters page 10 15 Removing Web Based Authentication Cache Entries page 10 16 Configuring the Authentication Rule and Interfaces This example shows how to enable web based authentication on Fast Ethernet port 5 1 Switch config ip admission name webauth1 proxy http Switch config interface fastethern...

Page 325: ...onfig aaa authentication login default group tacacs Switch config aaa authorization auth proxy default group tacacs Configuring Switch to RADIUS Server Communication RADIUS security servers identification Host name Host IP address Host name and specific UDP port numbers IP address and specific UDP port numbers Command Purpose Step 1 aaa new model Enables AAA functionality Step 2 aaa authentication...

Page 326: ...s by using with the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Cisco IOS Security Configuration Guide Release 12 2 and the Cisco IOS Security Command Reference Release 12 2 at this URL http www ...

Page 327: ...nter the ip http secure secure command the login page is always in HTTPS secure HTTP even if the user sends an HTTP request Customizing the Authentication Proxy Web Pages Specifying a Redirection URL for Successful Login Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages dur...

Page 328: ...for the username and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden password and prevention of redundant submissions This example shows how to configure custom authentication proxy web pages Switch config ip admission proxy http login page file flash login htm Switch config ip admission proxy http success p...

Page 329: ...tion Proxy webpage not configured HTTP Authentication success redirect to URL http www cisco com Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication global init state time is 2 minutes Authentication Proxy Watch list is disabled Authentication Proxy Max HTTP process is 7 Authentication Proxy Auditing is disabled Max Login attempts per user...

Page 330: ...shows how to remove the web based authentication session for the client at the IP address 209 165 201 1 Switch clear ip auth proxy cache 209 165 201 1 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip admission auth proxy banner http banner text file path Enable the local banner Optional Create a custom banner by entering C banner text C where C is a delimiting ch...

Page 331: ... shows how to view only the global web based authentication status Switch show authentication sessions This example shows how to view the web based authentication settings for gigabit interface 3 27 Switch show authentication sessions interface gigabitethernet 3 27 Command Purpose Step 1 show authentication sessions interface type slot port Displays the web based authentication settings type faste...

Page 332: ...10 18 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 10 Configuring Web Based Authentication Displaying Web Based Authentication Status ...

Page 333: ...nterfaces page 11 29 Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information ...

Page 334: ...erver mode These VLANs are saved in the VLAN database In a switch stack the VLAN database is downloaded to all switches in a stack and all switches in the stack build the same VLAN database In a switch stack the running configuration and the saved configuration are the same for all switches in a stack Add ports to a VLAN by using the switchport interface configuration commands Identify the interfa...

Page 335: ...unk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database An IEEE 802 1Q trunk port supports simultaneous tagged and untagged traffic An IEEE 802 1Q trunk port is assigned a default port VLAN ID PVID and all untagged traffic travels on the port default PVID All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the por...

Page 336: ...tion commands Note Entering a no switchport interface configuration command shuts down the interface and then re enables it which might generate messages on the device to which the interface is connected When you put an interface that is in Layer 2 mode into Layer 3 mode the previous configuration information related to the affected interface might be lost The number of routed ports that you can c...

Page 337: ...es not become active until it is associated with a physical port SVIs support routing protocols and bridging configurations For more information about configuring IP routing see Chapter 39 Configuring IP Unicast Routing Chapter 45 Configuring IP Multicast Routing and Chapter 47 Configuring Fallback Bridging Note The IP base feature set supports static routing and RIP For more advanced routing or f...

Page 338: ...rts within the port group Exceptions are the DTP the Cisco Discovery Protocol CDP and the Port Aggregation Protocol PAgP which operate only on physical ports When you configure an EtherChannel you create a port channel logical interface and assign an interface to the EtherChannel For Layer 3 interfaces you manually create the logical interface by using the interface port channel global configurati...

Page 339: ...nly IP traffic When IP routing protocol parameters and address configuration are added to an SVI or routed port any IP traffic received from these ports is routed For more information see Chapter 39 Configuring IP Unicast Routing Chapter 45 Configuring IP Multicast Routing and Chapter 46 Configuring MSDP Fallback bridging forwards traffic that the switch does not route or traffic belonging to a no...

Page 340: ...ber on the switch that is always 0 Port number The interface number on the switch The internal 1000 Mb s ports are numbered consecutively from 1 to 16 for example gigabitethernet 1 0 1 On a switch with Cisco TwinGig Converter Modules in the 10 Gigabit Ethernet module slots the port numbers restart with the 10 Gigabit Ethernet ports tengigabitethernet1 0 1 If the switch has Cisco dual SFP X2 conver...

Page 341: ...abitethernet1 0 1 gi 1 0 1 or gi1 0 1 Step 3 Follow each interface command with the interface configuration commands that the interface requires The commands that you enter define the protocols and applications that will run on the interface The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode You can also c...

Page 342: ...nge macro macro_name Specify the range of interfaces VLANs or physical ports to be configured and enter interface range configuration mode You can use the interface range command to configure up to five port ranges or a previously defined macro The macro variable is explained in the Configuring and Using Interface Range Macros section on page 11 12 In a comma separated port range you must enter th...

Page 343: ...ed by the show running config command cannot be used with the interface range command All interfaces defined in a range must be the same type all Gigabit Ethernet ports all 10 Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can enter multiple ranges in a command This example shows how to use the interface range global configuration command to set the speed to 100 Mb s on ports 1...

Page 344: ...es tengigabitethernet stack member module first port last port where the module is always 0 for stacking capable switches port channel port channel number port channel number where the port channel number is 1 to 64 Note When you use the interface ranges with port channels the first and last port channel number must be active port channels You must add a space between the first interface number an...

Page 345: ...e terminal Switch config define interface range macro1 gigabitethernet1 0 1 2 gigabitethernet1 0 5 7 tengigabitethernet1 0 1 2 Switch config end This example shows how to enter interface range configuration mode for the interface range macro enet_list Switch configure terminal Switch config interface range macro enet_list Switch config if range This example shows how to delete the interface range ...

Page 346: ...ernet management port as a DCHP client by using the ip address dhcp interface configuration command In a switch stack only the Ethernet management port on the stack master is enabled The ports on the stack members are disabled You cannot modify the IP address of stack member by using the Chassis Management Module For a nonstacking capable switch or a standalone stacking capable switch connect the ...

Page 347: ...ough the Chassis Management Module to the PC If the stack master fails and a new stack master is elected the active link is now from the Ethernet management port on the new stack master through the Chassis Management Module to the PC In a stack that has members in multiple enclosures the PC must be connected to the Chassis Management Module of the enclosure with the stack master The PC should also...

Page 348: ...he Ethernet management port is enabled The switch cannot route packets from the Ethernet management port to a network port and the reverse 201910 PC Blade switch Blade switch Enclosure 1 Enclosure 2 Blade switch Stack member 1 Stack member 2 Stack member 3 Stack member 4 and stack master Stack member 5 Stack member 6 Stack member 7 1 2 3 2 Blade switch Blade switch Blade switch Blade switch 1 2 3 ...

Page 349: ...might fail Layer 3 Routing Configuration Guidelines When Layer 3 routing is enabled you should be aware of these guidelines If Routing Information Protocol RIP or Open Shortest Path First OSPF is enabled RIP or OSPF advertises routes with the internal Ethernet management port By default RIP and OSPF are disabled For traffic to be routed between VLAN 1 and the Ethernet management port IP routing mu...

Page 350: ...Interface page 11 24 Table 11 1 Boot Loader Commands Command Description arp ip_address Displays the currently cached ARP1 table when this command is entered without the ip_address parameter Enables ARP to associate a MAC address with the specified IP address when this command is entered with the ip_address parameter 1 ARP Address Resolution Protocol mgmt_clr Clears the statistics for the Ethernet...

Page 351: ...er 2 or switching mode switchport command Allowed VLAN range VLANs 1 4094 Default VLAN for access ports VLAN 1 Layer 2 interfaces only Native VLAN for IEEE 802 1Q trunks VLAN 1 Layer 2 interfaces only VLAN trunking Switchport mode dynamic auto supports DTP Layer 2 interfaces only Port enable state All ports are enabled Port description None defined Speed 1000 Mb s for the internal ports nonconfigu...

Page 352: ... 1000 Mb s ports support all speed options and all duplex options auto half and full However Gigabit Ethernet ports operating at 1000 Mb s do not support half duplex mode The internal Ethernet management ports do not support the speed and duplex features These ports operate only at 1000 Mb s and in full duplex mode For SFP module ports the speed and duplex CLI options change depending on the SFP m...

Page 353: ... to set a specific speed for the interface The 1000 keyword is available only for 10 100 1000 Mb s ports Enter auto to enable the interface to autonegotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP module ports SFP module ports operate only ...

Page 354: ...ity to receive pause frames to on off or desired The default state is off When set to desired an interface can operate with an attached device that is required to send flow control packets or with an attached device that is not required to but can send flow control packets These rules apply to flow control settings on the device receive on or desired The port cannot send pause frames but can opera...

Page 355: ...nable auto MDIX you must also set the interface speed and duplex to auto so that the feature operates correctly Auto MDIX is supported on all 10 100 1000 Mb s and on 10 100 1000BASE TX small form factor pluggable SFP module interfaces It is not supported on 1000BASE SX or LX SFP module interfaces Table 11 3 shows the link states that result from auto MDIX settings and correct and incorrect cabling...

Page 356: ... Use the no description interface configuration command to delete the description This example shows how to add a description on a port and how to verify the description Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet1 0 2 Switch config if description Connects to Marketing Switch config if end Switch show interfaces gigabi...

Page 357: ...the number of other features being configured might have an impact on CPU usage because of hardware limitations If the switch is using its maximum hardware resources attempts to create a routed port or SVI have these results If you try to create a new routed port the switch generates a message that there are not enough resources to convert the interface to a routed port and the interface remains a...

Page 358: ...p the SVI state up You can use this command to exclude the monitoring port status when determining the status of the SVI Beginning in privileged EXEC mode follow these steps to exclude a port from SVI state change calculations Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface gigabitethernet interface id vlan vlan id port channel port channel number Specify...

Page 359: ... switch does not support the MTU on a per interface basis You can enter the system mtu bytes global configuration command on a switch but the command does not take effect on the switch The system mtu jumbo global configuration commands do not take effect when you enter the system mtu routing command on a switch on which only Layer 2 ports are configured When you use the system mtu bytes or system ...

Page 360: ...abit Ethernet interfaces to an out of range number Switch config system mtu jumbo 25000 Invalid input detected at marker Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 system mtu jumbo bytes Optional Change the MTU size for all Gigabit Ethernet and 10 Gigabit Ethernet interfaces on the switch or the switch stack The range is from 1500 to 9198 bytes Step 3 system m...

Page 361: ...sabled Display interface status or a list of interfaces in the error disabled state show interfaces interface id switchport Display administrative and operational status of switching nonrouting ports You can use this command to find out if a port is in routing or in switching mode show interfaces interface id description Display the description configured on an interface or all interfaces and the ...

Page 362: ...on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to restart the int...

Page 363: ... a set of command line interface CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are added to ...

Page 364: ...in a different command mode When creating a macro all CLI commands should be in the same configuration mode When creating a macro that requires the assignment of unique values use the parameter value keywords to designate values specific to the interface Keyword matching is case sensitive All matching occurrences of the keyword are replaced with the corresponding value Any full match of cisco phon...

Page 365: ...a syntax error or a configuration error the macro continues to apply the remaining commands Some CLI commands are specific to certain interface types If a macro is applied to an interface that does not accept the configuration the macro will fail the syntax check or the configuration check and the switch will return an error message Applying a macro to an interface range is the same as applying a ...

Page 366: ...ition and enter a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro Optional You can define keywords within a macro by using a help string to specify the keywords Enter macro keywords word to define the keywords that...

Page 367: ...ut entering the keyword values the commands are invalid and are not applied Step 3 macro global description text Optional Enter a description about the macro that is applied to the switch Step 4 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 5 default interface interface id Optional Clear all configuration from the spec...

Page 368: ...iption Interface Macro Description Gi1 0 2 desktop config This example shows how to apply the user created macro called desktop config and to replace all occurrences of VLAN 1 with VLAN 25 Switch config if macro apply desktop config vlan 25 Applying Cisco Default Smartports Macros Beginning in privileged EXEC mode follow these steps to apply a Smartports macro Command Purpose Step 1 show parser ma...

Page 369: ... security age is greater than one minute and use inactivity timer switchport port security violation restrict switchport port security aging time 2 switchport port security aging type inactivity Configure port as an edge network port spanning tree portfast spanning tree bpduguard enable Switch Switch configure terminal Switch config gigabitethernet1 0 4 Switch config if macro apply cisco desktop A...

Page 370: ...use one or more of the privileged EXEC commands in Table 12 2 Table 12 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all configured macros show parser macro name macro name Displays a specific macro show parser macro brief Displays the configured macro names show parser macro description interface interface id Displays the macro description for all interfac...

Page 371: ...LAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can belong to a VLAN and unicast broadcast and multicast packets are forwarded and flooded on...

Page 372: ...ge 11 4 and the Configuring Layer 3 Interfaces section on page 11 25 Note If you plan to configure many VLANs on the switch and to not enable routing you can use the sdm prefer vlan global configuration command to set the Switch Database Management sdm feature to the VLAN template which configures system resources to support the maximum number of unicast MAC addresses For more information on the S...

Page 373: ... Ports to a VLAN section on page 13 10 VTP is not required If you do not want VTP to globally propagate information set the VTP mode to transparent To participate in VTP there must be at least one trunk port on the switch or the switch stack connected to a trunk port of a second switch or switch stack Trunk IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs...

Page 374: ...t file that is consistent with the stack master Voice VLAN A voice VLAN port is an access port attached to a Cisco IP Phone configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone For more information about voice VLAN ports see Chapter 15 Configuring Voice VLAN VTP is not required it has no effect on a voice VLAN Private VLAN A private VLA...

Page 375: ...er SAID Bridge identification number for TrBRF VLANs Ring number for FDDI and TrCRF VLANs Parent VLAN number for TrCRF VLANs Spanning Tree Protocol STP type for TrCRF VLANs VLAN number to use when translating from one VLAN type to another Note This section does not provide configuration details for most of these parameters For complete information on the commands and parameters that control VLAN c...

Page 376: ...on If extended VLANs are configured you cannot convert from VTP version 3 to version 1 or 2 See the Configuring Extended Range VLANs section on page 13 11 Before you can create a VLAN the switch must be in VTP server mode or VTP transparent mode If the switch is a VTP server you must define a VTP domain or VTP will not function The switch does not support Token Ring or FDDI media The switch does n...

Page 377: ...ys saved in the VLAN database vlan dat file If the VTP mode is transparent they are also saved in the switch running configuration file You can enter the copy running config startup config privileged EXEC command to save the configuration in the startup configuration file In a switch stack the whole stack uses the same vlan dat file and running configuration To display the VLAN configuration enter...

Page 378: ...n a number and name to the VLAN Note With VTP version 1 and 2 if the switch is in VTP transparent mode you can assign VLAN IDs greater than 1006 but they are not added to the VLAN database See the Configuring Extended Range VLANs section on page 13 11 For the list of default parameters that are assigned when you add a VLAN see the Configuring Normal Range VLANs section on page 13 4 Table 13 2 Ethe...

Page 379: ...hey remain associated with the VLAN and thus inactive until you assign them to a new VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN Note The available VLAN ID range for this command is 1 to 4094 For information a...

Page 380: ...tch config if switchport access vlan 2 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no vlan vlan id Remove the VLAN by entering the VLAN ID Step 3 end Return to privileged EXEC mode Step 4 show vlan brief Verify the VLAN removal Step 5 copy running config startup config Optional If the switch is in VTP transparent mode the VLAN configuration...

Page 381: ...page 13 8 for the default configuration for Ethernet VLANs You can change only the MTU size private VLAN and the remote SPAN configuration state on extended range VLANs all other characteristics must remain at the default state Extended Range VLAN Configuration Guidelines Follow these guidelines when creating extended range VLANs VLAN IDs in the extended range are not saved in the VLAN database an...

Page 382: ...nfigured features affects the use of the switch hardware If you try to create an extended range VLAN and there are not enough hardware resources available an error message is generated and the extended range VLAN is rejected In a switch stack the whole stack uses the same running configuration and saved configuration and extended range VLAN information is shared across the stack Creating an Extend...

Page 383: ...ID you must temporarily shut down the routed port that is using the internal VLAN ID Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vtp mode transparent Configure the switch for VTP transparent mode disabling VTP Note This step is not required for VTP version 3 Step 3 vlan vlan id Enter an extended range VLAN ID and enter VLAN configuration mode The range is 1006 ...

Page 384: ...hut down the port to free the internal VLAN ID Step 5 exit Return to global configuration mode Step 6 vtp mode transparent Set the VTP mode to transparent for creating extended range VLANs Note This step is not required for VTP version 3 Step 7 vlan vlan id Enter the new extended range VLAN ID and enter VLAN configuration mode Step 8 exit Exit from VLAN configuration mode and return to global conf...

Page 385: ...end the VLANs across an entire network IEEE 802 1Q is an industry standard trunking encapsulation Figure 13 2 shows a network of switches that are connected by IEEE 802 1Q trunks Figure 13 2 Switches in an IEEE 802 1Q Trunking Environment You can configure a trunk on a single Ethernet interface or on an EtherChannel bundle For more information about EtherChannel see Chapter 38 Configuring EtherCha...

Page 386: ...less of whether or not the neighboring interface is a trunk interface switchport mode dynamic auto Makes the interface able to convert the link to a trunk link The interface becomes a trunk interface if the neighboring interface is set to trunk or desirable mode The default switchport mode for all Ethernet interfaces is dynamic auto switchport mode dynamic desirable Makes the interface actively at...

Page 387: ...arated by a cloud of non Cisco IEEE 802 1Q switches The non Cisco IEEE 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches Make sure the native VLAN for an IEEE 802 1Q trunk is the same on both ends of the trunk link If the native VLAN on one end of the trunk is different from the native VLAN on the other end spanning tree loops might result Disabling ...

Page 388: ...otiate encapsulation Interaction with Other Features Trunking interacts with other features in these ways A trunk port cannot be a secure port A trunk port cannot be a tunnel port Trunk ports can be grouped into EtherChannel port groups but all trunks in the group must have the same configuration When a group is first created all ports follow the parameters set for the first port to be added to th...

Page 389: ...k encapsulation dot1q negotiate Configure the port to support IEEE 802 1Q encapsulation or to negotiate the default with the neighboring interface for encapsulation type You must configure each end of the link with the same encapsulation type Step 4 switchport mode dynamic auto desirable trunk Configure the interface as a Layer 2 trunk required only if the interface is a Layer 2 access port or tun...

Page 390: ...dded to VLAN 1 regardless of the switchport trunk allowed setting The same is true for any VLAN that has been disabled on the port A trunk port can become a member of a VLAN if the VLAN is enabled if VTP knows of the VLAN and if the VLAN is in the allowed list for the port When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port the trunk port automatically become...

Page 391: ...use the no switchport trunk pruning vlan interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Select the trunk port for which VLANs should be pruned and enter interface configuration mode Step 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan Configure the list of VLANs allowed to be pruned ...

Page 392: ...the bandwidth supplied by parallel trunks connecting switches To avoid loops STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to which VLAN the traffic belongs You configure load sharing on trunk ports by using STP port priorities or STP path costs For load sharing using STP port priorities both load sharing links ...

Page 393: ...arries traffic for VLANs 8 through 10 and Trunk 2 carries traffic for VLANs 3 through 6 If the active trunk fails the trunk with the lower priority takes over and carries the traffic for all of the VLANs No duplication of traffic occurs over any trunk port Figure 13 3 Load Sharing by Using STP Port Priorities Note If your switch is a member of a switch stack you must use the spanning tree vlan vla...

Page 394: ...t mode trunk Configure the port as a trunk port Step 11 end Return to privileged EXEC mode Step 12 show interfaces gigabitethernet1 0 1 switchport Verify the VLAN configuration Step 13 Repeat Steps 7 through 11 on Switch A for a second port in the switch or switch stack Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A...

Page 395: ...tep 2 interface gigabitethernet1 0 1 Define the interface to be configured as a trunk and enter interface configuration mode Step 3 switchport trunk encapsulation dot1q negotiate Configure the port to support IEEE 802 1Q encapsulation You must configure each end of the link with the same encapsulation type Step 4 switchport mode trunk Configure the port as a trunk port Step 5 exit Return to global...

Page 396: ...s the MAC address of a new host it sends a VQP query to the VMPS When the VMPS receives this query it searches its database for a MAC address to VLAN mapping The server response is based on this mapping and whether or not the server is in open or secure mode In secure mode the server shuts down the port when an illegal host is detected In open mode the server simply denies the host access to the p...

Page 397: ...that port If the client switch was not previously configured it uses the domain name from the first VTP packet it receives on its trunk port from the VMPS If the client switch was previously configured it includes its domain name in the query packet to the VMPS to obtain its VLAN number The VMPS verifies that the domain name in the packet matches its own domain name before accepting the request an...

Page 398: ...n off trunking on the port before the dynamic access setting takes effect Dynamic access ports cannot be monitor ports Secure ports cannot be dynamic access ports You must disable port security on a port before it becomes dynamic Private VLAN ports cannot be dynamic access ports Dynamic access ports cannot be members of an EtherChannel group Port channels cannot be configured as dynamic access por...

Page 399: ...face configuration command Reconfirming VLAN Memberships Beginning in privileged EXEC mode follow these steps to confirm the dynamic access port VLAN membership assignments that the switch has received from the VMPS Step 5 show vmps Verify your entries in the VMPS Domain Server field of the display Step 6 copy running config startup config Optional Save your entries in the configuration file Comma...

Page 400: ...nicate with the VMPS The switch queries the VMPS that is using VQP Version 1 Reconfirm Interval the number of minutes the switch waits before reconfirming the VLAN to MAC address assignments Server Retry Count the number of times VQP resends a query to the VMPS If no response is received after this many tries the switch starts to query the secondary VMPS Command Purpose Step 1 configure terminal E...

Page 401: ...ation status VMPS Action other Troubleshooting Dynamic Access Port VLAN Membership The VMPS shuts down a dynamic access port under these conditions The VMPS is in secure mode and it does not allow the host to connect to the port The VMPS shuts down the port to prevent the host from connecting to the network More than 20 active hosts reside on a dynamic access port To re enable a disabled dynamic a...

Page 402: ...ver 2 Catalyst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B Server 2 Server 1 TFTP server Dynamic access port Dynamic access port Switch J Switch D Switch E Switch F Swit...

Page 403: ...ecifications and security violations Before you create VLANs you must decide whether to use VTP in your network Using VTP you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network Without VTP you cannot send information about VLANs to other switches VTP is designed to work in an environment where ...

Page 404: ... changes for the domain By default the switch is in the VTP no management domain state until it receives an advertisement for a domain over a trunk link a link that carries the traffic of multiple VLANs or until you configure a domain name Until the management domain name is specified or learned you cannot create or modify VLANs on a VTP server and VLAN information is not propagated over the netwo...

Page 405: ...the domain that is in server mode In VTP versions 1 and 2 in VTP client mode VLAN configurations are not saved in NVRAM In VTP version 3 VLAN configurations are saved in NVRAM in client mode VTP transparent VTP transparent switches do not participate in VTP A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertise...

Page 406: ... update timestamp MD5 digest VLAN configuration including maximum transmission unit MTU size for each VLAN Frame format VTP advertisements distribute this VLAN information for each configured VLAN VLAN IDs IEEE 802 1Q VLAN name VLAN type VLAN state Additional VLAN configuration information specific to the VLAN type In VTP version 3 VTP advertisements also include the primary server ID an instance ...

Page 407: ...Ns are configured you cannot convert from VTP version 3 to version 1 or 2 Note VTP pruning still applies only to VLANs 1 to 1005 and VLANs 1002 to 1005 are still reserved and cannot be modified Private VLAN support Support for any database in a domain In addition to propagating VTP information version 3 can propagate Multiple Spanning Tree MST protocol database information A separate instance of t...

Page 408: ...Ns on trunk ports that are included in the pruning eligible list Only VLANs included in the pruning eligible list can be pruned By default VLANs 2 through 1001 are pruning eligible switch trunk ports If the VLANs are configured as pruning ineligible the flooding continues VTP pruning is supported in all VTP versions Figure 14 1 shows a switched network without VTP pruning enabled Port 1 on Switch ...

Page 409: ...le VLAN 1 and VLANs 1002 to 1005 are always pruning ineligible traffic from these VLANs cannot be pruned Extended range VLANs VLAN IDs higher than 1005 are also pruning ineligible VTP pruning is not designed to function in VTP transparent mode If one or more switches in the network are in VTP transparent mode you should do one of these Turn off VTP pruning in the entire network Turn off VTP prunin...

Page 410: ...onfigure the persistent MAC address feature by entering the stack mac persistent timer 0 time value global configuration command when the new master is elected it sends a takeover message with the new master MAC address as the primary server If persistent MAC address is configured the new master waits for the configured stack mac persistent timer value If the previous master switch does not rejoin...

Page 411: ...e VLAN database matches that in the startup configuration file the VLAN database is ignored cleared and the VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or domain name in the startup configuration do not match the VLAN database the domain name and VTP mode and configuration for the fi...

Page 412: ...g VTP version 2 receives VTP version 3 advertisements it automatically moves to VTP version 2 If a switch running VTP version 3 is connected to a switch running VTP version 1 the VTP version 1 switch moves to VTP version 2 and the VTP version 3 switch sends scaled down versions of the VTP packets so that the VTP version 2 switch can update its database A switch running VTP version 3 cannot move to...

Page 413: ...witch the switch must be in VTP transparent mode VTP version 3 also supports creating extended range VLANs in client or server mode VTP does not support private VLANs VTP version 3 does support private VLANs If you configure private VLANs when the switch is running VTP version 1 or 2 the switch must be in VTP transparent mode When private VLANs are configured on the switch do not change the VTP mo...

Page 414: ... resets the VTP configuration to the default To keep the VTP configuration with VTP client mode after the switch restarts you must first configure the VTP domain name before the VTP mode Caution If all switches are operating in VTP client mode do not configure a VTP domain name If you do it is impossible to make changes to the VLAN configuration of that domain Therefore make sure you configure at ...

Page 415: ...racters If you configure a VTP password the VTP domain does not function properly if you do not assign the same password to each switch in the domain See the Configuring a VTP Version 3 Password section on page 14 13 for options available with VTP version 3 Step 5 end Return to privileged EXEC mode Step 6 show vtp status Verify your entries in the VTP Operating Mode and the VTP Domain Name fields ...

Page 416: ... vlan Enter VTP password mypassword This switch is becoming Primary server for vlan feature in the VTP domain VTP Database Conf Switch ID Primary Server Revision System Name VLANDB Yes 00d0 00b8 1400 00d0 00b8 1400 1 stp7 Do you want to continue y n n y Step 4 show vtp password Verify your entries Step 5 copy running config startup config Optional Save the configuration in the startup configuratio...

Page 417: ...n 2 In TrCRF and TrBRF Token ring environments you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly For Token Ring and Token Ring Net media disable VTP version 2 must be disabled VTP version 3 is supported on switches running Cisco IOS Release 12 2 52 SE or later Caution In VTP version 3 both the primary and secondary servers can exist on an instance in...

Page 418: ...runing eligible VLANs see the Changing the Pruning Eligible List section on page 13 21 Configuring VTP on a Per Port Basis With VTP version 3 you can enable or disable VTP on a per port basis You can enable VTP only on ports that are in trunk mode Incoming and outgoing VTP traffic are blocked not forwarded Beginning in privileged EXEC mode follow these steps to enable VTP on a port To disable VTP ...

Page 419: ... command to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain Command Purpose Step 1 show vtp status Check the VTP configuration revision number If the number is 0 add the switch to the VTP domain If the number is greater than 0 follow these steps a Write down the domain name b Write down the configuration revision number c Con...

Page 420: ...p counters Display counters about VTP messages that have been sent and received show vtp devices conflict Display information about all VTP version 3 devices in the domain Conflicts are VTP version 3 devices with conflicting primary servers The show vtp devices command does not display information when the switch is in transparent or off mode show vtp interface interface id Display VTP status and ...

Page 421: ...960 IP Phone the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service CoS values which are both set to 5 by default Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent the switch supports quality of service QoS based on IEEE 802 1p CoS QoS uses classification and scheduling to send network traffic from the switch in a predictable ...

Page 422: ...AN untagged no Layer 2 CoS priority value Note In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 for voice traffic and 3 for voice control traffic Cisco IP Phone Data Traffic The switch can also process tagged data traffic traffic in IEEE 802 1Q or IEEE 802 1p frame types from the device attached to the access port on the Cisco IP Phone see Figure 15 1 ...

Page 423: ...figure a voice VLAN only on Layer 2 ports Note Voice VLAN is only supported on access ports and not on trunk ports even though the configuration is allowed The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN Use the show vlan privileged EXEC command to see if the VLAN is present listed in the display If the VLAN is not listed see Ch...

Page 424: ... more information Note If you enable IEEE 802 1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected the phone loses connectivity to the switch for up to 30 seconds Protected port See the Configuring Protected Ports section on page 26 6 for more information A source or destination port for a SPAN or RSPAN session Secure port See the Configuring Port Sec...

Page 425: ...re configuring the port trust state you must first globally enable QoS by using the mls qos global configuration command Step 4 switchport voice detect cisco phone full duplex vlan vlan id dot1p none untagged Configure how the Cisco IP Phone carries voice traffic detect Configure the interface to detect and recognize a Cisco IP phone cisco phone When you initially implement the switchport voice de...

Page 426: ...ll duplex Cisco IP Phone Switch config if switchport voice detect cisco phone full duplex full duplex full duplex keyword Switch config if end This example shows how to disable switchport voice detect on a Cisco IP Phone Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config interface gigabitethernet 1 0 1 Switch config if no switchport voice detect cisco...

Page 427: ...Displaying Voice VLAN To display voice VLAN configuration for an interface use the show interfaces interface id switchport privileged EXEC command Step 3 switchport priority extend cos value trust Set the priority of data traffic received from the Cisco IP Phone access port cos value Configure the phone to override the priority received from the PC or the attached device with the specified CoS val...

Page 428: ...15 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 15 Configuring Voice VLAN Displaying Voice VLAN ...

Page 429: ... addresses two problems that service providers face when using VLANs Scalability The switch supports up to 1005 active VLANs If a service provider assigns one VLAN per customer this limits the numbers of customers the service provider can support To enable IP routing each VLAN is assigned a subnet address space or a block of addresses which can result in wasting the unused IP addresses and cause I...

Page 430: ...d with the primary VLAN Isolated An isolated port is a host port that belongs to an isolated secondary VLAN It has complete Layer 2 separation from other ports within the same private VLAN except for the promiscuous ports Private VLANs block all traffic to isolated ports except traffic from promiscuous ports Traffic received from an isolated port is forwarded only to promiscuous ports Community A ...

Page 431: ...nicate outside the private VLAN You can use private VLANs to control access to end stations in these ways Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2 For example if the end stations are servers this configuration prevents Layer 2 communication between the servers Configure interfaces connected to default gateways and selected en...

Page 432: ...lly configure private VLANs on all switches in the Layer 2 network If you do not configure the primary and secondary VLAN association in some switches in the network the Layer 2 databases in these switches are not merged This can result in unnecessary flooding of private VLAN traffic on those switches Note When configuring private VLANs on the switch always use the default Switch Database Manageme...

Page 433: ... all promiscuous ports trunk ports and ports in the same community VLAN A promiscuous port sends a broadcast to all ports in the private VLAN other promiscuous ports trunk ports isolated ports and community ports Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN Multicast traffic is not forwarded between ports in the same isolated VLAN or betw...

Page 434: ...itch Stacks Configuring Private VLANs These sections contain this configuration information Tasks for Configuring Private VLANs page 16 6 Default Private VLAN Configuration page 16 7 Private VLAN Configuration Guidelines page 16 7 Configuring and Associating VLANs in a Private VLAN page 16 10 Configuring a Layer 2 Interface as a Private VLAN Host Port page 16 12 Configuring a Layer 2 Interface as ...

Page 435: ...d EXEC command to save the VTP transparent mode configuration and private VLAN configuration in the switch startup configuration file Otherwise if the switch resets it defaults to VTP server mode which does not support private VLANs VTP version 3 does support private VLANs VTP version 1 and 2 do not propagate private VLAN configuration You must configure private VLANs on each device where you want...

Page 436: ...ever we recommend that you configure the same VLAN maps on private VLAN primary and secondary VLANs When a frame is Layer 2 forwarded within a private VLAN the same VLAN map is applied at the ingress side and at the egress side When a frame is routed from inside a private VLAN to an external port the private VLAN map is applied at the ingress side For frames going upstream from a host port to a pr...

Page 437: ...orts associated with the VLAN become inactive Private VLAN ports can be on different network devices if the devices are trunk connected and the primary and secondary VLANs have not been removed from the trunk Limitations with Other Features When configuring private VLANs remember these limitations with other features Note In some cases the configuration is accepted with no error messages but the c...

Page 438: ...he private vlan commands do not take effect until you exit VLAN configuration mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vtp mode transparent Set VTP mode to transparent disable VTP Step 3 vlan vlan id Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN The VLAN ID range is 2 to 1001 and 1006 to 4094 Step 4 private v...

Page 439: ... community VLANs to associate them in a private VLAN and to verify the configuration Switch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Swi...

Page 440: ...unking Encapsulation native Negotiation of Trunking Off Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Administrative Native VLAN tagging enabled Voice VLAN none Administrative private vlan host association 20 501 Administrative private vlan mapping none Administrative private vlan trunk native VLAN none Administrative private vlan trunk Native VLAN tagging enabled Administrative p...

Page 441: ...onfigure an interface as a private VLAN promiscuous port and map it to a private VLAN The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it Switch configure terminal Switch config interface gigabitethernet1 0 2 Switch config if switchport mode private vlan promiscuous Switch config if switchport private vlan mapping 20 add 501 503 Switch config if end Use the...

Page 442: ...condary_vlan_list to map the secondary VLANs to the primary VLAN Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN This example shows how to map the interfaces of VLANs 501and 502 to primary VLAN 10 which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502 Switch configure terminal Switch config interface...

Page 443: ...an private vlan Primary Secondary Type Ports 10 501 isolated Gi2 0 1 Gi3 0 1 Gi3 0 2 10 502 community Gi2 0 11 Gi3 0 1 Gi3 0 4 10 503 non operational Table 16 1 Private VLAN Monitoring Commands Command Purpose show interfaces status Displays the status of interfaces including the VLANs to which they belongs show vlan private vlan type Display the private VLAN information for the switch show interf...

Page 444: ...16 16 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 16 Configuring Private VLANs Monitoring Private VLANs ...

