Index

IN-17

Cisco IE 3000 Switch Software Configuration Guide

OL-13018-03

IPv6
    addresses  37-2
    address formats  37-2
    applications  37-4
    assigning address  37-6
    autoconfiguration  37-4
    configuring static routes  37-9
    default configuration  37-6
    defined  37-1
    forwarding  37-6
    ICMP  37-3
    monitoring  37-10
    neighbor discovery  37-3
    Stateless Autoconfiguration  37-4
    supported features  37-2
    understanding static routes  37-5

J

join messages, IGMP  25-3

L

LACP
    See EtherChannel
Layer 2 frames, classification with CoS  36-2
Layer 2 interfaces, default configuration  13-10
Layer 2 traceroute
    and ARP  39-11
    and CDP  39-10
    broadcast traffic  39-10
    described  39-10
    IP addresses and subnets  39-11
    MAC addresses and VLANs  39-11
    multicast traffic  39-11
    multiple devices on a port  39-11
    unicast traffic  39-10
    usage guidelines  39-10
Layer 3 interfaces
    assigning IPv6 addresses to  37-7
Layer 3 packets, classification methods  36-2
LDAP  6-2
Leaking IGMP Reports  22-4
LEDs, switch
    See hardware installation guide
lightweight directory access protocol
    See LDAP
line configuration mode  2-3
Link Aggregation Control Protocol
    See EtherChannel
link failure, detecting unidirectional  19-7
link fault alarm  3-3
link integrity, verifying with REP  21-3
Link Layer Discovery Protocol
    See CDP
link local unicast addresses  37-3
link redundancy
    See Flex Links
links, unidirectional  29-1
link-state tracking
    configuring  38-20
    described  38-18
LLDP
    configuring  27-4
    characteristics  27-5
    default configuration  27-4
    enabling  27-5
    monitoring and maintaining  27-10
    overview  27-1
    supported TLVs  27-2
    switch stack considerations  27-2
    transmission timer and holdtime, setting  27-5
LLDP-MED
    configuring
        procedures  27-4
        TLVs  27-6

Cisco IE 3000 Switch Software Configuration Guide, Cisco IOS Release 12.2(50)SE, March 2009. Text Part Number OL-13018-03.
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA. http://www.cisco.com. Tel: 408 526-4000, 800 553-NETS (6387). Fax: 408 527-0883.

Page 2: ...THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco HealthPresence the Cisco logo Cisco Lumin Cisco Nexus Cisco StadiumVision Cisco TelePresence Cisco WebEx DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn and Cisco Store are service marks and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CCNP C...

Page 3: ... and Redundancy Features 1 6 VLAN Features 1 7 Security Features 1 8 QoS and CoS Features 1 9 Monitoring Features 1 10 Default Settings After Initial Switch Configuration 1 11 Network Configuration Examples 1 13 Design Concepts for Using the Switch 1 13 Ethernet to the Factory Architecture 1 14 Enterprise Zone 1 15 Demilitarized Zone 1 15 Manufacturing Zone 1 15 Topology Options 1 17 Where to Go N...

Page 4: ...ms 3 1 Global Status Monitoring Alarms 3 2 FCS Error Hysteresis Threshold 3 2 Port Status Monitoring Alarms 3 2 Triggering Alarm Options 3 3 Configuring IE 3000 Switch Alarms 3 4 Default IE 3000 Switch Alarm Configuration 3 4 Configuring the Power Supply Alarm 3 5 Setting the Power Mode 3 5 Setting the Power Supply Alarm Options 3 5 Configuring the Switch Temperature Alarms 3 6 Setting the Primary...

Page 5: ...ation 4 9 Configuring the DHCP Auto Configuration and Image Update Features 4 11 Configuring DHCP Autoconfiguration Only Configuration File 4 11 Configuring DHCP Auto Image Update Configuration File and Image 4 12 Configuring the Client 4 13 Manually Assigning IP Information 4 14 Checking and Saving the Running Configuration 4 14 Modifying the Startup Configuration 4 15 Default Boot Configuration ...

Page 6: ...atically Managing Power 5 12 Managing Multiple Entities 5 12 Multiple PoE Switch Scenario 5 13 EnergyWise Query 5 13 Using Queries to Manage Power in the Domain 5 14 Examples 5 15 Querying with the Name Attribute 5 15 Querying with Keywords 5 16 Querying to Set Power Levels 5 16 Troubleshooting EnergyWise 5 16 Using CLI Commands 5 17 Verifying the Power Usage 5 17 Additional Information 5 18 Manag...

Page 7: ...uster Command Switch Characteristics 7 3 Candidate Switch and Cluster Member Switch Characteristics 7 3 Planning a Switch Cluster 7 4 Automatic Discovery of Cluster Candidates and Members 7 4 Discovery Through CDP Hops 7 5 Discovery Through Non CDP Capable and Noncluster Capable Devices 7 6 Discovery Through Different VLANs 7 6 Discovery Through Different Management VLANs 7 7 Discovery of Newly In...

Page 8: ...12 Configuring Summer Time Daylight Saving Time 8 13 Configuring a System Name and Prompt 8 14 Default System Name and Prompt Configuration 8 15 Configuring a System Name 8 15 Understanding DNS 8 15 Default DNS Configuration 8 16 Setting Up DNS 8 16 Displaying the DNS Configuration 8 17 Creating a Banner 8 17 Default Banner Configuration 8 17 Configuring a Message of the Day Login Banner 8 18 Conf...

Page 9: ...C Commands 11 2 Default Password and Privilege Level Configuration 11 2 Setting or Changing a Static Enable Password 11 3 Protecting Enable and Enable Secret Passwords with Encryption 11 3 Disabling Password Recovery 11 5 Setting a Telnet Password for a Terminal Line 11 6 Configuring Username and Password Pairs 11 6 Configuring Multiple Privilege Levels 11 7 Setting the Privilege Level for a Comma...

Page 10: ... Load Balancing 11 31 Displaying the RADIUS Configuration 11 32 Configuring the Switch for Local Authentication and Authorization 11 32 Configuring the Switch for Secure Shell 11 33 Understanding SSH 11 33 SSH Servers Integrated Clients and Supported Versions 11 33 Limitations 11 34 Configuring SSH 11 34 Configuration Guidelines 11 34 Setting Up the Switch to Run SSH 11 35 Configuring the SSH Serv...

Page 11: ...nd Redirect URLs 12 15 Cisco Secure ACS and Attribute Value Pairs for the Redirect URL 12 16 Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs 12 16 802 1x Authentication with Guest VLAN 12 17 802 1x Authentication with Restricted VLAN 12 18 802 1x Authentication with Inaccessible Authentication Bypass 12 19 802 1x Authentication with Voice VLAN Ports 12 20 802 1x Authentication wit...

Page 12: ... 12 40 Configuring 802 1x Accounting 12 41 Configuring a Guest VLAN 12 42 Configuring a Restricted VLAN 12 43 Configuring the Inaccessible Authentication Bypass Feature 12 45 Configuring 802 1x Authentication with WoL 12 47 Configuring MAC Authentication Bypass 12 48 Configuring NAC Layer 2 802 1x Validation 12 49 Configuring 802 1x Switch Supplicant with NEAT 12 50 Configuring 802 1x Authenticati...

Page 13: ...figuring Auto MDIX on an Interface 13 16 Adding a Description for an Interface 13 17 Configuring the System MTU 13 17 Monitoring and Maintaining the Interfaces 13 18 Monitoring Interface Status 13 19 Clearing and Resetting Interfaces and Counters 13 19 Shutting Down and Restarting the Interface 13 20 C H A P T E R 14 Configuring Smartports Macros 14 1 Understanding Smartports Macros 14 1 Configuri...

Page 14: ...erface as a Trunk Port 15 16 Interaction with Other Features 15 16 Configuring a Trunk Port 15 17 Defining the Allowed VLANs on a Trunk 15 18 Changing the Pruning Eligible List 15 19 Configuring the Native VLAN for Untagged Traffic 15 19 Configuring Trunk Ports for Load Sharing 15 20 Load Sharing Using STP Port Priorities 15 20 Load Sharing Using STP Path Cost 15 22 Configuring VMPS 15 23 Understa...

Page 15: ...Configuring a VTP Server 16 9 Configuring a VTP Client 16 11 Disabling VTP VTP Transparent Mode 16 12 Enabling VTP Version 2 16 13 Enabling VTP Pruning 16 14 Adding a VTP Client Switch to a VTP Domain 16 14 Monitoring VTP 16 16 C H A P T E R 17 Configuring Voice VLAN 17 1 Understanding Voice VLAN 17 1 Cisco IP Phone Voice Traffic 17 2 Cisco IP Phone Data Traffic 17 2 Configuring Voice VLAN 17 3 De...

Page 16: ...ibility 18 10 STP and IEEE 802 1Q Trunks 18 10 Configuring Spanning Tree Features 18 11 Default Spanning Tree Configuration 18 11 Spanning Tree Configuration Guidelines 18 12 Changing the Spanning Tree Mode 18 13 Disabling Spanning Tree 18 14 Configuring the Root Switch 18 14 Configuring a Secondary Root Switch 18 16 Configuring Port Priority 18 16 Configuring Path Cost 18 18 Configuring the Switc...

Page 17: ... Features 19 13 Default MSTP Configuration 19 14 MSTP Configuration Guidelines 19 14 Specifying the MST Region Configuration and Enabling MSTP 19 15 Configuring the Root Switch 19 17 Configuring a Secondary Root Switch 19 18 Configuring Port Priority 19 19 Configuring Path Cost 19 20 Configuring the Switch Priority 19 21 Configuring the Hello Time 19 22 Configuring the Forwarding Delay Time 19 23 ...

Page 18: ...0 15 Enabling Loop Guard 20 15 Displaying the Spanning Tree Status 20 16 C H A P T E R 21 Configuring Resilient Ethernet Protocol 21 1 Understanding REP 21 1 Link Integrity 21 3 Fast Convergence 21 4 VLAN Load Balancing 21 4 Spanning Tree Interaction 21 6 REP Ports 21 6 Configuring REP 21 6 Default REP Configuration 21 7 REP Configuration Guidelines 21 7 Configuring the REP Administrative VLAN 21 ...

Page 19: ...r 23 2 DHCP Relay Agent 23 2 DHCP Snooping 23 2 Option 82 Data Insertion 23 3 DHCP Snooping Binding Database 23 5 Configuring DHCP Snooping 23 6 Default DHCP Snooping Configuration 23 6 DHCP Snooping Configuration Guidelines 23 7 Configuring the DHCP Relay Agent 23 8 Enabling DHCP Snooping and Option 82 23 9 Enabling the Cisco IOS DHCP Server Database 23 10 Enabling the DHCP Snooping Binding Datab...

Page 20: ... Dynamic ARP Inspection in DHCP Environments 24 7 Configuring ARP ACLs for Non DHCP Environments 24 8 Limiting the Rate of Incoming ARP Packets 24 10 Performing Validation Checks 24 12 Configuring the Log Buffer 24 13 Displaying Dynamic ARP Inspection Information 24 14 C H A P T E R 25 Configuring IGMP Snooping and MVR 25 1 Understanding IGMP Snooping 25 1 IGMP Versions 25 2 Joining a Multicast Gr...

Page 21: ...ing Configuration 25 24 Configuring IGMP Profiles 25 24 Applying IGMP Profiles 25 25 Setting the Maximum Number of IGMP Groups 25 26 Configuring the IGMP Throttling Action 25 27 Displaying IGMP Filtering and Throttling Configuration 25 28 C H A P T E R 26 Configuring Port Based Traffic Control 26 1 Configuring Storm Control 26 1 Understanding Storm Control 26 1 Default Storm Control Configuration ...

Page 22: ...figuration Guidelines 27 5 Enabling LLDP 27 5 Configuring LLDP Characteristics 27 5 Configuring LLDP MED TLVs 27 6 Configuring Network Policy TLV 27 7 Configuring Location TLV and Wired Location Service 27 9 Monitoring and Maintaining LLDP LLDP MED and Wired Location Service 27 10 C H A P T E R 28 Configuring CDP 28 1 Understanding CDP 28 1 Configuring CDP 28 2 Default CDP Configuration 28 2 Confi...

Page 23: ... and RSPAN Configuration 30 9 Configuring Local SPAN 30 9 SPAN Configuration Guidelines 30 10 Creating a Local SPAN Session 30 10 Creating a Local SPAN Session and Configuring Incoming Traffic 30 13 Specifying VLANs to Filter 30 15 Configuring RSPAN 30 16 RSPAN Configuration Guidelines 30 16 Configuring a VLAN as an RSPAN VLAN 30 17 Creating an RSPAN Source Session 30 18 Creating an RSPAN Destinat...

Page 24: ...Sent to the History Table and to SNMP 32 10 Enabling the Configuration Change Logger 32 10 Configuring UNIX Syslog Servers 32 12 Logging Messages to a UNIX Syslog Daemon 32 12 Configuring the UNIX System Logging Facility 32 12 Displaying the Logging Configuration 32 13 C H A P T E R 33 Configuring SNMP 33 1 Understanding SNMP 33 1 SNMP Versions 33 2 SNMP Manager Functions 33 3 SNMP Agent Functions...

Page 25: ...mments in ACLs 34 15 Applying an IPv4 ACL to a Terminal Line 34 16 Applying an IPv4 ACL to an Interface 34 16 Hardware and Software Treatment of IP ACLs 34 17 Troubleshooting ACLs 34 17 IPv4 ACL Configuration Examples 34 18 Numbered ACLs 34 19 Extended ACLs 34 19 Named ACLs 34 19 Time Range Applied to an IP ACL 34 20 Commented IP ACL Entries 34 20 Creating Named MAC Extended ACLs 34 20 Applying a ...

Page 26: ...Configuring Auto QoS 36 19 Generated Auto QoS Configuration 36 19 Effects of Auto QoS on the Configuration 36 24 Auto QoS Configuration Guidelines 36 24 Enabling Auto QoS for VoIP 36 25 Auto QoS Configuration Example 36 26 Displaying Auto QoS Information 36 27 Configuring Standard QoS 36 28 Default Standard QoS Configuration 36 28 Default Ingress Queue Configuration 36 29 Default Egress Queue Conf...

Page 27: ...ng WTD Thresholds 36 57 Allocating Buffer Space Between the Ingress Queues 36 58 Allocating Bandwidth Between the Ingress Queues 36 59 Configuring the Ingress Priority Queue 36 60 Configuring Egress Queue Characteristics 36 61 Configuration Guidelines 36 61 Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue Set 36 61 Mapping DSCP or CoS Values to an Egress Queue and to a Thr...

Page 28: ...Other Features 38 5 Link Aggregation Control Protocol 38 5 LACP Modes 38 6 LACP Interaction with Other Features 38 6 EtherChannel On Mode 38 6 Load Balancing and Forwarding Methods 38 7 Configuring EtherChannels 38 8 Default EtherChannel Configuration 38 9 EtherChannel Configuration Guidelines 38 9 Configuring Layer 2 EtherChannels 38 10 Configuring EtherChannel Load Balancing 38 13 Configuring th...

Page 29: ...g 39 9 Executing Ping 39 9 Using Layer 2 Traceroute 39 10 Understanding Layer 2 Traceroute 39 10 Usage Guidelines 39 10 Displaying the Physical Path 39 11 Using IP Traceroute 39 11 Understanding IP Traceroute 39 11 Executing IP Traceroute 39 12 Using TDR 39 13 Understanding TDR 39 13 Running TDR and Displaying the Results 39 14 Using Debug Commands 39 14 Enabling Debugging on a Specific Feature 39...

Page 30: ...g Configuration Files B 9 Configuration File Types and Location n B 9 Creating a Configuration File By Using a Text Editor B 10 Copying Configuration Files By Using TFTP B 10 Preparing to Download or Upload a Configuration File B y Using TFTP B 10 Downloading the Configuration File By Using TFTP B 11 Uploading the Configuration File By Using TFTP B 11 Copying Configuration Files By Using FTP B 12 ...

Page 31: ...iles By Using RCP B 32 Preparing to Download or Upload an Image File By Using RCP B 33 Downloading an Image File By Using RCP B 34 Uploading an Image File By Using RCP B 36 A P P E N D I X C Unsupported Commands in Cisco IOS Release 12 2 50 SE C 1 Access Control Lists C 1 Unsupported Privileged EXEC Commands C 1 Unsupported Global Configuration Commands C 2 Unsupported Route Map Configuration Comm...

Page 32: ...iguration Commands C 5 Unsupported Policy Map Configuration Command C 5 RADIUS C 5 Unsupported Global Configuration Commands C 5 SNMP C 5 Unsupported Global Configuration Commands C 5 SNMPv3 C 5 Unsupported 3DES Encryption Commands C 5 Spanning Tree C 6 Unsupported Global Configuration Command C 6 Unsupported Interface Configuration Command C 6 VLAN C 6 Unsupported Global Configuration Command C 6...

Page 33: ...S Software This guide does not provide detailed information on the graphical user interfaces GUIs for the embedded device manager or for Cisco Network Assistant hereafter referred to as Network Assistant that you can use to manage the switch However the concepts in this guide are applicable to the GUI user For information about the device manager see the switch online help For information about Ne...

Page 34: ...ries_home html Note Before installing configuring or upgrading the switch see these documents For initial configuration information see the Using Express Setup section in the getting started guide or the Configuring the Switch with the CLI Based Setup Program appendix in the hardware installation guide For device manager requirements see the System Requirements section in the release notes not ord...

Page 35: ... com en US products hw modules ps5455 products_device_support_tables_list html Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix Obtaining Documentation Obtaining Support and Security Guidelines For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new...

Page 36: ...xxxiv Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Preface ...

Page 37: ... the cryptographic supports encryption version of the software You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco com For more information see the release notes for this release Ease of Deployment and Ease of Use Features page 1 2 Performance Features page 1 3 Management Options page 1 4 Manageability Features page 1 5 includes a ...

Page 38: ...g and minimizing switch and switch cluster management from anywhere in your intranet Accomplishing multiple configuration tasks from a single graphical interface without needing to remember command line interface CLI commands to accomplish specific tasks Interactive guide mode that guides you in configuring complex features such as VLANs ACLs and quality of service QoS Configuration wizards that p...

Page 39: ...Link Aggregation Control Protocol LACP for automatic creation of EtherChannel links Forwarding of Layer 2 packets at Gigabit line rate Per port storm control for preventing broadcast multicast and unicast storms Port blocking on forwarding unknown Layer 2 unknown unicast multicast and bridged broadcast traffic Internet Group Management Protocol IGMP snooping for IGMP Versions 1 2 and 3 for efficie...

Page 40: ...o com CLI The Cisco IOS software supports desktop and multilayer switching features You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station For more information about the CLI see Chapter 2 Using the Command Line Interface SNMP SNMP management applications such as CiscoWorks2000 LAN Management Suite ...

Page 41: ...ing between the switch and other Cisco devices on the network Link Layer Discovery Protocol LLDP and LLDP Media Endpoint Discovery LLDP MED for interoperability with third party IP phones LLDP media extensions LLDP MED location TLV that provides location information from the switch to the endpoint device Network Time Protocol NTP for providing a consistent time stamp to all switches from an extern...

Page 42: ...ing MAC address learning on a VLAN DHCP server port based address allocation for the preassignment of an IP address to a switch port Wired location service sends location and attachment tracking information for connected devices to a Cisco Mobility Services Engine MSE CPU utilization threshold trap monitors CPU utilization LLDP MED network policy profile time length value TLV for creating a profil...

Page 43: ...Support for up to 255 VLANs for assigning users to VLANs associated with appropriate network resources traffic patterns and bandwidth Support for VLAN IDs in the 1 to 4094 range as allowed by the IEEE 802 1Q standard VLAN Query Protocol VQP for dynamic VLAN membership IEEE 802 1Q trunking encapsulation on all ports for network moves adds and changes management and control of broadcast and multicas...

Page 44: ...ended IP access control lists ACLs for defining inbound security policies on Layer 2 interfaces port ACLs Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces Source and destination MAC based ACLs for filtering non IP traffic DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers IP source guard to restric...

Page 45: ...uthentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host Multiple user authentication to allow more than one host to authenticate on an 802 1x enabled port TACACS a proprietary feature for managing network security through a TACACS server RADIUS for verifying the identity of granting access to and tracking the actions of remote ...

Page 46: ...de on ingress queues Egress queues and scheduling Four egress queues per port WTD as the congestion avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface shaping or sharing is supported on egress queues Shaped egress queues ar...

Page 47: ...Gateway and Chapter 23 Configuring DHCP Features and IP Source Guard Default domain name is not configured For more information see Chapter 4 Assigning the Switch IP Address and Default Gateway DHCP client is enabled the DHCP server is enabled only if the device acting as a DHCP server is configured and is enabled and the DHCP relay agent is enabled only if the device is acting as a DHCP relay age...

Page 48: ...Tree Features Flex Links are not configured For more information see Chapter 22 Configuring Flex Links and the MAC Address Table Move Update Feature DHCP snooping is disabled The DHCP snooping information option is enabled For more information see Chapter 23 Configuring DHCP Features and IP Source Guard DHCP server port based address allocation is disabled For more information see Chapter 23 Confi...

Page 49: ... page 1 14 Design Concepts for Using the Switch As your network users compete for network bandwidth it takes longer to send and receive data When you configure your network consider the bandwidth required by your network users and the relative priority of the network applications that they use Table 1 1 describes what can cause network performance to degrade and how you can configure your network ...

Page 50: ...ndwidth usage for multimedia applications and guaranteed bandwidth for critical applications Use IGMP snooping to efficiently forward multimedia and multicast traffic Use other QoS mechanisms such as packet classification marking scheduling and congestion avoidance to classify traffic with the appropriate priority level thereby providing maximum flexibility and support for mission critical unicast...

Page 51: ...es The DMZ maintains availability addresses security vulnerabilities and abiding by regulatory compliance mandates The DMZ provides segmentation of organizational control for example between the IT and production organizations Different policies for each organization can be applied and contained For example the production organization might apply security policies to the manufacturing zone that ar...

Page 52: ...e OL 13018 03 Chapter 1 Overview Network Configuration Examples Figure 1 1 Ethernet to the Factory Architecture LAN GE Link for Failover Detection Servers Management tools Servers Catalyst 3750 switch Catalyst 3750 switch stack Catalyst 4500 switch 204322 ...

Page 53: ...ayer 2 hop should be considered For instance there is a higher latency with 100 Mb interfaces than there is with 1 Gigabit interfaces Bandwidth should not consistently exceed 50 percent of the interface capacity on any switch The CPU should not consistently exceed 50 to 70 percent utilization Above this level the switch might not properly process control packets and might behave abnormally These a...

Page 54: ...tch maintains connectivity to the other switches See Figure 1 3 The network can only recover from the loss of a single connection It is more difficult to implement because it requires additional protocol implementation and Rapid Spanning Tree Protocol RSTP Although better than the trunk drop the top of the ring connections to the Layer 3 switches can become a bottleneck and is susceptible to overs...

Page 55: ...connections to a Layer 3 distribution switch Devices are connected to the Layer2 switches See Figure 1 4 Any Layer 2 switch is always only two hops to another Layer 2 switch In the Layer 2 network each switch has dual connections to the Layer 3 devices The Layer 2 network is maintained even if multiple connections are lost 204320 Human Machine Interface HMI IE 3000 Cell Zone Catalyst 3750 Stackwis...

Page 56: ...t Star Topology Where to Go Next Before configuring the switch review these sections for startup information Chapter 2 Using the Command Line Interface Chapter 4 Assigning the Switch IP Address and Default Gateway 204321 Human Machine Interface HMI IE 3000 Cell Zone Catalyst 3750 Stackwise Switch Stack Controllers Drives and Remote I O ...

Page 57: ...mpt to obtain a list of commands available for each command mode When you start a session on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or i...

Page 58: ... a password to protect access to this mode Global configuration While in privileged EXEC mode enter the configure command Switch config To exit to privileged EXEC mode enter exit or end or press Ctrl Z Use this mode to configure parameters that apply to the entire switch Config vlan While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration...

Page 59: ... information about defining interfaces see the Using Interface Configuration Mode section on page 13 4 To configure multiple interfaces with the same parameters see the Configuring a Range of Interfaces section on page 13 6 Line configuration While in global configuration mode specify a line with the line vty or line console command Switch config line To exit to global configuration mode enter exi...

Page 60: ...e the command without the keyword no to re enable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variables set to...

Page 61: ... Configuration Change Notification and Logging feature module at this URL http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801d1e81 html Note Only CLI or HTTP changes are logged Table 2 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your switch to recognize the command Re enter t...

Page 62: ...rminal history size number of lines The range is from 0 to 256 Beginning in line configuration mode enter this command to configure the number of command lines the switch records for all sessions on a particular line Switch config line history size number of lines The range is from 0 to 256 Recalling Commands To recall commands from the history buffer perform one of the actions listed in Table 2 4...

Page 63: ... Command Lines that Wrap page 2 9 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it re enable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced editing mode enter this command in line configuration mode Switch config line no editing To re enable the enhanced e...

Page 64: ...0 items that you have deleted or cut If you press Esc Y more than ten times you cycle to the first buffer entry Delete entries if you make a mistake or change your mind Press the Delete or Backspace key Erase the character to the left of the cursor Press Ctrl D Delete the character at the cursor Press Ctrl K Delete all characters from the cursor to the end of the command line Press Ctrl U or Ctrl ...

Page 65: ...31 108 1 20 255 255 255 0 eq Switch config 108 2 5 255 255 255 0 131 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 ...

Page 66: ... the switch as described in the getting started guide that shipped with your switch Then to understand the boot process and the options available for assigning IP information see Chapter 4 Assigning the Switch IP Address and Default Gateway If your switch is already configured you can access the CLI through a local console connection or through a remote Telnet session but your switch must first be...

Page 67: ...port or a switch basis If the conditions present on the switch or a port do not match the set parameters the switch software triggers an alarm or a system message By default the switch software sends the system messages to a system message logging facility or a syslog facility You can also configure the switch to send Simple Network Management Protocol SNMP traps to an SNMP server You can configur...

Page 68: ...om 1 to 10 percent The default value is 10 percent See the Configuring the FCS Bit Error Rate Alarm section on page 3 8 for more information Port Status Monitoring Alarms The IE 3000 switch can also monitor the status of the Ethernet ports and generate alarm messages based on the alarms listed in Table 3 2 To save user time and effort the switch supports changing alarm configurations by using alar...

Page 69: ...rity level based on the Cisco IOS System Error Message Severity Level See the Configuring IE 3000 Switch Alarms section on page 3 4 for more information on configuring the relays Table 3 2 IE 3000 Port Status Monitoring Alarms Alarm Description Link Fault alarm The switch generates a link fault alarm when problems with a port physical layer cause unreliable data transmission A typical link fault c...

Page 70: ...ribes how to configure the IE 3000 switch alarms Default IE 3000 Switch Alarm Configuration page 3 4 Configuring the Power Supply Alarm page 3 5 Configuring the Switch Temperature Alarms page 3 6 Configuring the FCS Bit Error Rate Alarm page 3 8 Configuring Alarm Profiles page 3 9 Enabling SNMP Traps page 3 11 Default IE 3000 Switch Alarm Configuration Table 3 3 shows the default IE 3000 switch al...

Page 71: ...upply global configuration command to associate the power supply alarm to a relay You can also configure all alarms and traps associated with the power supply alarm to be sent to syslog and the SNMP server Beginning in privileged EXEC mode follow these steps to associate the power supply alarm to a relay Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 power supply ...

Page 72: ... page 3 6 Setting a Secondary Temperature Threshold for the Switch page 3 7 Associating the Temperature Alarms to a Relay page 3 7 Setting the Primary Temperature Threshold for the Switch You can use the alarm facility temperature primary global configuration command to set low and high temperature thresholds for the primary temperature monitoring alarm Beginning in privileged EXEC mode follow the...

Page 73: ...nning in privileged EXEC mode follow these steps to associate the secondary temperature alarm to a relay Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 alarm facility temperature secondary high threshold Set the secondary high temperature threshold value Set the threshold from 238 F 150 C to 572 F 300 C Step 3 alarm facility temperature secondary low threshold Set...

Page 74: ...er
Switch(config)# alarm facility temperature primary syslog
Switch(config)# alarm facility temperature primary relay major
Configuring the FCS Bit Error Rate Alarm: This section describes how to configure the FCS bit error rate alarm on your switch: Setting the FCS Error Threshold, page 3-8; Setting the FCS Error Hysteresis Threshold, page 3-9. Setting the FCS Error Threshold: The switch generates an FCS bi...

Page 75: ...he no alarm facility fcs-hysteresis command to set the FCS error hysteresis threshold to its default value. Note: The show running-config command displays any FCS error hysteresis that is not the default value. This example shows how to set the FCS error hysteresis at 5 percent:
Switch(config)# alarm facility fcs-hysteresis 5
Configuring Alarm Profiles: This section describes how to configure alarm profi...

Page 76: ...rm-prof)# relay major 4
Switch(config-alarm-prof)# relay minor 3
Switch(config-alarm-prof)# notifies 3 4
Switch(config-alarm-prof)# syslog 3 4
Note: Before you use the notifies command to send alarm traps to an SNMP server, you must first set up the SNMP server by using the snmp-server enable traps alarms global configuration command. See the "Enabling SNMP Traps" section on page 3-11. Command / Purpose: Step 1 co...

Page 77: ... from a port:
Switch(config)# interface fastethernet1/2
Switch(config-if)# no alarm profile fastE
Enabling SNMP Traps: Use the snmp-server enable traps alarms global configuration command to enable the switch to send alarm traps. Note: Before using alarm profiles to set the switch to send SNMP alarm trap notifications to an SNMP server, you must first enable SNMP by using the snmp-server enable traps alar...

Page 78: ...he switch to send SNMP traps. Step 3 end: Return to privileged EXEC mode. Step 4 show alarm settings: Verify the configuration. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. Table 3-5 Commands for Displaying Global and Port Alarm Status. Command / Purpose: show alarm description port: Displays an alarm number and its text description. show alarm profile [name]: D...

Page 79: ...Checking and Saving the Running Configuration, page 4-14; Modifying the Startup Configuration, page 4-15; Scheduling a Reload of the Software Image, page 4-20. Understanding the Boot Process: To start your switch, you need to follow the procedures in the Getting Started Guide or the hardware installation guide for installing and powering on the switch and for setting up the initial switch configuration (IP...

Page 80: ...lso provides trap-door access into the system if the operating system has problems serious enough that it cannot be used. The trap-door mechanism provides enough access to the system so that, if it is necessary, you can format the flash file system, reinstall the operating system software image by using the Xmodem Protocol, recover from a lost or forgotten password, and finally restart the operating sys...

Page 81: ...ion parameters from a DHCP server to a device, and a mechanism for allocating network addresses to devices. DHCP is built on a client-server model, in which designated DHCP servers allocate network addresses and deliver configuration parameters to dynamically configured devices. The switch can act as both a DHCP client and a DHCP server. During DHCP-based autoconfiguration, your switch (DHCP client) is au...

Page 82: ...figuration information to the DHCP server. The formal request is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client. With this message, the client and serve...

Page 83: ...n is appended to the configuration file stored on the switch. Any existing configuration is not overwritten by the downloaded one. Note: To enable a DHCP auto-image update on the switch, the DHCP server that serves the switch must be configured with the correct option 67 (the configuration filename), option 66 (the TFTP server hostname), option 150 (the TFTP server address), and op...

Page 84: ...ion about configuring DHCP, see the "Configuring DHCP" section of the "IP Addressing and Services" section of the Cisco IOS IP Configuration Guide from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides. DHCP Server Configuration Guidelines: Follow these guidelines if you are configuring a device as a DHCP server: You should configure the DHCP server with reserved...

Page 85: ...ss 255.255.255.255. For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory. The files can include these files: the configuration file named in the DHCP reply (the actual switch configuration file); the network-confg or the cisconet.cfg file (known as the default configuration files); the router-confg or the ciscortr.cf...

Page 86: ...igure 4-2 Relay Device Used in Autoconfiguration. Obtaining Configuration Files: Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease, the switch obtains its configuration information in these ways: The IP address and the configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method): The switch receives its IP ...

Page 87: ...s hostname-confg or hostname.cfg, depending on whether network-confg or cisconet.cfg was read earlier from the TFTP server. If the cisconet.cfg file is read, the filename of the host is truncated to eight characters. If the switch cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg file. If the switch cannot read the router-confg file, it reads the ciscortr...

Page 88: ...h D Configuration. Explanation: In Figure 4-3, Switch A reads its configuration file as follows: It obtains its IP address 10.0.0.21 from the DHCP server. If no configuration filename is given in the DHCP server reply, Switch A reads the network-confg file from the base directory of the TFTP server. It adds the contents of the network-confg file to its host table. It reads its host table by indexing its I...
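The two mechanisms described on the preceding pages, the DHCP options the switch acts on (53, 66, 67, 150) and the order in which it then tries TFTP filenames, are shown below as an added example; it is not code from the Cisco guide. The option layout follows RFC 2132 (options 53, 66, 67) and RFC 5859 (option 150); the sample DHCPACK option field, the hostnames and the filenames are constructed for the demonstration. Note the practitioner's caveat this makes visible: nothing in the exchange authenticates the server, so any DHCP server the switch can hear can name the TFTP server and the configuration file the switch will load.

```python
# Added example, not from the Cisco guide: parse the DHCP options used during
# autoconfiguration and derive the TFTP filename lookup order described above.
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDRS = 53, 66, 67, 150


def parse_dhcp_options(payload):
    """Parse the DHCP option field (everything after the 236-byte fixed header).

    Returns {option_code: raw_bytes}. A missing magic cookie or a truncated
    option raises rather than being skipped: a client that guesses here can be
    steered by a malformed reply.
    """
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # PAD: one byte, no length field
            i += 1
            continue
        if code == 255:                    # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def autoconfig_params(opts):
    """Extract the fields the autoconfiguration process uses."""
    raw = opts.get(OPT_TFTP_ADDRS, b"")
    if len(raw) % 4:
        raise ValueError("option 150 must be a list of IPv4 addresses")
    return {
        "message_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "config_file": opts[OPT_BOOTFILE].decode("ascii") if OPT_BOOTFILE in opts else None,
        "tftp_server_name": opts[OPT_TFTP_NAME].decode("ascii") if OPT_TFTP_NAME in opts else None,
        "tftp_servers": [str(ipaddress.IPv4Address(raw[o:o + 4])) for o in range(0, len(raw), 4)],
    }


def config_file_candidates(config_file, default_file, hostname):
    """Ordered filenames the switch tries, per the guide's description.

    default_file is "network-confg" or "cisconet.cfg" (whichever default file
    the switch read from the TFTP server), or None if neither was readable.
    """
    order = []
    if config_file:                                  # named in the DHCP reply
        order.append(config_file)
    if hostname and default_file == "network-confg":
        order.append(hostname + "-confg")
    elif hostname and default_file == "cisconet.cfg":
        order.append(hostname[:8] + ".cfg")          # hostname truncated to 8 chars
    order += ["router-confg", "ciscortr.cfg"]        # last-resort defaults
    return order


# Constructed DHCPACK option field: type 5, bootfile, TFTP name, two TFTP addresses.
SAMPLE_ACK_OPTIONS = (
    MAGIC_COOKIE
    + bytes([OPT_MSG_TYPE, 1, 5])
    + bytes([OPT_BOOTFILE, 14]) + b"switch-a-confg"
    + bytes([OPT_TFTP_NAME, 5]) + b"tftp1"
    + bytes([OPT_TFTP_ADDRS, 8]) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    + b"\xff"
)


def demo():
    """Parse the constructed reply and show what the switch would try to fetch."""
    params = autoconfig_params(parse_dhcp_options(SAMPLE_ACK_OPTIONS))
    # Any DHCP server on the segment can hand out these options unauthenticated,
    # so the TFTP server they name must be one the network design already trusts.
    params["lookup_order"] = config_file_candidates(params["config_file"], "network-confg", "switch-a")
    return params


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

`config_file_candidates` encodes only the order the guide states; it does not model the host-table lookup that derives the hostname from the switch's IP address, so pass the hostname you expect the table to yield.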

Page 89: ...t1/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# end
Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ip dhcp pool poolname: Create a name for the DHCP server address pool, and enter DHCP pool configuration mode. Step 3 bootfile filename: Specify the name of the configuration file that is used as a boot image. Step 4 ne...

Page 90: ...me of the file that is used as a boot image. Step 4 network network-number [mask | /prefix-length]: Specify the subnet network number and mask of the DHCP address pool. Note: The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/). Step 5 default-router ...

Page 91: ...ve
Caution: Saving Configuration File to NVRAM May Cause You to No Longer Automatically Download Configuration Files at Reboot.
Switch(config)# vlan 99
Switch(config-vlan)# interface vlan 99
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show boot
BOOT path-list:
Config file: flash:config.text
Private Config file: flash:private-config.text
Enable Break: no
Manual Boot: no
HELPER path-list:
NVRAM...

Page 92: ... you made by entering this privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration: 1363 bytes
version 12.2
Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface vlan vlan-id: Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The VLAN range is 1 to 4094. Step 3 ip address ip-addres...

Page 93: ...changes you have made to your startup configuration in flash memory, enter this privileged EXEC command:
Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
This command saves the configuration settings that you made. If you fail to do this, your configuration will be lost the next time you reload the system. To display information stored in the NVRAM se...

Page 94: ... steps to specify a different configuration filename. Table 4-3 Default Boot Configuration. Feature / Default Setting: Operating system software image: The switch attempts to automatically boot up the system using information in the BOOT environment variable. If the variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search t...

Page 95: ...ment variable. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 boot manual: Enable the switch to manually boot up during the next boot cycle. Step 3 end: Return to privileged EXEC mode. Step 4 show boot: Verify your entries. The boot manual global command changes...

Page 96: ...des support for nonvolatile environment variables, which can be used to control how the boot loader, or any other software running on the system, behaves. Boot loader environment variables are similar to environment variables that can be set on UNIX or DOS systems. Environment variables that have values are stored in flash memory outside of the flash file system. Each line in these files contains an env...

Page 97: ...he BOOT environment variable is not set, the system attempts to load and execute the first executable image it can find by using a recursive, depth-first search through the flash file system. If the BOOT variable is set but the specified images cannot be loaded, the system attempts to boot the first bootable file that it can find in the flash file system. boot system filesystem:/file-url: Specifies the C...

Page 98: ...ime is earlier than the current time. Specifying 00:00 schedules the reload for midnight. Note: Use the at keyword only if the switch system clock has been set (through Network Time Protocol [NTP], the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized...

Page 99: ...heduled reload, use the reload cancel privileged EXEC command. Displaying Scheduled Reload Information: To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information, including the time the reload is scheduled to occur and the reason for the reload (if it was specified whe...

Page 101: ..._home.html. Managing Single Entities: Use Cisco EnergyWise to manage the energy usage of entities in an EnergyWise network: EnergyWise Entity, page 5-1; EnergyWise Domain, page 5-2; EnergyWise Network, page 5-2; Single PoE Switch Scenario, page 5-3; EnergyWise Power Level, page 5-4; EnergyWise Importance, page 5-5; Configuration Guidelines, page 5-5; PoE and EnergyWise Interactions, page 5-5; Manually Managing Power...

Page 102: ...ected PoE devices, such as an IP phone, an IP camera, or a PoE-enabled device. For example, a Catalyst switch sends a power-off message to an IP phone. On an EnergyWise-enabled entity: The entity always participates in EnergyWise. PoE ports participate in EnergyWise. Non-PoE ports do not participate in EnergyWise. EnergyWise Domain: An EnergyWise domain can be an EnergyWise network. The domain is treated as o...

Page 103: ...powers on and powers off connected entities. The specified times are local times based on the PoE entity time zone. For example, IP phones are powered on at 7:00 a.m. (0700) local time, and they are powered off at 7:00 p.m. (1900) local time. This is also known as the recurrence scenario. [Figure legend: 1 Entity managing power usage; 2 Domain; 3 Entities. The figure shows an SNMP manager (TCP), Catalyst 6500 switches, Catal...]

Page 104: ... 0. A PoE port supports level 0 to level 10. If the power level is 0, the port is powered off. If the power level is from 1 to 10, the port is powered on. If the power level is 0, enter any value in this range to power on the PoE port or the switch. When the power level changes, the port determines the action for the connected entities. [Figure legend: 1 Entity managing power usage; 2 Domain; 3 Entities...]

Page 105: ... entities. Configuration Guidelines: By default, EnergyWise is disabled. When you add an entity to a domain, EnergyWise is enabled on the entity and its PoE ports. Use the energywise level 0 interface configuration command to power off a PoE port. You cannot use the energywise level 0 global configuration command to power off the entity. If you schedule the entity to power on the PoE port at 7:00 a.m. (0700)...

Page 106: ...e communication among the entities in the domain. (Optional) 0: Use an unencrypted password. This is the default. (Optional) 7: Use a hidden password. If you do not enter 0 or 7, the entity uses the default value of 0. (Optional) port udp-port-number: Specify the UDP port that sends and receives queries. The range is from 1 to 65000. The default is 43440. (Optional) interface interface-id: Specify the port from which ...

Page 107: ...re defined. Step 5 energywise management udp-port number: (Optional) Specify the UDP port that sends and receives queries. The range is from 1 to 65000. The default is 43440. Step 6 energywise name name: (Optional) Specify the EnergyWise-specific entity name. You can enter alphanumeric characters and symbols such as ... or .... Do not use an asterisk (*) or a blank space between the characters and symbols. The default is ...
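The `7` ("hidden password") keyword above is the Cisco type 7 encoding, and the configuration examples later in this chapter show the same secret entered with `0` in the clear. Type 7 is a fixed-key XOR obfuscation rather than encryption, so a "hidden" EnergyWise domain secret is recoverable by anyone who can read a configuration backup, a `show running-config` transcript, or a TFTP-served config file. The following is an added example, not code from the Cisco guide: it implements the type 7 transform in both directions and scans constructed configuration lines for `secret 7` / `password 7` tokens. The test vectors and the sample configuration lines are constructed; the key stream constant is the publicly known one used by IOS.

```python
# Added example, not from the Cisco guide: recover Cisco type 7 ("hidden") secrets.
import re

XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"   # well-known type 7 key stream
HEX = set("0123456789ABCDEFabcdef")
TYPE7_RE = re.compile(r"\b(?:secret|password)\s+7\s+([0-9A-Fa-f]{4,})")


def type7_decode(hidden):
    """Reverse a type 7 string: a 2-digit decimal seed, then hex pairs XORed with XLAT."""
    if len(hidden) < 4 or len(hidden) % 2 or not all(c in HEX for c in hidden):
        raise ValueError("not a type 7 string")
    seed = int(hidden[:2], 10)            # seed is decimal, e.g. "06" or "15"
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    body = bytes.fromhex(hidden[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


def type7_encode(plain, seed=6):
    """Forward direction, for round-trip checks. IOS picks seeds 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    return "%02d" % seed + "".join("%02X" % (b ^ XLAT[(seed + i) % len(XLAT)])
                                  for i, b in enumerate(data))


def looks_like_type7(token):
    """True if the token decodes cleanly to ASCII under the type 7 transform."""
    try:
        type7_decode(token)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def recover_type7_from_config(config_text):
    """Map each config line carrying a type 7 token to its recovered plaintext."""
    found = {}
    for line in config_text.splitlines():
        match = TYPE7_RE.search(line)
        if match and looks_like_type7(match.group(1)):
            found[line.strip()] = type7_decode(match.group(1))
    return found


# Constructed excerpt for the demonstration; these lines are not from the guide.
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
energywise domain cisco secret 7 060506324F41 protocol udp port 43440
username admin password 7 094F471A1A0A
"""

if __name__ == "__main__":
    for line, secret in recover_type7_from_config(SAMPLE_CONFIG).items():
        print("%-70s -> %s" % (line, secret))
```

Treat a `secret 7` value exactly as you would a `secret 0` value when deciding where configuration text may be stored or shipped; the keyword only hides the secret from someone reading over your shoulder.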

Page 108: ...red, and enter interface configuration mode. Step 3 energywise level 0 or energywise level 10: (Optional) Manually power off the port, or manually power on the port. Step 4 end: Return to privileged EXEC mode. Step 5 show energywise domain / show energywise children: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Note: The power level that you...

Page 109: ...ter alphanumeric characters and symbols such as ... or .... Do not use an asterisk (*) or a blank space between the characters and symbols. The default is a short version of the port name, for example, Gi1/1/2 for Gigabit Ethernet 1/1/2. Step 6 energywise role role: (Optional) Specify the role of the port in the domain, for example, lobbyport. You can enter alphanumeric characters and symbols such as ... or .... Do not use an as...

Page 110: ...ess of the port that sends EnergyWise messages. For the domain-name and password: You can enter alphanumeric characters and symbols such as ... or .... Do not use an asterisk (*) or a blank space between the characters and symbols. By default, no domain and password are assigned. Step 4 interface interface-id: Specify the port or a range of ports to be configured, and enter interface configuration mode. Step 5 energyw...

Page 111: ...oute Bridge, S Switch, H Host, I IGMP, r Repeater, P Phone
Id  Neighbor Name  Ip:Port          Prot    Capability
1   TG3560G-21     2.2.2.21:43440   udp     S I
2   TG3560G-31     2.2.4.31:43440   static  S I
3   TG3560G-22     2.2.2.22:43440   cdp     S I
Step 6 energywise level 0 recurrence importance importance at minute hour day_of_month month day_of_week: (Optional) Schedule the power-off. recurrence importance importance: Set the importance of th...

Page 112: ...domain cisco secret cisco protocol udp port 43440 ip 2.2.4.30
Switch(config)# interface gigabitethernet1/1/3
Switch(config-if)# energywise level 10 recurrence importance 90 at 0 8 * * *
Switch(config-if)# energywise level 0 recurrence importance 90 at 0 20 * * *
Switch(config-if)# energywise importance 50
Switch(config-if)# energywise name labInterface.3
Switch(config-if)# energywise role role.labphone
Switch(config-if)# e...

Page 113: ...on: Summarize power information from entities. Set parameters. Use these attributes to filter results: Importance; Entity name; One or more keywords for a port or for a group of ports. [Figure legend: 1 Entity managing power usage; 2 Domain; 3 Entities. The figure shows a router, Catalyst PoE switches, a Catalyst PoE switch, IP phones, a Cisco IP camera, a router, Catalyst PoE switches, Catalyst non-PoE switches, Cat...]

Page 114: ... importance importance: Filter the results based on the importance value. Only entities with values less than or equal to the specified value appear. The importance range is from 1 to 100. (Optional) keywords word,word...: Filter the results based on one or more of the specified keywords. (Optional) name name: Filter the results based on the name. For the wildcard, use * or name* with the asterisk at the end of the ...

Page 115: ...d: 2  Responded: 2  Time: 0.4 seconds
The first row (shipping.1) is from Switch 1. The second row (shipping.2) is from Switch 2, a neighbor of Switch 1. Step 2 energywise query importance importance keywords word,word... name name set level level: (Optional) Run a query to power on or power off the domain entities or PoE ports. Caution: Use this query with care because it affects the entity on which you enter the com...

Page 116: ...ing.2 entity to 0:
Switch# energywise query importance 80 name shipping.2 set level 0
Manually set the power level of the shipping.1 entity and the shipping.2 entity to 0:
Switch# energywise query importance 90 name shipping.* set level 0
Set the power level of entities with the keyword Admin to 10:
Switch# energywise query importance 60 keyword Admin set level 10
EnergyWise query, timeout is 3 seconds:
Suc...

Page 117: ...able EnergyWise on the PoE port. no energywise domain (global configuration): Disable EnergyWise on the entity. Table 5-3 show Privileged EXEC Commands. Command / Purpose: show energywise: Display the settings and status for the entity. show energywise children: Display the status of the entity and the PoE ports in the domain. show energywise domain: Display the domain to which the entity belongs. show energywis...

Page 118: ... connected Catalyst PoE switch. On Switch 1, configure the domain:
Switch(config)# energywise domain cisco secret 0 cisco protocol udp port 43440 interface gigabitethernet1/0/23
On Switch 1, verify that the EnergyWise protocols discovered the neighbors:
Switch# show energywise neighbors
Capability Codes: R Router, T Trans Bridge, B Source Route Bridge, S Switch, H Host, I IGMP, r Repeater, P Phone
Id  Neighbor Nam...

Page 119: ... 1/3  43440  cdp  S I
Switch 1 uses both static and dynamic protocols to detect neighbors. Verify that switches are in the same domain:
Switch# energywise query name * collect usage
EnergyWise query, timeout is 3 seconds:
Host          Name        Usage
192.168.1.2   Switch 1    96.0 (W)
192.168.40.2  shipping.1  6.3 (W)
192.168.40.2  guest.1     10.3 (W)
192.168.50.2  shipping.2  8.5 (W)
192.168.50.2  lobby.1     10.3 (W)
Queried: 72  Responded: 72  Time...

Page 120: ...ise Additional Information. Note: To prevent a disjointed domain, you can also configure a helper address on Router A and specify that the router use UDP to forward broadcast packets, with the ip helper-address address interface configuration command and the ip forward-protocol udp port global configuration command.

Page 121: ...on Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 6-1). Each Configuration Engine manages a group of Cisco devices (switches and routers) and the services that they deliver, storing their configurations and delivering them as needed. The Configuration Engine automates initial configuration...

Page 122: ...rvice to send and receive configuration change events and to send success and failure notifications. The configuration server is a web server that uses configuration templates and the device-specific configuration information stored in the embedded (standalone mode) or remote (server mode) directory. Configuration templates are text files containing static configuration information in the form of CLI co...

Page 123: ... group ID, device ID, and event), the mapping service returns a set of events on which to publish. What You Should Know About the CNS IDs and Device Hostnames: The Configuration Engine assumes that a unique identifier is associated with each configured switch. This unique identifier can take on multiple synonyms, where each synonym is unique within a particular namespace. The event service uses namespace c...

Page 124: ...n to the event gateway and does not change even when the switch hostname is reconfigured. When changing the switch hostname on the switch, the only way to refresh the DeviceID is to break the connection between the switch and the event gateway. Enter the no cns event global configuration command followed by the cns event global configuration command. When the connection is re-established, the switch se...

Page 125: ... switch and includes the TFTP server IP address, the path to the bootstrap configuration file, and the default gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to the switch. The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads the bootstrap configuration file from the TFTP server. Upon successful...

Page 126: ... the updated configuration into its NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot. Configuring Cisco IOS Agents: The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and a...

Page 127: ...ration agent. DHCP server: IP address assignment; TFTP server IP address; path to the bootstrap configuration file on the TFTP server; default gateway IP address. TFTP server: a bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine; the switch configured to use either the switch MAC address or the serial number instead of ...

Page 128: ...umber, enter the port number for the event gateway. The default port number is 11011. (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.) (Optional) For failover-time seconds, enter how long the switch waits for the primary gateway route after the route to the backup gateway is established. (Optional) For keepalive seconds, enter how often the switch sends ke...

Page 129: ...on mode, and specify the name of the CNS connect template. Step 3 cli config-text: Enter a command line for the CNS connect template. Repeat this step for each command line in the template. Step 4 Repeat Steps 2 to 3 to configure another CNS connect template. Step 5 exit: Return to global configuration mode. Step 6 cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]: Enter ...

Page 130: ...oint-to-point subinterface number that is used to search for active DLCIs. For interface interface-type, enter the type of interface. For line line-type, enter the line type. Step 8 template name [name...]: Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. You can specify more than one template. Step 9 Repeat Steps 7 to 8 to specify more interface p...

Page 131: ...s | mac-address}: enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID. (Optional) Enter event to set the ID to be the event-id value used to identify the switch. (Optional) Enter image to set the ID to be the image-id value used to identify the switch. Note: If both the event and image keyw...

Page 132: ...dress [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration. For hostname | ip-address, enter the hostname or the IP address of the configuration server. (Optional) For port number, enter the port number of the configuration server. The default port number is 80. (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished. (Optional) En...

Page 133: ...artial Configuration. Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch. To disable the Cisco IOS agent, use the no cns config partial {ip-address | hostname} global configuration command. To cancel a partial configuration, use the cns config cancel privileged EXEC command. Command / Purpose: Step 1 configure terminal: Enter ...

Page 134: ... CNS Cisco IOS agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats: Displays statistics about the Cisco IOS agent. show cns event connections: Displays the status of the CNS event agent connections. show cns event stats: Displays statistics about the CNS event agent. show cns eve...

Page 135: ...lusters mixed with cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches. For complete cluster information for a specific Catalyst platform, refer to the software configuration guide for that switch. This chapter consists of these sections: Understanding Switch Clusters, page 7-1; Planning a Switch Cluster, page 7-4; Using the CLI ...

Page 136: ...cluster command switches to avoid loss of contact with cluster members. A cluster standby group is a group of standby cluster command switches. Management of a variety of switches through a single IP address. This conserves IP addresses, especially if you have a limited number of them. All communication with the switch cluster is through the cluster command switch IP address. Table 7-1 lists the swit...

Page 137: ... member switches is maintained. It is not a command or member switch of another cluster. Note: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is an IE 3000 switch, the standby cluster command switches must also be IE 3000 switches. Refer to the switch configuration guide of other cluster-capable switches for thei...

Page 138: ...er. This section describes these guidelines, requirements, and caveats that you should understand before you create the cluster: Automatic Discovery of Cluster Candidates and Members, page 7-4; HSRP and Standby Cluster Command Switches, page 7-9; IP Addresses, page 7-12; Hostnames, page 7-12; Passwords, page 7-12; SNMP Community Strings, page 7-13; TACACS+ and RADIUS, page 7-13; LRE Profiles, page 7-13. Refer to the r...

Page 139: ... to seven CDP hops away (the default is three hops) from the edge of the cluster. The edge of the cluster is where the last cluster member switches are connected to the cluster and to candidate switches. For example, cluster member switches 9 and 10 in Figure 7-1 are at the edge of the cluster. In Figure 7-1, the cluster command switch has ports assigned to VLANs 16 and 62. The CDP hop count is three. The ...

Page 140: ...ANs. If the cluster command switch is a Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 switch, the cluster can have cluster member switches in different VLANs. As cluster member switches, they must be connected through at least one VLAN in common with the cluster command switch. The cluster command switch in Figure 7-3 has ports assigned to VLANs 9, 16, and 62 and therefore discovers the swit...

Page 141: ...as a Catalyst 3750 or 2975 switch or has a switch stack, that switch or switch stack must be the cluster command switch. The cluster command switch and standby command switch in Figure 7-4 (assuming they are Catalyst 2960, Catalyst 2970, Catalyst 2975, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches) have ports assigned to VLANs 9, 16, and 62. The management VLAN on the cluster command...

Page 142: ...o the VLAN of the immediately upstream neighbor. The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor. The cluster command switch in Figure 7-5 belongs to VLANs 9 and 16. When new cluster-capable switches join the cluster: One cluster-capable switch and its access port are assigned to VLAN 9. The other cluster-capable switch and its access port are a...

Page 143: ...er cluster. The switches in the cluster standby group are ranked according to HSRP priorities. The switch with the highest priority in the group is the active cluster command switch (AC). The switch with the next highest priority is the standby cluster command switch (SC). The other switches in the cluster standby group are the passive cluster command switches (PC). If the active cluster command switch and t...

Page 144: ... switch becomes the standby cluster command switch again. For more information about IP addresses in switch clusters, see the "IP Addresses" section on page 7-12. Other Considerations for Cluster Standby Groups: These requirements also apply: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is an IE 3000 switch, the sta...

Page 145: ...ches. If the active cluster command switch and standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes the active cluster command switch. However, because it was a passive standby cluster command switch, the previous cluster command switch did not forward cluster configuration information to it. The active cluster command swit...

Page 146: ...s not have its own IP address, you must assign an IP address to manage it as a standalone switch. For more information about IP addresses, see Chapter 4, "Assigning the Switch IP Address and Default Gateway." Hostnames: You do not need to assign a hostname to either a cluster command switch or an eligible cluster member. However, a hostname assigned to the cluster command switch can help to identify the sw...

Page 147: ...ly and read-write strings are propagated to the cluster member switch. The switches support an unlimited number of community strings and string lengths. For more information about SNMP and community strings, see Chapter 33, "Configuring SNMP." For SNMP considerations specific to the Catalyst 1900 and Catalyst 2820 switches, refer to the installation and configuration guides specific to those switches. TACA...

Page 148: ...ment console (a menu-driven interface) if the cluster command switch is at privilege level 15. If the cluster command switch is at privilege level 1 to 14, you are prompted for the password to access the menu console. Command-switch privilege levels map to the Catalyst 1900 and Catalyst 2820 cluster member switches running standard and Enterprise Edition Software as follows: If the command-switch privil...

Page 149: ... configured for the cluster. If the cluster member switch does not have an IP address, the cluster command switch redirects traps from the cluster member switch to the management station, as shown in Figure 7-7. If a cluster member switch has its own IP address and community strings, the cluster member switch can send traps directly to the management station, without going through the cluster command sw...

Page 151: ...e Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference from the Cisco com page under Documentation Cisco IOS Software 12 2 Mainline Command References These sections contain this configuration information Understanding the System Clock page 8 1 Un...

Page 152: ... atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP This strategy effectively builds a self organizing tree of NTP speakers NTP avoids synchronizing to a device whose time might not be...

Page 153: ...e to that device through NTP When multiple sources of time are available NTP is always considered to be more authoritative NTP time overrides the time set by any other method Several manufacturers include NTP software for their host systems and a publicly available version for systems running UNIX and its various derivatives is also available This software allows host systems to be time synchroniz...

Page 154: ...trator of the NTP server, the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server. Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes. Table 8-1 Default NTP Confi...

Page 155: ...ronizes to the other device, and not the other way around. Step 3 ntp authentication-key number md5 value Define the authentication keys. By default, none are defined. For number, specify a key number. The range is 1 to 4294967295. md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5). For value, enter an arbitrary string of up to eight characters for the ...

Page 156: ...be configured to send or receive broadcast messages. However, the information flow is one-way only. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer] or ntp server ip-address [version number] [key keyid] [source interface] [prefer] Configure the switch system clock to synchronize a peer or to be synchronized b...

Page 157: ...urpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to send NTP broadcast packets, and enter interface configuration mode. Step 3 ntp broadcast [version number] [key keyid] [destination address] Enable the interface to send NTP broadcast packets to a peer. By default, this feature is disabled on all interfaces. (Optional) For number, specify the N...

Page 158: ...se steps to control access to NTP services by using access lists. Step 5 ntp broadcastdelay microseconds (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999. Step 6 end Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Sav...

Page 159: ... use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. However, the switch restricts access to allow only time requests from access list 42. Switch# configure terminal Switch(config)# ntp access-group peer 99 Switch(config)# ntp access-group serve-only 42 Switch ...

Page 160: ...dress is to be taken. The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the "Configuring NTP Associations" section on page 8-5. Command Purpose Step 1 configure terminal Enter global configuration mo...

Page 161: ...e, you do not need to manually set the system clock. These sections contain this configuration information: Setting the System Clock, page 8-11; Displaying the Time and Date Configuration, page 8-12; Configuring the Time Zone, page 8-12; Configuring Summer Time (Daylight Saving Time), page 8-13. Setting the System Clock If you have an outside source on the network that provides time services, such as an NTP ser...

Page 162: ...e the time zone. The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30. To set the time t...

Page 163: ...lock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00 Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]] Configure summer time to start and end on the specified days every year. Summer time is disabled by default. If you specify clock summer-time zone recurring withou...

Page 164: ... used as the system prompt. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes. For complete syntax and usage information for the commands used in this section, from the Cisco.com page, select Documentation > Cisco IOS Software > 12.2 Mainline > Command References and see the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP Command Reference, V...

Page 165: ...cheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com. To keep track ...

Page 166: ...ates an unqualified name from the domain name. At boot-up time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information). Step 3 ip name-server server-address1 [server-address2 ... server-address6] Specify th...

Page 167: ...tion. To display the DNS configuration information, use the show running-config privileged EXEC command. Creating a Banner You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The login banner also displays on all connected terminal...

Page 168: ...g 172.2.5.4 ... Connected to 172.2.5.4. Escape character is This is a secure site. Only authorized users are allowed. For access, contact technical support. User Access Verification Password: Configuring a Login Banner You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Command Purpose Step 1 configure terminal Ent...

Page 169: ...witch resets. The address table lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic). Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release. These sections contain this configuration information: Building the Address Table, page 8-20; MAC Addresses and ...

Page 170: ...VLAN, and STP can accelerate the aging interval on a per-VLAN basis. The switch sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded...

Page 171: ...ce interface-id) or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id). To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged EXEC command. Configuring MAC Address Notification Traps MAC address notification enables you to track users on a network by storing the MAC address activity on the switch. Whenever the switch learn...

Page 172: ... server host command. For notification-type, use the mac-notification keyword. Step 3 snmp-server enable traps mac-notification Enable the switch to send MAC address traps to the NMS. Step 4 mac address-table notification Enable the MAC address notification feature. Step 5 mac address-table notification [interval value] [history-size value] Enter the trap interval time and the history table size. (Optional) F...

Page 173: ...on added. You can verify the previous commands by entering the show mac address-table notification interface and the show mac address-table notification privileged EXEC commands. Adding and Removing Static Address Entries A static address has these characteristics: It is manually entered in the address table and must be manually removed. It can be a unicast or multicast address. It does not age and is ...

Page 174: ...static mac-addr vlan vlan-id drop global configuration command, one of these messages appears: Only unicast addresses can be configured to be dropped. CPU destined address cannot be configured as drop address. Packets that are forwarded to the CPU are also not supported. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 mac address-table static mac-addr vlan vlan-id inter...

Page 175: ...mac-addr vlan vlan-id global configuration command. This example shows how to enable unicast MAC address filtering and to configure the switch to drop packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4 with this MAC address as its source or destination, the packet is dropped: Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop Disabli...

Page 176: ...e MAC address learning on an RSPAN VLAN. The configuration is not allowed. If you disable MAC address learning on a VLAN that includes a secure port, MAC address learning is not disabled on that port. If you disable port security, the configured MAC address learning state is enabled. Beginning in privileged EXEC mode, follow these steps to disable MAC address learning on a VLAN. To reenable MAC address le...

Page 177: ...tion, represented by the arpa keyword, is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed. Note: For CLI procedures, see the Cisco IOS Release 12.2 documentation from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline. Table 8-4 Commands for Displaying the MAC Address Table Command Description show ip igmp snooping groups D...

Page 178: ...8-28 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 8 Administering the Switch: Managing the ARP Table ...

Page 179: ...d are referred to as members. Constantly exchanged timing messages ensure continued synchronization. PTP is particularly useful for industrial automation systems and process control networks, where motion and precision control of instrumentation and test equipment are important. You can globally configure the switch to pass PTP packets through the switch as normal multicast traffic (forward mode), to syn...

Page 180: ...P capable. The switch expansion modules do not support PTP. The default PTP mode on all ports is end-to-end transparent. Table 9-1 Default PTP Configuration (Feature: Default Setting) PTP boundary mode: Disabled; PTP forward mode: Disabled; PTP transparent mode: Enabled; PTP priority1 and PTP priority2: Default priority number is 128; PTP announce interval: 2 seconds; PTP announce timeout: 8 seconds; PTP delay requ...

Page 181: ...the switch. This is the default clock mode. The switch corrects for the delay incurred by every packet passing through it (referred to as residence time). This mode causes less jitter and error accumulation than boundary mode. Select forward mode for incoming PTP packets to pass through the switch as normal multicast traffic. This disables both boundary and end-to-end transparent mode. When the switch port i...

Page 182: ...ng synchronization messages. The range is -1 second to 1 second. The default is 1 second. For sync limit, specify the maximum clock offset value before PTP attempts to resynchronize. The range is 50 to 500000000 nanoseconds. The default is 50000 nanoseconds. Note: We recommend against setting the sync limit below the default 50000 nanoseconds. Use values below 50000 nanoseconds only in networks with a high ...

Page 183: ...e functions, or use the default template to balance resources. To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates to optimize these features: Default: The default template gives balance to all functions. QoS: The QoS template maximizes system resource...

Page 184: ...ow these guidelines when selecting and configuring SDM templates: When you select and configure SDM templates, you must reload the switch for the configuration to take effect. If you try to configure IPv6 features without first selecting a dual IPv4 and IPv6 template, a warning message is generated. Using the dual-stack templates results in less TCAM capacity allowed for each resource, so do not use if ...

Page 185: ...rivileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | dual-ipv4-and-ipv6 default | qos] privileged EXEC command to display the resource numbers supported by the specified template. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 sdm prefer {default | dual-ipv4-and-ipv6 default | qos} Specify the SDM template to be used on th...

Page 186: ...10-4 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 10 Configuring SDM Templates: Displaying the SDM Templates ...

Page 187: ...who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network. To prevent unauthorized access into your switch, you should configure one or more of these security features: At a minimum, you should configure passwords and privileges at each switch port. These passwords are ...

Page 188: ... see the Cisco IOS Security Command Reference, Release 12.2, from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. These sections contain this configuration information: Default Password and Privilege Level Configuration, page 11-2; Setting or Changing a Static Enable Password, page 11-3; Protecting Enable and Enable Secret Passwords with Encryption, page 11-3; Dis...

Page 189: ...privilege level you specify. We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 enable password password Define a new pass...

Page 190: ...configuration mode. Step 2 enable password [level level] {password | encryption-type encrypted-password} or enable secret [level level] {password | encryption-type encrypted-password} Define a new password or change an existing password for access to privileged EXEC mode, or define a secret password, which is saved using a nonreversible encryption method. (Optional) For level, the range is from 0 to 15. Level 1 is no...

Page 191: ...rocess and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol. Fo...

Page 192: ...user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port. The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key ...

Page 193: ...ion: Setting the Privilege Level for a Command, page 11-8; Changing the Default Privilege Level for Lines, page 11-9; Logging into and Exiting a Privilege Level, page 11-9. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 username name [privilege level] {password encryption-type password} Enter the username, privilege level, and password for each user. For name, specify the user I...

Page 194: ...urpose Step 1 configure terminal Enter global configuration mode. Step 2 privilege mode level level command Set the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the le...

Page 195: ... and Exiting a Privilege Level Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line vty line Select the virtual terminal line on which to restrict access. Step 3 privilege level level Change the default privilege level for the line...

Page 196: ... is a security application that provides centralized validation of users attempting to gain access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your switch. TACACS+ provides for separate and modular authentica...

Page 197: ...l session duration, or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature. Accounting: Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accounting rec...

Page 198: ...ernative method for authenticating the user. CONTINUE: The user is prompted for additional authentication information. After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is ...

Page 199: ...group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts. Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key. Command Purpose Step 1 con...

Page 200: ... designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed au...

Page 201: ...re information, see the "Identifying the TACACS+ Server Host and Setting the Authentication Key" section on page 11-13. line: Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. local: Use the local username database for authentication. You must enter username information in the database...

Page 202: ...ser database or on the security server to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these...

Page 203: ... the show tacacs privileged EXEC command. Controlling Switch Access with RADIUS This section describes how to enable and configure the RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note: For complete syntax and usage information fo...

Page 204: ...Enigma's security cards to validate users and to grant access to network resources. Networks already using RADIUS: You can add a Cisco switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server. See Figure 11-2 on page 11-19. Network in which the user must only access a single service: Using RADIUS, you can control user access to a single...

Page 205: ...nal data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items: Telnet, SSH, rlogin, or privileged EXEC services; Connection parameters, including the host or client IP address, access list, and user ...

Page 206: ...ult RADIUS Configuration RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the switch through the CLI. Identifying the RADIUS Server Host Switch-to-RADIUS-server communication involves several components: Hostname or IP address; Authentication destination port ...

Page 207: ... globally to all RADIUS servers communicating with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host global configuration command. Note: If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch...

Page 208: ... global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the se...

Page 209: ... list, which, by coincidence, is named default. The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in ...

Page 210: ...IUS server. For more information, see the "Identifying the RADIUS Server Host" section on page 11-20. line: Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. local: Use the local username database for authentication. You must enter username information in the database. Use the username ...

Page 211: ...cumentation > Cisco IOS Software > 12.2 Mainline > Command References. Defining AAA Server Groups You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Se...

Page 212: ... value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the l...

Page 213: ... server radius group2 Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001 Switch(config-sg-radius)# exit Configuring RADIUS Authorization for User Privileged Access and Network Services AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in the local user database or on ...

Page 214: ...no aaa accounting {network | exec} start-stop method1 global configuration command. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests. Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged ...

Page 215: ...utes. The full set of features available for TACACS+ authorization can then be used for RADIUS. For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair="ip:addr-pool=first" Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server key string Specify the shared secret t...

Page 216: ...or more information about vendor IDs and VSAs, see RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)." Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use VSAs. Note: For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Releas...

Page 217: ...y of rad124 between the switch and the server: Switch(config)# radius-server host 172.20.30.15 nonstandard Switch(config)# radius-server key rad124 Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be distributed evenly across all RADIUS servers in a server group. For more information, see the "RADIUS Server Load Balancing" chapter of the Cisco IOS Security Configuratio...

Page 218: ...d applies the local user database authentication to all ports. Step 4 aaa authorization exec local Configure user AAA authorization, check the local database, and allow the user to run an EXEC shell. Step 5 aaa authorization network local Configure user AAA authorization for all network-related service requests. Step 6 username name [privilege level] {password encryption-type password} Enter the local data...

Page 219: ... Shell" chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.html Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release and the command reference for Cisco IOS Release 12.2 at this URL...

Page 220: ...y the execution shell application. The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software. The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm. Configuring SSH This section has this configuration information: Configuration Guidelines, page 11-34; Setting Up the Switch to Run SSH, page 11-35 (required); Configur...

Page 221: ...Configuring the Switch for Local Authentication and Authorization" section on page 11-32. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. This procedure is required if you are configuring the switch as an SSH server. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA ke...

Page 222: ...s. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default ...

Page 223: ...com. For more information about the crypto image, see the release notes for this release. These sections contain this information: Understanding Secure HTTP Servers and Clients, page 11-37; Configuring Secure HTTP Servers and Clients, page 11-40; Displaying Secure HTTP Server and Client Status, page 11-43. For configuration examples and complete syntax and usage information for the commands used in this sec...

Page 224: ...a self-certified (self-signed) certificate does not provide adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies (such as testing). If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary ...

Page 225: ...o the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both. For example, Netscape Communicator 4.76 supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC. For the best possible encryption, you should use a client...

Page 226: ...rustpoint. For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint is more secure than a self-signed certificate. Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 hostname hostname Specify the hostname of the switch (required only if you have ...

Page 227: ... peer has not been revoked. Step 9 primary (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests. Step 10 exit Exit CA trustpoint configuration mode and return to global configuration mode. Step 11 crypto ca authentication name Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. Step 12 crypto ca enroll name Obtain t...

Page 228: ...ate from the server, but the server does not attempt to authenticate the client. Step 7 ip http secure-trustpoint name Specify the CA trustpoint to use to get an X.509v3 security certificate and to authenticate the client certificate connection. Note: Use of this command assumes you have already configured a CA trustpoint according to the previous procedure. Step 8 ip http path path-name (Optional) Set a...

Page 229: ...lient secure-trustpoint name (Optional) Specify the CA trustpoint to be used if the remote HTTP server requests client authentication. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured. Step 3 ip http client secure-ciphersuite 3des-ede...

Page 230: ...nsport, the router must have a Rivest, Shamir, and Adelman (RSA) key pair. Note: When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted. Information About Secure Copy To configure the Secure Copy feature, you should understand these concepts: The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except tha...

Page 231: ...nnecting to a LAN through publicly accessible ports unless they are authenticated. The authentication server authenticates each client connected to a switch port before making available any switch or LAN services. Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traff...

Page 232: ...edirect URLs, page 12-15. Web Authentication, page 12-25. Device Roles Device roles with 802.1x port-based authentication (Figure 12-1, 802.1x Device Roles): Client: the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1x-compliant client software, such as that offered in the Microsoft Windows XP operating sy...

Page 233: ...then encapsulated for Ethernet and sent to the client. The devices that can act as intermediaries include the IE 3000, the Catalyst 3750-E, Catalyst 3560-E, Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2975, Catalyst 2970, Catalyst 2960, Catalyst 2955, Catalyst 2950, and Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and 802.1x aut...

Page 234: ...tribute [29]). The Session-Timeout RADIUS attribute (Attribute [27]) specifies the time after which re-authentication occurs. [Figure: authentication flowchart. Decision labels: "Client identity is invalid", "Client identity is valid", "All authentication servers are down", "The switch gets an EAPOL message and the EAPOL message exchange begins"; Yes/No branches.] Footnote 1: This occurs if the switch does not detect EAPOL packets fro...

Page 235: ...ntity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame. However, if during boot-up the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity. Note: If 802.1x authentication is not en...

Page 236: ...the port becomes authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and starts 802.1x authentication. Figure 12-4 shows the message exchange during MAC authentication bypass. Figure 12-4 Message Exchange During MAC...

Page 237: ...L, Filter-ID attribute, Downloadable ACL(3), Redirect URL(2). Footnote 3: Supported in Cisco IOS Release 12.2(50)SE and later. [Table residue, feature cells per authentication method: VLAN assignment; Per-user ACL(2); Filter-ID attribute(2); Downloadable ACL(2); Redirect URL(2); repeated for each column. MAC authentication bypass column: VLAN assignment, Per-user ACL, Filter-ID attribute, Downloadable ACL(2), Redirect URL(2).] VLAN assignment VL...

Page 238: ...auto interface configuration command enables authentication on an interface. However, the dot1x system-auth-control global configuration command only globally enables or disables 802.1x authentication. Note: If 802.1x authentication is globally disabled, other authentication methods are still enabled on that port, such as web authentication. The authentication manager commands provide the same...

Page 239: ...in the authorized state. You control the port authorization state by using the authentication port-control or dot1x port-control interface configuration command and these keywords: force-authorized: disables 802.1x authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without 802.1x-based authentic...

Page 240: ...e switch port to change to the unauthorized state. If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. 802.1x Host Mode You can configure an 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see Figure 12-1 on page 12-2), only one client can be connected to the 802.1x-enabled switch port. The sw...

Page 241: ...authorization as a data device. If more than one device attempts authorization on either the voice or the data domain of a port, it is error-disabled. Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VL...

Page 242: ...as the fallback method for individual host authentications, to authenticate different hosts through different methods on a single port. Note: Multiple authentication mode is limited to eight authentications (hosts) per port. Multiple authentication mode also supports MDA functionality on the voice VLAN by assigning authenticated devices to either a data or voice VLAN, depending on the VSAs received fr...

Page 243: ...Release 12.2, at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a00800872ce.html For more information about AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. Table 12-3 Accounting AV Pairs (columns: Attribute Number, AV Pair Name, START, INTERIM, STOP): Attribute[1], User-Name, Always, Always, Always. Attribute[4], NAS-IP-Ad...

Page 244: ...MDA-enabled ports. For more information, see the Multidomain Authentication section on page 12-11. When configured on the switch and the RADIUS server, 802.1x authentication with VLAN assignment has these characteristics: If no VLAN is supplied by the RADIUS server or if 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLA...

Page 245: ...ed when you configure 802.1x authentication on an access port. Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: [64] Tunnel-Type = VLAN; [65] Tunnel-Medium-Type = 802; [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID. Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies th...

Page 246: ...default port ACL on the connected client switch port must also be configured. Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs You can set the CiscoSecure-Defined-ACL Attribute-Value (AV) pair on the Cisco Secure ACS with the RADIUS cisco-av-pair vendor-specific attributes (VSAs). This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the #ACL#-IP-name-number...

Page 247: ...t this situation, use one of these command sequences: Enter the dot1x guest-vlan supplicant global configuration command to allow access to the guest VLAN. Enter the shutdown interface configuration command followed by the no shutdown interface configuration command to restart the port. Note: If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts to an un...

Page 248: ...ttempt counter resets. Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the...

Page 249: ...unavailable during an authentication exchange, the current exchange times out, and the switch puts the critical port in the critical-authentication state during the next authentication attempt. When a RADIUS server that can authenticate the host is available, all critical ports in the critical-authentication state are automatically re-authenticated. Inaccessible authentication bypass interacts with t...

Page 250: ...t relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized IP phones more than one hop away. When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VL...

Page 251: ...either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier (VVID) and the port VLAN identifier (PVID). You can configure the authentication violation or dot1x violation-mode interface configuration command so that a port shuts down, generates a syslog error, or discards packets from a new device when it connects to an 802.1x-enabled port or when the maximum number o...

Page 252: ...is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an 802.1x-capable supplicant and uses 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down. If the switch already authorized a port by using MAC authentication bypass and detects an...

Page 253: ...s policy against the client from the RADIUS server. Set the action to be taken when the switch tries to re-authenticate the client by using the Termination-Action RADIUS attribute (Attribute [29]). If the value is the DEFAULT or is not set, the session ends. If the value is RADIUS-Request, the re-authentication process starts. View the NAC posture token, which shows the posture of the client, by using the sho...

Page 254: ...cess Topology (NEAT) NEAT extends identity to areas outside the wiring closet (such as conference rooms) through the following: 802.1x switch supplicant: You can configure a switch to act as a supplicant to another switch by using the 802.1x supplicant feature. This configuration is helpful in a scenario where, for example, a switch is outside a wiring closet and is connected to an upstream switch through...

Page 255: ...Attribute-Value (AV) pair attributes. The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user who is logging into the switch. The second attribute is an access list to be applied for web-authenticated hosts. The syntax is similar to 802.1x per-user access control lists (ACLs). However, instead of ip:inacl, this attribute must begin with proxyacl, and the source fiel...

Page 256: ...m the Access Control Server (ACS). An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port, it sends ACL attributes based on the user identity to the switch. The switch applies the attributes to the port for the duration of the user session. If the session is...

Page 257: ...ication Bypass Feature, page 12-45 (optional). Configuring 802.1x Authentication with WoL, page 12-47 (optional). Configuring MAC Authentication Bypass, page 12-48 (optional). Configuring NAC Layer 2 802.1x Validation, page 12-49 (optional). Configuring 802.1x Switch Supplicant with NEAT, page 12-50. Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs, page 12-52. Configuring Flexible Authentic...

Page 258: ...r of seconds that the switch should wait for a response to an EAP-request/identity frame from the client before resending the request. Maximum retransmission number: 2 times (number of times that the switch will send an EAP-request/identity frame before restarting the authentication process). Client timeout period: 30 seconds (when relaying a request from the authentication server to the client, the amoun...

Page 259: ...dynamic, an error message appears, and the port mode is not changed. Dynamic-access ports: If you try to enable 802.1x authentication on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and 802.1x authentication is not enabled. If you try to change an 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed. EtherChannel por...

Page 260: ...itch changes the port state to the critical-authentication state and remains in the restricted VLAN. You can configure the inaccessible bypass feature and port security on the same switch port. You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only on access ports. MAC Authentication...

Page 261: ...t its 802.1x capability. When the client responds with a notification packet, it is 802.1x-capable. A syslog message is generated if the client responds within the timeout period. If the client does not respond to the query, the client is not 802.1x-capable. No syslog message is generated. The readiness check can be sent on a port that handles multiple hosts (for example, a PC that is connected to an IP ph...

Page 262: ...tep 3 aaa authentication dot1x {default} method1 Create an 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports. For method1, enter the group radius keywords to use the list of...

Page 263: ...e in default situations. The default method list is automatically applied to all ports. For method1, enter the group radius keywords to use the list of all RADIUS servers for authentication. Note: Though other keywords are visible in the command-line help string, only the group radius keywords are supported. Step 4 dot1x system-auth-control Enable 802.1x authentication globally on the switch. Step 5 aaa a...

Page 264: ...Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} auth-port port-number key string Configure the RADIUS server parameters. For hostname | ip-address, specify the hostname or IP address of the remote RADIUS server. For auth...

Page 265: ...ers section on page 11-29. You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation. Configuring the Host Mode Beginning in privileged EXEC mode, follow these steps to allow a single host (client) or multiple hosts on an 802...

Page 266: ...e keywords have these meanings: multi-auth: Allow one client on the voice VLAN and multiple authenticated clients on the data VLAN. Note: The multi-auth keyword is only available with the authentication host-mode command. multi-host: Allow multiple hosts on an 802.1x-authorized port after a single host has been authenticated. multi-domain: Allow both a host and a voice device, such as an IP phone (Cisco or...

Page 267: ...cation Enable periodic re-authentication of the client, which is disabled by default. Step 4 authentication timer {{[inactivity | reauthenticate] [server | am]} {restart value}} or dot1x timeout reauth-period {seconds | server} Set the number of seconds between re-authentication attempts. The authentication timer keywords have these meanings: inactivity: Interval in seconds after which, if there is no activity from the c...

Page 268: ...again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed client authentication might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a number smaller than the default. Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional. To return t...

Page 269: ...a response to an EAP-request/identity frame from the client before resending the request. Switch(config-if)# dot1x timeout tx-period 60 Setting the Switch-to-Client Frame-Retransmission Number You can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting the authentication process. Note: You should change the def...

Page 270: ...ervers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Step 3 dot1x max-reauth-req count Set the number of times that the switch sends an EAP-request/ident...

Page 271: ...0:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding. Note: You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of Update/Watchdog packets from this AAA client in your RADIUS server Network Configuration tab. Next, enable CVS RADIUS Accounting i...

Page 272: ...ged EXEC mode, follow these steps to configure a guest VLAN. This procedure is optional. To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. The port returns to the unauthorized state. Step 6 show running-config Verify your entries. Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file. Command Purpose...

Page 273: ...these steps to configure a restricted VLAN. This procedure is optional. To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x restricted VLAN: Switch(config)# interface gigabitethernet1/2 Switch(config-if)# dot1x auth-fail vlan 2 Command Purpose Step 1 config...

Page 274: ...pose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the 802.1x Authentication Configuration Guidelines section on page 12-28. Step 3 switchport mode access Set the port to access mode. Step 4 authentication port-control auto or dot1x port-control auto Ena...

Page 275: ...US server status to dead. Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server dead-criteria time time tries tries (Optional) Set the conditions that are used to decide when a RADIUS...
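The %RADIUS-4-RADIUS_DEAD message on page 271 is the signal that matters for the inaccessible authentication bypass feature described on pages 249, 260 and 275: once every configured RADIUS server is dead, critical ports move to the critical-authentication state and admit hosts without a server decision, so the time spent in that state is worth measuring. The script below is an added example, not code from the Cisco guide; it parses constructed IOS syslog lines (addresses, times and the RADIUS_ALIVE recovery message text are assumptions) and reports each window during which no configured server was alive.

```python
# Added example, not from the Cisco guide: scan IOS syslog for
# %RADIUS-4-RADIUS_DEAD / RADIUS_ALIVE transitions and report the windows
# in which every configured server was dead, i.e. when critical ports sit in
# the critical-authentication state and inaccessible authentication bypass
# is granting access without a RADIUS decision.
import re
from datetime import datetime

# RADIUS_DEAD wording as shown in the guide; the RADIUS_ALIVE recovery
# message text used here is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%RADIUS-4-RADIUS_(?P<state>DEAD|ALIVE): RADIUS server (?P<server>[\d.]+):\d+,\d+ "
)

# Constructed sample log; addresses and times are made up.
SAMPLE_LOG = """\
Mar  1 00:09:55.001: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
Mar  1 00:10:12.447: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.9)
Mar  1 00:10:40.010: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.202:1645,1646 is not responding.
Mar  1 00:15:40.010: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.20.246.201:1645,1646 is being marked alive.
Mar  1 00:16:05.500: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.20.246.202:1645,1646 is being marked alive.
"""


def parse_ts(ts):
    """IOS timestamp ('Mar  1 00:09:55.001') to datetime; year is irrelevant for deltas."""
    ts = re.sub(r"\s+", " ", ts)
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    return datetime.strptime(ts, fmt)


def all_dead_windows(lines, configured_servers):
    """Return [(start_ts, end_ts, seconds)] for each period with no live server.

    end_ts and seconds are None when the window is still open at end of log."""
    configured = set(configured_servers)
    dead, windows = set(), []
    start, start_ts = None, None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a RADIUS liveness message
        if m["state"] == "DEAD":
            dead.add(m["server"])
        else:
            dead.discard(m["server"])
        now = parse_ts(m["ts"])
        if dead >= configured and start is None:
            start, start_ts = now, m["ts"]          # last server just died
        elif not dead >= configured and start is not None:
            windows.append((start_ts, m["ts"], (now - start).total_seconds()))
            start = None                            # a server came back
    if start is not None:
        windows.append((start_ts, None, None))
    return windows


def demo(servers=("172.20.246.201", "172.20.246.202")):
    return all_dead_windows(SAMPLE_LOG.splitlines(), servers)


if __name__ == "__main__":
    for start, end, secs in demo():
        print(f"no live RADIUS server from {start} to {end or 'end of log'}: {secs} s")
```

The configured server list is an input rather than inferred from the log, because a server that never logs anything is one the switch never marked dead; pair the reported windows with show authentication sessions output taken at the same time to see which ports were admitted under the critical VLAN.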

Page 276: ...IUS server authentication port. key string: Specify the authentication and encryption key for all RADIUS communication between the switch and the RADIUS daemon. Note: Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation m...
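Pages 245, 246, 253 and 255 describe what the RADIUS server has to return for the switch to act: tagged tunnel attributes [64]/[65]/[81] for VLAN assignment, Session-Timeout [27] and Termination-Action [29] for re-authentication, and cisco-av-pair VSAs (ip:inacl#N=... for per-user ACLs) for the ACL features. The note on page 276 adds that a trailing space in the configured key is part of the key. The code below is an added example, not code from the Cisco guide or Cisco Secure ACS: it builds such an Access-Accept, parses it back the way the switch would read it, and verifies the RFC 2865 Response Authenticator, showing that a key differing only by a trailing space fails verification. The request authenticator, shared secret, VLAN and ACL entries are constructed values.

```python
# Added example, not from the Cisco guide: encode and decode the RADIUS
# Access-Accept a server returns for 802.1x VLAN assignment (Tunnel-Type,
# Tunnel-Medium-Type, Tunnel-Private-Group-ID), re-authentication control
# (Session-Timeout, Termination-Action) and per-user ACLs carried in the
# cisco-av-pair VSA, then verify the Response Authenticator (RFC 2865).
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # cisco-av-pair VSA sub-type
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIV_GROUP = 64, 65, 81
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TUNNEL_TYPE_VLAN = 13          # Attribute [64] must carry VLAN (13)
MEDIUM_802 = 6                 # Attribute [65] must carry 802 (6)
TERM_RADIUS_REQUEST = 1        # Termination-Action: re-authenticate instead of ending the session


def avp(attr_type, value):
    """One RADIUS attribute in Type/Length/Value form."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(tag, n):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one cisco-av-pair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, vlan, acl_entries,
                        session_timeout=3600, tag=1):
    """Build the Access-Accept; each ACL entry becomes an ip:inacl#N= AV pair."""
    attrs = (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
             + avp(TUNNEL_MEDIUM, tagged_int(tag, MEDIUM_802))
             + avp(TUNNEL_PRIV_GROUP, bytes([tag]) + str(vlan).encode())
             + avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
             + avp(TERMINATION_ACTION, struct.pack("!I", TERM_RADIUS_REQUEST)))
    for n, ace in enumerate(acl_entries, 1):
        attrs += cisco_avpair(f"ip:inacl#{n}={ace}")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the packet was authenticated with exactly this shared secret."""
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    want = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, want)


def parse_access_accept(packet):
    """Walk the attribute list and pull out the values the switch acts on."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    out = {"code": code, "id": ident, "avpairs": []}
    pos = 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        v = packet[pos + 2:pos + ln]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            out[t] = int.from_bytes(v[1:], "big")            # skip the tag byte
        elif t == TUNNEL_PRIV_GROUP:
            out["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()  # tag is optional on strings
        elif t in (SESSION_TIMEOUT, TERMINATION_ACTION):
            out[t] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            if v[4] == CISCO_AVPAIR:
                out["avpairs"].append(v[6:4 + v[5]].decode())
        pos += ln
    return out


def demo():
    """Constructed exchange: the request authenticator and secret are made up."""
    request_auth = bytes(range(16))
    secret = b"s3cret"
    pkt = build_access_accept(7, request_auth, secret, vlan=20,
                              acl_entries=["permit tcp any any eq 443", "deny ip any any"])
    parsed = parse_access_accept(pkt)
    parsed["auth_ok"] = verify_response(pkt, request_auth, secret)
    # A trailing space in the configured key is part of the key (radius-server host note)
    parsed["auth_ok_trailing_space"] = verify_response(pkt, request_auth, secret + b" ")
    return parsed


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator is an MD5 over the packet and the shared secret, not a MAC in the modern sense, which is why the guide's advice to keep the key exact matters: a switch whose key carries a stray trailing space discards every Access-Accept as unauthenticated and the port never leaves the unauthorized state.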

Page 277: ...ical Switch(config-if)# dot1x critical recovery action reinitialize Switch(config-if)# dot1x critical vlan 20 Switch(config-if)# end Configuring 802.1x Authentication with WoL Beginning in privileged EXEC mode, follow these steps to enable 802.1x authentication with WoL. This procedure is optional. Step 7 dot1x critical {recovery action reinitialize | vlan vlan-id} Enable the inaccessible authentication bypass...

Page 278: ...the port and use these keywords to configure the port as bidirectional or unidirectional: both: Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional. in: Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host. Step 4 end Return to privileged EXEC mode. Step 5 show auth...

Page 279: ...keywords