Page 445: ... page 17 7 Configuring Layer 2 Protocol Tunneling page 17 10 Monitoring and Maintaining Tunneling Status page 17 18 Understanding IEEE 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same service provider network might overlap and traffic of customer...

Page 446: ...vice provider network they are encapsulated with another layer of an IEEE 802 1Q tag called the metro tag that contains the VLAN ID that is unique to the customer The original customer IEEE 802 1Q tag is preserved in the encapsulated packet Therefore packets entering the service provider network are double tagged with the outer metro tag containing the customer s access VLAN ID and the inner VLAN ...

Page 447: ...VLAN numbering space used by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered It is possible to have multiple levels of tunneling and tagging but the switch supports only one level in this release If traffic coming from a customer network is not tagged native VLAN frames t...

Page 448: ... transmission units MTUs are explained in these next sections Native VLANs When configuring IEEE 802 1Q tunneling on an edge switch you must use IEEE 802 1Q trunk ports for sending packets into the service provider network However packets going through the core of the service provider network can be carried through IEEE 802 1Q trunks or nontrunking links When IEEE 802 1Q trunks are used in these c...

Page 449: ...s larger than 1500 bytes by using the system mtu jumbo global configuration command The system jumbo MTU values do not include the IEEE 802 1Q header Because the IEEE 802 1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added you must configure all switches in the service provider network to be able to process maximum frames by adding 4 bytes to the system MTU and sys...

Page 450: ... groups are compatible with tunnel ports as long as the IEEE 802 1Q configuration is consistent within an EtherChannel port group Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP and UniDirectional Link Detection UDLD are supported on IEEE 802 1Q tunnel ports Dynamic Trunking Protocol DTP is not compatible with IEEE 802 1Q tunneling because you must manually configure asymmetr...

Page 451: ...ding Layer 2 Protocol Tunneling Customers at different sites connected across a service provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites as well as the local sites STP must run properly and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service provider network Cisco Discovery P...

Page 452: ... of controlling protocol tunneling You implement bypass mode by enabling Layer 2 protocol tunneling on the egress trunk port When Layer 2 protocol tunneling is enabled on the trunk port the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address Layer 2 protocol tunneling can be used independently or can enhance IEEE 802 1Q tunneling If protocol tunneling ...

Page 453: ...tion of EtherChannels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk...

Page 454: ... switchport mode dynamic desirable The switch supports Layer 2 protocol tunneling for CDP STP and VTP For emulated point to point network topologies it also supports PAgP LACP and UDLD protocols The switch does not support Layer 2 protocol tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tun...

Page 455: ...r 2 protocol tunneling configuration is distributed among all stack members Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port On a single switch ingress Layer 2 protocol tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled In a stack...

Page 456: ...ts or on access ports If you enable PAgP or LACP tunneling we recommend that you also enable UDLD on the interface for faster link failure detection Loopback detection is not supported on Layer 2 protocol tunneling of PAgP LACP or UDLD packets EtherChannel port groups are compatible with tunnel ports when the IEEE 802 1Q configuration is consistent within an EtherChannel port group If an encapsula...

Page 457: ...ol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 6 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the co...

Page 458: ...Decapsulation Drop Threshold Threshold Counter Counter Counter Gi1 0 11 cdp 1500 1000 2288 2282 0 stp 1500 1000 116 13 0 vtp 1500 1000 3 67 0 pagp 0 0 0 lacp 0 0 0 udld 0 0 0 Configuring Layer 2 Tunneling for EtherChannels To configure Layer 2 point to point tunneling to facilitate the automatic creation of EtherChannels you need to configure both the SP edge switch and the customer switch Configu...

Page 459: ...dld value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface the d...

Page 460: ...ce id Enter the interface configuration mode This should be the customer switch port Step 3 switchport trunk encapsulation dot1q Set the trunking encapsulation format to IEEE 802 1Q Step 4 switchport mode trunk Enable trunking on the interface Step 5 udld enable Enable UDLD in normal mode on the interface Step 6 channel group channel group number mode desirable Assign the interface to a channel gr...

Page 461: ...h config if l2protocol tunnel point to point pagp Switch config if l2protocol tunnel point to point udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet1 0 3 Switch config if switchport trunk encapsulation negotiate Switch config if switchport mode trunk SP edge switch 2 configuration Switch config interface g...

Page 462: ... config interface gigabitethernet1 0 4 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if udld enable Switch config if channel group 1 mode desirable Switch config if exit Switch config interface port channel 1 Switch config if shutdown Switch config if no shutdown Switch config if exit Monitoring and Maintaining Tunneling Status Table 17 ...

Page 463: ... see Chapter 19 Configuring MSTP For information about other spanning tree features such as Port Fast UplinkFast root guard and so forth see Chapter 20 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Spanning Tree Features...

Page 464: ... topology Designated A forwarding port elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration The switch that has all of its ports as the designated role or as the backup role is the root switch The switch that has at least one of its ports in the designated role is called...

Page 465: ...wards it with an updated message to all attached LANs for which it is the designated switch If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port it discards the BPDU If the switch is a designated switch for the LAN from which the inferior BPDU was received it sends that LAN a BPDU containing the up to date information stored for that p...

Page 466: ...n the switched network are placed in the spanning tree blocking mode Bridge ID Switch Priority and Extended System ID The IEEE 802 1D standard requires that each switch has an unique bridge identifier bridge ID which controls the selection of the root switch Because each VLAN is considered as a different logical bridge with PVST and rapid PVST the same switch must have a different bridge IDs for e...

Page 467: ...Propagation delays can occur when protocol information passes through a switched LAN As a result topology changes can take place at different times and at different places in a switched network When an interface transitions directly from nonparticipation in the spanning tree topology to the forwarding state it can create temporary data loops Interfaces must wait for new topology information to pro...

Page 468: ...ng state the interface continues to block frame forwarding as the switch learns end station location information for the forwarding database 4 When the forward delay timer expires spanning tree moves the interface to the forwarding state where both learning and frame forwarding are enabled Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding After initi...

Page 469: ... from the listening state An interface in the learning state performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Learns addresses Receives BPDUs Forwarding State A Layer 2 interface in the forwarding state forwards frames The interface enters the forwarding state from the learning state An interface in the forwarding sta...

Page 470: ...d stations in a switched network might not be ideal For instance connecting higher speed links to an interface that has a higher number than the root port can cause a root port change The goal is to make the fastest link the root port For example assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B a 10 100 link is the root port Network traffic might be mor...

Page 471: ... the switch or each switch in the stack forwards those packets as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging time global configuration command However a spanning tree reconfiguration can cause many station locations to change Because these stations could be unreachable ...

Page 472: ...me configuration as PVST except where noted and the switch needs only minimal extra configuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP ...

Page 473: ...equires only one spanning tree instance for all VLANs allowed on the trunks However in a network of Cisco switches connected through IEEE 802 1Q trunks the switches maintain one spanning tree instance for each VLAN allowed on the trunks When you connect a Cisco switch to a non Cisco device through an IEEE 802 1Q trunk the Cisco switch uses PVST to provide spanning tree interoperability If rapid PV...

Page 474: ...me bridge ID for a given spanning tree The bridge ID is derived from the MAC address of the stack master When a new switch joins the stack it sets its bridge ID to the stack master bridge ID If the newly added switch has the lowest ID and if the root path cost is the same among all stack members the newly added switch becomes the stack root When a stack member leaves the stack spanning tree reconv...

Page 475: ... optional Configuring Spanning Tree Timers page 18 22 optional Default Spanning Tree Configuration Table 18 3 shows the default spanning tree configuration Table 18 3 Default Spanning Tree Configuration Feature Default Setting Enable state Enabled on VLAN 1 For more information see the Supported Spanning Tree Instances section on page 18 10 Spanning tree mode PVST Rapid PVST and MSTP are disabled ...

Page 476: ...ult in a broadcast storm Note If you have already used all available spanning tree instances on your switch adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch If you have the default allowed list on the trunk ports of that switch the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop i...

Page 477: ...STP Select rapid pvst to enable rapid PVST Step 3 interface interface id Recommended for rapid PVST mode only Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports VLANs and port channels The VLAN ID range is 1 to 4094 The port channel range is 1 to 64 Step 4 spanning tree link type point to point Recommended for rapid PVST mode only Speci...

Page 478: ...he switch priority from the default value 32768 to a significantly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the speci...

Page 479: ...forward time and the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id root global configuration command Command Purpose Step 1 configure terminal Enter global configurat...

Page 480: ... the forwarding state You can assign higher priority values lower numerical values to interfaces that you want selected first and lower priority values higher numerical values that you want selected last If all interfaces have the same priority value spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 conf...

Page 481: ...figuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree port priority priority Configure the port priority for an interface For priority the range is 0 to 240 in increments of 16 the default is 128 Valid val...

Page 482: ...onfiguration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning tree uses the path cost when selecting an interface to place into the forward...

Page 483: ...t primary and the spanning tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter ...

Page 484: ...Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the interface begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an interface Transmit hold count Controls the number of BPDU...

Page 485: ... and listening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config ...

Page 486: ...ters by using the clear spanning tree interface interface id privileged EXEC command For information about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree transmit hold count value Configure the number of BPDUs that can be sent before pausing f...

Page 487: ...des rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802 1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state Both MSTP and RSTP improve the spanning tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802 1D spanning tree with existing Cisco proprietary Multi...

Page 488: ...stently configure the switches with the same MST configuration information A collection of interconnected switches that have the same MST configuration comprises an MST region as shown in Figure 19 1 on page 19 4 The MST configuration controls to which MST region each switch belongs The configuration includes the name of the region the revision number and the MST VLAN to instance assignment map Yo...

Page 489: ...nning tree algorithm running among switches that support the IEEE 802 1w IEEE 802 1s and IEEE 802 1D standards The CIST inside an MST region is the same as the CST outside a region For more information see the Operations Within an MST Region section on page 19 3 and the Operations Between MST Regions section on page 19 4 Note The implementation of the IEEE 802 1s standard changes some of the termi...

Page 490: ...ces combine with the IST at the boundary of the region to become the CST The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain The root of the subtree is the CIST regional root The MST region appears as a virtual switch to adjacent STP switches and MST regions Figure 19 1 shows a network with three MST regions and a le...

Page 491: ...ST root This cost is left unchanged within an MST region Remember that an MST region looks like a single switch for the CIST The CIST external root path cost is the root path cost calculated between these virtual switches and switches that do not belong to any region The CIST regional root was called the IST master in the prestandard implementation If the CIST root is in the region the CIST region...

Page 492: ... it could have an impact on the MST instances When a message is internal the CIST part is received by the CIST and each MST instance receives its respective M record The Cisco prestandard implementation treats a port that receives an external message as a boundary port This means a port cannot receive a mix of internal and external messages An MST region includes both switches and LANs A segment b...

Page 493: ... of prestandard switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port...

Page 494: ...the same switch ID for a given spanning tree The switch ID is derived from the MAC address of the stack master If a switch that does not support MSTP is added to a switch stack that does support MSTP or the reverse the switch is put into a version mismatch state If possible the switch is automatically upgraded or downgraded to the same version of software that is running on the switch stack When a...

Page 495: ...ndary port A boundary port connects to a LAN the designated switch of which is either a single spanning tree switch or a switch with a different MST configuration Understanding RSTP The RSTP takes advantage of point to point wiring and provides rapid convergence of the spanning tree Reconfiguration of the spanning tree can occur in less than 1 second in contrast to 50 seconds with the default sett...

Page 496: ...nt links as follows Edge ports If you configure a port as an edge port on an RSTP switch by using the spanning tree portfast interface configuration command the edge port immediately transitions to the forwarding state An edge port is the same as a Port Fast enabled port and you should enable it only on ports that connect to a single end station Root ports If the RSTP selects a new root port it bl...

Page 497: ...aking progresses from the root toward the leaves of the spanning tree In a switch stack the cross stack rapid transition CSRT feature ensures that a stack member receives acknowledgments from all stack members during the proposal agreement handshaking before moving the port to the forwarding state CSRT is automatically enabled when the switch is in MST mode The switch learns the link type from the...

Page 498: ...g state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring that all of the ports are synchronized the switch sends an agreement ...

Page 499: ... according to the state of the sending port Processing Superior BPDU Information If a port receives superior root information lower switch ID lower path cost and so forth than currently stored for the port the RSTP triggers a reconfiguration If the port is proposed and is selected as the new root port RSTP forces all the other ports to synchronize If the BPDU received is an RSTP BPDU with the prop...

Page 500: ...ies with an IEEE 802 1D configuration BPDU with the TCA bit set However if the TC while timer the same as the topology change timer in IEEE 802 1D is active on a root port connected to an IEEE 802 1D switch and a configuration BPDU with the TCA bit set is received the TC while timer is reset This behavior is only required to support IEEE 802 1D switches The RSTP BPDUs never have the TCA bit set Pr...

Page 501: ...ing the Maximum Aging Time page 19 25 optional Configuring the Maximum Hop Count page 19 25 optional Specifying the Link Type to Ensure Rapid Transitions page 19 26 optional Designating the Neighbor Type page 19 26 optional Restarting the Protocol Migration Process page 19 27 optional Default MSTP Configuration Table 19 4 shows the default MSTP configuration For information about the supported num...

Page 502: ...n MST mode it uses the long path cost calculation method 32 bits to compute the path cost values With the long path cost calculation method these path cost values are supported All stack members run the same version of spanning tree all PVST rapid PVST or MSTP For more information see the Spanning Tree Interoperability and Backward Compatibility section on page 18 11 VTP propagation of the MST con...

Page 503: ... MSTP This procedure is required Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst configuration Enter MST configuration mode Step 3 instance instance id vlan vlan range Map VLANs to an MST instance For instance id the range is 0 to 4094 For vlan vlan range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and t...

Page 504: ...iority and the switch MAC address is associated with each instance For a group of VLANs the switch with the lowest switch ID becomes the root switch To configure a switch to become the root use the spanning tree mst instance id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value so that the switch becomes the root switch for t...

Page 505: ...ult setting use the no spanning tree mst instance id root global configuration command Configuring a Secondary Root Switch When you configure a switch with the extended system ID support as the secondary root the switch priority is modified from the default value 32768 to 28672 The switch is then likely to become the root switch for the specified instance if the primary root switch fails This is a...

Page 506: ...t interface configuration command instead of the spanning tree mst instance id port priority priority interface configuration command to select a port to put in the forwarding state Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last For more information see the Configuring Path Cost section on page 19 22 Command Purpose Step 1...

Page 507: ...ode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical interfaces The port channel range is 1 to 64 Step 3 spanning tree mst instance id port priority priority Configure the port priority For instance id you can specify a single instance a range of instances separated by a hyphen or...

Page 508: ... to confirm the configuration To return the interface to its default setting use the no spanning tree mst instance id cost interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical ports and port channel logical int...

Page 509: ...figuration command Configuring the Hello Time You can configure the interval between the generation of configuration messages by the root switch by changing the hello time Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure the switch priority For instance id you can specify a single instance a range of instance...

Page 510: ...time seconds Configure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify your entries Step 5 copy running config startup config Optional Sav...

Page 511: ...nfiguration mode Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree mst Verify you...

Page 512: ...rd compliant devices By default ports can automatically detect prestandard devices but they can still receive both standard and prestandard BPDUs When there is a mismatch between a device and its neighbor only the CIST runs on the interface You can choose to set a port to send only prestandard BPDUs The prestandard flag appears in all the show commands even if the port is in STP compatibility mode...

Page 513: ...the switch to which it is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches on the switch use the clear spanning tree detected protocols privileged EXEC command To restart the protocol migration process on a specific interface use the clear spanning tree detected protocols interface interface id privileged EXEC command Displ...

Page 514: ...19 28 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 19 Configuring MSTP Displaying the MST Configuration and Status ...

Page 515: ...nformation about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 19 Configuring MSTP Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding Optional Spanning Tree Features page 20 1 Configuring Optional ...

Page 516: ... tree to converge Interfaces connected to a blade server should not receive bridge protocol data units BPDUs An interface with Port Fast enabled goes through the normal cycle of spanning tree status changes when the switch is restarted Note Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge it is effective only when used on interfaces connec...

Page 517: ... BPDU it is put in the error disabled state The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Understanding BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or ...

Page 518: ...each address that was learned on the interface You can limit these bursts of multicast traffic by reducing the max update rate parameter the default for this parameter is 150 packets per second However if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches ...

Page 519: ...stack UplinkFast CSUF provides a fast spanning tree transition fast convergence in less than 1 second under normal network conditions across a switch stack During the fast transition an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning tree loops or loss of connectivity to the backbone With this feature you can have a redundant and re...

Page 520: ...ternate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second Figure 20 5 Cross Stack UplinkFast Topology When certain link loss or spanning tree events occur described in the Events that Cause Fast Convergence section on page 20 7 the Fast Uplink Transition Protocol uses the neighbor list to send fast transition requests to stack members The switch se...

Page 521: ...ons occurs under these circumstances The stack root port link fails If two switches in the stack have alternate paths to the root only one of the switches performs the fast transition The failed link which connects the stack root to the spanning tree root recovers A network reconfiguration causes a new stack root switch to be selected A network reconfiguration causes a new port on the current stac...

Page 522: ...rnate paths to send a root link query RLQ request The stacking capable switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack The nonstacking capable switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in th...

Page 523: ...he forwarding state providing a path from Switch B to Switch A The root switch election takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 20 7 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 20 7 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a ...

Page 524: ...s shown in Figure 20 9 You can avoid this situation by enabling root guard on data center switch interfaces that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root swi...

Page 525: ... becoming designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features These sections contain this configuration i...

Page 526: ...e delay Caution Use Port Fast only when connecting a single end station to an access or trunk port Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network which could cause broadcast storms and address learning problems If you enable the voice VLAN feature the Port Fast feature is automatically enabled When y...

Page 527: ...pens the switch shuts down the entire port on which the violation occurred To prevent the port from shutting down you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an ...

Page 528: ...ning tree portfast bpduguard default global configuration command by using the spanning tree bpduguard enable interface configuration command Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled interfaces it prevents interfaces that are in a Port Fast operational state from sending or receiving BPDUs The interfaces still send a few BPDUs at link up before the switc...

Page 529: ...le interface configuration command Enabling UplinkFast for Use with Redundant Links UplinkFast cannot be enabled on VLANs that have been configured with a switch priority To enable UplinkFast on a VLAN with switch priority configured first restore the switch priority on the VLAN to the default value by using the no spanning tree vlan vlan id priority global configuration command Note When you enab...

Page 530: ... no spanning tree uplinkfast command Enabling Cross Stack UplinkFast When you enable or disable the UplinkFast feature by using the spanning tree uplinkfast global configuration command CSUF is automatically globally enabled or disabled on nonstack port interfaces For more information see the Enabling UplinkFast for Use with Redundant Links section on page 20 15 To disable UplinkFast on the switch...

Page 531: ...able the EtherChannel guard feature use the no spanning tree etherchannel guard misconfig global configuration command You can use the show interfaces status err disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration On the remote device you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel confi...

Page 532: ...g Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only on interfaces that are considered point to point by the spanning tree Note You cannot enable both loop guard and root guard at the s...

Page 533: ... show spanning tree privileged EXEC command see the command reference for this release Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 20 2 Commands fo...

Page 534: ...20 20 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 20 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 535: ...to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release The chapter consists of these sections Understanding Flex Links and the MAC Address Table Move Update page 21 1 Configuring Flex Links and MAC Address Table Move Update page 21 7 Monitoring Flex Links and the MAC Address Table ...

Page 536: ... comes back up it goes into standby mode and does not forward traffic STP is disabled on Flex Link interfaces In Figure 21 1 ports 1 and 2 on switch A are connected to uplink switches B and C Because they are configured as Flex Links only one of the interfaces is forwarding traffic the other is in standby mode If port 1 is the active link it begins forwarding traffic between port 1 and switch B th...

Page 537: ...he mrouter Port page 21 3 Generating IGMP Reports page 21 4 Leaking IGMP Reports page 21 4 Configuration Examples page 21 4 Learning the Other Flex Link Port as the mrouter Port In a typical multicast network there is a querier for each VLAN A switch deployed at the edge of a network has one of its Flex Link ports receiving queries Flex Link ports are also always forwarding at any given time A por...

Page 538: ... dropped at the ingress of the access switch no duplicate multicast traffic is received by the host When the Flex Link active link fails the access switch starts accepting traffic from the backup link immediately The only disadvantage of this scheme is that it consumes bandwidth on the link between the distribution switches and on the backup link between the distribution and access switches This f...

Page 539: ...e the backup port Gigabit Ethernet1 0 12 is blocked When the active link Gigabit Ethernet1 0 11 goes down the backup port GigabitEthernet1 0 12 begins forwarding As soon as this port starts forwarding the switch sends proxy reports for the groups 228 1 5 1 and 228 1 5 2 on behalf of the host The upstream router learns the groups and starts forwarding multicast data This is the default behavior of ...

Page 540: ... In Figure 21 3 switch A is an access switch and ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex Link pair Port 1 is forwarding traffic and port 2 is in the backup state Traffic from the PC to the server is forwarded from port 1 to port 3 The MAC address of the PC has been learned on port 3 of switch C Traffic from the server to the PC is forwarded from port 3 to ...

Page 541: ...21 3 MAC Address Table Move Update Example Configuring Flex Links and MAC Address Table Move Update These sections contain this information Configuration Guidelines page 21 8 Default Configuration page 21 8 Configuring Flex Links page 21 9 Configuring VLAN Load Balancing on Flex Links page 21 11 Configuring the MAC Address Table Move Update Feature page 21 12 Switch C Port 3 Port 1 Port 2 Port 4 S...

Page 542: ...port channel as the active link However you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic STP is disabled on Flex Link ports A Flex Link port does not participate in STP even if the VLANs present on the port are configured for STP When STP is not enabled be sure that there are no loops i...

Page 543: ...ep 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface and enter interface configuration mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 64 Step 3 switchport backup interface interface id Configure a physical Layer 2 interface or port channel as part of a Flex Link pair wi...

Page 544: ...t backup detail Active Interface Backup Interface State GigabitEthernet1 0 1 GigabitEthernet1 0 2 Active Up Backup Standby Interface Pair Gi1 0 1 Gi1 0 2 Preemption Mode forced Preemption Delay 50 seconds Bandwidth 100000 Kbit Gi1 0 1 100000 Kbit Gi1 0 2 Mac Address Move Update Vlan auto Step 4 switchport backup interface interface id preemption mode forced bandwidth off Configure a preemption mec...

Page 545: ...ns Preferred on Backup Interface 60 100 120 When a Flex Link interface goes down LINK_DOWN VLANs preferred on this interface are moved to the peer interface of the Flex Link pair In this example if interface Gi2 0 6 goes down Gi2 0 8 carries all VLANs of the Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet...

Page 546: ...ackup Interface 3 4 Preemption Mode off Bandwidth 10000 Kbit Fa1 0 3 100000 Kbit Fa1 0 4 Mac Address Move Update Vlan auto Configuring the MAC Address Table Move Update Feature This section contains this information Configuring a switch to send MAC address table move updates Configuring a switch to get MAC address table move updates Beginning in privileged EXEC mode follow these steps to configure...

Page 547: ...address table move update Switch ID 010b 4630 1780 Dst mac address 0180 c200 0010 Vlans Macs supported 1023 8320 Default Current settings Rcv Off On Xmt Off On Max packets per min Rcv 40 Xmt 60 Rcv packet count 5 Rcv conforming packet count 5 Rcv invalid packet count 0 Rcv packet count this min 0 Rcv threshold exceed count 0 Rcv last sequence this min 0 Rcv last interface Po2 Rcv last src mac addr...

Page 548: ...itoring Flex Links and the MAC Address Table Move Update Information Table 21 1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address table move update information Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mac address table move update receive Enable the switch to get and process the MAC address table move updates ...

Page 549: ...eatures page 22 1 Configuring DHCP Features page 22 8 Displaying DHCP Snooping Information page 22 16 Understanding IP Source Guard page 22 16 Configuring IP Source Guard page 22 18 Displaying IP Source Guard Information page 22 26 Understanding DHCP Server Port Based Address Allocation page 22 26 Configuring DHCP Server Port Based Address Allocation page 22 27 Displaying DHCP Server Port Based Ad...

Page 550: ...es network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database also referred to as a DHCP snooping binding table For more information about this database see the Displaying DHCP Snooping Information section on page 22 16 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate betwe...

Page 551: ...ption 82 information when packets are received on an untrusted interface If DHCP snooping is enabled and packets are received on a trusted port the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the...

Page 552: ...iguring these suboptions see the Enabling DHCP Snooping and Option 82 section on page 22 12 If the IP address of the relay agent is configured the switch adds this IP address in the DHCP packet The blade switch forwards the DHCP request that includes the option 82 field to the DHCP server The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID...

Page 553: ... when the default suboption configuration is used For the circuit ID suboption the module number corresponds to the switch number in the stack The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command Figure 22 2 Suboption Packet Formats Figure 22 3 shows the packet formats for user configured remote ID ...

Page 554: ...tic address bindings see the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 2 DHCP Snooping Binding Database When DHCP snooping is enabled the switch uses the DHCP snooping binding database to store information about untrusted interfaces The database can have up to 64 000 bindings Each database entry binding has an IP address an associated MAC address the lease time in...

Page 555: ...ps This is the format of the file with bindings initial checksum TYPE DHCP SNOOPING VERSION 1 BEGIN entry 1 checksum 1 entry 2 checksum 1 2 entry n checksum 1 2 n END Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file The initial checksum entry on the first line distinguishes entries associated with the latest file update from e...

Page 556: ...mation about switch stacks see Chapter 7 Managing Switch Stacks Configuring DHCP Features These sections contain this configuration information Default DHCP Configuration page 22 8 DHCP Snooping Configuration Guidelines page 22 9 Configuring the DHCP Server page 22 10 DHCP Server and Switch Stacks page 22 10 Configuring the DHCP Relay Agent page 22 11 Specifying the Packet Forwarding Address page ...

Page 557: ...r can assign or exclude configure DHCP options for devices or set up the DHCP database agent If the DHCP relay agent is enabled but DHCP snooping is disabled the DHCP option 82 data insertion feature is not supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DH...

Page 558: ...istics by entering the show ip dhcp snooping statistics user EXEC command and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command Do not enable Dynamic Host Configuration Protocol DHCP snooping on RSPAN VLANs If DHCP snooping is enabled on RSPAN VLANs DHCP packets might not reach the RSPAN destination port Configuring the DHCP Se...

Page 559: ...are on the destination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 service dhcp Enable the DHCP server and relay agent on your switch By default this feature is enabled Step 3 end ...

Page 560: ...ning config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp snooping Enable DHCP snooping globally Step 3 ip dhcp snooping vlan vlan range Enable DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN ID identified by VLAN ID number a se...

Page 561: ...he VLAN and port identifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces Optional Use the override keyword when you do not want the circuit ID suboption inserted in TLV format to define subscriber information Step 9 ip dhcp snooping trust Opti...

Page 562: ...condary VLANs If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN the configuration for the secondary VLAN does not take effect You must configure DHCP snooping on the primary VLAN If DHCP snooping is not configured on the primary VLAN this message appears when you are configuring DHCP snooping on the secondary VLAN...

Page 563: ...er host filename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash number filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filen...

Page 564: ...t for DHCP packets allowed by DHCP snooping A port access control list ACL is applied to the interface The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface The IP source binding table bindings are learned by DHCP snooping or are man...

Page 565: ...on the source IP and MAC addresses The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table When address filtering is enabled the switch filters IP and non IP traffic If the source MAC address of an IP or non IP packet matches a valid IP source binding the switch forwards the packet The switch drops all other types of packets except DHCP p...

Page 566: ...tic hosts by ARP and IP packets They are stored in the device tracking database When the number of IP addresses that have been dynamically learned or statically configured on a given port reaches a maximum the hardware drops any packet with a new IP address To resolve hosts that have moved or gone away for any reason IPSG for static hosts leverages IP device tracking to age out dynamically learned...

Page 567: ...rted IP source guard is not supported on EtherChannels You can enable this feature when IEEE 802 1x port based authentication is enabled If the number of ternary content addressable memory TCAM entries exceeds the maximum the CPU usage increases In a switch stack if IP source guard is configured on a stack member interface and you remove the the configuration of that switch by entering the no swit...

Page 568: ...ess filtering Enable IP source guard with source IP and MAC address filtering Note When you enable both IP Source Guard and Port Security by using the ip verify source port security interface configuration command there are two caveats The DHCP server must support option 82 or the client is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address The MAC add...

Page 569: ...table and globally enable IP device tracking Step 3 interface interface id Enter interface configuration mode Step 4 switchport mode access Configure a port as access Step 5 switchport access vlan vlan id Configure the VLAN for this port Step 6 ip verify source tracking port security Enable IPSG for static hosts with MAC address filtering Note When you enable both IP source guard and port security...

Page 570: ...ss Mac address Vlan Gi1 0 3 ip trk active 40 1 1 24 10 Gi1 0 3 ip trk active 40 1 1 20 10 Gi1 0 3 ip trk active 40 1 1 21 10 This example shows how to enable IPSG for static hosts with IP MAC filters on a Layer 2 access port to verify the valid IP MAC bindings on the interface Gi0 3 and to verify that the number of bindings on this interface has reached the maximum Switch configure terminal Enter ...

Page 571: ...nterface STATE 200 1 1 8 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 9 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 10 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 1 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 1 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200 1 1 2 0001 0600 0000 9 GigabitEthernet0 2 ACTIVE 200 1 1 2 0001 0600 0000 8 GigabitEthernet0 1 INACTIVE 200...

Page 572: ...count of all IP device tracking host entries for all interfaces Switch show ip device tracking all count Total IP Device Tracking Host entries 5 Interface Maximum Limit Number of Entries Gi1 0 3 5 Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port Note You must globally configure the ip device tracking maximum limit number interface configuration command globally for IPSG for...

Page 573: ...0 1 1 20 0000 0000 0305 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 21 0000 0000 0306 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 22 0000 0000 0307 200 GigabitEthernet1 0 3 ACTIVE 40 1 1 23 0000 0000 0308 200 GigabitEthernet1 0 3 ACTIVE Step 10 exit Exit VLAN configuration mode Step 11 interface fastEthernet interface id Enter interface configuration mode Step 12 switchport mode private vlan host Optional E...

Page 574: ...egardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the network they offer connectivity to the directly connected devices In some environments such as on a factory floor if a device fails the replacement device must be working immediately in the existing network With the current DHCP implementation there is no guarantee that DHCP wou...

Page 575: ...hese are the configuration guidelines for DHCP port based address allocation Only one IP address can be assigned per port Reserved addresses preassigned cannot be cleared by using the clear ip dhcp binding global configuration command Preassigned addresses are automatically excluded from normal dynamic IP address assignment Preassigned addresses cannot be used in host pools but there can be multip...

Page 576: ...ce over this command Step 4 interface interface id Specify the interface to be configured and enter interface configuration mode Step 5 ip dhcp server use subscriber id client id Configure the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface Step 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries S...

Page 577: ...ient preassigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id ip dhcp subscriber id interface name ip dhcp excluded address 10 1 1 1 10 1 1 3 ip dhcp ...

Page 578: ...Allocation To display the DHCP server port based address allocation information use one or more of the privileged EXEC commands in Table 22 4 Table 22 4 Commands for Displaying DHCP Port Based Address Allocation Information Command Purpose show interface interface id Display the status and configuration of a specific interface show ip dhcp pool Display the DHCP address pools show ip dhcp binding D...

Page 579: ... Inspection ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the...

Page 580: ...network It intercepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets ...

Page 581: ... given switch bypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 23 2 assume that ...

Page 582: ...ate limited to prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains ...

Page 583: ...onfiguring Dynamic ARP Inspection These sections contain this configuration information Default Dynamic ARP Inspection Configuration page 23 5 Dynamic ARP Inspection Configuration Guidelines page 23 6 Configuring Dynamic ARP Inspection in DHCP Environments page 23 7 required in DHCP environments Configuring ARP ACLs for Non DHCP Environments page 23 8 required in non DHCP environments Limiting the...

Page 584: ...hysical port remains suspended in the port channel A port channel inherits its trust state from the first physical port that joins the channel Consequently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all the physical ports that comprise the channel ...

Page 585: ... shown in Figure 23 2 on page 23 3 Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located A DHCP server is connected to Switch A Both hosts acquire their IP addresses from the same DHCP server Therefore Switch A has the bindings for Host 1 and Host 2 and Switch B has the binding for Host 2 Note Dynamic ARP inspection depends on the entries in the DHCP snooping bindi...

Page 586: ...s of Host 2 is not static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Step 5 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the tru...

Page 587: ... more information see the Configuring the Log Buffer section on page 23 13 Step 4 exit Return to global configuration mode Step 5 ip arp inspection filter arp acl name vlan vlan range static Apply the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts a...

Page 588: ...able error disabled recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you ente...

Page 589: ...ps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets processed per second The range is 0 to 2048 pps Optional For burst interval seconds specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets The r...

Page 590: ...hese meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check i...

Page 591: ...specified logs number entries and generates system messages at the configured rate For example if the interval rate is one entry per second up to five system messages are generated per second in a five member switch stack Beginning in privileged EXEC mode follow these steps to configure the log buffer This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration m...

Page 592: ...VLANs separated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packet...

Page 593: ... the privileged EXEC commands in Table 23 4 For more information about these commands see the command reference for this release Table 23 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MA...

Page 594: ...23 16 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 23 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 595: ...ing for IPv4 traffic For information about MLD snooping see Chapter 25 Configuring IPv6 MLD Snooping Note For complete syntax and usage information for the commands used in this chapter see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Und...

Page 596: ...h it receives an IGMP join request The switch supports IP multicast group based bridging rather than MAC addressed based groups With multicast MAC address based groups if an IP address being configured translates aliases to a previously configured MAC address or to any reserved multicast MAC addresses in the range 224 0 0 xxx the command fails Because the switch uses IP multicast groups there are ...

Page 597: ...s It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast SSM feature Joining a Multicast Group When a blade server connected to t...

Page 598: ... the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another blade server for example Blade Server 4 sends an unsolicited IGMP join message for the same group Figure 24 2 the CPU receives that message and adds the port number of...

Page 599: ...group maintained by IGMP snooping When blade servers want to leave a multicast group they can silently leave or they can send a leave message When the switch receives a leave message from a blade server it sends a group specific query to learn if any other devices connected to that interface are interested in traffic for the specific multicast group The switch then updates the forwarding table for...

Page 600: ...me can be configured from 100 to 5000 milliseconds The timer can be set either globally or on a per VLAN basis The VLAN configuration of the leave time overrides the global configuration For configuration steps see the Configuring the IGMP Leave Timer section on page 24 12 IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports ...

Page 601: ...ight take longer to converge if the stack master is removed Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content These sections contain this configuration information Default IGMP Snooping Configuration page 24 7 Enabling or Disabling IGMP Snooping page 24 8 Setting the Snooping Method page 24 9 Configuring a Multicast...

Page 602: ...llow these steps to enable IGMP snooping on a VLAN interface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number IGMP snooping querier Disabled IGMP report suppression Enabled 1 TCN Topology Change Notification Table 24 3 Default IGMP Snooping Configuration continued Feature Default Setting Command Purpose...

Page 603: ...the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamically access the router For more information see Chapter 45 Configuring IP Multicast Routing Beginning in privileged EXEC mode follow these steps...

Page 604: ...face interface id global configuration command This example shows how to enable a static connection to a multicast router Switch configure terminal Switch config ip igmp snooping vlan 200 mrouter interface gigabitethernet0 2 Switch config end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the mul...

Page 605: ...tely removes a port when it detects an IGMP Version 2 leave message on that port You should only use the Immediate Leave feature when there is a single receiver present on every port in the VLAN Note Immediate Leave is supported only on IGMP Version 2 blade servers Beginning in privileged EXEC mode follow these steps to enable IGMP Immediate Leave Command Purpose Step 1 configure terminal Enter gl...

Page 606: ...ode follow these steps to enable the IGMP configurable leave timer To globally reset the IGMP leave timer to the default setting use the no ip igmp snooping last member query interval global configuration command To remove the configured IGMP leave time setting from the specified VLAN use the no ip igmp snooping vlan vlan id last member query interval global configuration command Step 4 show ip ig...

Page 607: ...re relearned based on the general queries received during the TCN event Beginning in privileged EXEC mode follow these steps to configure the TCN flood query count To return to the default flooding query count use the no ip igmp snooping tcn flood query count global configuration command Recovering from Flood Mode When a topology change occurs the spanning tree root sends a special IGMP leave mess...

Page 608: ...flooding on an interface To re enable multicast flooding on an interface use the ip igmp snooping tcn flood interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping tcn query solicit Send an IGMP leave message global leave to speed the process of recovering from the flood mode caused during a TCN event By default query solici...

Page 609: ...nooping is disabled in the VLAN PIM is enabled on the SVI of the corresponding VLAN Beginning in privileged EXEC mode follow these steps to enable the IGMP snooping querier feature in a VLAN Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping querier Enable the IGMP snooping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an...

Page 610: ...igmp snooping querier version 2 Switch config end Disabling IGMP Report Suppression Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports This feature is not supported when the query includes IGMPv3 reports IGMP report suppression is enabled by default When it is enabled the switch forwards only one IGMP report per multicast router query When report ...

Page 611: ...ping user Display only the user configured multicast entries show ip igmp snooping groups vlan vlan id ip_address count dynamic count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 to 4094 count Display the total number of entries for the specified command options instead of the actual e...

Page 612: ...e intercepts the IGMP messages and modifies the forwarding table to include or remove the subscriber as a receiver of the multicast stream even though the receivers might be in a different VLAN from the source This forwarding behavior selectively allows traffic to cross between different VLANs You can set the switch for compatible or dynamic mode of MVR operation In compatible mode multicast data ...

Page 613: ...from the multicast VLAN are called MVR source ports Figure 24 3 Multicast VLAN Registration Example When the subscriber changes channels or stops the multicast stream the server sends an IGMP leave message for the multicast stream The switch CPU sends a MAC based general query through the receiver port VLAN If there is another device in the VLAN still subscribing to this group that device must res...

Page 614: ...rding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN selectively allowing traffic to cross between two VLANs IGMP reports are sent to the same IP multicast group address as the multicast data The blade switch CPU must capture all IGMP join and leave messages from receiver ports and forward them to the multicast VLAN of the source up...

Page 615: ...eration to enable MVR is cancelled and you receive an error message MVR can coexist with IGMP snooping on a switch MVR data received on an MVR receiver port is not forwarded to MVR source ports MVR does not support IGMPv3 messages Configuring MVR Global Parameters You do not need to set the optional MVR parameters if you choose to use the default settings If you do want to change the default param...

Page 616: ...ed EXEC mode follow these steps to configure Layer 2 MVR interfaces Step 5 mvr vlan vlan id Optional Specify the VLAN in which multicast data is received all source ports must belong to this VLAN The VLAN range is 1 to 1001 and 1006 to 4094 The default is VLAN 1 Step 6 mvr mode dynamic compatible Optional Specify the MVR mode of operation dynamic Allows dynamic MVR membership on source ports compa...

Page 617: ...subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN The default configuration is as a non MVR port If you attempt to configure a non MVR port with MVR characteristics the operation fails Step 5 mvr vlan vlan id g...

Page 618: ... the multicast group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding o...

Page 619: ...mber of IGMP Groups page 24 27 optional Configuring the IGMP Throttling Action page 24 28 optional Default IGMP Filtering and Throttling Configuration Table 24 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Act...

Page 620: ...the default it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch config igmp profile permit Switch config igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp profile profile nu...

Page 621: ...terface configuration command Use the no form of this command to set the maximum back to the default which is no limit This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You also can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group Beginning in privileg...

Page 622: ...no maximum entering the ip igmp max groups action deny replace command has no effect If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table the forwarding table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were prev...

Page 623: ...hysical interface to be configured and enter interface configuration mode The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface The interface cannot be a trunk port Step 3 ip igmp max groups action deny replace When an interface receives an IGMP report and the maximum number of entries is in the forwarding table specify the action that the i...

Page 624: ...24 30 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 24 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 625: ...ence for this release or the Cisco IOS documentation referenced in the procedures This chapter includes these sections Understanding MLD Snooping section on page 25 1 Configuring IPv6 MLD Snooping section on page 25 5 Displaying MLD Snooping Information section on page 25 12 Understanding MLD Snooping In IP Version 4 IPv4 Layer 2 switches can use Internet Group Management Protocol IGMP snooping to...

Page 626: ...onstructed in software and hardware The switch then performs IPv6 multicast address based bridging in hardware According to IPv6 multicast standards the switch derives the MAC multicast address by performing a logical OR of the four low order octets of the switch MAC address with the MAC address of 33 33 00 00 00 00 For example the IPv6 MAC address of FF02 DEAD BEEF 1 3 maps to the Ethernet MAC ad...

Page 627: ...nd you are using extended VLANs in the range 1006 to 4094 IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN For normal range VLANs 1 to 1005 it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch When a group exists in the MLD snooping database the switch responds to a group spe...

Page 628: ...bled and all MLDv1 reports are flooded to the ingress VLAN The switch also supports MLDv1 proxy reporting When an MLDv1 MASQ is received the switch responds with MLDv1 reports for the address on which the query arrived if the group exists in the switch on another port and if the port on which the query arrived is not the last member port for the address MLD Done Messages and Immediate Leave When t...

Page 629: ...witch Stacks The MLD IPv6 group and MAC address databases are maintained on all switches in the stack regardless of which switch learns of an IPv6 multicast group Report suppression and proxy reporting are done stack wide During the maximum response time only one received report for a group is forwarded to the multicast routers regardless of which switch the report arrives on The election of a new...

Page 630: ...tures at the same time on the switch The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template The maximum number of address entries allowed for the switch or switch stack is 1000 Table 25 1 Default MLD Snooping Configuration Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD snooping must be globa...

Page 631: ...N snooping Beginning in privileged EXEC mode follow these steps to globally enable MLD snooping on the switch To globally disable MLD snooping on the switch use the no ipv6 mld snooping global configuration command Beginning in privileged EXEC mode follow these steps to enable MLD snooping on a VLAN Note When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs in t...

Page 632: ...witch Step 3 ipv6 mld snooping vlan vlan id Enable MLD snooping on the VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 Note MLD snooping must be globally enabled for VLAN snooping to be enabled Step 4 end Return to privileged EXEC mode Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configura...

Page 633: ...to add a multicast router port to VLAN 200 Switch configure terminal Switch config ipv6 mld snooping vlan 200 mrouter interface gigabitethernet1 0 2 Switch config exit Enabling MLD Immediate Leave When you enable MLDv1 Immediate Leave the switch immediately removes a port from a multicast group when it detects an MLD Done message on that port You should only use the Immediate Leave feature when th...

Page 634: ...rivileged EXEC mode Step 4 show ipv6 mld snooping vlan vlan id Verify that Immediate Leave is enabled on the VLAN interface Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 mld snooping robustness variable value Optional Set the number of queries that are sent before ...

Page 635: ...nterval interval Optional Set the maximum response time that the switch waits after sending out a MASQ before deleting a port from the multicast group The range is 100 to 32 768 thousands of a second The default is 1000 1 second Step 7 ipv6 mld snooping vlan vlan id last listener query interval interval Optional Set the last listener query interval on a VLAN basis This value overrides the value co...

Page 636: ...ify that IPv6 MLD snooping report suppression is disabled Step 5 copy running config startup config Optional Save your entries in the configuration file Table 25 2 Commands for Displaying MLD Snooping Information Command Purpose show ipv6 mld snooping vlan vlan id Display the MLD snooping configuration information for all VLANs on the switch or for a specified VLAN Optional Enter vlan vlan id to d...

Page 637: ...ess information for the switch or a VLAN Enter count to show the group count on the switch or in a VLAN Enter dynamic to display MLD snooping learned group information for the switch or for a VLAN Enter user to display MLD snooping user configured group information for the switch or for a VLAN show ipv6 mld snooping multicast address vlan vlan id ipv6 multicast address Display MLD snooping for the...

Page 638: ...25 14 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 25 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information ...

Page 639: ...mands used in this chapter see the command reference for this release This chapter consists of these sections Configuring Storm Control page 26 1 Configuring Protected Ports page 26 6 Configuring Port Blocking page 26 8 Configuring Port Security page 26 9 Configuring Protocol Storm Protection page 26 21 Displaying Port Based Traffic Control Settings page 26 23 Configuring Storm Control These secti...

Page 640: ...shold for small frames is configured for each interface Cisco IOS Release 12 2 44 SE or later With each method the port blocks traffic when the rising threshold is reached The port remains blocked until the traffic rate drops below the falling threshold if one is specified and then resumes normal forwarding If the falling suppression level is not specified the switch blocks all traffic until the t...

Page 641: ...for each traffic type Default Storm Control Configuration By default unicast broadcast and multicast storm control are disabled on the switch interfaces that is the suppression level is 100 percent Configuring Storm Control and Threshold Levels You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic However because of hardware l...

Page 642: ...t configure a falling suppression level it is set to the rising suppression level The range is 0 00 to 100 00 If you set the threshold to the maximum value 100 percent no limit is placed on the traffic If you set the threshold to 0 0 all broadcast multicast and unicast traffic on that port is blocked For bps bps specify the rising threshold level for broadcast multicast or unicast traffic in bits ...

Page 643: ...do not cause the switch storm control counters to increment In Cisco IOS Release 12 2 44 SE and later you can configure a port to be error disabled if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a sp...

Page 644: ...raffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotected port proceeds as usual Because a switch stack represents a single logical switch Layer 2 traffic is not forwarded between any prote...

Page 645: ...LAN port A private VLAN isolated port does not forward traffic to other isolated ports or community ports For more information about private VLANs see Chapter 16 Configuring Private VLANs Configuring a Protected Port Beginning in privileged EXEC mode follow these steps to define a port as a protected port To disable protected port use the no switchport protected interface configuration command Thi...

Page 646: ...to not block flooding of unknown multicast and unicast traffic out of a port but to flood these packets to all ports Blocking Flooded Traffic on an Interface Note The interface can be a physical interface or an EtherChannel group When you block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group Beginning in privileged EXEC mode follow these steps t...

Page 647: ...ured the full bandwidth of the port If a uplink port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses a security violation occurs Also if a station with a secure MAC address configured or learned on one secure port attempts to access a...

Page 648: ...MAC addresses in the configuration file when the switch restarts the interface does not need to relearn these addresses If you do not save the sticky secure addresses they are lost If sticky learning is disabled the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration The maximum number of secure MAC addresses that you can configure o...

Page 649: ... violation mode per VLAN In this mode the VLAN is error disabled instead of the entire port when a violation occurs Table 26 1 shows the violation mode and the actions taken when you configure an interface for port security Default Port Security Configuration Table 26 2 shows the default port security configuration for an interface Table 26 1 Security Violation Mode Actions Violation Mode Traffic ...

Page 650: ...he Cisco IP phone you must configure enough secure addresses to allow one for each PC and one for the phone When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interface configuration commands has no effect When a connected device uses the same MAC address ...

Page 651: ... switchport access vlan dynamic interface configuration command 4 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN Table 26 3 Port Security Compatibility with Other Switch Features continued Type of Port or Feature on Port Compatible with Port Security Command Purpose Step 1 configure terminal Enter global c...

Page 652: ...e This number is the total of available MAC addresses including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces Optional vlan set a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan list On a trunk port you can set a per VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separate...

Page 653: ...e port has not reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface...

Page 654: ...rface is configured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC a...

Page 655: ...igured dynamic or sticky on the switch or on an interface To delete a specific secure MAC address from the address table use the no switchport port security mac address mac address interface configuration command To delete all dynamic secure addresses on an interface from the address table enter the no switchport port security interface configuration command followed by the switchport port securit...

Page 656: ...security mac address sticky 0000 0000 0001 vlan voice Switch config if switchport port security mac address 0000 0000 0004 vlan voice Switch config if switchport port security maximum 10 vlan access Switch config if switchport port security maximum 10 vlan voice Enabling and Configuring Port Security Aging You can use port security aging to set the aging time for all secure addresses on a port Two...

Page 657: ...cure addresses are downloaded by the new stack member from the other stack members When a switch either the stack master or a stack member leaves the stack the remaining stack members are notified and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table For more information about switch stacks see Chapter 7 Managing Switch Stacks Step 3 switch...

Page 658: ...cure PVLAN ports When a secure address is learned on a secure PVLAN port the same secure address cannot be learned on another secure PVLAN port belonging to the same primary VLAN However an address learned on unsecure PVLAN port can be learned on a secure PVLAN port belonging to same primary VLAN Secure addresses that are learned on host port get automatically replicated on associated primary VLAN...

Page 659: ...can control the rate at which control packets are sent to the switch by specifying the upper threshold for the packet flow rate The supported protocols are ARP ARP snooping Dynamic Host Configuration Protocol DHCP v4 DHCP snooping Internet Group Management Protocol IGMP and IGMP snooping When the packet rate exceeds the defined threshold the switch drops all traffic arriving on the specified virtu...

Page 660: ... storm protection is configured a counter records the number of dropped packets To see this counter use the show psp statistics arp igmp dhcp privileged EXEC command To clear the counter for a protocol use the clear psp counter arp igmp dhcp command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 psp arp dhcp igmp pps value Configure protocol storm protection for A...

Page 661: ...al status of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show port security interface interface id Di...

Page 662: ...26 24 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 26 Configuring Port Based Traffic Control Displaying Port Based Traffic Control Settings ...

Page 663: ...etwork management applications to discover Cisco devices that are neighbors of already known devices With CDP network management applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that ...

Page 664: ...stack appears as a single switch in the network Therefore CDP discovers the switch stack not the individual stack members The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership such as stack members being added or removed Configuring CDP These sections contain this configuration information Default CDP Configuration page 27 2 Config...

Page 665: ...d Maintaining CDP section on page 27 5 Disabling and Enabling CDP CDP is enabled by default Beginning in privileged EXEC mode follow these steps to disable the CDP device discovery capability Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp timer seconds Optional Set the transmission frequency of CDP updates in seconds The range is 5 to 254 the default is 60 sec...

Page 666: ...bitethernet1 0 1 Switch config if cdp enable Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP after disabling it Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interf...

Page 667: ...neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You ...

Page 668: ...27 6 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 27 Configuring CDP Monitoring and Maintaining CDP ...

Page 669: ...ice LLDP The Cisco Discovery Protocol CDP is a device discovery protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other...

Page 670: ...s switches It specifically provides support for voice over IP VoIP applications and provides additional TLVs for capabilities discovery network policy Power over Ethernet inventory management and location information By default all LLDP MED TLVs are enabled LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device suppo...

Page 671: ...vices Engine MSE The tracked device can be a wireless endpoint a wired endpoint or a wired switch or controller The switch notifies the MSE of device link up and link down events through the Network Mobility Services Protocol NMSP location and attachment notifications The MSE starts the NMSP connection to the switch which opens a server port When the MSE connects to the switch there are a set of m...

Page 672: ...ired clients associated with the switch If you change a location address on the switch the switch sends an NMSP location notification message that identifies the affected ports and the changed address information Configuring LLDP LLDP MED and Wired Location Service Default LLDP Configuration page 28 4 Configuration Guidelines page 28 5 Enabling LLDP page 28 5 Configuring LLDP Characteristics page ...

Page 673: ...iguration command Enabling LLDP Beginning in privileged EXEC mode follow these steps to enable LLDP To disable LLDP use the no lldp run global configuration command To disable LLDP on an interface use the no lldp transmit and the no lldp receive interface configuration commands This example shows how to globally enable LLDP Switch configure terminal Switch config lldp run Switch config end This ex...

Page 674: ...er 30 Switch config end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information from your device before discarding it The range is 0 to 65535 seconds the default is 120 seconds Step 3 lldp reinit delay Optional Specify the delay time in seconds for LLDP to initialize on...

Page 675: ... config if end Configuring Network Policy TLV Beginning in privileged EXEC mode follow these steps to create a network policy profile configure the policy attributes and apply it to an interface Table 28 2 LLDP MED TLVs LLDP MED TLV Description inventory management LLDP MED inventory management TLV location LLDP MED location TLV network policy LLDP MED network policy TLV power management LLDP MED ...

Page 676: ...signaling application type vlan Specify the native VLAN for voice traffic vlan id Optional Specify the VLAN for voice traffic The range is 1 to 4094 cos cvalue Optional Specify the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 5 dscp dvalue Optional Specify the differentiated services code point DSCP value for the configured VLAN The range is 0 to...

Page 677: ...ic location string Specify the site or location information in alphanumeric format Step 3 exit Return to global configuration mode Step 4 interface interface id Specify the interface on which you are configuring the location information and enter interface configuration mode Step 5 location additional location information word civic location id id elin location id id Enter location information for...

Page 678: ...our switch must be running the cryptographic encrypted software image to enable the nmsp global configuration commands This example shows how to enable NMSP on a switch and to set the location notification time to 10 seconds Switch config nmsp enable Switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 nmsp enable Enable the NMSP features on the switch Step 3 nms...

Page 679: ...n enter an asterisk to display all neighbors or you can enter the neighbor name show lldp interface interface id Display information about interfaces with LLDP enabled You can limit the display to a specific interface show lldp neighbors interface id detail Display information about neighbors including device type interface type and number holdtime settings capabilities and port ID You can limit t...

Page 680: ...talyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 28 Configuring LLDP LLDP MED and Wired Location Service Monitoring and Maintaining LLDP LLDP MED and Wired Location Service ...

Page 681: ...the affected port and alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traf...

Page 682: ...onversely the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be per...

Page 683: ...any potentially out of sync neighbors If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 29 1 shows an example of a unidi...

Page 684: ... UDLD is not supported on ATM ports A UDLD capable port cannot detect a unidirectional link if it is connected to a UDLD incapable port of another switch When configuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that ...

Page 685: ...n all fiber optic ports enable Enables UDLD in normal mode on all fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 29 1 message time message timer interval Configures the period of ti...

Page 686: ...ation command enables the timer to automatically recover from the UDLD error disabled state and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be enabled for UDLD and enter interface conf...

Page 687: ...apter 29 Configuring UDLD Displaying UDLD Status Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release ...

Page 688: ...29 8 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 29 Configuring UDLD Displaying UDLD Status ...

Page 689: ...etwork analyzer or other monitoring or security device SPAN copies or mirrors traffic received or sent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do ...

Page 690: ...orts are in the same switch or switch stack Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis For example in Figure 30 1 all traffic on port 5 the source port is mirrored to port 10 the destination port A network analyzer on port 10 receives all network traffic from port 5 without being physically attached to port 5 Fig...

Page 691: ...r specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSPAN sources The destination is always a physical port as sh...

Page 692: ...ts specified by the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of sour...

Page 693: ...PAN source ports and VLANs Both switched and routed ports can be configured as SPAN sources and destinations You can have multiple destination ports in a SPAN session but no more than 64 destination ports per switch stack SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mb s port monitoring a 100 Mb s port can result...

Page 694: ...ese changes occur Packets are sent on the destination port with the same encapsulation untagged or IEEE 802 1Q that they had on the source port Packets of all types including BPDU and Layer 2 protocol packets are monitored Therefore a local SPAN session with encapsulation replicate enabled can have a mixture of untagged and IEEE 802 1Q tagged packets appear on the destination port Switch congestio...

Page 695: ...rce ports and can be monitored in either or both directions On a given port only traffic on the monitored VLAN is sent to the destination port If a destination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources bei...

Page 696: ...outed port it is no longer a routed port It can be any Ethernet physical port It cannot be a secure port It cannot be a source port It cannot be an EtherChannel group or a VLAN It can participate in only one SPAN session at a time a destination port in one SPAN session cannot be a destination port for a second SPAN session When it is active incoming traffic is disabled The port does not transmit a...

Page 697: ...es Routing SPAN does not monitor routed traffic VSPAN only monitors traffic that enters or exits the switch not traffic that is routed between VLANs For example if a VLAN is being Rx monitored and the switch routes traffic from another VLAN to the monitored VLAN that traffic is not monitored and not received on the SPAN destination port STP A destination port does not participate in STP while its ...

Page 698: ...y ports with monitored egress An IEEE 802 1x port can be a SPAN source port You can enable IEEE 802 1x on a port that is a SPAN destination port however IEEE 802 1x is disabled until the port is removed as a SPAN destination For SPAN sessions do not enable IEEE 802 1x on ports with monitored egress when ingress forwarding is enabled on the destination port For RSPAN source sessions do not enable I...

Page 699: ...from memory to allow space for the security ACLs A system message notifies you of this action which is called unloading When there is again space for the FSPAN ACLs to reside in memory they are added to the hardware memory on the switch A system message notifies you of this action which is called reloading The IPv4 IPv6 and MAC FSPAN ACLs can be unloaded or reloaded independently If a VLAN based F...

Page 700: ...the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN destination port Entering SPAN configuration commands does not remove previously configured SPAN parameters You must enter the no monitor session session_number all local remote global configuration command to delete configured SP...

Page 701: ...session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or source VLAN to monitor For source interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel por...

Page 702: ...thernet1 0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interf...

Page 703: ...ion session_number all local remote Remove any existing SPAN configuration for the session Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port Step 4 monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id untagged vlan vlan id vlan vlan i...

Page 704: ...ion replicate ingress dot1q vlan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Command Purpose ...

Page 705: ...n RSPAN Source Session page 30 19 Specifying VLANs to Filter page 30 21 Creating an RSPAN Destination Session page 30 22 Creating an RSPAN Destination Session and Configuring Incoming Traffic page 30 23 Step 5 monitor session session_number destination interface interface id encapsulation replicate Specify the SPAN session and the destination port monitoring port For session_number specify the ses...

Page 706: ...nk ports have active RSPAN VLANs RSPAN VLANs can also be sources in SPAN sessions However since the switch does not monitor spanned traffic it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch You can configure any VLAN as an RSPAN VLAN as long as these conditions are met The same RSPAN VLAN is used for an RSPAN ses...

Page 707: ...d Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID to create a VLAN or enter the VLAN ID of an existing VLAN and enter VLAN configuration mode The range is 2 to 1001 and 1006 to 4094 The RSPAN VLAN cannot be VLAN 1 the default VLAN or VLAN IDs 1002 through 1005 reserved for Token Ring and FDDI VLANs Step 3 remote span Configure the VLAN as an RS...

Page 708: ... session_number the range is 1 to 66 Enter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 64 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A sing...

Page 709: ... to 66 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must alrea...

Page 710: ...gated through the VTP network Step 3 remote span Identify the VLAN as the RSPAN VLAN Step 4 exit Return to global configuration mode Step 5 no monitor session session_number all local remote Remove any existing RSPAN configuration for the session For session_number the range is 1 to 66 Specify all to remove all RSPAN sessions local to remove all local sessions or remote to remove all remote SPAN s...

Page 711: ...d Specify the RSPAN session and the source RSPAN VLAN For session_number the range is 1 to 66 For vlan id specify the source RSPAN VLAN to monitor Step 4 monitor session session_number destination interface interface id ingress dot1q vlan vlan id untagged vlan vlan id vlan vlan id Specify the SPAN session the destination port the packet encapsulation and the incoming VLAN and encapsulation For ses...

Page 712: ...RSPAN You can attach ACLs to only one SPAN or RSPAN session at a time When no FSPAN ACLs are attached FSPAN is disabled and all traffic is copied to the SPAN destination ports When at least one FSPAN ACL is attached FSPAN is enabled When you attach an empty FSPAN ACL to a SPAN session it does not filter packets and all traffic is monitored When you attach at least one FSPAN ACL that is not empty t...

Page 713: ... FSPAN ACLs with TCP flags or the log keyword are not supported If you configure an IPv6 FSPAN ACL when the switch is running the advanced IP services feature set but later run a different feature set after rebooting the switch the switch might lose the IPv6 FSPAN ACL configuration IPv6 FSPAN ACLs are supported only on IPv6 enabled SDM templates If you configure an IPv6 FSPAN ACL when running an I...

Page 714: ...onitors both sent and received traffic both Monitor both sent and received traffic This is the default rx Monitor received traffic tx Monitor sent traffic Note You can use the monitor session session_number source command multiple times to configure multiple source ports Step 4 monitor session session_number destination interface interface id encapsulation replicate Specify the SPAN session and th...

Page 715: ...cify the session number entered in Step 3 For accessl list number specify the ACL number that you want to use to filter traffic For name specify the ACL name that you want to use to filter traffic Step 6 end Return to privileged EXEC mode Step 7 show monitor session session_number show running config Verify the configuration Step 8 copy running config startup config Optional Save the configuration...

Page 716: ...ived traffic both Monitor both received and sent traffic rx Monitor received traffic tx Monitor sent traffic Step 4 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination RSPAN VLAN For session_number enter the number defined in Step 3 For vlan id specify the source RSPAN VLAN to monitor Step 5 vlan vlan id Enter the VLAN sub mode For vlan id s...

Page 717: ...apter 30 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 718: ...30 30 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 30 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status ...

Page 719: ...an be exchanged between RMON compliant console systems and network probes RMON provides you with comprehensive network fault diagnosis planning and performance tuning information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 from the Cisco com...

Page 720: ...on Ethernet ports including Fast Ethernet and Gigabit Ethernet statistics depending on the switch type and supported interfaces for a specified polling interval Alarm RMON group 3 Monitors a specific management information base MIB object for a specified interval triggers an alarm at a specified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with ...

Page 721: ...Interface page 31 6 optional Default RMON Configuration RMON is disabled by default no alarms or events are configured Configuring RMON Alarms and Events You can configure your switch for RMON by using the command line interface CLI or an SNMP compatible network management station We recommend that you use a generic RMON console application on the network management station NMS to take advantage o...

Page 722: ...range is 1 to 4294967295 seconds Specify the absolute keyword to test each MIB variable directly Specify the delta keyword to test the change between samples of a MIB variable For value specify a number at which the alarm is triggered and one for when the alarm is reset The range for the rising threshold and falling threshold values is 2147483648 to 2147483647 Optional For event number specify the...

Page 723: ...tErrors owner jjones Collecting Group History Statistics on an Interface You must first configure RMON alarms and events to display collection information Beginning in privileged EXEC mode follow these steps to collect group history statistics on an interface This procedure is optional To disable history collection use the no rmon collection history index interface configuration command Command Pu...

Page 724: ...Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which to collect statistics and enter interface configuration mode Step 3 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specif...

Page 725: ...s the output from system messages and debug privileged EXEC commands to a logging process Stack members can trigger system messages A stack member that generates a system message appends its hostname in the form of hostname n where n is a switch number from 1 to 9 and redirects the output to the logging process on the stack master Though the stack master is a stack member it does not append its ho...

Page 726: ...em Message Logging These sections contain this configuration information System Log Message Format page 32 2 Default System Message Logging Configuration page 32 4 Disabling Message Logging page 32 4 optional Setting the Message Display Destination Device page 32 5 optional Synchronizing Log Messages page 32 6 optional Enabling and Disabling Time Stamps on Log Messages page 32 8 optional Enabling ...

Page 727: ...EPROTO 5 UPDOWN Line protocol on Interface Vlan1 changed state to down Switch 2 00 00 48 LINEPROTO 5 UPDOWN Line protocol on Interface GigabitEthernet2 0 1 changed state to down 2 Switch 2 Table 32 1 System Log Message Elements Element Description seq no Stamps log messages with a sequence number only if the service sequence numbers global configuration command is configured For more information s...

Page 728: ...ogging configuration Disabling Message Logging Message logging is enabled by default It must be enabled to send messages to any destination other than the console When enabled log messages are sent to a logging process which logs messages to designated locations asynchronously to the processes that generated the messages Beginning in privileged EXEC mode follow these steps to disable message loggi...

Page 729: ...ig or show logging Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging buffered size Log messages to an internal buffer on the switch or on a standalone switch or in the case of a switch stack on the stack master The range is 4096 t...

Page 730: ...ages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicited device output and prompts After the unsoli...

Page 731: ... line numbers is from 0 to 15 You can change the setting of all 16 vty lines at once by entering line vty 0 15 Or you can change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration Step 3 logging synchronous level severity level all limit number...

Page 732: ...ore than one log message can have the same time stamp you can display messages with sequence numbers so that you can unambiguously see a single message By default sequence numbers in log messages are not displayed Beginning in privileged EXEC mode follow these steps to enable sequence numbers in log messages This procedure is optional Command Purpose Step 1 configure terminal Enter global configur...

Page 733: ...lobal configuration command To disable logging to syslog servers use the no logging trap global configuration command Step 4 show running config Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 logging console level Limit messages logged...

Page 734: ...k messages displayed at the informational level This message is only for information switch functionality is not affected Limiting Syslog Messages Sent to the History Table and to SNMP If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp server enable trap global configuration command you can change the level of messages sent and stored in the swit...

Page 735: ... entering the no logging enable command followed by the logging enable command to disable and re enable logging Use the show archive log config all number end number user username session number number end number statistics provisioning privileged EXEC command to display the complete configuration log or the log for specified parameters The default is that configuration logging is disabled For inf...

Page 736: ...art stop group radius 41 13 unknown user vty3 no aaa accounting system default 42 14 temi vty4 interface GigabitEthernet4 0 1 43 14 temi vty4 switchport mode trunk 44 14 temi vty4 exit 45 16 temi vty5 interface GigabitEthernet5 0 1 46 16 temi vty5 switchport mode trunk 47 16 temi vty5 exit Configuring UNIX Syslog Servers The next sections describe how to configure the UNIX server syslog daemon and...

Page 737: ... sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands at the UNIX shell prompt touch var log cisco log chmod 666 var log cisco log Step 3 Make sure the syslog daemon reads the new changes kill HUP cat etc syslog pid Fo...

Page 738: ...XEC command For information about the fields in this display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References Step 4 logging facility facility type Configure the syslog facility See Table 32 4 on page 32 14 for facility type keywords The default is local7 Step 5 end Return ...

Page 739: ...the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an agent or store a value into the agent The agent gathers data from the MIB the repository for information about device parameters and network data The agent can also respon...

Page 740: ...these security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source Encryption mixing the contents of a package to prevent it from being read by an unauthorized source Note To select encryption enter the priv keyword This keyword is available only when the cryptographic encrypted universal software ima...

Page 741: ... or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic universal software image MD5 or SHA Data Encryption Standard DES or Advanced Encryption Standard AES Provides authentication based on the HMAC MD5 or HMAC SHA algorithms Allows specifying the User based Security Model USM with these encryption algorithms DES 56 bit encryption in addition to authentication based on the CBC DES DES 5...

Page 742: ...n have one of these attributes Read only RO Gives read access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the C...

Page 743: ...rm request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager receive every notification use in...

Page 744: ...tarts and the switch startup configuration has at least one snmp server global configuration command the SNMP agent is enabled An SNMP group is a table that maps SNMP users to SNMP views An SNMP user is a member of an SNMP group An SNMP host is the recipient of an SNMP trap operation An SNMP engine ID is a name for the local or remote SNMP engine Table 33 4 Default SNMP Configuration Feature Defau...

Page 745: ...forms to it If a local user is not associated with a remote host the switch does not send informs for the auth authNoPriv and the priv authPriv authentication levels Changing the value of the SNMP engine ID has important side effects A user s password entered on the command line is converted to an MD5 or SHA security digest based on the password and the local engine ID The command line password is...

Page 746: ...igure one or more community strings of any length Optional For view specify the view record accessible to the community Optional Specify either read only ro if you want authorized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects O...

Page 747: ... add new users to the SNMP group Beginning in privileged EXEC mode follow these steps to configure SNMP on the switch Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string ...

Page 748: ...acket authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic universal software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in w...

Page 749: ...yword is specified auth is an authentication level setting session that can be either the HMAC MD5 96 md5 or the HMAC SHA 96 sha authentication level and requires a password string auth password not to exceed 64 characters If you enter v3 and the switch is running the cryptographic software image you can also configure a private priv encryption algorithm and password string priv password not to ex...

Page 750: ...uration changes config Generates a trap for SNMP configuration changes copy config Generates a trap for SNMP copy configuration changes cpu threshold Allow CPU related traps entity Generates a trap for SNMP entity changes envmon Generates environmental monitor traps You can enable any or all of these environmental traps fan shutdown status supply temperature flash Generates SNMP FLASH notification...

Page 751: ... the notification type port security configure the port security trap first and then configure the port security trap rate snmp server enable traps port security snmp server enable traps port security trap rate rate rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down storm contr...

Page 752: ...For host addr specify the name or Internet address of the host the targeted recipient Optional Enter informs to send SNMP informs to the host Optional Enter traps the default to send SNMP traps to the host Optional Specify the SNMP version 1 2c or 3 SNMPv1 does not support informs Optional For Version 3 select authentication level auth noauth or priv Note The priv keyword is available only when th...

Page 753: ...er host informs global configuration command To disable a specific trap type use the no snmp server enable traps notification types global configuration command Step 7 snmp server trap source interface id Optional Specify the source interface which provides the IP address for the trap message This command also sets the source IP address for informs Step 8 snmp server queue length length Optional E...

Page 754: ...rrupt utilization rising percentage the percentage 1 to 100 of CPU resources that when exceeded for the configured interval sends a CPU threshold notification interval seconds the duration of the CPU threshold violation in seconds 5 to 86400 that when met sends a CPU threshold notification falling fall percentage the percentage 1 to 100 of CPU resources that when usage falls below this level for t...

Page 755: ...access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permi...

Page 756: ...e community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public This example shows how to send Entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send Entity MIB traps in addition to any traps previously enabl...

Page 757: ...tals Command Reference Table 33 6 Commands for Displaying SNMP Information Feature Default Setting show snmp Displays SNMP statistics show snmp engineID local remote Displays information on the local SNMP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp pending Displays information on pending SNMP...

Page 758: ...33 20 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 33 Configuring SNMP Displaying SNMP Status ...

Page 759: ...de Embedded Event Manager Overview http www cisco com en US docs ios netmgmt configuration guide nm_eem_overview html Writing Embedded Event Manager Policies Using the Cisco IOS CLI http www cisco com en US docs ios netmgmt configuration guide nm_eem_policy_cli html Writing Embedded Event Manager Policies Using Tcl http www cisco com en US docs ios netmgmt configuration guide nm_eem_policy_tcl htm...

Page 760: ...cies then implement recovery based on the current state of the system and the actions specified in the policy for the given event Figure 34 1 Embedded Event Manager Core Event Detectors See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment These sections contain this conceptual information Event Detectors page 34 3 Embedded Event Manager Acti...

Page 761: ...o publishes an event about an interface based on the rate of change for the entry and exit values None event detector Publishes an event when the event manager run CLI command executes an EEM policy EEM schedules and runs policies on the basis on an event specification within the policy itself An EEM policy must be manually identified and registered before the event manager run command executes On...

Page 762: ...lishing an application specific event Generating an SNMP trap Generating prioritized syslog messages Reloading the Cisco IOS software Reloading the switch stack Reloading the master switch in the event of a master switchover If this occurs a new master switch is elected Embedded Event Manager Policies EEM can monitor events and provide information or take corrective action when the monitored event...

Page 763: ... exit status for policies triggered from synchronous events Cisco defined environment variables and Cisco system defined environment variables might apply to one specific event detector or to all event detectors Environment variables that are user defined or defined by Cisco in a sample policy are set by using the event manager environment global configuration command You must defined the variable...

Page 764: ...TCL Script page 34 7 For complete information about configuring embedded event manager see the Cisco IOS Network Management Configuration Guide Release 12 4T Registering and Defining an Embedded Event Manager Applet Beginning in privileged EXEC mode perform this task to register an applet with EEM and to define the EEM applet using the event applet and action applet configuration commands Note Onl...

Page 765: ...ority level msg msg text Specify the action when an EEM applet is triggered Repeat this action to add other CLI commands to the applet Optional The priority keyword specifies the priority level of the syslog messages If selected you need to define the priority level argument For msg text the argument can be character text an environment variable or a combination of the two Step 5 end Exit applet c...

Page 766: ...ond minute every hour of every day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Ma...

Page 767: ...witch also supports Cisco TrustSec Security Group Tag SCT Exchange Protocol SXP This feature supports security group access control lists SGACLs which define ACL policies for a group of devices instead of an IP address The SXP control protocol allows tagging packets with SCTs without a hardware upgrade and runs between access layer devices at the Cisco TrustSec domain edge and distribution layer d...

Page 768: ...s to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces For example you can allow e mail traffic to be forwarded but not Telnet traffic ACLs can be configured to block inbound traffic outbound traffic or both An ACL contains an ordered list of access control entries ACEs Each ACE specifies permit or deny and...

Page 769: ...d are filtered by the port ACL Outgoing routed IP packets are filtered by the router ACL Other packets are not filtered When a VLAN map input router ACL and input port ACL exist in an SVI incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL Incoming routed IP packets received on other ports are filtered by both the VLAN map and the router ACL Othe...

Page 770: ... port ACL to a port with voice VLAN the ACL filters traffic on both data and voice VLANs With port ACLs you can filter IP traffic by using IP access lists and non IP traffic by using MAC addresses You can filter both IP and non IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface Note You cannot apply more than one IP access list and on...

Page 771: ...can be used to control access to a network or to part of a network In Figure 35 1 ACLs applied at the router input allow Host A to access the Human Resources network but prevent Host B from accessing the same network VLAN Maps Use VLAN ACLs or VLAN maps to access control all traffic You can apply VLAN maps to all packets that are routed into or out of a VLAN or are bridged within a VLAN in the swi...

Page 772: ...ord after the destination address means to test for the TCP destination port well known numbers equaling Simple Mail Transfer Protocol SMTP and Telnet respectively Packet A is a TCP packet from host 10 2 2 2 port 65000 going to host 10 1 1 1 on the SMTP port If this packet is fragmented the first fragment matches the first ACE a permit as if it were a complete packet because all Layer 4 informatio...

Page 773: ...e to be elected as the new stack master When a stack master fails and a new stack master is elected the newly elected master reparses the backed up running configuration See Chapter 7 Configuring the Switch Stack The ACL configuration that is part of the running configuration is also reparsed during this step The new stack master distributes the ACL information to all switches in the stack Configu...

Page 774: ... of ACLs or access lists for IPv4 Standard IP access lists use source addresses for matching operations Extended IP access lists use source and destination addresses for matching operations and optional protocol type information for finer granularity of control These sections describe access lists and how to create them Access List Numbers page 35 8 ACL Logging page 35 9 Creating a Numbered Standa...

Page 775: ...are and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing rate and not all packets will be logged The first packet that triggers the ACL causes a logging message right away and subsequent packets are collected over 5 minute intervals before they appear or logged The logging me...

Page 776: ...s lists Standard IP access list 2 10 deny 171 69 198 102 20 permit any Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or permit to specify ...

Page 777: ...t the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywords are in parentheses in bold Authentication Header Protocol ahp Enhanced Interior Gateway Routing Protocol eigrp Encapsulation Security Payload esp generic rout...

Page 778: ...l specific parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wil...

Page 779: ...mission Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a ...

Page 780: ...essage precedence precedence tos tos fragments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these...

Page 781: ... your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers That is the name of a standard IP ACL can be 1 to 99 the name of an extended IP ACL can be 100 to 199...

Page 782: ...ep 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip access list extended name Define an extended IPv4 access list using a name and enter access list configuratio...

Page 783: ...et the times and the dates or the days of the week in the time range Then enter the time range name when applying an ACL to set restrictions to the access list You can use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week The time range keyword and argument are referenced in the named and...

Page 784: ... verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours Switch config access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp ...

Page 785: ...ociated permit or deny statements and some remarks after the associated statements To include a comment for IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command To remove the remark use the no form of this command In this example the server that belongs to Jones is allowed access and the workstation that belongs to Smith is not all...

Page 786: ...2 interfaces When private VLANs are configured you can apply router ACLs only on the primary VLAN SVIs The ACL is applied to both primary and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These access group denied packets are not dropped in hardware but are bridged to the switch...

Page 787: ...hecks the packet against the ACL If the ACL permits the packet the switch sends the packet If the ACL rejects the packet the switch discards the packet By default the input interface sends ICMP Unreachable messages whenever a packet is discarded regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface ICMP Unreachables are...

Page 788: ...n cannot be applied in hardware packets arriving in a VLAN that must be routed are routed in software but are bridged in hardware If ACLs cause large numbers of packets to be sent to the CPU the switch performance can be negatively affected When you enter the show ip access lists privileged EXEC command the match count displayed does not account for packets that are access controlled in hardware U...

Page 789: ...ource source wildcard destination destination wildcard permit tcp source source wildcard destination destination wildcard range 5 60 permit tcp source source wildcard destination destination wildcard range 15 160 permit tcp source source wildcard destination destination wildcard range 115 1660 or Rename the ACL with a name or number that alphanumerically precedes the other ACLs for example rename ...

Page 790: ...gigabitethernet1 0 1 Switch config if ip access group 6 out This example uses an extended ACL to filter traffic coming from blade server B into a port permitting traffic from any source address in this case Server B to only the Accounting destination addresses 172 20 128 64 to 172 20 128 95 The ACL is applied to traffic going into routed Port 1 permitting it to go only to the specified destination...

Page 791: ...that you have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same p...

Page 792: ...ny tcp any any Switch config ext nacl permit icmp any any Switch config ext nacl deny udp any 171 69 0 0 0 0 255 255 lt 1024 Switch config ext nacl deny ip any any log Switch config ext nacl exit The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port Switch config interface gigabitethernet3 0 2 Switch config if no switchp...

Page 793: ...lnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp 171 69 0 0 0 0 255 255 any eq telnet ACL Logging Two variations of logging are supported on router ACLs The log keyword sends an informational logging message to the console about the packet that matches the entry the log input keyword includes...

Page 794: ... kind of ACL and the access entry that has been matched This is an example of an output message when the log input keyword is entered 00 04 21 SEC 6 IPACCESSLOGDP list inputlog permitted icmp 10 1 1 10 Vlan1 0001 42ef a400 10 1 1 61 0 0 1 packet A log message for the same sort of packet using the log keyword does not include the input interface information 00 05 47 SEC 6 IPACCESSLOGDP list inputlo...

Page 795: ... access list filters only IP packets and the MAC access list filters non IP packets Step 3 deny permit any host source MAC address source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 655...

Page 796: ... permits all packets Remember this behavior if you use undefined ACLs for network security Configuring VLAN Maps This section describes how to configure VLAN maps which is the only way to control filtering within a VLAN VLAN maps have no direction To filter traffic in a specific direction by using a VLAN map you need to include an ACL with specific source or destination addresses If there is a mat...

Page 797: ...on VLAN Map Configuration Guidelines page 35 31 Creating a VLAN Map page 35 32 Applying a VLAN Map to a VLAN page 35 35 Using VLAN Maps in Your Network page 35 35 Configuring VACL Logging page 35 36 VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps If there is no ACL configured to deny traffic on an interface and no VLAN map is configured all traffic is permitted...

Page 798: ...EXEC mode follow these steps to create add to or delete a VLAN map entry Use the no vlan access map name global configuration command to delete a map Use the no vlan access map name number global configuration command to delete a single sequence entry from within the map Use the no action access map configuration command to enforce the default action which is to forward Command Purpose Step 1 conf...

Page 799: ...ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this map any IP packets that did not match any of the previous ACLs that is packets that are not TCP packets or UDP packets would get dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access ma...

Page 800: ... mac access list extended good protocols Switch config ext macl permit any any decnet ip Switch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch confi...

Page 801: ... You can restrict access to a server on another VLAN For example server 10 1 1 100 in VLAN 10 needs to have access denied to these hosts see Figure 35 4 Hosts in subnet 10 1 2 0 8 in VLAN 20 should not have access Hosts 10 1 1 4 and 10 1 1 8 in VLAN 10 should not have access Figure 35 4 Deny Access to a Server on Another VLAN Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 802: ...L Switch config vlan access map SERVER1_MAP Switch config access map match ip address SERVER1_ACL Switch config access map action drop Switch config vlan access map SERVER1_MAP 20 Switch config access map action forward Switch config access map exit Step 3 Apply the VLAN map to VLAN 10 Switch config vlan filter SERVER1_MAP vlan list 10 Configuring VACL Logging When you configure VACL logging syslo...

Page 803: ...sequence number range is from 0 to 65535 When you create VLAN maps with the same name numbers are assigned sequentially in increments of 10 When modifying or deleting maps you can enter the number of the map entry that you want to modify or delete Specifying the map name and optionally a number enters the access map configuration mode Step 3 action drop log Set the VLAN access map to drop and log ...

Page 804: ...rfaces and you can define a VLAN map to access control the bridged traffic If a packet flow matches a VLAN map deny clause in the ACL regardless of the router ACL configuration the packet flow is denied Note When you use router ACLs with VLAN maps packets that require logging on the router ACLs are not logged if they are denied by a VLAN map If the VLAN map has a match clause for the type of packe...

Page 805: ... permit ip any any To define multiple actions in an ACL permit deny group each action type together to reduce the number of entries Avoid including Layer 4 information in an ACL adding this information complicates the merging process The best merge results are obtained if the ACLs are filtered based on IP addresses source and destination and not on the full flow source IP address destination IP ad...

Page 806: ... on fallback bridged packets For bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 35 6 Applying ACLs on Bridged Packets VLAN 10 map Frame Input router ACL Output router ACL Routing function or fallback bridge VLAN 10 VLAN 20 Blade server B VLAN 10 Blade server A VLAN 10 VLAN 20 map Packet 201776 Frame Fallback bridge VLAN 10...

Page 807: ...two different kinds of filters applied one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be perm...

Page 808: ...0 Blade server B VLAN 20 VLAN 20 map Packet 201779 Table 35 2 Commands for Displaying Access Lists and Access Groups Command Purpose show access lists number name Display the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Display the contents of all current IP access lists or a specific IP access list numb...

Page 809: ...out VLAN access maps or VLAN filters Use the privileged EXEC commands in Table 35 3 to display VLAN map information Table 35 3 Commands for Displaying VLAN Map Information Command Purpose show vlan access map mapname Show information about all VLAN access maps or the specified access map show vlan filter access map name vlan vlan id Show information about all VLAN filters or about a specified VLAN...

Page 810: ...35 44 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 35 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 811: ...related information see these chapters For more information about SDM templates see Chapter 8 Configuring SDM Templates For information about IPv6 on the switch see Chapter 40 Configuring IPv6 Unicast Routing For information about ACLs on the switch see Chapter 35 Configuring Network Security with ACLs Note For complete syntax and usage information for the commands used in this chapter see the com...

Page 812: ...ts to which a port ACL is applied are filtered by the port ACL Routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on the ports to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other packets are not ...

Page 813: ... rejected If an ACL is applied to an interface and you attempt to add an access control entry ACE with an unsupported keyword the switch rejects the ACE addition to the ACL IPv6 ACLs and Switch Stacks The stack master supports IPv6 ACLs in hardware and distributes the IPv6 ACLs to the stack members Note For full IPv6 functionality in a switch stack all stack members must be running the IP services...

Page 814: ...ped due to a port ACL the frame is not bridged You can create both IPv4 and IPv6 ACLs on a switch or switch stack and you can apply both IPv4 and IPv6 ACLs to the same interface Each ACL must have a unique name an error message appears if you try to use a name that is already configured You use different commands to create IPv4 and IPv6 ACLs and to attach them to the same Layer 2 or Layer 3 interf...

Page 815: ...pecified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix p...

Page 816: ...e port protocol routing sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP but the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length ...

Page 817: ...f the switch is running the IP services or IP base feature set you can apply ACLs only to inbound management traffic on Layer 3 interfaces Beginning in privileged EXEC mode follow these steps to control access to an interface Use the no ipv6 traffic filter access list name interface configuration command to remove an access list from an interface Command Purpose Step 1 configure terminal Enter glo...

Page 818: ... access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 input and output access lists configured on the switch or switch stack Switch show ipv6 ac...

Page 819: ...36 9 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 36 Configuring IPv6 ACLs Displaying IPv6 ACLs ...

Page 820: ...36 10 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 36 Configuring IPv6 ACLs Displaying IPv6 ACLs ...

Page 821: ...IOS release 12 2 52 SE and later supports QoS for both IPv4and IPv6 traffic when a dual IPv4 and IPv6 SDM template is configured You can configure QoS on physical ports and on switch virtual interfaces SVIs Other than to apply policy maps you configure the QoS settings such as classification queueing and scheduling the same way on physical ports and SVIs When configuring QoS on a physical port you...

Page 822: ...fication is carried in the IP packet header using 6 bits from the deprecated IP type of service ToS field to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 37 1 Prioritization bits in Layer 2 frames Layer 2 802 1Q frame headers have a 2 byte Tag Con...

Page 823: ... resources allocated per traffic class The behavior of an individual device when handling traffic in the DiffServ architecture is called per hop behavior If all devices along a path provide a consistent per hop behavior you can construct an end to end QoS solution Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking device...

Page 824: ...ction to be taken when a packet is out of profile and determines what to do with the packet pass through a packet without modification mark down the QoS label in the packet or drop the packet For more information see the Policing and Marking section on page 37 9 Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet...

Page 825: ...non IP traffic you have these classification options as shown in Figure 37 3 Trust the CoS value in the incoming frame configure the port to trust CoS Then use the configurable CoS to DSCP map to generate a DSCP value for the packet Layer 2 802 1Q frame headers carry the CoS value in the 3 most significant bits of the Tag Control Information field CoS values range from 0 for low priority to 7 for ...

Page 826: ...ge from 0 for low priority to 7 for high priority Beginning with Cisco IOS Release 12 2 52 SE there is an option to classify IP traffic based on IPv6 IP precedence Trust the CoS value if present in the incoming packet and generate a DSCP value for the packet by using the CoS to DSCP map If the CoS value is not present use the default port CoS value Override the configured CoS of incoming packets a...

Page 827: ...to DSCP in packet Check if packet came with CoS label tag Use the CoS value to generate the QoS label Generate DSCP from CoS to DSCP map Use the DSCP value to generate the QoS label Yes Read next ACL Is there a match with a permit action Assign the DSCP or CoS as specified by ACL action to generate the QoS label Assign the default DSCP 0 Are there any more QoS ACLs configured for this interface Ch...

Page 828: ...st global configuration command you implement Layer 2 MAC ACLs to classify non IP traffic by using the mac access list extended global configuration command For configuration information see the Configuring a QoS Policy section on page 37 48 Classification Based on Class Maps and Policy Maps A class map is a mechanism that you use to name a specific traffic flow or class and to isolate it from all...

Page 829: ...e traffic Packets that exceed the limits are out of profile or nonconforming Each policer decides on a packet by packet basis whether the packet is in or out of profile and specifies the actions on the packet These actions carried out by the marker include passing through the packet without modification dropping the packet or modifying marking down the assigned DSCP of the packet and allowing the ...

Page 830: ...the switch verifies that there is enough room in the bucket If there is not enough room the packet is marked as nonconforming and the specified policer action is taken dropped or marked down How quickly the bucket fills is a function of the bucket depth burst byte the rate at which the tokens are removed rate bps and the duration of the burst above the average rate The size of the bucket imposes a...

Page 831: ...ndary interface level of the hierarchical policy map A hierarchical policy map has two levels The first level the VLAN level specifies the actions to be taken against a traffic flow on an SVI The second level the interface level specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface level policy map 86835 Yes Yes No No ...

Page 832: ...level policy map only supports individual policers and does not support aggregate policers You can configure different interface level policy maps for each class defined in the VLAN level policy map See the Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 37 64 for an example of a hierarchical policy map Figure 37 5 shows the policing and marking p...

Page 833: ...nfigure this map by using the mls qos map policed dscp global configuration command Before the traffic reaches the scheduling stage QoS stores the packet in an ingress and an egress queue according to the QoS label The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue ...

Page 834: ...at QoS label the space available in the destination queue is less than the size of the frame the switch drops the frame Each queue has three threshold values The QOS label is determines which of the three threshold values is subjected to the frame Of the three thresholds two are configurable explicit and one is not implicit Figure 37 7 shows an example of WTD operating on a queue whose size is 100...

Page 835: ...e of the bandwidth and they are rate limited to that amount Shaped traffic does not use more than the allocated bandwidth even if the link is idle Shaping provides a more even flow of traffic over time and reduces the peaks and valleys of bursty traffic With shaping the absolute value of each weight is used to compute the bandwidth available for the queues In shared mode the queues share the bandw...

Page 836: ...e the queue according to the SRR weights Send packet to the stack ring Drop packet Start Yes No Table 37 1 Ingress Queue Types Queue Type1 1 The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation Function Normal User traffic that is considered to be normal priority You can configure three different thresholds to differentiate among the flows...

Page 837: ...of space with which to divide the ingress buffers between the two queues by using the mls qos srr queue input buffers percentage1 percentage2 global configuration command The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped You allocate bandwidth as a percentage by using the mls qos srr queue input bandwidth weight1 ...

Page 838: ...ss Ports Each port supports four egress queues one of which queue 1 can be the egress expedite queue These queues are assigned to a queue set All traffic exiting the switch flows through one of these four queues and is subjected to a threshold based on the QoS label assigned to the packet 86694 Receive packet from the stack ring Read QoS label DSCP or CoS value Determine egress queue number and th...

Page 839: ...or a queue set by using the mls qos queue set output qset id threshold queue id drop threshold1 drop threshold2 reserved threshold maximum threshold global configuration command Each threshold value is a percentage of the queue s allocated memory which you specify by using the mls qos queue set output qset id buffers allocation1 allocation4 global configuration command The sum of all the allocated...

Page 840: ...onfiguration command For an explanation of the differences between shaping and sharing see the SRR Shaping and Sharing section on page 37 15 The buffer allocation together with the SRR weight ratios control how much data can be buffered and sent before packets are dropped The weight ratio is the ratio of the frequency in which the SRR scheduler sends packets from each queue All four queues partici...

Page 841: ...nfiguring Auto QoS You can use the auto QoS feature to simplify the deployment of QoS features Auto QoS determines the network design and enables QoS configurations so that the switch can prioritize different traffic flows It uses the ingress and egress queues instead of using the default disabled QoS behavior The switch offers best effort service to each packet regardless of the packet contents o...

Page 842: ...s in or out of profile and specifies the action on the packet VOIP Device Specifics When you enter the auto qos voip cisco phone command on a port at the network edge connected to a Cisco IP Phone the switch enables the trusted boundary feature If the packet does not have a DSCP value of 24 26 or 46 or is out of profile the switch changes the DSCP value to 0 When there is no Cisco IP Phone the ing...

Page 843: ...ues VoIP1 Data Traffic 1 VoIP voice over IP VoIP Control Traffic Routing Protocol Traffic STP BPDU Traffic Real Time Video Traffic All Other Traffic DSCP 46 24 26 48 56 34 CoS 5 3 6 7 3 CoS to Ingress Queue Map 4 5 queue 2 0 1 2 3 6 7 queue 1 CoS to Egress Queue Map 4 5 queue 1 2 3 6 7 queue 2 0 queue 3 2 queue 3 0 1 queue 4 Table 37 3 Auto QoS Configuration for the Ingress Queues Ingress Queue Qu...

Page 844: ...S occurs when A switch is booted with a 12 2 55 SE image and QoS is not enabled Any video or voice trust configuration on the interface automatically generates enhanced auto QoS commands A switch is enabled with QoS these guidelines take effect If you configure the interface for conditional trust on a voice device only the legacy auto QoS VoIP configuration is generated If you configure the interf...

Page 845: ...srr queue input cos map queue 2 threshold 3 3 5 Switch config no mls qos srr queue input cos map Switch config mls qos srr queue input cos map queue 1 threshold 2 3 Switch config mls qos srr queue input cos map queue 1 threshold 3 6 7 Switch config mls qos srr queue input cos map queue 2 threshold 1 4 The switch automatically maps CoS values to an egress queue and to a threshold ID Switch config n...

Page 846: ...ap queue 2 threshold 2 49 50 51 52 53 54 55 56 Switch config mls qos srr queue input dscp map queue 2 threshold 2 57 58 59 60 61 62 63 Switch config mls qos srr queue input dscp map queue 2 threshold 3 24 25 26 27 28 29 30 31 Switch config mls qos srr queue input dscp map queue 2 threshold 3 40 41 42 43 44 45 46 47 Switch config no mls qos srr queue input dscp map Switch config mls qos srr queue i...

Page 847: ...t dscp map queue 4 threshold 2 9 10 11 12 13 14 15 Switch config mls qos srr queue output dscp map queue 4 threshold 3 0 1 2 3 4 5 6 7 Switch config no mls qos srr queue output dscp map Switch config mls qos srr queue output dscp map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47 Switch config mls qos srr queue output dscp map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch config mls qos sr...

Page 848: ...uffers 67 33 Switch config no mls qos srr queue input priority queue 1 Switch config no mls qos srr queue input priority queue 2 Switch config mls qos srr queue input bandwidth 70 30 Switch config mls qos srr queue input threshold 1 80 90 Switch config mls qos srr queue input priority queue 2 bandwidth 30 The switch automatically configures the egress queue buffer sizes It configures the bandwidth...

Page 849: ... ip dscp ef Switch config class map match all AutoQoS VoIP Control Trust Switch config cmap match ip dscp cs3 af31 Switch config policy map AutoQoS Police CiscoPhone Switch config pmap class AutoQoS VoIP RTP Trust Switch config pmap c set dscp ef Switch config pmap c police 320000 8000 exceed action policed dscp transmit Switch config pmap class AutoQoS VoIP Control Trust Switch config pmap c set ...

Page 850: ...UTOQOS_DEFAULT_CLASS Switch config pmap c set dscp default Switch config if service policy input AUTOQOS SRND4 CLASSIFY POLICY If you entered the auto qos classify police command the switch automatically creates class maps and policy maps Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHAN...

Page 851: ...UTOQOS SRND4 CISCOPHONE POLICY This is the enhanced configuration for the auto qos voip cisco softphone command Switch config mls qos map policed dscp 0 10 18 to 8 Switch config mls qos map cos dscp 0 8 16 24 32 46 48 56 Switch config class map match all AUTOQOS_MULTIENHANCED_CONF_CLASS Switch config cmap match access group name AUTOQOS ACL MULTIENHANCED CONF Switch config class map match all AUTO...

Page 852: ... overridden by the generated commands These actions occur without warning If all the generated commands are successfully applied any user entered configuration that was not overridden remains in the running configuration Any user entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory If the generated commands are not ap...

Page 853: ... legacy auto qos voip commands are executed on the switch and the mls qos command is disabled the enhanced auto QoS configuration is generated Otherwise legacy auto QoS commands are executed Enabling Auto QoS For optimum QoS performance enable auto QoS on all the devices in your network Beginning in privileged EXEC mode follow these steps to enable auto QoS devices within a QoS domain Command Purp...

Page 854: ...CoS DSCP and IP precedence values in the packet are not changed Traffic is switched in pass through mode packets are switched without any rewrites and classified as best effort without any policing auto qos video cts ip camera or Enable auto QoS for a video device cts A port connected to a Cisco TelePresence system ip camera A port connected to an IP camera QoS labels of incoming packets are trust...

Page 855: ... about these commands see the command reference for this release Configuring Standard QoS Before configuring standard QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requireme...

Page 856: ... Queue Configuration section on page 37 36 and the Default Egress Queue Configuration section on page 37 37 Default Ingress Queue Configuration Table 37 6 shows the default ingress queue configuration when QoS is enabled Table 37 7 shows the default CoS input queue threshold map when QoS is enabled Table 37 8 shows the default DSCP input queue threshold map when QoS is enabled Table 37 6 Default I...

Page 857: ...ueue 2 Queue 3 Queue 4 Buffer allocation 25 percent 25 percent 25 percent 25 percent WTD drop threshold 1 100 percent 200 percent 100 percent 100 percent WTD drop threshold 2 100 percent 200 percent 100 percent 100 percent Reserved threshold 50 percent 50 percent 50 percent 50 percent Maximum threshold 400 percent 400 percent 400 percent 400 percent SRR shaped weights absolute 1 1 A shaped weight ...

Page 858: ...section on page 37 39 Configuring IPv6 QoS on Switch Stacks section on page 37 39 Policing Guidelines section on page 37 40 General QoS Guidelines section on page 37 40 QoS ACL Guidelines These are the guidelines with for configuring QoS with access control lists ACLs It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS IP fragments are sent as best effort IP...

Page 859: ...ic access port You cannot configure policers at the VLAN level of the hierarchical policy map The switch does not support aggregate policers in hierarchical policy maps After the hierarchical policy map is attached to an SVI the interface level policy map cannot be modified or removed from the hierarchical policy map A new interface level policy map also cannot be added to the hierarchical policy ...

Page 860: ...olicy map However you cannot use the aggregate policer across different policy maps On a port configured for QoS all traffic received through the port is classified policed and marked according to the policy map attached to the port On a trunk port configured for QoS traffic in all VLANs received through the port is classified policed and marked according to the policy map attached to the port If ...

Page 861: ... ports that are specified in the interface level of a hierarchical policy map on an SVI Use the no mls qos vlan based interface configuration command to disable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section...

Page 862: ... Interface page 37 43 Configuring a Trusted Boundary to Ensure Port Security page 37 44 Enabling DSCP Transparency Mode page 37 46 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 37 46 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the swit...

Page 863: ...nterface configuration mode Valid interfaces include physical ports Step 3 mls qos trust cos dscp ip precedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS ...

Page 864: ...ust the CoS labels of all traffic received on that port Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface co...

Page 865: ...one through the switch CLI to override the priority of the traffic received from the PC Beginning in privileged EXEC mode follow these steps to enable trusted boundary on a port To disable the trusted boundary feature use the no mls qos trust device interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP globally By defaul...

Page 866: ... switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency use the mls qos rewrite ip dscp global configuration command If you disable QoS by using the no mls qos global configuration command the CoS and DSCP values are not changed the default QoS setting If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparenc...

Page 867: ...p is a null map which maps an incoming DSCP value to the same DSCP value For dscp mutation name enter the mutation map name You can create more than one map by specifying a new name For in dscp enter up to eight DSCP values separated by spaces Then enter the to keyword For out dscp enter a single DSCP value The DSCP range is 0 to 63 Step 3 interface interface id Specify the port to be trusted and ...

Page 868: ...tation Switch config if end Configuring a QoS Policy Configuring a QoS policy typically requires classifying traffic into classes configuring policies applied to those traffic classes and attaching policies to ports For background information see the Classification section on page 37 5 and the Policing and Marking section on page 37 9 For configuration guidelines see the Standard QoS Configuration...

Page 869: ...ll other access implicitly denied Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Use the permit keyword to permit a certain type of tra...

Page 870: ... number The range is 100 to 199 and 2000 to 2699 Use the permit keyword to permit a certain type of traffic if the conditions are matched Use the deny keyword to deny a certain type of traffic if conditions are matched For protocol enter the name or number of an IP protocol Use the question mark to see a list of available protocol keywords For source enter the network or host from which the packet...

Page 871: ...Beginning in privileged EXEC mode follow these steps to create an IPv6 ACL for IP traffic Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 access list access list name Create an IPv6 ACL and enter IPv6 access list configuration mode Access list names cannot contain a space or quotation mark or begin with a numeric ...

Page 872: ...cified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix pre...

Page 873: ... to extended MAC ACL configuration Step 3 permit deny host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Specify the type of traffic to permit or deny if the conditions are matched entering the command as many times as necessary For src MAC addr enter the MAC address of the host from which the packet is being sent You specify this by using the hexadecimal format H H H by usin...

Page 874: ...plicitly denied Classifying Traffic by Using Class Maps You use the class map global configuration command to name and to isolate a specific traffic flow or class from all other traffic The class map defines the criteria to use to match against a specific traffic flow to further classify it Match statements can include criteria such as an ACL IP precedence values or DSCP values The match criterion...

Page 875: ...P traffic or a Layer 2 MAC ACL for non IP traffic repeating the command as many times as necessary For more information see the Classifying Traffic by Using ACLs section on page 37 49 Note When creating an access list remember that by default the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end Step 3 class map match all m...

Page 876: ...nd Note This command is available only when the dual IPv4 and IPv6 SDM template is configured You can use the match protocol command with the match ip dscp or match precedence commands but not with the match access group command For more information about the match protocol command see the Cisco IOS Quality of Service Solutions Command Reference Step 5 match access group acl index or name ip dscp ...

Page 877: ...use the match protocol command with the ip keyword To apply the primary match criteria to only IPv6 traffic use the match protocol command with the ipv6 keyword For more information about the match protocol command see the Cisco IOS Quality of Service Solutions Command Reference Beginning in privileged EXEC mode follow these steps to create a class map define the match criterion to classify traffi...

Page 878: ...icy input pm1 This example shows how to configure a class map that applies to both IPv4 and IPv6 traffic Switch config ip access list 101 permit ip any any Switch config ipv6 access list ipv6 any permit ip any any Switch config class map cm 1 Switch config cmap match access group 101 Switch config cmap exit Switch config class map cm 2 Switch config cmap match access group name ipv6 any Switch con...

Page 879: ...ing the mls qos map ip prec dscp dscp1 dscp8 global configuration command the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value In a policy map if you set the packet IP precedence value to a new value by using the set ip precedence new precedence policy map class configuration command the egress DSCP value is not affected by the IP precedence t...

Page 880: ...d per class map is supported the match all and match any keywords function the same See the Creating Named Standard and Extended ACLs section on page 35 15 for limitations when using the match all and the match any keywords Step 3 policy map policy map name Creates a policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined The default...

Page 881: ...d CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 37 75 Step 6 set dscp new dscp ip precedence new precedence Classifies IP traffic by setting a new value in the packet For dscp new dscp enter a ...

Page 882: ...witch config pmap c police 1000000 8000 exceed action policed dscp transmit Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet2 0 1 Switch config if service policy input flow1t This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port The first permit statement allows traffic from the host with MAC address ...

Page 883: ...ap class cm 2 Switch config pmap c set dscp 6 Switch config pmap c exit Switch config pmap class class default Switch config pmap c set dscp 10 Switch config pmap c exit Switch config pmap exit Switch config interface G0 1 Switch config if switch mode access Switch config if service policy input pm1 Classifying Policing and Marking Traffic on SVIs by Using Hierarchical Policy Maps You can configur...

Page 884: ...er the set ip dscp command this setting appears as set dscp in the switch configuration You can use the set ip precedence or the set precedence policy map class configuration command to change the packet IP precedence value This setting appears as set ip precedence in the switch configuration If VLAN based QoS is enabled the hierarchical policy map supersedes the previously configured port based p...

Page 885: ...fic that does not meet the match criteria specified in the traffic classes is treated as default traffic class class default Beginning in privileged EXEC mode follow these steps to create a hierarchical policy map Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 class map match all match any class map name Creates a VLAN level class map and enter class map configur...

Page 886: ...e list enter a list of up to eight IP precedence values to match against incoming packets Separate each value with a space The range is 0 to 7 Step 4 match protocol ip ipv6 Optional Specifies the IP protocol to which the class map applies Use the argument ip to specify IPv4 traffic and ipv6 to specify IPv6 traffic When you use the match protocol command only the match all keyword is supported for ...

Page 887: ...itations when using the match all and the match any keywords Step 8 match input interface interface id list Specifies the physical ports on which the interface level class map acts You can specify up to six ports as follows A single port counts as one entry A list of ports separated by a space each port counts as an entry A range of ports separated by a hyphen counts as two entries This command ca...

Page 888: ... the Policed DSCP Map section on page 37 77 Step 14 exit Returns to policy map configuration mode Step 15 exit Returns to global configuration mode Step 16 policy map policy map name Creates a VLAN level policy map by entering the policy map name and enter policy map configuration mode By default no policy maps are defined The default behavior of a policy map is to set the DSCP to 0 if the packet ...

Page 889: ...om the ingress packet and the IP precedence to DSCP map For non IP packets that are tagged QoS derives the DSCP value by using the received CoS value for non IP packets that are untagged QoS derives the DSCP value by using the default port CoS value In either case the DSCP value is derived from the CoS to DSCP map For more information see the Configuring the CoS to DSCP Map section on page 37 75 S...

Page 890: ...input policy map name interface configuration command This example shows how to create a hierarchical policy map Switch enable Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config access list 101 permit ip any any Switch config class map cm 1 Switch config cmap match access 101 Switch config cmap exit Switch config exit Switch Switch Step 24 service pol...

Page 891: ... 10 Switch config pmap c service policy port plcmap 1 Switch config pmap exit Switch config pmap class cm 3 Switch config pmap c set dscp 20 Switch config pmap c service policy port plcmap 2 Switch config pmap exit Switch config pmap class cm 4 Switch config pmap c trust dscp Switch config pmap exit Switch config interface vlan 10 Switch config if service input vlan plcmap Switch config if exit Sw...

Page 892: ...p class cm 3 Switch config pmap c set dscp 4 Switch config pmap c exit Switch config pmap class cm 4 Switch config pmap c trust cos Switch config pmap c exit Switch config pmap exit This example shows how the default traffic class is automatically placed at the end of policy map pm3 even though class default was configured first Switch show policy map pm3 Policy Map pm3 Class cm 3 set dscp 4 Class...

Page 893: ...re information see the Configuring the Policed DSCP Map section on page 37 77 Step 3 class map match all match any class map name Creates a class map to classify traffic as necessary For more information see the Classifying Traffic by Using Class Maps section on page 37 54 and the Creating Named Standard and Extended ACLs section on page 35 15 Step 4 policy map policy map name Creates a policy map...

Page 894: ...he policy map is attached to an ingress port Switch config access list 1 permit 10 1 0 0 0 0 255 255 Switch config access list 2 permit 11 3 1 1 Switch config mls qos aggregate police transmit1 48000 8000 exceed action policed dscp transmit Switch config class map ipclass1 Switch config cmap match access group 1 Switch config cmap exit Switch config class map ipclass2 Switch config cmap match acce...

Page 895: ...lobally defined and are applied to all ports Configuring the CoS to DSCP Map You use the CoS to DSCP map to map CoS values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic Table 37 12 shows the default CoS to DSCP map If these values are not appropriate for your network you need to modify them Beginning in privileged EXEC mode follow these steps...

Page 896: ... Table 37 13 shows the default IP precedence to DSCP map If these values are not appropriate for your network you need to modify them Beginning in privileged EXEC mode follow these steps to modify the IP precedence to DSCP map This procedure is optional Step 4 show mls qos maps cos dscp Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration fi...

Page 897: ... DSCP value to the same DSCP value Beginning in privileged EXEC mode follow these steps to modify the policed DSCP map This procedure is optional To return to the default map use the no mls qos policed dscp global configuration command Step 4 show mls qos maps ip prec dscp Verify your entries Step 5 copy running config startup config Optional Save your entries in the configuration file Command Pur...

Page 898: ... 6 60 61 62 63 Note In this policed DSCP map the marked down DSCP values are shown in the body of the matrix The d1 column specifies the most significant digit of the original DSCP the d2 row specifies the least significant digit of the original DSCP The intersection of the d1 and d2 values provides the marked down value For example an original DSCP value of 53 corresponds to a marked down DSCP va...

Page 899: ...CP to CoS map a DSCP value of 08 corresponds to a CoS value of 0 Configuring the DSCP to DSCP Mutation Map If two QoS domains have different DSCP definitions use the DSCP to DSCP mutation map to translate one set of DSCP values to match the definition of another domain You apply the DSCP to DSCP mutation map to the receiving port ingress mutation at the boundary of a QoS administrative domain With...

Page 900: ...0 00 00 00 00 00 00 00 00 10 10 1 10 10 10 10 14 15 16 17 18 19 2 20 20 20 23 24 25 26 27 28 29 3 30 30 30 30 30 35 36 37 38 39 4 40 41 42 43 44 45 46 47 48 49 5 50 51 52 53 54 55 56 57 58 59 6 60 61 62 63 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos map dscp mutation dscp mutation name in dscp to out dscp Modify the DSCP to DSCP mutation map For dscp mu...

Page 901: ...ou might need to perform all of the tasks in the next sections You will need to make decisions about these characteristics Which packets are assigned by DSCP or CoS value to each queue What drop percentage thresholds apply to each queue and which CoS or DSCP values map to each threshold How much of the available buffer space is allocated between the queues How much of the available bandwidth is al...

Page 902: ...are mapped to queue 1 and threshold 1 CoS value 5 is mapped to queue 2 and threshold 1 For queue id the range is 1 to 2 For threshold id the range is 1 to 3 The drop threshold percentage for threshold 3 is predefined It is set to the queue full state For dscp1 dscp8 enter up to eight values and separate each value with a space The range is 0 to 63 For cos1 cos8 enter up to eight values and separat...

Page 903: ...n to the default setting use the no mls qos srr queue input buffers global configuration command This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2 Switch config mls qos srr queue input buffers 60 40 Allocating Bandwidth Between the Ingress Queues You need to specify how much of the available bandwidth is alloc...

Page 904: ...rd in the mls qos srr queue input priority queue queue id bandwidth weight global configuration command Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr queue input bandwidth weight1 weight2 global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls q...

Page 905: ...in the next sections You will need to make decisions about these characteristics Which packets are mapped by DSCP or CoS value to each queue and threshold ID What drop percentage thresholds apply to the queue set four egress queues per port and how much reserved and maximum memory is needed for the traffic type How much of the fixed buffer space is allocated to the queue set Does the bandwidth of ...

Page 906: ...dite queue is disabled and the SRR shaped and shared weights are configured the shaped mode overrides the shared mode for queue 1 and SRR services this queue in shaped mode If the egress expedite queue is disabled and the SRR shaped weights are not configured SRR services this queue in shared mode Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set You can guarantee the a...

Page 907: ...Configure the WTD thresholds guarantee the availability of buffers and configure the maximum memory allocation for the queue set four egress queues per port By default the WTD thresholds for queues 1 3 and 4 are set to 100 percent The thresholds for queue 2 are set to 200 percent The reserved thresholds for queues 1 2 3 and 4 are set to 50 percent The maximum thresholds for all queues are set to 4...

Page 908: ...ent as the maximum memory that this queue can have before packets are dropped Switch config mls qos queue set output 2 buffers 40 20 20 20 Switch config mls qos queue set output 2 threshold 2 40 60 100 200 Switch config interface gigabitethernet1 0 1 Switch config if queue set 2 Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID You can prioritize traffic by placing packets with p...

Page 909: ...d to queue 4 and threshold 1 DSCP values 40 47 are mapped to queue 1 and threshold 1 By default CoS values 0 and 1 are mapped to queue 2 and threshold 1 CoS values 2 and 3 are mapped to queue 3 and threshold 1 CoS values 4 6 and 7 are mapped to queue 4 and threshold 1 CoS value 5 is mapped to queue 1 and threshold 1 For queue id the range is 1 to 4 For threshold id the range is 1 to 3 The drop thr...

Page 910: ...s 1 8 which is 12 5 percent Switch config interface gigabitethernet2 0 1 Switch config if srr queue bandwidth shape 8 0 0 0 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port of the outbound traffic and enter interface configuration mode Step 3 srr queue bandwidth shape weight1 weight2 weight3 weight4 Assign SRR weights to the e...

Page 911: ...is example shows how to configure the weight ratio of the SRR scheduler running on an egress port Four queues are used and the bandwidth ratio allocated for each queue in shared mode is 1 1 2 3 4 2 1 2 3 4 3 1 2 3 4 and 4 1 2 3 4 which is 10 percent 20 percent 30 percent and 40 percent for queues 1 2 3 and 4 This means that queue 4 has four times the bandwidth of queue 1 twice the bandwidth of que...

Page 912: ... Bandwidth on an Egress Interface You can limit the bandwidth on an egress port For example if a customer pays only for a small percentage of a high speed link you can limit the bandwidth to that amount Note The egress queue default settings are suitable for most situations You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet you...

Page 913: ...XEC commands in Table 37 15 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be rate limited and enter interface configuration mode Step 3 srr queue bandwidth limit weight1 Specify the percentage of the port speed to which the port should be limited The range is 10 to 90 By default the port is not rate limited and is set to...

Page 914: ...w mls qos vlan vlan id Display the policy maps attached to the specified SVI show policy map policy map name class class map name Display QoS policy maps which define classification criteria for incoming traffic Note Do not use the show policy map interface privileged EXEC command to display classification information for incoming traffic The control plane and interface keywords are not supported ...

Page 915: ...g links in the channel without intervention This chapter also describes how to configure link state tracking Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release This chapter consists of these sections Understanding EtherChannels page...

Page 916: ...th ends of the EtherChannel in the same mode When you configure one end of an EtherChannel in either PAgP or LACP mode the system negotiates with the other end of the channel to determine which ports should become active If the remote port cannot negotiate an EtherChannel the local port is put into an independent state and continues to carry data traffic as would any other single link The port con...

Page 917: ... Tracking Understanding EtherChannels Figure 38 2 Single Switch EtherChannel Figure 38 3 Cross Stack EtherChannel Switch 1 Blade switch stack Switch 2 Channel group 1 Channel group 2 StackWise Plus port connections Switch 3 Switch A 201782 Switch 1 Blade switch stack Switch 2 Channel group 1 StackWise Plus port connections Switch 3 Switch A 201783 ...

Page 918: ...l configuration command followed by the no switchport interface configuration command Then you manually assign an interface to the EtherChannel by using the channel group interface configuration command For both Layer 2 and Layer 3 ports the channel group command binds the physical port and the logical interface together as shown in Figure 38 4 Each EtherChannel has a port channel logical interfac...

Page 919: ...artner ports configured in the auto or desirable modes Ports configured in the on mode do not exchange PAgP packets Both the auto and desirable modes enable ports to negotiate with partner ports to form an EtherChannel based on criteria such as port speed and for Layer 2 EtherChannels trunking state and VLAN numbers Ports can form an EtherChannel when they are in different PAgP modes as long as th...

Page 920: ...tch fails or resets the standby switch takes over as the active switch If the VSL goes down one core switch knows the status of the other and does not change state PAgP Interaction with Other Features The Dynamic Trunking Protocol DTP and the Cisco Discovery Protocol CDP send and receive packets over the physical ports in the EtherChannel Trunk ports send and receive PAgP protocol data units PDUs ...

Page 921: ...f this port is removed from the bundle one of the remaining ports in the bundle provides its MAC address to the EtherChannel For Layer 3 EtherChannels the MAC address is allocated by the stack master as soon as the interface is created through the interface port channel global configuration command LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active o...

Page 922: ...f load distribution can be used if it is not clear whether source MAC or destination MAC address forwarding is better suited on a particular switch With source and destination MAC address forwarding packets sent from host A to host B host A to host C and host C to host B could all use different ports in the channel With source IP address based forwarding when packets are forwarded to an EtherChann...

Page 923: ...cks If a stack member that has ports participating in an EtherChannel fails or leaves the stack the stack master removes the failed stack member switch ports from the EtherChannel The remaining ports of the EtherChannel if any continue to provide connectivity When a switch is added to an existing stack the new switch receives the running configuration from the stack master and updates itself with ...

Page 924: ...h Stacks Configuring EtherChannels These sections contain this configuration information Default EtherChannel Configuration page 38 10 EtherChannel Configuration Guidelines page 38 11 Configuring Layer 2 EtherChannels page 38 12 required Configuring Layer 3 EtherChannels page 38 15 required Configuring EtherChannel Load Balancing page 38 18 optional Configuring the PAgP Learn Method and Priority p...

Page 925: ...e parameters you must also make the changes to all ports in the group Allowed VLAN list Spanning tree path cost for each VLAN Spanning tree port priority for each VLAN Spanning tree Port Fast setting Do not configure a port to be a member of more than one EtherChannel group Do not configure an EtherChannel in both the PAgP and LACP modes EtherChannel groups running PAgP and LACP can coexist on the...

Page 926: ...the auto or desirable mode Ports with different spanning tree path costs can form an EtherChannel if they are otherwise compatibly configured Setting different spanning tree path costs does not by itself make ports incompatible for the formation of an EtherChannel For Layer 3 EtherChannels assign the Layer 3 address to the port channel logical interface not to the physical ports in the channel For...

Page 927: ...e id Specify a physical port and enter interface configuration mode Valid interfaces include physical ports For a PAgP EtherChannel you can configure up to eight ports of the same type and speed for the same group For a LACP EtherChannel you can configure up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode Step 3 switchport mode acc...

Page 928: ...itch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent ...

Page 929: ...EtherChannel It uses LACP passive mode and assigns two ports on stack member 2 and one port on stack member 3 as static access ports in VLAN 10 to channel 5 Switch configure terminal Switch config interface range gigabitethernet2 0 4 5 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if r...

Page 930: ...hannel logical interface and enter interface configuration mode For port channel number the range is 1 to 64 Step 3 no switchport Put the interface into Layer 3 mode Step 4 ip address ip address mask Assign an IP address and subnet mask to the EtherChannel Step 5 end Return to privileged EXEC mode Step 6 show etherchannel channel group number detail Verify your entries Step 7 copy running config s...

Page 931: ...erent switches in the switch stack on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do...

Page 932: ...if no switchport Switch config if channel group 7 mode active Switch config if exit Configuring EtherChannel Load Balancing This section describes how to configure EtherChannel load balancing by using source based or destination based forwarding methods For more information see the Load Balancing and Forwarding Methods section on page 38 8 Beginning in privileged EXEC mode follow these steps to co...

Page 933: ...figure a single port within the group for all transmissions and use other ports for hot standby The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The h...

Page 934: ...inal Enter global configuration mode Step 2 interface interface id Specify the port for transmission and enter interface configuration mode Step 3 pagp learn method physical port Select the PAgP learning method By default aggregation port learning is selected which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not impo...

Page 935: ...ity and the LACP port priority to affect how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 38 21 and the Configuring the LACP Port Priority section on page 38 22 Configuring the LACP System Priority You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system prio...

Page 936: ... system might have more restrictive hardware limitations all the ports that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp por...

Page 937: ...38 6 on page 38 24 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group An interface can be an aggregation of ports an EtherChannel a single physical port in access or trunk mode or a routed port In a link state group these interfaces are bundled together The downstream inter...

Page 938: ... all the blade servers to distribution switch 2 through port channel 2 The blade servers can choose which Ethernet server interfaces are active To balance the network traffic flow some Ethernet interfaces in link state group 1 and some Ethernet interfaces in link state group 2 are active For example when half of the Ethernet server interfaces connected to blade switch 1 are active and the remainin...

Page 939: ...nfigured link state tracking is disabled and the upstream interfaces lose connectivity the link states of the downstream interfaces remain unchanged The server does not recognize that upstream connectivity has been lost and does not failover to the secondary interface You can recover a downstream interface link down condition by removing the failed downstream port from the link state group To reco...

Page 940: ...el 1 Switch config if link state group 1 upstream Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link state tracking For nonstacking capable switches the group number can be 1 to 2 For stacking capable switches the group number can be 1 to 10 The default is 1 Step 3 interface interfa...

Page 941: ...without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link sta...

Page 942: ...38 28 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 38 Configuring EtherChannels and Link State Tracking Configuring Link State Tracking ...

Page 943: ...nformation about configuring IPv6 on the switch see Chapter 40 Configuring IPv6 Unicast Routing For more detailed IP unicast configuration information see the Cisco IOS IP Configuration Guide Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Configuration Guides For complete syntax and usage information for the commands used in this chapter see these command...

Page 944: ...r 3 device router to route traffic between the VLAN referred to as inter VLAN routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 39 1 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VLAN 20 The router has an interface in each VLAN Figure 39 1 Routing Topology Example When Host A in VLAN 10 needs to communicate with Host B ...

Page 945: ...protocols Distance vector protocols supported by the switch use Routing Information Protocol RIP a single distance metric cost that determines the best path and Border Gateway Protocol BGP which adds a path vector mechanism The switch also supports the Open Shortest Path First OSPF link state protocol and Enhanced IGRP EIGRP which adds some link state routing features to traditional Interior Gatew...

Page 946: ...itch stack supports NSF capable routing for OSPF and EIGRP For more information see the OSPF NSF Capability section on page 39 31 and the EIGRP NSF Capability section on page 39 42 Upon election the new stack master performs these functions It starts generating receiving and processing routing updates It builds routing tables generates the CEF database and distributes it to stack members It uses i...

Page 947: ... routing will occur must have IP addresses assigned to them See the Assigning IP Addresses to Network Interfaces section on page 39 7 A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implement...

Page 948: ...hernet style ARP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is...

Page 949: ...se the all ones subnet 131 108 255 0 and even though we discourage this practice you can enable the subnet zero if you need the entire subnet space for your IP address Beginning in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and to disable the use of subnet zero Command Purpose Step 1 configure terminal...

Page 950: ... the pressure on the rapidly depleting Class B address space In Figure 39 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 39 ...

Page 951: ...l segment or LAN and a network address which identifies the network to which the device belongs Note In a switch stack network communication uses a single MAC address and the IP address of the stack The local address or the MAC address is known as a data link address because it is contained in the data link layer Layer 2 section of the packet header and is read by data link Layer 2 devices To comm...

Page 952: ...the router interface Use the ip rarp server address interface configuration command to identify the server For more information on RARP see the Cisco IOS Configuration Fundamentals Configuration Guide Release 12 2 under Documentation Cisco IOS Software 12 2 Mainline Configuration Guides from the Cisco com page You can perform these tasks to configure address resolution Define a Static ARP Cache pa...

Page 953: ...ter interface configuration mode and specify the interface to configure Step 5 arp timeout seconds Optional Set the length of time that an ARP cache entry stays in the cache The range is 0 to 2147483 seconds The default is 14400 seconds 4 hours Step 6 end Return to privileged EXEC mode Step 7 show interfaces interface id Verify the type of ARP and the timeout value used on all interfaces or on a s...

Page 954: ...t If it does it sends an ARP reply packet with its own Ethernet MAC address The host that sent the request then sends the packet to the switch which forwards it to the intended host Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see the Enable Proxy ARP section on page 39 12 P...

Page 955: ...time out because of excessive retransmissions The only required task for IRDP routing on an interface is to enable IRDP processing on that interface When enabled the default parameters apply You can change any of these parameters Beginning in privileged EXEC mode follow these steps to enable and configure IRDP on an interface Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 956: ...g intelligent bridges because they are Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most IP implementations you can set the broadcast address Many implementations including the one in the switch support several addressing schemes for forwardin...

Page 957: ...roadcasts Use the no ip forward protocol global configuration command to remove a protocol or a port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the interface to configure Step 3 ip directed broadcast access list number Enable directed broadcast to physical broadcast translation on the interf...

Page 958: ...ny UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring the router to act as a BOOTP forwarding agent BOOTP packets carry DHCP information Beginning in privileged EXEC mode follow these steps to enable forwarding of UDP broadcast packets on an interface and to specify the destination address Use the no ip helper address interface con...

Page 959: ...sing IP helper addresses The packet must be a MAC level broadcast The packet must be an IP level broadcast The packet must be a TFTP DNS Time NetBIOS Network Disk or BOOTP packet or a UDP specified by the ip forward protocol udp global configuration command The time to live TTL value of the packet must be at least 2 A flooded UDP datagram is given the destination address specified with the ip broa...

Page 960: ...ache table or database have become or are suspected to be invalid you can remove all its contents by using the clear privileged EXEC commands Table 39 2 lists the commands for clearing contents Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip forward protocol spanning tree Use the bridging spanning tree database to flood UDP datagrams Step 3 end Return to privile...

Page 961: ... aliases Display IP addresses mapped to TCP ports aliases show ip arp Display the IP ARP cache show ip interface interface id Display the IP status of interfaces show ip irdp Display IRDP values show ip masks address Display the masks used for network addresses and the number of subnets using each mask show ip redirects Display the address of a default gateway show ip route address mask protocol D...

Page 962: ...outing protocol supported by the IP base feature set other routing protocols require the switch or the stack master to be running the IP services feature set Using RIP the switch sends routing information updates advertisements every 30 seconds If a router does not receive an update from another router for 180 seconds or more it marks the routes served by that router as unusable If there is still ...

Page 963: ... summary Enabled Default information originate Disabled Default metric Built in automatic metric translations IP RIP authentication key chain No authentication Authentication mode clear text IP RIP receive version According to the version router configuration command IP RIP send version According to the version router configuration command IP RIP triggered According to the version router configura...

Page 964: ... networks Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to routes learned through RIP You can limit the offset list with an access list or an interface Step 7 timers basic update invalid holddown flush Optional Adjust routing protocol timers Valid ranges for all timers are 0 to 4294967...

Page 965: ...s of incoming RIP routing updates By default the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid Under normal circumstances we do not recommend that you disable this feature However if you have a router that is off network and you want to receive its updates you can use this command Step 11 output delay delay Optiona...

Page 966: ...n interface to advertise a summarized local IP address and to disable split horizon on the interface To disable IP summarization use the no ip summary address rip router configuration command In this example the major net is 10 0 0 0 The summary address of 10 2 0 0 overrides the autosummary address of 10 0 0 0 so that 10 2 0 0 is advertised from interface Gigabit Ethernet port 2 and 10 0 0 0 is no...

Page 967: ... that your application requires it to properly advertise routes Beginning in privileged EXEC mode follow these steps to disable split horizon on the interface To enable the split horizon mechanism use the ip split horizon interface configuration command Configuring OSPF This section briefly describes how to configure Open Shortest Path First OSPF For a complete description of the OSPF commands see...

Page 968: ...er 39 Configuring IP Unicast Routing Configuring OSPF OSPF is an Interior Gateway Protocol IGP designed expressly for IP networks supporting IP subnetting and tagging of externally derived routing information OSPF also allows packet authentication and uses IP multicast when sending and receiving packets ...

Page 969: ...ransmit delay router priority router dead and hello intervals and authentication key Virtual links are supported Not so stubby areas NSSAs per RFC 1587are supported OSPF typically requires coordination among many internal routers area border routers ABRs connected to multiple areas and autonomous system boundary routers ASBRs The minimum configuration would use all default parameter values no auth...

Page 970: ...ult information originate Disabled When enabled the default metric setting is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 dist3 routes from other routing domains 110 OSPF database filter Disabled All outgo...

Page 971: ...ortest path first spf spf delay 5 seconds spf holdtime 10 seconds Virtual link No area ID or router ID defined Hello interval 10 seconds Resend interval 5 seconds Send delay 1 second Dead interval 40 seconds Authentication key no key predefined Message digest key MD5 no key predefined 1 NSF nonstop forwarding 2 OSPF NSF awareness is enabled for IPv4 on switches running the IP services feature set ...

Page 972: ...e wiring closet switch need not hold a complete routing table A best practice design where the distribution switch sends a default route to the wiring closet switch to reach interarea and external routes OSPF stub or totally stub area configuration should be used when OSPF for Routed Access is used in the wiring closet For more details perform a Google search on High Availability Campus Network De...

Page 973: ...rs and routing information is exchanged between the OSPF neighbors The new stack master uses this routing information to remove stale routes to update the routing information database RIB and to update the forwarding information base FIB with the new information The OSPF protocols then fully converge Note OSPF NSF requires that all neighbor networking devices be NSF aware If an NSF capable router ...

Page 974: ...ices are detected Optional Enable IETF NSF operations for OSPF The restart interval keyword specifies the length of the graceful restart interval in seconds The range is from 1 to 1800 The default is 120 Step 4 network address wildcard mask area area id Define an interface on which OSPF runs and the area ID for that interface You can use the wildcard mask to use a single command to define more tha...

Page 975: ...conds Optional Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down The value must be the same for all nodes on a network The range is 1 to 65535 seconds The default is 4 times the hello interval Step 9 ip ospf authentication key key Optional Assign a password to be used by neighboring OSPF routers The password can be any str...

Page 976: ...Optional Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stub area Step 6 area area id nssa no redistribution default information originate no summary Optional Defines an area as a NSSA Every router within the same area must agree that the area i...

Page 977: ...s calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is specified by the bandwidth interface configuration command For multiple links with high bandwidth you can specify a larger number to differentiate the cost on those links Administrative distance is a rating of the trustworthiness of a routing information source an integer between 0 and 255 with a higher valu...

Page 978: ...into the OSPF routing domain Parameters are all optional Step 6 ip ospf name lookup Optional Configure DNS name lookup The default is disabled Step 7 ip auto cost reference bandwidth ref bw Optional Specify an address range for which a single route is advertised Use this command only with area border routers Step 8 distance ospf inter area dist1 inter area dist2 external dist3 Optional Change the ...

Page 979: ...erface over other interfaces and it chooses the highest IP address among all loopback interfaces Beginning in privileged EXEC mode follow these steps to configure a loopback interface Use the no interface loopback 0 global configuration command to disable the loopback interface Step 3 timers lsa group pacing seconds Change the group pacing of LSAs Step 4 end Return to privileged EXEC mode Step 5 s...

Page 980: ... as IGRP however the convergence properties and the operating efficiency of EIGRP are significantly improved The convergence technology employs an algorithm referred to as the diffusing update algorithm DUAL which guarantees loop free operation at every instant throughout a route computation All devices involved in a topology change can synchronize at the same time Routers that are not affected by...

Page 981: ...traversed 15 routers and the next hop to the destination was learned through EIGRP When a RIP route is used as the next hop to the destination the transport control field increments as usual EIGRP offers these features Fast convergence Incremental updates when the state of a destination changes rather than sending the entire contents of the routing table minimizing the bandwidth required for EIGRP...

Page 982: ...r all route computations It tracks all routes advertised by all neighbors DUAL uses the distance information known as a metric to select efficient loop free paths DUAL selects routes to be inserted into a routing table based on feasible successors A successor is a neighboring router used for packet forwarding that has a least cost path to a destination that is guaranteed not to be part of a routin...

Page 983: ...n 0 and 255 255 is 100 percent loading MTU maximum transmission unit size of the route in bytes 0 or any positive integer Distance Internal distance 90 External distance 170 EIGRP log neighbor changes Disabled No adjacency changes logged IP authentication key chain No authentication provided IP authentication mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low...

Page 984: ...s feature cannot be disabled For more information on this feature see the EIGRP Nonstop Forwarding NSF Awareness section of the Cisco IOS IP Routing Protocols Configuration Guide Release 12 4 EIGRP NSF Capability Beginning with Cisco IOS Release 12 2 58 SE the switch supports EIGRP Cisco NSF routing to speed up convergence and eliminate traffic loss following a stack master change For details abou...

Page 985: ...e command reference for this release for information about the nsf command Configuring Basic EIGRP Parameters Beginning in privileged EXEC mode follow these steps to configure EIGRP Configuring the routing process is required other steps are optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router eigrp autonomous system Enable an EIGRP routing process and e...

Page 986: ... interface The default is 50 percent Step 4 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled Step 5 ip hello interval eigrp autonomous system number seconds Optional Change the hello time interval for an EIGRP routing process The range is 1 to 65535 seconds The de...

Page 987: ...t Return to global configuration mode Step 6 key chain name of chain Identify a key chain and enter key chain configuration mode Match the name configured in Step 4 Step 7 key number In key chain configuration mode identify the key number Step 8 key string text In key chain key configuration mode identify the key string Step 9 accept lifetime start time infinite end time duration seconds Optional ...

Page 988: ... stub Only specified routes are propagated from the switch The switch responds to all queries for summaries connected routes and routing updates Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that peer The stub router depends on the distribution router to send the proper updates to a...

Page 989: ...dix B Unsupported Commands in Cisco IOS Release 12 2 58 SE Routers belonging to the same autonomous system and exchanging BGP updates run internal BGP IBGP Routers belonging to different autonomous systems and exchanging BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between au...

Page 990: ...d AS 300 BGP peers first exchange their full BGP routing tables and then send only incremental updates BGP peers also exchange keepalive messages to ensure that the connection is up and notification messages in response to errors or special conditions In BGP each route consists of a network number a list of autonomous systems that information has passed through the autonomous system path and a lis...

Page 991: ...lt BGP Configuration Feature Default Setting Aggregate address Disabled None defined Autonomous system path access list None defined Auto summary Enabled Best path The router considers as path in choosing a route and does not compare similar routes from external BGP peers Compare router ID Disabled BGP community list Number None defined When you permit a value for the community number the list def...

Page 992: ...omparison is disabled Neighbor Advertisement interval 30 seconds for external peers 5 seconds for internal peers Change logging Enabled Conditional advertisement Disabled Default originate No default route is sent to the neighbor Description None Distribute list None defined External BGP multihop Only directly connected neighbors are allowed Filter list None used Maximum number of prefixes receive...

Page 993: ...ckets from a neighboring NSF capable router during hardware or software changes Route reflector None configured Synchronization BGP and IGP Enabled Table map update Disabled Timers Keepalive 60 seconds holdtime 180 seconds 1 NSF nonstop forwarding 2 NSF awareness can be enabled for IPv4 on switches with the IP services feature set by enabling graceful restart Table 39 9 Default BGP Configuration c...

Page 994: ...d given to systems whose routes are not advertised to external neighbors The private autonomous system numbers are from 64512 to 65535 You can configure external neighbors to remove private autonomous system numbers from the autonomous system path by using the neighbor remove private as router configuration command Then when an update is passed to an external neighbor if the autonomous system path...

Page 995: ...ional Remove private autonomous system numbers from the autonomous system path in outbound routing updates Step 7 no synchronization Optional Disable synchronization between BGP and an IGP Step 8 no auto summary Optional Disable automatic network summarization By default when a subnet is redistributed from an IGP into BGP only the network route is inserted into the BGP table Step 9 bgp fast extern...

Page 996: ...leged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors BGP neighbor is 129 213 1 1 remote AS 200 external link BGP version 4 remote router ID 175 220 212 1 BGP state established table version 3 up for 0 10 59 Last read 0 00 29 hold time is 180 keepalive interval is 60 seconds Minimum time between advertisement runs is 30 seconds Received 2828 messages 0 noti...

Page 997: ...nbound reset causes the new inbound policy to take effect A soft outbound reset causes the new local outbound policy to take effect without resetting the BGP session As a new set of updates is sent during outbound policy reset a new inbound policy can also take effect Table 39 10 lists the advantages and disadvantages hard reset and soft reset Beginning in privileged EXEC mode follow these steps t...

Page 998: ...ght a Cisco proprietary parameter The weight attribute is local to the router and not propagated in routing updates By default the weight attribute is 32768 for paths that the router originates and zero for other paths Routes with the largest weight are preferred You can use access lists route maps or the neighbor weight router configuration command to set weights 3 Prefer the route with the highe...

Page 999: ...cting a route Step 4 neighbor ip address peer group name next hop self Optional Disable next hop processing on BGP updates to a neighbor by entering a specific IP address to be used instead of the next hop address Step 5 neighbor ip address peer group name weight weight Optional Assign a weight to a neighbor connection Values are from 0 to 65535 the largest weight is the preferred route Routes lea...

Page 1000: ...e default is to only enter the best path in the routing table The range is from 1 to 16 Having multiple paths allows load balancing among the paths Although the switch software allows a maximum of 32 equal cost routes the switch hardware never uses more than 16 paths per route Step 13 end Return to privileged EXEC mode Step 14 show ip bgp show ip bgp neighbors Verify the reset by reviewing routing...

Page 1001: ...community based matching requires the match community list route map command and network based matching requires the ip access list global configuration command Beginning in privileged EXEC mode follow these steps to apply a per neighbor route map Use the no neighbor distribute list command to remove the access list from the neighbor Use the no neighbor route map map tag router configuration comma...

Page 1002: ...prefix is permitted or denied is based upon these rules An empty prefix list permits all prefixes An implicit deny is assumed if a prefix does not match any entries in a prefix list When multiple entries of a prefix list match a prefix the sequence number of a prefix list entry identifies the entry with the lowest sequence number By default sequence numbers are generated automatically and incremen...

Page 1003: ...belongs By default all destinations belong to the general Internet community The community is identified by the COMMUNITIES attribute an optional transitive global attribute in the numerical range from 1 to 4294967200 These are some predefined well known communities internet Advertise this route to the Internet community All routers belong to it no export Do not advertise this route to EBGP peers ...

Page 1004: ...these steps to create and to apply a community list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip community list community list number permit deny community number Create a community list and assign it a number The community list number is an integer from 1 to 99 that identifies one or more permit or deny groups of communities The community number is the numbe...

Page 1005: ...XEC mode use these commands to configure BGP peers Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 neighbor peer group name peer group Create a BGP peer group Step 4 neighbor ip address peer group peer group name Make a BGP neighbor a member of the peer group Step 5 neighbor ip address peer gro...

Page 1006: ...send community Optional Specify that the COMMUNITIES attribute is sent to the neighbor at this IP address Step 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which keepalive messages are sent to peers The range is 1 to 4294967295 seconds the default is 60 The holdtime is the interval afte...

Page 1007: ... local preference information is preserved You can then use a single IGP for all of the autonomous systems Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the auton...

Page 1008: ...utside their cluster When the route reflector receives an advertised route it takes one of these actions depending on the neighbor A route from an external BGP speaker is advertised to all clients and nonclient peers A route from a nonclient peer is advertised to all clients A route from a client is advertised to all clients and nonclient peers Hence the clients need not be fully meshed Usually a ...

Page 1009: ... 3 neighbor ip address peer group name route reflector client Configure the local router as a BGP route reflector and the specified neighbor as a client Step 4 bgp cluster id cluster id Optional Configure the cluster ID if the cluster has more than one route reflector Step 5 no bgp client to client reflection Optional Disable client to client route reflection By default the routes from a route ref...

Page 1010: ...it less likely that a route is dampened Step 9 clear ip bgp dampening Optional Clear route dampening information and unsuppress the suppressed routes Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 39 11 IP BGP Clear and Show Commands Command Purpose clear ip bgp address Reset a particular BGP connection clear ip bgp Reset all B...

Page 1011: ...uters know how to reach the proper area IS IS supports two levels of routing station routing within an area and area routing between areas The key difference between the ISO IGRP and IS IS NSAP addressing schemes is in the definition of area addresses Both use the system ID for Level 1 routing routing within an area However they differ in the way addresses are specified for area routing An ISO IGR...

Page 1012: ...ing in up to 29 areas and can perform Level 2 routing in the backbone In general each routing process corresponds to an area By default the first instance of the routing process configured performs both Level 1and Level 2 routing You can configure additional router instances which are automatically treated as Level 1 areas You must configure the parameters for each instance of the IS IS routing pr...

Page 1013: ... LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF Awareness1 1 NSF Nonstop Forwarding Enabled2 Allows Layer 3 switches to continue forwarding packets from a neighboring NSF capable router during hardware or software changes 2 IS IS NSF awareness is enabled for IPv4 on switches running Cisco IOS Release 12 2 25 SEG or ...

Page 1014: ...tionless routing on the switch Step 3 router isis area tag Enable the IS IS routing for the specified routing process and enter IS IS routing configuration mode Optional Use the area tag argument to identify the area to which the IS IS router is assigned You must enter a value if you are configuring multiple IS IS areas The first IS IS instance configured is Level 1 2 by default Later instances ar...

Page 1015: ...net 49 0001 0000 0000 000b 00 Switch config router exit Switch config interface gigabitethernet1 0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet1 0 2 Switch config if ip router isis Switch config if clns router isis Switch config router exit Router C Switch config clns routing Switch config router isis Switch config router net 49 0001 0...

Page 1016: ...in the network has a maximum transmission unit MTU size of less than 1500 bytes you can lower the LSP MTU so that routing will still occur The partition avoidance router configuration command prevents an area from becoming partitioned when full connectivity is lost among a Level1 2 border router adjacent Level 1 routers and end hosts Beginning in privileged EXEC mode follow these steps to configur...

Page 1017: ...seconds The default is to send LSP refreshes every 900 seconds 15 minutes Step 11 max lsp lifetime seconds Optional Set the maximum time that LSP packets remain in the router database without being refreshed The range is from 1 to 65535 seconds The default is 1200 seconds 20 minutes After the specified time interval the LSP packet is deleted Step 12 lsp gen interval level 1 level 2 lsp max wait ls...

Page 1018: ... for another hello packet before declaring the neighbor down This determines how quickly a failed link or neighbor is detected so that routes can be recalculated Change the hello multiplier in circumstances where hello packets are lost Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum inte...

Page 1019: ...mand Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode If the interface is not already configured as a Layer 3 interface enter the no switchport command to put it into Layer 3 mode Step 3 isis metric default metric level 1 level 2 Optional Configure the metric or cost for the...

Page 1020: ...rom 0 to 127 The default is 64 Step 10 isis circuit type level 1 level 1 2 level 2 only Optional Configure the type of adjacency desired for neighbors on the specified interface specify the interface circuit type level 1 a Level 1 adjacency is established if there is at least one area address common to both this node and its neighbors level 1 2 a Level 1 and 2 adjacency is established if the neigh...

Page 1021: ...route Remove dynamically derived CLNS routing information show clns Display information about the CLNS network show clns cache Display the entries in the CLNS routing cache show clns es neighbors Display ES neighbor entries including the associated areas show clns filter expr Display filter expressions show clns filter set Display filter sets show clns interface interface id Display the CLNS speci...

Page 1022: ...a VPN Routing Session page 39 89 Configuring BGP PE to CE Routing Sessions page 39 90 Multi VRF CE Configuration Example page 39 90 Displaying Multi VRF CE Status page 39 94 Understanding Multi VRF CE Multi VRF CE is a feature that allows a service provider to support two or more VPNs overlapping IP addresses among the VPNs Multi VRF CE uses input interfaces to distinguish routes for different VPN...

Page 1023: ...switch receives a command to add a Layer 3 interface to a VRF it sets up the mapping between the VLAN ID and the policy label PL in multi VRF CE related data structures and adds the VLAN ID and PL to the VLAN database When multi VRF CE is configured the Layer 3 forwarding table is virtually partitioned into two sections The multi VRF CE routing section contains the routes from different VPNs The g...

Page 1024: ...on to all members of a VPN community You need to configure BGP peering in all PE routers within a VPN community VPN forwarding transports all traffic between all VPN community members across a VPN service provider network Default Multi VRF CE Configuration Table 39 14 shows the default multi VRF CE configuration Multi VRF CE Configuration Guidelines To use multi VRF CE you must have the IP service...

Page 1025: ...ticast is not supported You can configure 104 policies whether or not VRFs are configured on the switch or the switch stack You can enable VRF on a private VLAN and the reverse You cannot enable VRF when policy based routing PBR is enabled on an interface and the reverse You cannot enable VRF when Web Cache Communication Protocol WCCP is enabled on an interface and the reverse Configuring VRFs Beg...

Page 1026: ...have the following characteristics The user can ping a host in a user specified VRF ARP entries are learned in separate VRFs The user can display Address Resolution Protocol ARP entries for specific VRFs These services are VRF aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Syslog Traceroute FTP and TFTP RADIUS Note VRF Aware services are not supported for U...

Page 1027: ...n for the commands refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference Release 12 2 Command Purpose show ip arp vrf vrf name Display the ARP table in the specified VRF Command Purpose ping vrf vrf name ip host Display the ARP table in the specified VRF Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp ser...

Page 1028: ...OS Switching Services Command Reference Release 12 2 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 4 ip vrf forwarding vrf name Configure VRF on the in...

Page 1029: ...ion IP address These changes are backward compatible and do not affect existing behavior That is you can use the source interface CLI to send packets out a particular interface even if no VRF is configured on that interface To specify the source IP address for FTP connections use the ip ftp source interface show mode command To use the address of the interface where the connection is made use the ...

Page 1030: ...ctions Step 3 end Return to privileged EXEC mode Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable IP routing mode Step 3 ip vrf vrf name Name the VRF and enter VRF configuration mode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an autonomous system number and an arbitrary number nnn y or an IP ad...

Page 1031: ...sociate the VPN forwarding table from the OSPF routing process Step 12 end Return to privileged EXEC mode Step 13 show ip vrf brief detail interfaces vrf name Verify the configuration Display information about the configured VRFs Step 14 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global con...

Page 1032: ...commands for configuring traffic to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system number Configure the BGP routing process with the autonomous system number passed to other BGP routers and enter router configuration mode Step 3 network network number mask netwo...

Page 1033: ...witch config vrf route target import 800 2 Switch config vrf exit Configure the loopback and physical interfaces on Switch A Gigabit Ethernet port 1 is a trunk connection to the PE Gigabit Ethernet ports 8 and 11 connect to VPNs Switch config interface loopback1 Switch config if ip vrf forwarding v11 Switch config if ip address 8 8 1 8 255 255 255 0 Switch config if exit Switch config interface lo...

Page 1034: ...fig interface vlan20 Switch config if ip vrf forwarding v12 Switch config if ip address 83 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan118 Switch config if ip vrf forwarding v12 Switch config if ip address 118 0 0 8 255 255 255 0 Switch config if exit Switch config interface vlan208 Switch config if ip vrf forwarding v11 Switch config if ip address 208 0 0 8 255 255 255 0...

Page 1035: ...nnection to Switch A by using these commands Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switch config interface gigabitethernet1 0 1 Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address Switch config if exit Switch config interface vlan118 Switch config if ip add...

Page 1036: ...Router config router af neighbor 83 0 0 8 remote as 800 Router config router af neighbor 83 0 0 8 activate Router config router af network 3 3 2 0 mask 255 255 255 0 Router config router af exit Router config router address family ipv4 vrf vl Router config router af neighbor 38 0 0 8 remote as 800 Router config router af neighbor 38 0 0 8 activate Router config router af network 3 3 1 0 mask 255 2...

Page 1037: ...r a complete description of the IP routing protocol independent commands in this chapter see the IP Routing Protocol Independent Commands chapter of the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2 from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These sections contain this configuration information Configuring Cisco Exp...

Page 1038: ...onfiguration command disables CEF for traffic that is being forwarded by software This command does not affect the hardware forwarding path You can re enable CEF or dCEF by using the ip cef or ip cef distributed global configuration command To enable CEF on an interface for the software forwarding path use the ip route cache cef interface configuration command Caution Although the no ip route cach...

Page 1039: ...r configuration command to restore the default value Configuring Static Unicast Routes Static unicast routes are user defined routes that cause packets moving between a source and a destination to take a specified path Static routes can be important if the router cannot dynamically build a route to a particular destination and are useful for specifying a gateway of last resort to which all unrouta...

Page 1040: ...ng protocols advertise the route unless a redistribute static command is specified for these protocols When an interface goes down all static routes through that interface are removed from the IP routing table When the software can no longer find a valid next hop for the address specified as the forwarding router address in a static route the static route is also removed from the IP routing table ...

Page 1041: ...es have a path to it the network is considered as a possible candidate and the gateway to the best default path becomes the gateway of last resort Using Route Maps to Redistribute Routing Information The switch can run multiple routing protocols simultaneously and it can redistribute information from one routing protocol to another Information redistribution from one routing protocol to another ap...

Page 1042: ...ese steps to configure a route map for redistribution Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 route map map tag permit deny sequence number Define any route maps used to control redistribution and enter route map configuration mode map tag A meaningful name for the route map The redistribute router configuration command uses this name to reference this rout...

Page 1043: ...1 level 2 level 1 2 stub area backbone Set the level for routes that are advertised into the specified area of the routing domain The stub area and backbone are OSPF NSSA and backbone areas Step 17 set metric metric value Set the metric value to give the redistributed routes only for EIGRP The metric value is an integer from 294967295 to 294967295 Step 18 set metric bandwidth delay reliability loa...

Page 1044: ...otocols if a default mode is in effect Step 21 set weight Set the BGP weight for the routing table The value is from 1 to 65535 Step 22 end Return to privileged EXEC mode Step 23 show route map Display all configured route maps or only the one specified to verify configuration Step 24 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Pu...

Page 1045: ...ent through the normal forwarding channels and destination based routing is performed For PBR route map statements marked as deny are not supported For more information about configuring route maps see the Using Route Maps to Redistribute Routing Information section on page 39 99 You can use standard IP ACLs to specify match criteria for a source address or extended IP ACLs to specify match criter...

Page 1046: ... PBR are mutually exclusive on a switch interface You cannot enable VRF when PBR is enabled on an interface The reverse is also true you cannot enable PBR when VRF is enabled on an interface Web Cache Communication Protocol WCCP and PBR are mutually exclusive on a switch interface You cannot enable WCCP when PBR is enabled on an interface The reverse is also true you cannot enable PBR when WCCP is...

Page 1047: ... terminal Enter global configuration mode Step 2 route map map tag permit sequence number Define any route maps used to control from where packets are sent and enter route map configuration mode map tag A meaningful name for the route map The ip policy route map interface configuration command uses this name to reference the route map Multiple route maps might share the same map tag name Optional ...

Page 1048: ...nformation is neither sent nor received through that interface Step 6 interface interface id Enter interface configuration mode and specify the interface to configure Step 7 ip policy route map map tag Enable PBR on a Layer 3 interface and identify the route map to use You can configure only one route map on an interface However you can have multiple route map entries with different sequence numbe...

Page 1049: ...many of the distribution routers have more than 200 interfaces Controlling Advertising and Processing in Routing Updates You can use the distribute list router configuration command with access control lists to suppress routes from being advertised in routing updates and to prevent other routers from learning one or more routes When used in OSPF this feature applies only to external routes and you...

Page 1050: ... protocol has the lowest administrative distance Table 39 16 on page 39 98 shows the default administrative distances for various routing information sources Because each network has its own requirements there are no general guidelines for assigning administrative distances Beginning in privileged EXEC mode follow these steps to filter sources of routing information Command Purpose Step 1 configur...

Page 1051: ... examines the key numbers in order from lowest to highest and uses the first valid key it encounters The lifetimes allow for overlap during key changes Note that the router must know these lifetimes Beginning in privileged EXEC mode follow these steps to manage authentication keys Step 3 distance weight ip address ip address mask ip access list Define an administrative distance weight The administ...

Page 1052: ...forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 6 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be sent The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the ...

Page 1053: ...le 39 17 Commands to Clear IP Routes or Display Route Status Command Purpose clear ip route network mask Clear one or more routes from the IP routing table show ip protocols Display the parameters and state of the active routing protocol process show ip route address mask longer prefixes protocol process id Display the state of the routing table show ip route summary Display the state of the routi...

Page 1054: ...39 112 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 39 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network ...

Page 1055: ...e a dual IPv4 and IPv6 switch database management SDM template See the Dual IPv4 and IPv6 Protocol Stacks section on page 40 6 Unless otherwise noted the term switch refers to a standalone switch and to a switch stack Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS documentation referenced in the procedures This chapter consists of these secti...

Page 1056: ...itations page 40 9 IPv6 and Switch Stacks page 40 10 IPv6 Addresses The switch supports only IPv6 unicast addresses It does not support site local unicast addresses anycast addresses or multicast addresses The IPv6 128 bit addresses are represented as a series of eight 16 bit hexadecimal fields separated by colons in the format n n n n n n n n This is an example of an IPv6 address 2031 0000 130F 0...

Page 1057: ...tion and Duplicate Address Detection page 40 5 IPv6 Applications page 40 5 Dual IPv4 and IPv6 Protocol Stacks page 40 6 DHCP for IPv6 Address Assignment page 40 6 Static Routes for IPv6 page 40 7 RIP for IPv6 page 40 7 OSPF for IPv6 page 40 7 EIGRP for IPv6 page 40 7 HSRP for IPv6 page 40 8 SNMP and Syslog Over IPv6 page 40 8 HTTP S Over IPv6 page 40 8 Support on the switch includes expanded addre...

Page 1058: ... unicast addresses in the Implementing IPv6 Addressing and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com DNS for IPv6 IPv6 supports Domain Name System DNS record types in the DNS name to address and address to name lookup processes The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4 The switch supports DN...

Page 1059: ...her select the same router every time or cycle through the router list By using DRP you can configure an IPv6 host to prefer one router over another provided both are reachable or probably reachable For more information about DRP for IPv6 see the Implementing IPv6 Addresses and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com IPv6 Stateless Autoconfiguration and ...

Page 1060: ... routes both IPv4 and IPv6 packets and applies IPv4 QoS in hardware The switch does not support IPv6 QoS If you do not plan to use IPv6 do not use the dual stack template because this template results in less TCAM capacity for each resource For more information about IPv4 and IPv6 protocol stacks see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Li...

Page 1061: ... graceful restart feature in OSPFv3 This feature allows nonstop data forwarding along known routes while the OSPFv3 routing protocol information is being restored A switch can participate in graceful restart either in restart mode such as in a graceful restart capable switch or in helper mode such as in a graceful restart aware switch To perform the graceful restart function a switch must be in hi...

Page 1062: ...nd to modify the SNMP agent to support traps for an IPv6 host SNMP and syslog related MIBs to support IPv6 addressing Configuration of IPv6 hosts as trap receivers For support over IPv6 SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6 These SNMP actions support IPv6 transport management Opens User Datagram Protocol UDP SNMP socket with default settings Provid...

Page 1063: ...tocols IPv6 unicast reverse path forwarding IPv6 general prefixes Limitations Because IPv6 is implemented in switch hardware some limitations occur due to the IPv6 compressed addresses in the hardware memory These hardware limitations result in some loss of functionality and limits some features These are feature limitations ICMPv6 redirect functionality is not supported for IPv6 host routes route...

Page 1064: ...ding The stack master also runs all IPv6 applications Note To route IPv6 packets in a stack all switches in the stack must be running the IP services feature set If a new switch becomes the stack master it recomputes the IPv6 routing tables and distributes them to the member switches While the new stack master is being elected and is resetting the switch stack does not forward IPv6 packets The sta...

Page 1065: ...tack might need up to 60 seconds to recover all routes and resume forwarding traffic IPv6 host functionality is supported on the stack master and all IPv6 applications run on the stack master Configuring IPv6 These sections contain this IPv6 forwarding configuration information Default IPv6 Configuration page 40 11 Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing page 40 12 ...

Page 1066: ...address comprise the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address on an interface automatically configures a link local address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multi...

Page 1067: ...ort Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address prefix length or ipv6 address ipv6 address link local or ipv6 enable Specify a global IPv6 address with an extended unique identifier EUI in the low order 64 bits of the IPv6 address Specify only the network prefix the last 64 bits...

Page 1068: ...ethernet1 0 1 GigabitEthernet1 0 1 is up line protocol is up IPv6 is enabled link local address is FE80 20B 46FF FE2F D940 Global unicast address es 2001 0DB8 c18 1 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number ...

Page 1069: ...support both IPv4 and IPv6 and to enable IPv6 routing Step 5 show ipv6 interface Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip routing Enable routing on the switch Step 3 ipv6 unicast routing Enable forwarding of IPv6 data pac...

Page 1070: ...ch config if no switchport Switch config if ip address 192 168 99 1 244 244 244 0 Switch config if ipv6 address 2001 0DB8 c18 1 64 eui 64 Switch config if end Configuring DHCP for IPv6 Address Assignment These sections describe how to configure Dynamic Host Configuration Protocol for IPv6 DHCPv6 address assignment Default DHCPv6 Address Assignment Configuration page 40 16 DHCPv6 Address Assignment...

Page 1071: ...y agent Typically messages from a DHCPv6 relay agent show the source address of the interface from which they are sent However in some networks it may be desirable to configure a more stable address such as a loopback interface as the source address for messages from the relay agent The DHCPv6 Relay Source Configuration feature provides this capability For more information and to configure these f...

Page 1072: ...d by the suboption parameters Step 7 exit Return to DHCP pool configuration mode Step 8 exit Return to global configuration mode Step 9 interface interface id Enter interface configuration mode and specify the interface to configure Step 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable DHCPv6 server function on an interface poolname Optional User defined name ...

Page 1073: ...face To disable the DHCPv6 client function use the no ipv6 address dhcp interface configuration command To remove the DHCPv6 client request use the no ipv6 address dhcp client request interface configuration command This example shows how to acquire an IPv6 address and to enable the rapid commit option Switch config interface gigabitethernet2 0 1 Switch config if ipv6 address dhcp rapid commit Thi...

Page 1074: ... unicast packet forwarding by using the ipv6 unicast routing global configuration command You must configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command To disable IPv6 CEF or distributed CEF use the no ipv6 cef or no ipv6 cef distributed global configuration command To reenable IPv6 CEF or dCEF if it has been disabled use the ipv6 ...

Page 1075: ...address A slash mark must precede the decimal value ipv6 address The IPv6 address of the next hop that can be used to reach the specified network The IPv6 address of the next hop need not be directly connected recursion is done to find the IPv6 address of the directly connected next hop The address must be specified in hexadecimal using 16 bit values between colons interface id Specify direct stat...

Page 1076: ...ace interface id recursive detail or show ipv6 route static updated Verify your entries by displaying the contents of the IPv6 routing table interface interface id Optional Display only those static routes with the specified interface as an egress interface recursive Optional Display only recursive static routes The recursive keyword is mutually exclusive with the interface keyword but it can be u...

Page 1077: ... commands Changing the defaults might adversely affect OSPF for the IPv6 network Before you enable IPv6 OSPF on an interface you must enable routing by using the ip routing global configuration command enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command and enable IPv6 on Layer 3 interfaces on which you are enabling IPv6 OSPF Step 7 ipv6 rip name de...

Page 1078: ...vertise Optional Set the address range status to advertise and to generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the...

Page 1079: ...ive interface command on selected interfaces to make them active EIGRP IPv6 does not need to be configured on a passive interface For more configuration procedures see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Guide Configuring HSRP for IPv6 Hot Standby Router Protocol HSRP for IPv6 provides routing redundancy for routing IPv6 traffic not dependent on the availabi...

Page 1080: ...EC mode Step 5 show standby Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP for IPv6 Step 3 standby group number ipv6 link l...

Page 1081: ...er to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional delay Set to cause the local router to postpone taking over the active role for the shown number of seconds The range is 0 to 3600 1 hour The default is 0 no delay before taking over Op...

Page 1082: ...nation cache show ipv6 neighbors Display IPv6 neighbor cache entries show ipv6 ospf1 Display IPv6 OSPF information show ipv6 prefix list Display a list of IPv6 prefix lists show ipv6 protocols1 Display IPv6 routing protocols on the switch show ipv6 rip1 Display IPv6 RIP routing protocol status show ipv6 route1 Display the IPv6 route table entries show ipv6 routers 1 Display the local IPv6 routers ...

Page 1083: ...are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds output truncated Table 40 4 Commands for Displaying IPv4 and IPv6 Address Types Command Purpose show ip htt...

Page 1084: ...28 receive output truncated This is an example of the output from the show ipv6 protocols privileged EXEC command Switch show ipv6 protocols IPv6 Routing Protocol is connected IPv6 Routing Protocol is static IPv6 Routing Protocol is rip fer Interfaces Vlan6 GigabitEthernet2 0 4 GigabitEthernet2 0 11 GigabitEthernet1 0 12 Redistribution None This is an example of the output from the show ipv6 rip p...

Page 1085: ...ute IPv6 Routing Table 21 entries Codes C Connected L Local S Static R RIP B BGP U Per user Static route I1 ISIS L1 I2 ISIS L2 IA ISIS interarea IS ISIS summary O OSPF intra OI OSPF inter OE1 OSPF ext 1 OE2 OSPF ext 2 ON1 OSPF NSSA ext 1 ON2 OSPF NSSA ext 2 S 0 1 0 via 3FFE C000 0 7 777 C 3FFE C000 0 1 64 0 0 via Vlan1 L 3FFE C000 0 1 20B 46FF FE2F D940 128 0 0 via Vlan1 C 3FFE C000 0 7 64 0 0 via...

Page 1086: ...1 sent ICMP statistics Rcvd 1 input 0 checksum errors 0 too short 0 unknown info type 0 unknown error type unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 1 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert...

Page 1087: ... availability by providing first hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address HSRP routes IP traffic without relying on the availability of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segmen...

Page 1088: ...essages are automatically enabled for the interface You can configure multiple Hot Standby groups among switches and switch stacks that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and one on switch 2 as...

Page 1089: ...Cisco Group Management Protocol CGMP leave processing You cannot enable HSRPv1 and CGMP at the same time they are mutually exclusive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send ...

Page 1090: ...gure MHSRP to achieve load balancing and to use two or more standby groups and paths from a blade server network to a server network In Figure 41 2 one enclosure with blade servers is configured for Router A and the other enclosure with blade servers is configured for Router B Together the configuration for Routers A and B establishes two HSRP groups For group 1 Router A is the default active rout...

Page 1091: ...ected and initialized and the standby router might become active after the stack master fails Configuring HSRP These sections contain this configuration information Default HSRP Configuration page 41 6 HSRP Configuration Guidelines page 41 6 Enabling HSRP page 41 7 Configuring HSRP Priority page 41 8 Configuring MHSRP page 41 10 201791 Active router for group 1 Standby router for group 2 Blade swi...

Page 1092: ... created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section on page 38 15 All Layer 3 interfaces must have IP addresses assigned to them See the Configuring Layer 3 Interfaces section on page 11 25 HSRPv2 and HSRPv1 can be configured on ...

Page 1093: ...terface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby version 1 2 Optional Configure the HSRP version on the interface 1 Select HSRPv1 2 Select HSRPv2 If you do not enter this command or do not specify a keyword the interface runs the default HSRP version HSRP v1 Step 4 standby group number ip ip address secondary Create or en...

Page 1094: ...ty preempt or both The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP When a tracked interface fai...

Page 1095: ... 1 hour the default is 0 no delay before taking over Optional delay reload Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown The range is 0 to 36000 seconds 1 hour the default is 0 no delay before taking over after a reload Optional delay sync Set to cause the local router to postpone taking over the active role so that IP redundan...

Page 1096: ... standby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up the preemption occurs and restores load balancing Router A is configured as the active router for group 1 and Router B is configured as the active router for group 2 The HSRP interface for Router A has an IP address of 10 0 0 1 with a group 1 standby priority of 110 the default is 10...

Page 1097: ...umber authentication string interface configuration command to delete an authentication string Use the no standby group number timers hellotime holdtime interface configuration command to restore timers to their default values Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on wh...

Page 1098: ...Messages ICMP redirect messages are automatically enabled on interfaces configured with HSRP ICMP is a network layer Internet protocol that provides message packets to report errors and other information relevant to IP processing ICMP provides diagnostic functions such as sending and directing error packets to the host This feature filters outgoing ICMP redirect messages through HSRP in which the ...

Page 1099: ...Beginning with Cisco IOS Release 12 2 58 SE switches with the IP base feature set support the Virtual Router Redundancy Protocol VRRP The Virtual Router Redundancy Protocol VRRP is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN allowing several routers on a multiaccess link to utilize the same virtual IP address A VRRP rout...

Page 1100: ...41 14 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 41 Configuring HSRP and VRRP Configuring VRRP ...

Page 1101: ... see the command reference at this URL http www cisco com en US docs ios ipsla command reference sla_book html This chapter consists of these sections Understanding Cisco IOS IP SLAs page 42 1 Configuring IP SLAs Operations page 42 6 Monitoring IP SLAs Operations page 42 13 Understanding Cisco IOS IP SLAs Cisco IOS IP SLAs sends data across the network to measure performance between multiple netwo...

Page 1102: ...g IP SLAs can provide these benefits Service level agreement monitoring measurement and verification Network performance monitoring Measures the jitter latency or packet loss in the network Provides continuous reliable and predictable measurements IP service network health assessment to verify that the existing QoS is sufficient for new IP services Edge to edge network availability monitoring for ...

Page 1103: ...e the IP SLAs responder if required 2 Configure the required IP SLAs operation type 3 Configure any options available for the specified operation type 4 Configure threshold conditions if required 5 Schedule the operation to run then let the operation run for a period of time to gather statistics 6 Display and interpret the results of the operation using the Cisco IOS CLI or a network management sy...

Page 1104: ...For example a responder is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices Response Time Computation for IP SLAs Switches and routers can take tens of milliseconds to process incoming packets...

Page 1105: ...ation that is visible through SNMP The pending state is also used when an operation is a reaction threshold operation waiting to be triggered You can schedule a single IP SLAs operation or a group of operations at one time You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON MIB Scheduling the operations to run at evenly distributed ti...

Page 1106: ...tion which does not require a responder For details about configuring other operations see he Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html This section includes this information Default Configuration page 42 6 Configuration Guidelines page 42 6 Configuring the IP SLAs Responder page 42 7 Analyzing IP Service...

Page 1107: ... http Type of Operation to Perform jitter Type of Operation to Perform pathEcho Type of Operation to Perform pathJitter Type of Operation to Perform tcpConnect Type of Operation to Perform udpEcho IP SLAs low memory water mark 21741224 Configuring the IP SLAs Responder The IP SLAs responder is available only on Cisco IOS software based devices including some Layer 2 switches that do not support fu...

Page 1108: ...DP jitter operations measure this data Per direction jitter source to destination and destination to source Per direction packet loss Per direction delay one way delay Round trip delay average round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurrin...

Page 1109: ... the range from 1 to 65535 Optional source ip ip address hostname Specify the source IP address or hostname When a source IP address or hostname is not specified IP SLAs chooses the IP address nearest to the destination Optional source port port number Specify the source port number in the range from 1 to 65535 When a port number is not specified IP SLAs chooses an available port Optional control ...

Page 1110: ...ollecting information To start at a specific time enter the hour minute second in 24 hour notation and day of the month If no month is entered the default is the current month Enter pending to select no information collection until a start time is selected Enter now to start the operation immediately Enter after hh mm ss to show that the operation should start after the entered time has elapsed Op...

Page 1111: ...cheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 Enhanced Hist...

Page 1112: ...ration mode Step 6 ip sla schedule operation number life forever seconds start time hh mm ss month day day month pending now after hh mm ss ageout seconds recurring Configure the scheduling parameters for an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to ...

Page 1113: ...rf Name Schedule Operation frequency seconds 60 Next Scheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statist...

Page 1114: ...w ip sla history entry number full tabular Display history collected for all IP SLAs operations show ip sla mpls lsp monitor collection statistics configuration ldp operational state scan queue summary entry number neighbors Display MPLS label switched path LSP Health Monitor operations show ip sla reaction configuration entry number Display the configured proactive threshold monitoring settings f...

Page 1115: ...s outages and outage duration Unless otherwise noted the term switch refers to a standalone switch and to a switch stack The chapter includes these sections Understanding Enhanced Object Tracking page 43 1 Configuring Enhanced Object Tracking Features page 43 2 Monitoring Enhanced Object Tracking page 43 10 Understanding Enhanced Object Tracking Each tracked object has a unique number that is spec...

Page 1116: ...hese conditions are not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface an...

Page 1117: ...st The state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a percentage threshold you assign a percentage threshold to all objects in the tracked list The state of each object is determined by comparing the a...

Page 1118: ... cannot use the Boolean NOT operator in a weight threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up...

Page 1119: ...t of objects specify that a percentage will be used as the threshold and specify a percentage for all objects in the list The state of the list is determined by comparing the assigned percentage of each object to the list You cannot use the Boolean NOT operator in a percentage threshold list Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list th...

Page 1120: ... list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based on percentage Step 3 object object number Specify the object to be tracked The range is from 1 to 500 Note An object must exist before you can add it to a tracked list Step 4 threshold percentage...

Page 1121: ...default up threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 43 3 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 43 4 For threshold percentage see the Config...

Page 1122: ... is a network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance Cisco IP SLAs operations collects real time metrics that you can use for network troubleshooting design and analysis For more information about Cisco IP SLAs on the switch see Chapter 42 Configuring Cisco IOS IP SLAs Operations For IP SLAs command information ...

Page 1123: ...change 00 00 47 Latest operation return code over threshold Latest RTT millisecs 4 Tracked by HSRP Ethernet0 1 3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number rtr operation number state Enter tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 2...

Page 1124: ...P Ethernet0 1 3 Monitoring Enhanced Object Tracking Use the privileged EXEC or user EXEC commands in Table 43 1 to display enhanced object tracking information Table 43 1 Commands for Displaying Tracking Information Command Purpose show track object number Display information about the all tracking lists or the specified list show track brief Display a single line of tracking information output sh...

Page 1125: ...tical content from servers Application engines accelerate content delivery and ensure maximum scalability and availability of content In a service provider network you can deploy the WCCP and application engine solution at the points of presence POPs In an enterprise network you can deploy the WCCP and application engine solution at the regional site and the small branch office Note To use this fe...

Page 1126: ...e word transparent means that the end user does not know that a requested file such as a web page came from the application engine instead of from the originally specified server When an application engine receives a request it attempts to service it from its own local cache If the requested information is not present the application engine sends a separate request to the end server to retrieve th...

Page 1127: ...o be directly connected to the switch at Layer 2 Assignment method the method by which packets are distributed among the application engines in the cluster The switch uses some bits of the destination IP address the source IP address the destination Layer 4 port and the source Layer 4 port to determine which application engine receives the redirected packets Packet return method the method by whic...

Page 1128: ... incoming packet with source and destination port 80 is forwarded by using service group 1 because it has the higher priority WCCP supports a cluster of application engines for every service group Redirected traffic can be sent to any one of the application engines The switch supports the mask assignment method of load balancing the traffic among the application engines in the cluster for a servic...

Page 1129: ... The stack master performs these WCCP functions It receives protocol packets from any WCCP enabled interface and sends them out any WCCP enabled interface in the stack It processes the WCCP configuration and propagates the information to all stack members It distributes the WCCP information to any switch that joins the stack It programs its hardware with the WCCP information it processes Stack mem...

Page 1130: ...d WCCP entries packets are not redirected and are forwarded by using the standard routing tables The number of available policy based routing PBR labels are reduced as more interfaces are enabled for WCCP ingress redirection For every interface that supports service groups one label is consumed The WCCP labels are taken from the PBR labels You need to monitor and manage the labels that are availab...

Page 1131: ...e number which corresponds to a dynamic service that is defined by the application engine By default this feature is disabled Optional For group address groupaddress specify the multicast group address used by the switches and the application engines to participate in the service group Optional For group list access list if a multicast group address is not used specify a list of valid IP addresses...

Page 1132: ...tion mode Step 9 no switchport Enter Layer 3 mode Step 10 ip address ip address subnet mask Configure the IP address and subnet mask Step 11 no shutdown Enable the interface Step 12 ip wccp web cache service number redirect in Redirect packets received from the client to the application engine Enable this on the interface connected to the client Step 13 ip wccp web cache service number group liste...

Page 1133: ...hernet1 0 1 Switch config if no switchport Switch config if ip address 172 20 10 30 255 255 255 0 Switch config if no shutdown Switch config if ip wccp web cache group listen Switch config if exit Switch config interface gigabitethernet1 0 2 Switch config if no switchport Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if no shutdown Switch config if exit Switch config interfa...

Page 1134: ...ists Switch configure terminal Switch config ip wccp web cache 80 group list 15 Switch config access list 15 permit host 171 69 198 102 Switch config access list 15 permit host 171 69 198 104 Switch config access list 15 permit host 171 69 198 106 Switch config vlan 299 Switch config vlan exit Switch config interface vlan 299 Switch config if ip address 175 20 20 10 255 255 255 0 Switch config if ...

Page 1135: ...ing and Maintaining WCCP Command Purpose clear ip wccp web cache Removes statistics for the web cache service show ip wccp web cache Displays global information related to WCCP show ip wccp web cache detail Displays information for the switch and all application engines in the WCCP cluster show ip interface Displays status about any IP WCCP redirection commands that are configured on an interface ...

Page 1136: ...44 12 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 44 Configuring Cache Services By Using WCCP Monitoring and Maintaining WCCP ...

Page 1137: ...whether it is a member of a group can send to a group However only the members of a group receive the message To use this feature the switch or stack master must be running the IP services feature set To use the PIM stub routing feature the switch or stack master can be running the IP base image Unless otherwise noted the term switch refers to a standalone switch and to a switch stack This chapter...

Page 1138: ...ed on Cisco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP Figure 45 1 shows where these protocols operate within the IP multicast environment Figure 45 1 IP Multicast Routing Protocols According to IPv4 multicast standards the MAC destination multicast address begins with 0100 5e and is appended by the last 23 bits of the...

Page 1139: ...up addresses which are class D addresses The high order bits of a Class D address are 1110 Therefore host group addresses can be in the range 224 0 0 0 through 239 255 255 255 Multicast addresses in the range 224 0 0 0 to 224 0 0 255 are reserved for use by routing protocols and other network control traffic The address 224 0 0 0 is guaranteed not to be assigned to any group IGMP packets are sent ...

Page 1140: ...omated RP discovery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group to RP mappings Sparse mode and dense mode are properties of a group as opposed to an interface We strongly recommend sparse dense mode as opposed to either sparse mode or dense mode only PIM join and prune messages have more flexible encoding for multiple address families A mo...

Page 1141: ...n messages to be torn down when they are no longer needed When the number of PIM enabled interfaces exceeds the hardware capacity and PIM SM is enabled with the SPT threshold is set to infinity the switch does not create S G entries in the multicast routing table for the some directly connected interfaces if they are not already in the table The switch might not correctly forward traffic from thes...

Page 1142: ...cted to the router and PIM stub routing is enabled on the VLAN 100 interfaces and on Host 3 This configuration allows the directly connected hosts to receive traffic from multicast source 200 1 1 3 See the Enabling PIM Stub Routing section on page 45 27 for more information Figure 45 2 PIM Stub Router Configuration IGMP Helper PIM stub routing moves routed traffic closer to the end user and reduce...

Page 1143: ...R is another method to distribute group to RP mapping information to all PIM routers and multilayer switches in the network It eliminates the need to manually configure RP information in every router and switch in the network However instead of using IP multicast to distribute group to RP mapping information BSR uses hop by hop flooding of special BSR messages to distribute the mapping information...

Page 1144: ...packet arrived on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces in the outgoing interface list which might not be all interfaces on the router 3 If the RPF check fails the packet is discarded Some multicast routing protocols such as DVMRP maint...

Page 1145: ...his routing information to make the packet forwarding decision The software does not implement the complete DVMRP However it supports dynamic discovery of DVMRP routers and can interoperate with them over traditional media such as Ethernet and FDDI or over DVMRP specific tunnels DVMRP neighbors build a route table by periodically exchanging source network routing information in route report messag...

Page 1146: ...t is responsible for completing the IP multicast routing functions of the stack It fully initializes and runs the IP multicast routing protocols It builds and maintains the multicast routing table for the entire stack It is responsible for distributing the multicast routing table to all stack members The stack members perform these functions They act as multicast routing standby devices and are re...

Page 1147: ... interoperate with Cisco PIM v1 devices Monitoring the RP Mapping Information page 45 39 optional Troubleshooting PIMv1 and PIMv2 Interoperability Problems page 45 39 optional Default Multicast Routing Configuration Table 45 2 shows the default multicast routing configuration Multicast Routing Configuration Guidelines To avoid misconfiguring multicast routing on your switch review the information ...

Page 1148: ...gle RP on every router or multilayer switch in the group Not all routers and switches in the domain use the PIMv2 hash function to select multiple RPs Dense mode groups in a mixed PIMv1 and PIMv2 region need no special configuration they automatically interoperate Sparse mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto RP feature in PIMv1 interoperates with the PIMv2 RP ...

Page 1149: ...orm IP multicast routing Enabling PIM on an interface also enables IGMP operation on that interface Note If you enable PIM on multiple interfaces when most of these interfaces are not on the outgoing interface list and IGMP snooping is disabled the outgoing interface might not be able to sustain line rate for multicast traffic because of the extra replication In populating the multicast routing ta...

Page 1150: ...ayer 3 Interfaces section on page 11 25 Step 4 ip pim version 1 2 Configure the PIM version on the interface By default Version 2 is enabled and is the recommended setting An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded For more information see th...

Page 1151: ...GMPv3 To run SSM with IGMPv3 SSM must be supported in the Cisco IOS router the host where the application is running and the application itself How SSM Differs from Internet Standard Multicast The current IP multicast infrastructure in the Internet and many enterprise intranets is based on the PIM SM protocol and Multicast Source Discovery Protocol MSDP These protocols have the limitations of the ...

Page 1152: ...he SSM range Use the ip pim ssm global configuration command to configure the SSM range and to enable SSM This configuration has the following effects For groups within the SSM range S G channel subscriptions are accepted through IGMPv3 include mode membership reports PIM operations within the SSM range of addresses change to PIM SSM a mode derived from PIM SM In this mode only PIM S G join and pr...

Page 1153: ...lication to minimize the chance for re use of a single address within the SSM range between different applications For example an application service providing a set of television channels should even with SSM use a different group for each television S G channel This setup guarantees that multiple receivers to different channels within the same application service never experience traffic aliasin...

Page 1154: ...SM Mapping Overview page 45 19 Configuring SSM Mapping page 45 21 Monitoring SSM Mapping page 45 23 Command Purpose Step 1 ip pim ssm default range access list Define the SSM range of IP multicast addresses Step 2 interface type number Select an interface that is connected to hosts on which IGMPv3 can be enabled and enter the interface configuration mode Step 3 ip pim sparse mode sparse dense mode...

Page 1155: ...v3 and the hosts already support IGMPv3 but not SSM the hosts send IGMPv3 group reports SSM mapping does not support these IGMPv3 group reports and the router does not correctly associate sources with these reports SSM Mapping Overview In a typical STB deployment each TV channel uses one separate IP multicast group and has one active server host sending the TV channel A single server can send mult...

Page 1156: ... and performs a reverse lookup into the DNS The router looks up IP address resource records and uses them as the source addresses associated with this group SSM mapping supports up to 20 sources for each group The router joins all sources configured for a group see Figure 45 4 Figure 45 4 DNS Based SSM Mapping The SSM mapping mechanism that enables the last hop router to join multiple sources for ...

Page 1157: ...r global configuration mode Step 2 ip igmp ssm map enable Enable SSM mapping for groups in the configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables ...

Page 1158: ...for groups in a configured SSM range Step 3 ip igmp ssm map query dns Optional Enable DNS based SSM mapping By default the ip igmp ssm map command enables DNS based SSM mapping Only the no form of this command is saved to the running configuration Note Use this command to re enable DNS based SSM mapping if DNS based SSM mapping is disabled Step 4 ip domain multicast domain prefix Optional Change t...

Page 1159: ...s the routing protocol that supports the implementation of SSM and is derived from PIM sparse mode PIM SM Internet Group Management Protocol version 3 IGMPv3 Step 3 ip igmp static group group address source ssm map Configure SSM mapping to statically forward a S G channel from the interface Use this command if you want to statically forward SSM traffic for certain groups Use DNS based SSM mapping ...

Page 1160: ...bscribed whereas in ISM receivers need not know the IP addresses of sources from which they receive their traffic The proposed standard approach for channel subscription signalling use IGMP include mode membership reports which are supported only in IGMP version 3 SSM IP Address Range SSM can coexist with the ISM service by applying the SSM delivery model to a configured subset of the IP multicast...

Page 1161: ...orts are ignored Configuration Guidelines This section contains the guidelines for configuring SSM Legacy Applications Within the SSM Range Restrictions Existing applications in a network predating SSM do not work within the SSM range unless they are modified to support S G channel subscriptions Therefore enabling SSM in a network can cause problems for existing applications if they use addresses ...

Page 1162: ...g traffic for more than 3 minutes in PIM SM the S G state is deleted and only re established after packets from the source arrive again through the RPT Because no mechanism in PIM SSM notifies a receiver that a source is active the network must maintain the S G state in PIM SSM as long as receivers are requesting receipt of that channel Configuring SSM Beginning in privileged EXEC mode follow thes...

Page 1163: ...fig if ip address 100 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if exit Switch config interface GigabitEthernet3 0 20 Switch config if no switchport Switch config if ip address 10 1 1 1 255 255 255 0 Switch config if ip pim passive Switch config if end To verify that PIM stub is enabled for each interface use the show ip pim interface privileged EXEC command Switch show ip ...

Page 1164: ...ack protocol in the Internet Engineering Task Force IETF You can use auto RP BSR or a combination of both depending on the PIM version that you are running and the types of routers in your network For more information see the PIMv1 and PIMv2 Interoperability section on page 45 12 and the Auto RP and BSR Configuration Guidelines section on page 45 12 Manually Assigning an RP to Multicast Groups Thi...

Page 1165: ...M domain The access list conditions specify for which groups the device is an RP For ip address enter the unicast address of the RP in dotted decimal notation Optional For access list number enter an IP standard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with...

Page 1166: ...figured with a manual RP address for the Auto RP groups If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command Auto RP can still be used even if all devices are not configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 45 30 optional ...

Page 1167: ...e to be the candidate RP for local groups For interface id enter the interface type and number that identifies the RP address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that the RP announce messages reach all mapping agents in the network There is no default setting The range is 1 to ...

Page 1168: ...default use the ip pim accept rp auto rp global configuration command This procedure is optional If all interfaces are in sparse mode use a default configured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ...

Page 1169: ...ist number variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to ensure that no conflicts occur in the Group to RP mapping information Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times a...

Page 1170: ... optional Defining the IP Multicast Boundary page 45 35 optional Configuring Candidate BSRs page 45 36 optional Configuring Candidate RPs page 45 37 optional For overview information see the Bootstrap Router section on page 45 7 Defining the PIM Domain Border As IP multicast becomes more widespread the chance of one PIMv2 domain bordering another PIMv2 domain is increasing Because these two domain...

Page 1171: ...yer 3 switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 ...

Page 1172: ...30 bits as the hash mask length and has a priority of 10 Switch config interface gigabitethernet1 0 2 Switch config if ip address 172 21 24 18 255 255 255 0 Switch config if ip pim sparse dense mode Switch config if ip pim bsr candidate gigabitethernet1 0 2 30 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length prio...

Page 1173: ...l configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be a candidate RP For interface id specify the interface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group...

Page 1174: ... candidate BSRs as the RP mapping agents for Auto RP For more information see the Configuring Auto RP section on page 45 30 and the Configuring Candidate BSRs section on page 45 36 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the ...

Page 1175: ...with the show ip pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features These sections describe the op...

Page 1176: ...ard the source At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tre...

Page 1177: ...lies to all groups Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a st...

Page 1178: ...ic from a source needs to be forwarded down the shared tree In this case the DR is the device with the highest IP address Beginning in privileged EXEC mode follow these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Step 4 end Return to privileged EXEC mode Step 5...

Page 1179: ...oup You can configure the switch as a member of a multicast group and discover multicast reachability in a network If all the multicast capable routers and multilayer switches that you administer are members of a multicast group pinging that group causes all these devices to respond The devices respond to ICMP echo request packets addressed to a group of which they are members Another example is t...

Page 1180: ...C mode follow these steps to filter multicast groups allowed on an interface This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 ip igmp join group group address Configure the switch to join a multicast group By default no group members...

Page 1181: ...dure is optional Step 5 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify the multicast group that hosts on the subnet can join Optional For sour...

Page 1182: ...ast routing protocol that runs on the LAN The designated router is responsible for sending IGMP host query messages to all hosts on the LAN In sparse mode the designated router also sends PIM register and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the n...

Page 1183: ...e no more directly connected group members on a LAN Decreasing the value enables the switch to prune groups faster Beginning in privileged EXEC mode follow these steps to change the maximum query response time This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface ...

Page 1184: ... Beginning in privileged EXEC mode follow these steps to configure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration command Configuring Optional Multicast Routing Features These sections describe how to configure op...

Page 1185: ...tion mode Step 2 interface interface id Specify the interface that is connected to the Layer 2 Catalyst switch and enter interface configuration mode Step 3 ip cgmp proxy Enable CGMP on the interface By default CGMP is disabled on all interfaces Enabling CGMP triggers a CGMP join message Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches Optional When you enter the proxy...

Page 1186: ...ssion is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in the SDR Session Announcement window Enabling sdr Listener Support By default the switch does not listen to session directory advertisements Beginning in privileged EXEC mode follow these steps to enable the swit...

Page 1187: ... Multicast boundaries and TTL thresholds control the scoping of multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 45 7 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239 0 0 0 ...

Page 1188: ...al 45154 Company XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched...

Page 1189: ...ally discover DVMRP multicast routers on attached networks by listening to DVMR probe messages When a DVMRP neighbor has been discovered the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain By default directly connected subnets and networks are advertised The device forwards multicast packets that have been forwarded by DVMRP routers a...

Page 1190: ... which the packet is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything Step 3 interface interface id Specify the interface connected to the MBONE and enabled for multicast routing a...

Page 1191: ...0 136 0 0 0 0 255 255 Switch config access list 1 deny 0 0 0 0 255 255 255 255 Switch config access list 2 permit 0 0 0 0 255 255 255 255 Configuring a DVMRP Tunnel The software supports DVMRP tunnels to the MBONE You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP The software then sends and receives multicast packets through the tunnel This strateg...

Page 1192: ... tunnel destination ip address Specify the destination address of the tunnel interface Enter the IP address of the mrouted router Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP Step 7 ip address address mask or ip unnumbered type number Assign an IP address to the interface or Configure the interface as unnumbered Step 8 ip pim dense mode sparse mode Configure th...

Page 1193: ... config if interface gigabitethernet1 0 1 Switch config if ip address 172 16 2 1 255 255 255 0 Switch config if ip pim dense mode Switch config exit Switch config access list 1 permit 198 92 37 0 0 0 0 255 Advertising Network 0 0 0 0 to DVMRP Neighbors If your switch is a neighbor of an mrouted Version 3 6 device you can configure the software to advertise network 0 0 0 0 the default route to the ...

Page 1194: ...4 34 mm1 45c cisco com 1 0 pim 171 69 214 137 0 0 0 0 1 0 pim querier down leaf 171 69 214 203 0 0 0 0 1 0 pim querier down leaf 171 69 214 18 171 69 214 20 mm1 45e cisco com 1 0 pim 171 69 214 18 171 69 214 19 mm1 45c cisco com 1 0 pim 171 69 214 18 171 69 214 17 mm1 45a cisco com 1 0 pim Configuring Advanced DVMRP Interoperability Features Cisco routers and multilayer switches run PIM to forward...

Page 1195: ...nning these routes might be preferred over routes in the unicast routing table enabling PIM to run on the MBONE topology when it is different from the unicast topology DVMRP unicast routing can run on all interfaces For DVMRP tunnels it uses DVMRP multicast routing This feature does not enable DVMRP multicast routing among Cisco routers and multilayer switches However if there is a DVMRP capable m...

Page 1196: ...RP Neighbor You can prevent the switch from peering communicating with a DVMRP neighbor if that neighbor does not support DVMRP pruning or grafting To do so configure the switch which is a neighbor to the leaf nonpruning DVMRP machine with the ip dvmrp reject non pruners interface configuration command on the interface connected to the nonpruning machine as shown in Figure 45 9 In this case when t...

Page 1197: ...his procedure is optional To disable this function use the no ip dvmrp reject non pruners interface configuration command 101245 Router A Router B RP Multicast traffic gets to receiver not to leaf DVMRP device Source router or RP Leaf nonpruning DVMRP device Configure the ip dvmrp reject non pruners command on this interface Receiver Layer 3 switch Command Purpose Step 1 configure terminal Enter g...

Page 1198: ...ivileged EXEC mode follow these steps to change the DVMRP route limit This procedure is optional To configure no route limit use the no ip dvmrp route limit global configuration command Changing the DVMRP Route Threshold By default 10 000 DVMRP routes can be received per interface within a 1 minute interval When that rate is exceeded a syslog message is issued warning that there might be a route s...

Page 1199: ... Because the DVMRP tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets classful summarization of these routes was not performed As a result the DVMRP router is able to poison reverse only these two routes to the directly connected subnets and is able to only RPF properly for multicast traffic sent by sources on the...

Page 1200: ...02 13 3 0 24 m 40 176 32 10 0 24 m 1 176 32 15 0 24 m 1 DVMRP router Cisco router Tunnel Gigabit Ethernet 1 0 1 176 32 10 0 24 Gigabit Ethernet 1 0 2 176 32 15 0 24 DVMRP Report 159888 DVMRP Route Table Unicast Routing Table 10 000 Routes interface tunnel 0 ip unnumbered gigabitethernet1 0 1 interface gigabitethernet1 0 1 ip addr 176 32 10 1 255 255 255 0 ip pim dense mode interface gigabitetherne...

Page 1201: ...iguration command Adding a Metric Offset to the DVMRP Route By default the switch increments by one the metric hop count of a DVMRP route advertised in incoming DVMRP reports You can change the metric if you want to favor or not favor a certain route For example a route is learned by multilayer switch A and the same route is learned by multilayer switch B with a higher metric If you want to use th...

Page 1202: ...et in out increment Change the metric added to DVMRP routes advertised in incoming reports The keywords have these meanings Optional in Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies Optional out Specifies that the increment value is added to outgoing DVMRP reports for routes from the DVMRP routing table If neither in nor out is specified in...

Page 1203: ...2 cache or an sdr cache entry Table 45 5 Commands for Clearing Caches Tables and Databases continued Command Purpose Table 45 6 Commands for Displaying System and Network Statistics Command Purpose ping group name group address Send an ICMP Echo Request to a multicast group address show ip dvmrp route ip address Display the entries in the DVMRP routing table show ip igmp groups group name group ad...

Page 1204: ...s doing Reverse Path Forwarding that is from the unicast routing table DVMRP routing table or static mroutes show ip sdr group session name detail Display the Session Directory Protocol Version 2 cache Table 45 6 Commands for Displaying System and Network Statistics continued Command Purpose Table 45 7 Commands for Monitoring IP Multicast Routing Command Purpose mrinfo hostname address source addr...

Page 1205: ...tions Understanding MSDP page 46 1 Configuring MSDP page 46 4 Monitoring and Maintaining MSDP page 46 19 Note Understanding MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses its own RPs and does not depend on RPs in other domains An RP runs MSDP over the Transmission Control Protocol TCP to discover multicast source...

Page 1206: ... as the RP address if configured Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which peer is the next hop toward the originating RP of the SA message Such a peer is called an RPF peer reverse path forwarding peer The MSDP device forwards the message to all...

Page 1207: ...the shared tree never need to leave your domain PIM sparse mode domains can rely only on their own RPs decreasing reliance on RPs in another domain This increases security because you can prevent your sources from being known outside your domain Domains with only receivers can receive data without globally advertising group membership Global source multicast routing table state is not required sav...

Page 1208: ...nfigured MSDP peer Configure a default MSDP peer when the switch is not BGP or MBGP peering with an MSDP peer If a single MSDP peer is configured the switch always accepts all SA messages from that peer Figure 46 2 shows a network in which default MSDP peers might be used In Figure 46 2 a customer who owns Switch B is connected to the Internet through two Internet service providers ISPs one owning...

Page 1209: ...SDP SA messages For ip address name enter the IP address or Domain Name System DNS server name of the MSDP default peer Optional For prefix list list enter the list name that specifies the peer to be the default peer only for the listed prefixes You can have multiple active default peers when you have a prefix list associated with each When you enter multiple ip msdp default peer commands with the...

Page 1210: ...roup soon after a SA message is received by the local RP that member needs to wait until the next SA message to hear about the source This delay is known as join latency If you want to sacrifice some memory in exchange for reducing the latency of the source information you can configure the switch to cache SA messages Step 3 ip prefix list name description string seq number permit deny network len...

Page 1211: ...list are cached For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repeating the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the condition...

Page 1212: ...eive multicast traffic This procedure is optional To return to the default setting use the no ip msdp sa request ip address name global configuration command This example shows how to configure the switch to send SA request messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast sou...

Page 1213: ...ap Configure which S G entries from the multicast routing table are advertised in SA messages By default only sources within the local domain are advertised Optional For list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised ...

Page 1214: ...ing the command as many times as necessary or Create an IP extended access list repeating the command as many times as necessary For access list number the range is 1 to 99 for standard access lists and 100 to 199 for extended lists Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched Fo...

Page 1215: ...all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that pass the standard access list The access list describes a multicast group address The range for the access list number is 1 to 99 Step 3 access list access list number deny permit source source wildcard Create an IP standard access list repeating the command as many times...

Page 1216: ...nning in privileged EXEC mode follow these steps to apply a filter This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp sa filter out ip address name or ip msdp sa filter out ip address name list access list number or ip msdp sa filter out ip address name route map map tag Filter all SA messages to the specified MSDP peer or To the spe...

Page 1217: ...leged EXEC mode follow these steps to establish a TTL threshold This procedure is optional Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the cond...

Page 1218: ...ip address name ttl Limit which multicast data is encapsulated in the first SA message to the specified MSDP peer For ip address name enter the IP address or name of the MSDP peer to which the TTL limitation applies For ttl enter the TTL value The default is 0 which means all multicast data packets are forwarded to the peer until the TTL is exhausted The range is 0 to 255 Step 3 end Return to priv...

Page 1219: ... 100 to 199 If both the list and the route map keywords are used all conditions must be true to pass any S G pair in incoming SA messages or From the specified MSDP peer pass only those SA messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list...

Page 1220: ...oss a domain You can configure multiple mesh groups with different names in a single switch Beginning in privileged EXEC mode follow these steps to create a mesh group This procedure is optional To remove an MSDP peer from a mesh group use the no ip msdp mesh group name ip address name global configuration command Step 4 end Return to privileged EXEC mode Step 5 show running config Verify your ent...

Page 1221: ...main to proxy register sources in the dense mode domain to the RP of the sparse mode domain and have the sparse mode domain use standard MSDP procedures to advertise these sources Beginning in privileged EXEC mode follow these steps to configure the border router to send SA messages for sources active in the dense mode region to the MSDP peers This procedure is optional Command Purpose Step 1 conf...

Page 1222: ...P it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA message This procedure is optional If both the ip msdp border sa address and ...

Page 1223: ...e number of sources and groups originated in SA messages from each autonomous system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP p...

Page 1224: ...46 20 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 46 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 1225: ...ning Fallback Bridging page 47 11 Understanding Fallback Bridging These sections describe how fallback bridging works Fallback Bridging Overview page 47 1 Fallback Bridging and Switch Stacks page 47 3 Fallback Bridging Overview With fallback bridging the switch bridges together two or more VLANs or routed ports essentially connecting multiple VLANs within one bridge domain Fallback bridging forwar...

Page 1226: ... packet destination address is in the bridge table the packet is forwarded on a single interface in the bridge group If the packet destination address is not in the bridge table the packet is flooded on all forwarding interfaces in the bridge group A source MAC address is learned on a bridge group only when the address is learned on a VLAN the reverse is not true Any address that is learned on a s...

Page 1227: ...elearned in the bridge group Note If a stack master running the IP services feature set fails and if the newly elected stack master is running the IP base feature set the switch stack loses its fallback bridging capability If stacks merge or if a switch is added to the stack any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP When a stack member fail...

Page 1228: ...g a Bridge Group To configure fallback bridging for a set of SVIs or routed ports these interfaces must be assigned to bridge groups All interfaces in the same group belong to the same bridge domain Each SVI or routed port can be assigned to only one bridge group Note The protected port feature is not compatible with fallback bridging When fallback bridging is enabled it is possible for packets to...

Page 1229: ...ion mode Step 2 bridge bridge group protocol vlan bridge Assign a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 32 bridge groups Frames are bridged only among interfaces in the same group Step 3 interface interfac...

Page 1230: ...l Adjusting BPDU Intervals page 47 8 optional Disabling the Spanning Tree on an Interface page 47 10 optional Note Only network administrators with a good understanding of how switches and STP function should make adjustments to spanning tree parameters Poorly planned adjustments can have a negative impact on performance A good source on switching is the IEEE 802 1D specification For more informat...

Page 1231: ...e the no bridge group bridge group priority interface configuration command This example shows how to change the priority to 20 on a port in bridge group 10 Switch config interface gigabitethernet2 0 1 Switch config if bridge group 10 priority 20 Step 4 show running config Verify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Command Purpose...

Page 1232: ...l Changing the Forward Delay Interval page 47 9 optional Changing the Maximum Idle Interval page 47 10 optional Note Each switch in a spanning tree adopts the interval between hello BPDUs the forward delay interval and the maximum idle interval parameters of the root switch regardless of what its individual configuration might be Command Purpose Step 1 configure terminal Enter global configuration...

Page 1233: ... no bridge bridge group forward time global configuration command This example shows how to change the forward delay interval to 10 seconds in bridge group 10 Switch config bridge 10 forward time 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group hello time seconds Specify the interval between hello BPDUs For bridge group specify the bridge grou...

Page 1234: ...m traveling across the WAN link Beginning in privileged EXEC mode follow these steps to disable spanning tree on a port This procedure is optional To re enable spanning tree on the port use the no bridge group bridge group spanning disabled interface configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 bridge bridge group max age seconds Specify th...

Page 1235: ...a stack member start a session from the stack master to the stack member by using the session stack member number global configuration command Enter the show bridge bridge group interface id mac address verbose privileged EXEC command at the stack member prompt For information about the fields in these displays see the Cisco IOS Bridging and IBM Networking Command Reference Volume 1 of 2 Release 1...

Page 1236: ...47 12 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Chapter 47 Configuring Fallback Bridging Monitoring and Maintaining Fallback Bridging ...

Page 1237: ...s used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 This chapter consists of these sections Recovering from a Software Failure page 48 2 Recovering from a Lost or Forgotten Password page 48 3 Preventing Switch Stack Problems page 48 8 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation ...

Page 1238: ...es on dell com or Cisco com see the release notes Step 2 Extract the bin file from the tar file If you are using Windows use a zip program that can read a tar file Use the zip program to navigate to and extract the bin file If you are using UNIX follow these steps 1 Display the contents of the tar file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar 2 Locate ...

Page 1239: ...t ip_addr ip_address mask b Specify the default router switch set default_router ip_address Step 10 Copy the software image from the TFTP server to the switch switch copy tftp ip_address filesystem source file url flash image_filename bin Step 11 Boot up the newly downloaded Cisco IOS image switch boot flash image_filename bin Step 12 Use the archive download sw privileged EXEC command to download...

Page 1240: ...off the switch by using one of these methods Power off the standalone switch or the entire switch stack by using the CMC GUI Remove the switch or stack members from the enclosure On a nonstacking capable switch power off the switch by using the CMC GUI or remove the switch from the enclosure Step 4 Power on the switch by using one of these methods If you powered off the switch by using the CMC GUI...

Page 1241: ... set the console port speed to anything other than 9600 it has been reset to that particular speed Change the emulation software line speed to match that of the switch console port Step 3 Load any helper files switch load_helper Step 4 Display the contents of flash memory switch dir flash The switch file system appears Directory of flash 2 rwx 5752 Mar 1 1993 00 06 02 00 00 config text 3 rwx 24 Ma...

Page 1242: ...oaded and you can change the password Step 10 Enter global configuration mode Switch configure terminal Step 11 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 12 Return to privileged EXEC mode Switch config exit Switch Step 13 Write t...

Page 1243: ...n no the normal bootup process continues as if the Mode button had not been pressed you cannot access the boot loader prompt and you cannot enter a new password You see the message Press Enter to continue If you enter y yes the configuration file in flash memory and the VLAN database file are deleted When the default configuration loads you can reset the password Step 1 Elect to continue with pass...

Page 1244: ...th the switch in interface configuration mode enter the no shutdown command Step 10 You must now reconfigure the switch If the system administrator has the backup switch and VLAN configuration files available you should use those Step 11 Reload the switch Switch reload Preventing Switch Stack Problems Note Make sure that the switches that you add to or remove from the switch stack are powered off ...

Page 1245: ...lus ports 3 Power on the switches For the commands that you can use to monitor the switch stack and its members see the Displaying Switch Stack Information section on page 7 27 Preventing Autonegotiation Mismatches The IEEE 802 3ab autonegotiation protocol manages the switch settings for speed 10 Mb s 100 Mb s and 1000 Mb s excluding SFP module ports and duplex half or full There are situations wh...

Page 1246: ...e is identified as a Cisco SFP module but the system is unable to read vendor data information to verify its accuracy an SFP module error message is generated In this case you should remove and re insert the SFP module If it continues to fail the SFP module might be defective Monitoring SFP Module Status You can check the physical or operational status of an SFP module by using the show interfaces...

Page 1247: ...e host or network a network or host unreachable message is returned Executing Ping If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or have IP routing configured to route between those subnets For more information see Chapter 39 Configuring IP Unicast Routing IP routing is disabled by default on all switches If you need to enable or configure...

Page 1248: ... the switch continues to send Layer 2 trace queries and lets them time out The switch can only identify the path from the source device to the destination device It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host Usage Guidelines These are the Layer 2 traceroute usage guidelines Cisco Discovery Protocol CDP m...

Page 1249: ...he Layer 2 path when the specified source and destination IP addresses belong to the same subnet When you specify the IP addresses the switch uses the Address Resolution Protocol ARP to associate the IP addresses with the corresponding MAC addresses and the VLAN IDs If an ARP entry exists for the specified IP address the switch uses the associated MAC address and identifies the physical path If an...

Page 1250: ...rst hop by examining the source address field of the ICMP time to live exceeded message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagram to the next router The second router sees a TTL value of 1 discards the datagram and returns the time to live exceeded message to the source This process continues u...

Page 1251: ...ve cabling problems When running TDR a local device sends a signal through a cable and compares the reflected signal to the initial signal TDR is supported only on 10 100 1000 copper Ethernet ports It is not supported on 10 Gigabit Ethernet ports and on SFP module ports TDR can detect these cabling problems Open broken or cut twisted pair wires The wires are not connected to the wires from the rem...

Page 1252: ...a stack member To run TDR enter the test cable diagnostics tdr interface interface id privileged EXEC command To display the results enter the show cable diagnostics tdr interface interface id privileged EXEC command For a description of the fields in the display see the command reference for this release Using Debug Commands These sections explains how you use debug commands to diagnose and resol...

Page 1253: ...bled Depending on the feature you are debugging you can use commands such as the TCP IP ping command to generate network traffic To disable debugging of SPAN enter this command in privileged EXEC mode Switch no debug span session Alternately in privileged EXEC mode you can enter the undebug form of the command Switch undebug span session To display the state of each debugging option enter this com...

Page 1254: ...overhead Logging messages to the console produces very high overhead whereas logging messages to a virtual terminal produces less overhead Logging messages to a syslog server produces even less and logging to an internal buffer produces the least overhead of any method When stack members generate a system error message the stack master displays the error message to all stack members The syslog res...

Page 1255: ... example of the output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses The packet should be flooded to all other ports in VLAN 5 Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 2 2 2 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup ...

Page 1256: ...s unknown Because there is no default route set the packet should be dropped Switch show platform forward gigabitethernet1 0 1 vlan 5 1 1 1 03 e319 ee44 ip 13 1 1 1 13 2 2 2 udp 10 20 Global Port Number 24 Asic Number 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_0D020202_0D010101 00_41000014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_000014...

Page 1257: ...ce number Each new crashinfo file that is created uses a sequence number that is larger than any previously existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the fi...

Page 1258: ...licy routing The output from the show platform tcam errors privileged EXEC command provides information about the TCAM memory consistency integrity on the switch Beginning in privileged EXEC mode use the show platform tcam errors command to display the TCAM memory consistency check errors detected on the switch This example shows the output of the show platform tcam errors command DomainMember sho...

Page 1259: ...of the hardware related system messages generated by a standalone switch or a stack member Temperature Temperature of a standalone switch or a stack member Uptime data Time when a standalone switch or a stack member starts the reason the switch restarts and the length of time the switch has been running since it last restarted Voltage System voltages of a standalone switch or a stack member You sh...

Page 1260: ...or Displaying OBFL Information Command Purpose show logging onboard module switch number clilog Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members show logging onboard module switch number environment Display the UDI information for a standalone switch or the specified stack members and for all the connected FRU devices the PID the VID and the se...

Page 1261: ...ment requests ICMP ping SNMP timeouts slow Telnet or SSH sessions UDLD flapping IP SLAs failures because of SLAs responses beyond an acceptable threshold DHCP or IEEE 802 1x failures if the switch does not forward or respond to requests Layer 3 switches Dropped packets or increased latency for packets routed in software BGP or OSPF routing topology changes HSRP flapping Verifying the Problem and C...

Page 1262: ...roblems see the Troubleshooting High CPU Utilization document on Cisco com Table 48 5 Troubleshooting CPU Utilization Problems Type of Problem Cause Corrective Action Interrupt percentage value is almost as high as total CPU utilization value The CPU is receiving too many packets from the network Determine the source of the network packet Stop the flow or change the switch configuration See the se...

Page 1263: ...ng Online Diagnostics With online diagnostics you can test and verify the hardware functionality of the switch while the switch is connected to a live network The online diagnostics contain packet switching tests that check different hardware components and verify the data path and the control signals The online diagnostics detect problems in these areas Hardware components Interfaces Ethernet por...

Page 1264: ...sting for a specific day and time on a standalone switch Switch config diagnostic schedule test TestPortAsicCam on december 3 2006 22 25 Command Purpose diagnostic schedule switch number test name test id test id range all basic non disruptive daily hh mm on mm dd yyyy hh mm weekly day of week hh mm Schedule on demand diagnostic tests for a specific day and time The switch number keyword is suppor...

Page 1265: ...gure and enable the health monitoring diagnostic tests Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 diagnostic monitor interval switch number test name test id test id range all hh mm ss milliseconds day Configure the health monitoring interval of the specified tests The switch number keyword is supported only on stacking capable switches The range is from 1 to ...

Page 1266: ...mber of the test that appears in the show diagnostic content command output test id range ID numbers of the tests that appear in the show diagnostic content command output all All of the diagnostic tests The range for the failure threshold count is 0 to 99 Step 5 diagnostic monitor switch number test name test id test id range all Enable the specified health monitoring tests The switch number keyw...

Page 1267: ...9 5 Displaying Online Diagnostic Tests and Test Results page 49 6 Starting Online Diagnostic Tests After you configure diagnostic tests to run on the switch use the diagnostic start privileged EXEC command to begin diagnostic testing Use this privileged EXEC command to manually start online diagnostic testing After starting the tests you cannot stop the testing process Command Purpose diagnostic s...

Page 1268: ...agnostic command output see the Examples section of the show diagnostic command in the command reference for this release Table 49 1 Commands for Diagnostic Test Configuration and Results Command Purpose show diagnostic content switch number all 1 1 The switch number all parameter is supported only on stacking capable switches Display the online diagnostics configured for a switch show diagnostic ...

Page 1269: ... a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the switch is named flash As viewed from the stack master or any stack member flash refers to the local flash device which is attached to the same switch on which the file system is being viewed In a switch stack each of th...

Page 1270: ...20138 nvram rw nvram network rw tftp opaque rw null opaque rw system opaque ro xmodem opaque ro ymodem To display the available file systems on your switch use the show file systems privileged EXEC command as shown in this example for a stacking capable switch In this example the stack master is stack member 2 therefore flash2 is aliased to flash The file system on stack member 5 is displayed as f...

Page 1271: ...g a new configuration file to flash memory you might want to verify that the file system does not already contain a configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NV...

Page 1272: ...Directory Beginning in privileged EXEC mode follow these steps to change directories and to display the working directory Table A 2 Commands for Displaying Information About Files Command Description dir all filesystem filename Display a list of files on a file system show file systems Display more information about each of the files on a file system show file information file url Display informat...

Page 1273: ...s cannot be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used ...

Page 1274: ...only once at the beginning of this deletion process Use the force and recursive keywords for deleting old software images that were installed by using the archive download sw command but are no longer needed If you omit the filesystem option the switch uses the default device specified by the cd command For file url you specify the path directory and the name of the file to be deleted When you att...

Page 1275: ...rectory filename TFTP syntax tftp location directory filename For flash file url specify the location on the local flash file system in which the new file is created You can also specify an optional list of files or directories within the source directory to add to the new file If none are specified all files and directories at this level are written to the newly created file Step 2 archive table ...

Page 1276: ...l cbs31x0 universal mz 122 40 EX1 html directory cbs31x0 universal mz 122 40 EX1 html const htm 556 bytes cbs31x0 universal mz 122 40 EX1 html xhome htm 9373 bytes cbs31x0 universal mz 122 40 EX1 html menu css 1654 bytes output truncated This example shows how to extract the contents of a file located on the TFTP server at 172 20 10 30 Switch archive xtract tftp 172 20 10 30 saved flash new config...

Page 1277: ...efault Gateway You can copy download configuration files from a TFTP FTP or RCP server to the running configuration or startup configuration of the switch You might want to perform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration simil...

Page 1278: ...ork connection instead of through a direct connection to the console port or Ethernet management port keep in mind that some configuration changes such as changing the switch IP address or disabling ports can cause a loss of connectivity to the switch If no password has been set on the switch we recommend that you set one by using the enable secret secret password global configuration command Note...

Page 1279: ...ation file Step 1 Copy an existing configuration from a switch to a server For more information see the Downloading the Configuration File By Using TFTP section on page A 12 the Downloading a Configuration File By Using FTP section on page A 15 or the Downloading a Configuration File By Using RCP section on page A 18 Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX o...

Page 1280: ...e ping command Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the configuration file you might need to create an empty file on the TFTP server To create an empty ...

Page 1281: ...ng the Configuration File By Using TFTP To upload a configuration file from a switch to a TFTP server for storage follow these steps Step 1 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page A 12 Step 2 Log into the switch through the console port the Ethernet management port or a Telnet session ...

Page 1282: ...sword commands to specify a username and password for all copies Include the username in the copy command if you want to specify only a username for that copy operation If the server has a directory structure the configuration file is written to or copied from the directory associated with the username on the server For example if the configuration file resides in the home directory of a user on t...

Page 1283: ... on the switch Switch copy ftp netadmin1 mypass 172 16 101 101 host1 confg system running config Configure using host1 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host1 confg OK Switch SYS 5 CONFIG Configured from host1 config by ftp from 172 16 101 101 Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to...

Page 1284: ...on file by using FTP This example shows how to copy the running configuration file named switch2 confg to the netadmin1 directory on the remote host with an IP address of 172 16 101 101 Switch copy system running config ftp netadmin1 mypass 172 16 101 101 switch2 confg Write file switch2 confg on host 172 16 101 101 confirm Building configuration OK Connected to 172 16 101 101 Switch Command Purpo...

Page 1285: ...ng a file from one place to another you must have read permission on the source file and write permission on the destination file If the destination file does not exist RCP creates it for you The RCP requires a client to send a remote username with each RCP request to a server When you copy a configuration file from the switch to a server the Cisco IOS software sends the first valid username in th...

Page 1286: ... a Telnet session and you have a valid username this username is used and you do not need to set the RCP username Include the username in the copy command if you want to specify a username for only that copy operation When you upload a file to the RCP server it must be properly configured to accept the RCP write request from the user on the switch For UNIX systems you must add an entry to the rhos...

Page 1287: ...m startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by rcp from 172 16 101 101 Uploading a Configuration File By Using RCP Beginning in...

Page 1288: ...Name of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Clearing the Startup Configur...

Page 1289: ...uld understand these concepts Archiving a Configuration page A 21 Replacing a Configuration page A 22 Rolling Back a Configuration page A 22 Archiving a Configuration The configuration archive provides a mechanism to store organize and manage an archive of configuration files The configure replace privileged EXEC command increases the configuration rollback capability As an alternative you can sav...

Page 1290: ...eplacement file for the configure replace target url command Rolling Back a Configuration You can also use the configure replace command to roll back changes that were made since the previous configuration was saved Instead of basing the rollback operation on a specific set of changes that were applied the configuration rollback capability reverts to a specific configuration based on a saved confi...

Page 1291: ...XEC mode follow these steps to configure the configuration archive Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 archive Enter archive configuration mode Step 3 path url Specify the location and filename prefix for the files in the configuration archive Step 4 maximum number Optional Set the maximum number of archive files of the running configuration to be saved...

Page 1292: ...st of the command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configuration file without prompting you for confirmation time seconds Specify the time in seconds within which you must enter the configure confirm command to confirm repla...

Page 1293: ... For information about upgrading your switch by using a TFTP server or a web browser HTTP see the release notes You can replace the current image with the new one or keep the current image in flash memory after a download You can use the archive download sw allow feature upgrade privileged EXEC command to allow installation of an image with a different feature set for example upgrading from the no...

Page 1294: ... a tar file or list of tar files to be downloaded instead of specifying complete paths with each tar file File Format of Images on a Server or Cisco com Software images on a server or downloaded from Cisco com are in a file format which contains these files An info file which serves as a table of contents for the file One or more subdirectories containing other images and files such as Cisco IOS i...

Page 1295: ... stack members To upgrade a switch with an incompatible software image use the archive copy sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch That switch automatically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using TFTP...

Page 1296: ...ver by using the ping command Ensure that the image to be downloaded is in the correct directory on the TFTP server usually tftpboot on a UNIX workstation For download operations ensure that the permissions on the file are set correctly The permission on the file should be world read Before uploading the image file you might need to create an empty file on the TFTP server To create an empty file e...

Page 1297: ...e option allows installation of a software images with different feature sets Optional The directory option specifies a directory for the images The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For location specify the IP address ...

Page 1298: ...other switch of the same type Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS ima...

Page 1299: ...matically reloads and joins the stack as a fully functioning member These sections contain this configuration information Preparing to Download or Upload an Image File By Using FTP page A 31 Downloading an Image File By Using FTP page A 32 Uploading an Image File By Using FTP page A 34 Preparing to Download or Upload an Image File By Using FTP You can copy images files to or from an FTP server The...

Page 1300: ...new FTP username by using the ip ftp username username global configuration command This new name will be used during all archive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw p...

Page 1301: ... section on page A 31 For location specify the IP address of the FTP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 8 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar imag...

Page 1302: ...the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image nam...

Page 1303: ... the archive download sw and archive upload sw privileged EXEC commands to download and upload software image files For switch stacks the archive download sw and archive upload sw privileged EXEC commands can only be used through the stack master Software images downloaded to the stack master are automatically downloaded to the rest of the stack members To upgrade a switch with an incompatible sof...

Page 1304: ...ion command if the command is entered The remote username associated with the current TTY terminal process For example if the user is connected to the router through Telnet and was authenticated through the username command the switch software sends the Telnet username as the remote username The switch hostname For the RCP copy request to execute successfully an account must be defined on the netw...

Page 1305: ...mpany com Switch1 For more information see the documentation for your RCP server Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image go to Step 6 Command Purpose Step 1 Verify that...

Page 1306: ...ion specify the IP address of the RCP server For directory image name1 tar directory image name2 tar image name3 tar image name4 tar specify the directory optional and the images to download Directory and image names are case sensitive Step 7 archive download sw directory leave old sw reload tftp location directory image name1 tar image name2 tar image name3 tar image name4 tar Download the images...

Page 1307: ...mage If you kept the old software during the download process you specified the leave old sw keyword you can remove it by entering the delete force recursive filesystem file url privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For th...

Page 1308: ...to copy the software image from an existing stack member to the one that has incompatible software That switch automatically reloads and joins the stack as a fully functioning member Note To use the archive copy sw privileged EXEC command you must have downloaded from a TFTP server the images for both the stack member switch being added and the stack master You use the archive download sw privileg...

Page 1309: ...d the updated stack member Note At least one stack member must be running the image that is to be copied to the switch that is running the incompatible software For destination system destination stack member number specify the number of the stack member the destination to which to copy the source running image file If you do not specify this stack member number the default is to copy the running ...

Page 1310: ...sco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Appendix A Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 1311: ...ftware feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination show access lists rate limit destination show accounting show ip accounting checkpoint output packets access ...

Page 1312: ...ve config logging persistent show archive config show archive log ARP Commands Unsupported Global Configuration Commands arp ip address hardware address smds arp ip address hardware address srp a arp ip address hardware address srp b Unsupported Interface Configuration Commands arp probe ip probe proxy Boot Loader Commands Unsupported User EXEC Commands verify Unsupported Global Configuration Comm...

Page 1313: ...policy policy filename group group name expression repository url location Parameters are not supported for this command event manager run policy name paramater1 paramater15 Unsupported Global Configuration Commands no event manager directory user repository url location event manager applet applet name maxrun Unsupported Commands in Applet Configuration Mode no event interface name interface name...

Page 1314: ...upported Global Configuration Commands bridge bridge group acquire bridge bridge group address mac address forward discard interface id bridge bridge group aging time seconds bridge bridge group bitswap_l3_addresses bridge bridge group bridge ip bridge bridge group circuit group circuit group pause milliseconds bridge bridge group circuit group circuit group source based bridge cmf bridge crb brid...

Page 1315: ...t access list number bridge group bridge group output lat service deny group list bridge group bridge group output lat service permit group list bridge group bridge group output lsap list access list number bridge group bridge group output pattern list access list number bridge group bridge group output type list access list number bridge group bridge group sse bridge group bridge group subscriber...

Page 1316: ...dby mac refresh seconds standby use bia IGMP Snooping Commands Unsupported Global Configuration Commands ip igmp snooping tcn Interface Commands Unsupported Privileged EXEC Commands show interfaces interface id vlan vlan id crb fair queue irb mac accounting precedence irb random detect rate limit shape Unsupported Global Configuration Commands interface tunnel Unsupported Interface Configuration C...

Page 1317: ...dware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface type number The show ip mcache command displays entries in the cache for those packets that are sent to the switch CPU Because most multicast packets are switched in hardware without CPU involvement you can use this command but m...

Page 1318: ...sion active passive ip igmp helper address ip address ip multicast helper map group address broadcast broadcast address multicast address extended access list number ip multicast rate limit in out video whiteboard group list access list source list access list kbps ip multicast ttl threshold ttl value instead use the ip multicast boundary access list number interface configuration command ip multi...

Page 1319: ...point output packets access violations show ip bgp dampened paths show ip bgp inconsistent as show ip bgp regexp regular expression show ip prefix list regular expression Unsupported Global Configuration Commands ip accounting precedence input output ip accounting list ip address wildcard ip accounting transits count ip cef accounting per prefix non recursive ip cef traffic statistics load interva...

Page 1320: ... vpnv4 default information originate neighbor advertise map neighbor allowas in neighbor default originate neighbor description network backdoor table map Unsupported VPN Configuration Commands All Unsupported Route Map Commands match route type for policy based routing PBR set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default...

Page 1321: ... aging time show mac address table count show mac address table dynamic show mac address table interface show mac address table multicast show mac address table notification show mac address table static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsuppo...

Page 1322: ...unnel global drop threshold service compress config stack mac persistent timer only on stacking capable switches track object number rtr MSDP Unsupported Privileged EXEC Commands show access expression show exception show location show pm LINE show smf interface id show subscriber policy policy number show template template name Unsupported Global Configuration Commands ip msdp default peer ip add...

Page 1323: ...tistics show ip nat translations QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Commands priority group rate limit Unsupported Policy Map Configuration Command class class default where class default is the class map name RADIUS Unsupported Global Configuration Commands aaa nas port extended aaa authentication feature default enable aaa authenticatio...

Page 1324: ... informs snmp server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning tree pathcost method long short Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show vlan ifindex vlan database Unsupported...

Page 1325: ...re Configuration Guide OL 13270 06 Appendix B Unsupported Commands in Cisco IOS Release 12 2 58 SE VTP VTP Unsupported Privileged EXEC Command vtp password password pruning version number Note This command has been replaced by the vtp global configuration command ...

Page 1326: ...B 16 Cisco Catalyst Blade Switch 3130 and 3032 for Dell Software Configuration Guide OL 13270 06 Appendix B Unsupported Commands in Cisco IOS Release 12 2 58 SE VTP ...

Page 1327: ...tack members 7 26 access lists See ACLs access ports and Layer 2 protocol tunneling 17 11 defined 11 3 access template 8 1 accounting with 802 1x 9 50 with IEEE 802 1x 9 15 with RADIUS 6 35 with TACACS 6 11 6 17 ACEs and QoS 37 8 defined 35 2 Ethernet 35 2 IP 35 2 ACLs ACEs 35 2 any keyword 35 13 applying on bridged packets 35 40 on multicast packets 35 41 on routed packets 35 41 on switched packe...

Page 1328: ... 9 named IPv4 35 15 IPv6 36 2 names 36 4 number per QoS class map 37 38 port 35 2 36 1 precedence of 35 3 QoS 37 8 37 49 resequencing entries 35 15 router 35 2 36 1 router ACLs and VLAN map configuration guidelines 35 39 standard IP configuring for QoS classification 37 49 37 51 standard IPv4 creating 35 10 matching criteria 35 8 support for 1 10 support in hardware 35 22 time ranges 35 17 types s...

Page 1329: ...ication engines redirecting traffic to 44 1 area border routers See ABRs area routing IS IS 39 69 ISO IGRP 39 69 ARP configuring 39 10 defined 1 6 5 24 39 10 encapsulation 39 11 static cache configuration 39 10 table address resolution 5 24 managing 5 24 ASBRs 39 27 AS path filters BGP 39 59 asymmetrical links and IEEE 802 1Q tunneling 17 4 attributes RADIUS vendor proprietary 6 38 vendor specific...

Page 1330: ...e voice VLAN availability features 1 8 B BackboneFast described 20 7 disabling 20 17 enabling 20 16 support for 1 8 backup interfaces See Flex Links backup links 21 2 banners configuring login 5 13 message of the day login 5 12 default configuration 5 11 when displayed 5 11 BGP aggregate addresses 39 65 aggregate routes configuring 39 65 CIDR 39 65 clear commands 39 68 community filtering 39 61 co...

Page 1331: ...ee BPDU broadcast flooding 39 17 broadcast packets directed 39 14 flooded 39 14 broadcast storm control command 26 4 broadcast storms 26 2 39 14 C cables monitoring for unidirectional links 29 1 Catalyst 6000 switches authentication compatibility 9 9 CA trustpoint configuring 6 53 defined 6 50 CDP and trusted boundary 37 45 configuring 27 2 default configuration 27 2 defined with LLDP 28 1 describ...

Page 1332: ...7 54 described 37 8 displaying 37 93 class of service See CoS clearing interfaces 11 30 CLI abbreviating commands 2 3 command modes 2 1 configuration logging 2 5 described 1 6 editing features enabling and disabling 2 6 keystroke editing 2 7 wrapped lines 2 8 error messages 2 4 filtering command output 2 9 getting help 2 3 history changing the buffer size 2 5 described 2 5 disabling 2 6 recalling ...

Page 1333: ...y disable considerations 6 5 replacing and rolling back guidelines for A 22 replacing a running configuration A 21 A 22 rolling back a running configuration A 21 A 22 specifying the filename 3 20 system contact and location information 33 16 types and location A 11 uploading preparing A 12 A 14 A 18 reasons for A 9 using FTP A 16 using RCP A 19 using TFTP A 13 configuration guidelines multi VRF CE...

Page 1334: ...See downloadable ACL daylight saving time 5 7 dCEF in the switch stack 39 95 debugging enabling all system diagnostics 48 17 enabling for a specific feature 48 17 redirecting error message output 48 17 using commands 48 16 default commands 2 4 default configuration 802 1x 9 34 auto QoS 37 22 banners 5 11 BGP 39 49 booting 3 19 CDP 27 2 DHCP 22 8 DHCP option 82 22 8 DHCP snooping 22 8 DHCP snooping...

Page 1335: ...eleting VLANs 13 9 denial of service attack 26 2 description command 11 24 designing your network examples 1 20 desktop template 7 12 destination addresses in IPv4 ACLs 35 12 in IPv6 ACLs 36 5 36 6 destination IP address based forwarding EtherChannel 38 8 destination MAC address forwarding EtherChannel 38 8 detecting indirect link failures STP 20 8 device discovery protocol 27 1 28 1 device manage...

Page 1336: ...ace 22 2 untrusted interface 22 2 untrusted messages 22 2 DHCP snooping binding database adding bindings 22 15 binding entries displaying 22 16 binding file format 22 7 location 22 6 bindings 22 6 clearing agent statistics 22 15 configuration guidelines 22 10 configuring 22 15 default configuration 22 8 22 9 deleting binding file 22 15 bindings 22 16 database agent 22 15 described 22 6 displaying ...

Page 1337: ...A 37 using TFTP A 28 using the device manager or Network Assistant A 25 drop threshold for Layer 2 protocol packets 17 11 DRP configuring 40 14 described 40 5 IPv6 40 5 DSCP 1 13 37 2 DSCP input queue threshold map for QoS 37 17 DSCP output queue threshold map for QoS 37 20 DSCP to CoS map for QoS 37 78 DSCP to DSCP mutation map for QoS 37 79 DSCP transparency 37 46 DTP 1 9 13 16 dual action detec...

Page 1338: ...23 13 rate limit for incoming ARP packets 23 4 23 10 default configuration 23 5 denial of service attacks preventing 23 10 described 23 1 DHCP snooping binding database 23 2 displaying ARP ACLs 23 14 configuration and operating state 23 14 log buffer 23 15 statistics 23 15 trust state and rate limit 23 14 error disabled state for exceeding rate limit 23 4 function of 23 2 interface trust states 23...

Page 1339: ...tion for passwords 6 3 Enhanced IGRP See EIGRP enhanced object tracking defined 43 1 HSRP 43 7 IP routing state 43 2 IP SLAs 43 9 line protocol state 43 2 tracked lists 43 3 environmental variables embedded event manager 34 5 environment variables function of 3 23 equal cost routing 1 14 39 97 error disabled state BPDU 20 3 error messages during command entry 2 4 EtherChannel automatic creation of...

Page 1340: ... 14 and routing 11 16 and TFTP 11 18 configuring 11 18 default setting 11 16 described 11 13 IP address 11 14 Layer 3 routing guidelines 11 17 unsupported features 11 17 Ethernet VLANs adding 13 8 defaults and ranges 13 8 modifying 13 8 EUI 40 4 event detectors embedded event manager 34 3 events RMON 31 4 examples network configuration 1 20 expedite queue for QoS 37 92 Express Setup 1 3 See also g...

Page 1341: ...tion Protocol 20 6 features incompatible 26 12 FIB 39 95 fiber optic detecting unidirectional links 29 1 files basic crashinfo description 48 21 location 48 21 copying A 5 crashinfo description 48 21 deleting A 6 displaying the contents of A 8 extended crashinfo description 48 21 location 48 21 tar creating A 7 displaying the contents of A 7 extracting A 8 image file format A 26 file system displa...

Page 1342: ...ports 21 4 get bulk request operation 33 3 get next request operation 33 3 33 4 get request operation 33 3 33 4 get response operation 33 3 global configuration mode 2 2 global leave IGMP 24 13 guest VLAN and IEEE 802 1x 9 21 guide mode 1 3 GUIs See device manager and Network Assistant H hardware limitations and Layer 3 interfaces 11 25 hello time MSTP 19 23 STP 18 22 help for the command line 2 3...

Page 1343: ...1 ICMP ping executing 48 11 overview 48 11 ICMP Router Discovery Protocol See IRDP ICMPv6 40 4 IDS appliances and ingress RSPAN 30 23 and ingress SPAN 30 15 IEEE 802 1D See STP IEEE 802 1p 15 1 IEEE 802 1Q and trunk ports 11 3 configuration limitations 13 17 encapsulation 13 15 native VLAN for untagged traffic 13 22 tunneling compatibility with other features 17 6 defaults 17 4 described 17 1 tunn...

Page 1344: ...g 24 25 default configuration 24 25 described 24 24 monitoring 24 29 support for 1 5 IGMP groups configuring filtering 24 28 setting the maximum number 24 27 IGMP helper 45 6 IGMP Immediate Leave configuration guidelines 24 12 described 24 6 enabling 24 11 IGMP profile applying 24 27 configuration mode 24 25 configuring 24 26 IGMP snooping and address aliasing 24 2 and stack changes 24 7 configuri...

Page 1345: ...al neighbors BGP 39 52 Internet Control Message Protocol See ICMP Internet Group Management Protocol See IGMP Internet Protocol version 6 See IPv6 inter VLAN routing 1 14 39 2 Intrusion Detection System See IDS appliances inventory management TLV 28 3 28 7 IP ACLs for QoS classification 37 8 implicit deny 35 10 35 14 implicit masks 35 10 named 35 15 undefined 35 21 IP addresses 128 bit 40 2 classe...

Page 1346: ...8 enabling sdr listener support 45 50 limiting DVMRP routes advertised 45 62 limiting sdr cache entry lifetime 45 50 SAP packets for conference session announcement 45 50 Session Directory sdr tool described 45 50 monitoring packet rate loss 45 68 peering devices 45 68 tracing a path 45 68 multicast forwarding described 45 8 PIMv1 and PIMv2 interoperability 45 12 protocol interaction 45 2 reverse ...

Page 1347: ...hold monitoring 42 6 track state 43 9 UDP jitter operation 42 8 IP source guard and DHCP snooping 22 16 and EtherChannels 22 19 and IEEE 802 1x 22 19 and port security 22 19 and private VLANs 22 19 and routed ports 22 18 and TCAM entries 22 19 and trunk interfaces 22 19 and VRF 22 19 binding configuration automatic 22 16 manual 22 16 binding table 22 16 configuration guidelines 22 18 default confi...

Page 1348: ...39 9 routed ports 39 5 static routing 39 3 steps to configure 39 5 subnet mask 39 7 subnet zero 39 7 supernet 39 8 UDP 39 16 unicast reverse path forwarding 1 15 with SVIs 39 5 See also BGP See also EIGRP See also OSPF See also RIP IPv4 ACLs applying to interfaces 35 20 extended creating 35 11 named 35 15 standard creating 35 10 IPv6 ACLs displaying 36 9 limitations 36 2 matching criteria 36 3 por...

Page 1349: ... 39 69 OSI standard 39 69 ISO IGRP area routing 39 69 system routing 39 69 isolated port 16 2 isolated VLANs 16 2 16 3 J join messages IGMP 24 3 K KDC described 6 41 See also Kerberos keepalive messages 18 2 Kerberos authenticating to boundary switch 6 43 KDC 6 43 network services 6 44 configuration examples 6 40 configuring 6 44 credentials 6 41 cryptographic software image 6 40 described 6 41 KD...

Page 1350: ...ink Aggregation Control Protocol See EtherChannel Link Failure detecting unidirectional 19 8 Link Layer Discovery Protocol See CDP link local unicast addresses 40 4 link redundancy See Flex Links links unidirectional 29 1 link state advertisements LSAs 39 33 link state protocols 39 3 link state tracking configuring 38 25 described 38 23 LLDP configuring 28 4 characteristics 28 6 default configurat...

Page 1351: ...nfiguring 21 12 default configuration 21 8 description 21 6 monitoring 21 14 MAC address to VLAN mapping 13 26 MAC authentication bypass 9 16 MAC extended access lists applying to Layer 2 interfaces 35 29 configuring for QoS 37 53 creating 35 28 defined 35 28 for QoS classification 37 5 macros See Smartports macros magic packet 9 26 manageability features 1 6 management access in band browser sess...

Page 1352: ...1 14 HSRP 41 12 IEEE 802 1Q tunneling 17 18 IGMP filters 24 29 snooping 24 17 25 12 interfaces 11 29 IP address tables 39 18 multicast routing 45 66 routes 39 111 IP SLAs operations 42 13 IPv4 ACL configuration 35 42 IPv6 40 28 IPv6 ACL configuration 36 9 IS IS 39 79 ISO CLNS 39 79 Layer 2 protocol tunneling 17 18 MAC address table move update 21 14 MSDP peers 46 19 multicast router interfaces 24 ...

Page 1353: ...2 limiting data with TTL 46 13 monitoring 46 19 restricting advertised sources 46 9 support for 1 15 MSTP boundary ports configuration guidelines 19 16 described 19 6 BPDU filtering described 20 3 enabling 20 14 BPDU guard described 20 3 enabling 20 13 CIST described 19 3 CIST regional root 19 3 CIST root 19 5 configuration guidelines 19 16 20 12 configuring forward delay time 19 24 hello time 19 ...

Page 1354: ...ded system ID 19 18 unexpected behavior 19 18 shutdown Port Fast enabled port 20 3 stack changes effects of 19 8 status displaying 19 27 MTU system 11 27 system jumbo 11 27 system routing 11 27 multiauth support for inaccessible authentication bypass 9 24 multiauth mode See multiple authentication mode multicast groups Immediate Leave 24 6 joining 24 3 leaving 24 5 static joins 24 11 25 8 multicas...

Page 1355: ...12 9 53 Layer 2 IEEE 802 1x validation 1 11 9 58 Layer 2 IP validation 1 11 named IPv4 ACLs 35 15 named IPv6 ACLs 36 2 NameSpace Mapper See NSM native VLAN and IEEE 802 1Q tunneling 17 4 configuring 13 22 default 13 22 NEAT configuring 9 59 overview 9 31 neighbor discovery IPv6 40 4 neighbor discovery recovery EIGRP 39 40 neighbors BGP 39 63 Network Admission Control See NAC Network Assistant bene...

Page 1356: ... 48 23 displaying 48 24 object tracking HSRP 43 7 IP SLAs 43 9 IP SLAs configuring 43 9 monitoring 43 10 offline configuration for switch stacks 7 9 off mode VTP 14 3 on board failure logging See OBFL online diagnostics described 49 1 overview 49 1 running tests 49 5 open1x configuring 9 64 open1x authentication overview 9 29 Open Shortest Path First See OSPF optimizing system resources 8 1 option...

Page 1357: ...ds 9 9 per VLAN spanning tree plus See PVST PE to CE routing configuring 39 90 physical ports 11 2 PIM default configuration 45 11 dense mode overview 45 4 rendezvous point RP described 45 5 RPF lookups 45 9 displaying neighbors 45 67 enabling a mode 45 14 overview 45 4 router query message interval modifying 45 42 shared tree and source tree overview 45 39 shortest path tree delaying the use of 4...

Page 1358: ...authentication of a client 9 46 periodic re authentication 9 45 quiet period 9 46 RADIUS server 9 43 10 13 RADIUS server parameters on the switch 9 42 10 11 restricted VLAN 9 52 switch to client frame retransmission number 9 47 9 48 switch to client retransmission time 9 46 violation modes 9 38 default configuration 9 34 10 9 described 9 2 device roles 9 3 10 2 displaying statistics 9 66 10 17 dow...

Page 1359: ...escribed 9 16 voice aware 802 1x security configuring 9 41 described 9 31 9 41 voice VLAN described 9 25 PVID 9 25 VVID 9 25 wake on LAN described 9 26 port based authentication methods supported 9 8 port blocking 1 4 26 8 port channel See EtherChannel port description TLV 28 2 Port Fast described 20 2 enabling 20 12 mode spanning tree 13 28 support for 1 8 port membership modes VLAN 13 3 port pri...

Page 1360: ...guration 16 7 end station access to 16 3 IP addressing 16 3 isolated port 16 2 isolated VLANs 16 2 16 3 mapping 16 14 monitoring 16 15 ports community 16 2 configuration guidelines 16 9 configuring host ports 16 12 configuring promiscuous ports 16 13 described 13 4 isolated 16 2 promiscuous 16 2 primary VLANs 16 1 16 3 promiscuous ports 16 2 secondary VLANs 16 2 subdomains 16 1 traffic in 16 5 pri...

Page 1361: ...for non IP traffic 37 5 policy maps described 37 8 trust DSCP described 37 5 trusted CoS described 37 5 trust IP precedence described 37 5 class maps configuring 37 54 displaying 37 93 configuration guidelines auto QoS 37 32 standard QoS 37 38 configuring aggregate policers 37 72 auto QoS 37 21 default port CoS value 37 43 DSCP maps 37 75 DSCP transparency 37 46 DSCP trust states bordering another...

Page 1362: ...dwidth on egress interface 37 92 mapping tables CoS to DSCP 37 75 displaying 37 94 DSCP to CoS 37 78 DSCP to DSCP mutation 37 79 IP precedence to DSCP 37 76 policed DSCP 37 77 types of 37 13 marked down actions 37 62 37 68 marking described 37 4 37 9 overview 37 2 packet modification 37 20 policers configuring 37 62 37 68 37 73 described 37 9 displaying 37 93 number of 37 40 types of 37 10 policie...

Page 1363: ...T rapid PVST described 18 10 IEEE 802 1Q trunking interoperability 18 11 instances supported 18 10 Rapid Spanning Tree Protocol See RSTP RARP 39 10 RCP configuration files downloading A 18 overview A 17 preparing the server A 18 uploading A 19 image files deleting old image A 39 downloading A 37 preparing the server A 36 uploading A 39 reachability tracking IP SLAs IP host 43 9 readiness check por...

Page 1364: ...31 2 1901 SNMPv2C 33 2 1902 to 1907 SNMPv2 33 2 2236 IP multicast and IGMP 24 2 2273 2275 SNMPv3 33 2 RFC 5176 Compliance 6 21 RIP advertisements 39 20 authentication 39 23 configuring 39 22 default configuration 39 21 described 39 20 for IPv6 40 7 hop counts 39 20 split horizon 39 24 summary addresses 39 24 support for 1 14 RMON default configuration 31 3 displaying status 31 6 enabling alarms an...

Page 1365: ... source traffic to specific VLANs 30 21 specifying monitored ports 30 18 with ingress traffic enabled 30 23 source ports 30 6 transmitted traffic 30 6 VLAN based 30 7 RSTP active topology 19 10 BPDU format 19 13 processing 19 13 designated port defined 19 9 designated switch defined 19 9 interoperability with IEEE 802 1D described 19 9 restarting migration process 19 27 topology changes 19 14 over...

Page 1366: ...ification 48 9 status displaying 48 10 shaped round robin See SRR show access lists hw summary command 35 22 show and more command output filtering 2 9 show cdp traffic command 27 5 show configuration command 11 24 show forward command 48 19 show interfaces command 11 21 11 24 show interfaces switchport 21 4 show l2protocol command 17 13 17 15 17 16 show lldp traffic command 28 11 show platform fo...

Page 1367: ...3 9 versions supported 33 2 SNMP and Syslog Over IPv6 40 8 SNMPv1 33 2 SNMPv2C 33 2 SNMPv3 33 2 snooping IGMP 24 2 software compatibility See stacks switch software images location in flash A 26 recovery procedures 48 2 scheduling reloads 3 24 tar file format described A 26 See also downloading and uploading source addresses in IPv4 ACLs 35 12 in IPv6 ACLs 36 5 36 6 source and destination IP addre...

Page 1368: ... HTTP client 6 55 configuring a secure HTTP server 6 54 cryptographic software image 6 50 described 6 50 monitoring 6 56 SSM address management restrictions 45 25 CGMP limitations 45 26 configuration guidelines 45 25 configuring 45 26 differs from Internet standard multicast 45 24 IGMP snooping 45 26 IGMPv3 45 15 45 23 IGMPv3 Host Signalling 45 25 IP address range 45 24 monitoring 45 26 operations...

Page 1369: ...escription of 7 1 displaying information of 7 27 enabling persistent MAC address timer 7 21 hardware compatibility and SDM mismatch mode 7 12 HSRP considerations 41 5 incompatible software and image upgrades 7 16 A 40 IPv6 on 40 10 MAC address considerations 5 15 MAC address of 7 21 management connectivity 7 18 managing 7 1 membership 7 3 merged 7 3 MSTP instances supported 18 10 multicast routing...

Page 1370: ...static access ports assigning to VLAN 13 10 defined 11 3 13 3 static addresses See addresses static IP routing 1 14 static MAC addressing 1 10 static routes configuring 39 97 configuring for IPv6 40 21 understanding 40 7 static routing 39 3 static VLAN membership 13 2 statistics 802 1X 10 17 CDP 27 5 IEEE 802 1x 9 66 interface 11 29 IP multicast routing 45 67 LLDP 28 11 LLDP MED 28 11 NMSP 28 11 O...

Page 1371: ... bridge ID 18 4 IEEE 802 1D and multicast addresses 18 9 IEEE 802 1t and VLAN identifier 18 4 inferior BPDU 18 3 instances supported 18 10 interface state blocking to forwarding 20 2 interface states blocking 18 6 disabled 18 7 forwarding 18 6 18 7 learning 18 7 listening 18 7 overview 18 5 interoperability and compatibility among modes 18 11 keepalive messages 18 2 Layer 2 protocol tunneling 17 8...

Page 1372: ...n 35 39 Switched Port Analyzer See SPAN switched ports 11 2 switchport backup interface 21 4 21 5 switchport block multicast command 26 8 switchport block unicast command 26 8 switchport command 11 19 switchport mode dot1q tunnel command 17 6 switchport protected command 26 7 switch priority MSTP 19 23 STP 18 21 switch software features 1 1 switch virtual interface See SVI synchronization BGP 39 5...

Page 1373: ...e configuration 6 17 identifying the server 6 13 limiting the services to the user 6 16 operation of 6 12 overview 6 10 support for 1 12 tracking services accessed by user 6 17 tagged packets IEEE 802 1Q 17 3 Layer 2 protocol 17 8 tar files creating A 7 displaying the contents of A 7 extracting A 8 image file format A 26 TCL script registering and defining with embedded event manager 34 7 TDR 1 16...

Page 1374: ...rface line protocol state 43 2 tracking IP routing state 43 2 tracking objects 43 1 tracking process 43 1 track state tracking IP SLAs 43 9 traffic blocking flooded 26 8 fragmented 35 6 fragmented IPv6 36 2 unfragmented 35 6 traffic policing 1 13 traffic suppression 26 2 transmit hold count see STP transparent mode VTP 14 3 trap door mechanism 3 2 traps configuring MAC address notification 5 16 5 ...

Page 1375: ...links 29 1 type of service See ToS U UDLD configuration guidelines 29 4 default configuration 29 4 disabling globally 29 5 on fiber optic interfaces 29 5 per interface 29 6 echoing detection mechanism 29 2 enabling globally 29 5 per interface 29 6 Layer 2 protocol tunneling 17 10 link detection mechanism 29 1 neighbor database 29 2 overview 29 1 resetting an interface 29 6 status displaying 29 7 s...

Page 1376: ... 14 5 version mismatch VM mode automatic upgrades with auto upgrade 7 13 described 7 13 displaying 7 13 manual upgrades with auto advise 7 14 upgrades with auto extract 7 13 Virtual Private Network See VPN virtual router 41 1 41 2 virtual switches and PAgP 38 6 vlan dat file 13 5 VLAN 1 disabling on a trunk port 13 20 minimization 13 20 VLAN ACLs See VLAN maps vlan assignment response VMPS 13 26 V...

Page 1377: ... 13 14 extended range 13 1 13 11 features 1 9 illustrated 13 2 internal 13 12 in the switch stack 13 7 limiting source traffic with RSPAN 30 21 limiting source traffic with SPAN 30 16 modifying 13 8 multicast 24 18 native configuring 13 22 normal range 13 1 13 4 number supported 1 9 parameters 13 5 port membership modes 13 3 static access ports 13 10 STP and IEEE 802 1Q trunks 18 11 supported 13 2...

Page 1378: ...ing 39 84 ftp 39 87 HSRP 39 86 ping 39 85 RADIUS 39 88 SNMP 39 85 syslog 39 87 tftp 39 87 traceroute 39 87 VRFs configuring multicast 39 88 VTP adding a client to a domain 14 17 advertisements 13 18 14 4 and extended range VLANs 13 3 14 2 and normal range VLANs 13 2 14 2 client mode configuring 14 13 configuration guidelines 14 9 requirements 14 11 saving 14 9 configuration requirements 14 11 conf...

Page 1379: ...e 44 3 monitoring and maintaining 44 11 negotiation 44 3 packet redirection 44 4 packet return method 44 3 redirecting traffic received from a client 44 7 setting the password 44 7 unsupported WCCPv2 features 44 5 web authentication 9 16 configuring 10 16 described 1 10 web based authentication customizeable web pages 10 6 description 10 1 web based authentication interactions with other features ...

Page 1380: ...Index IN 54 Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide OL 12189 06 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands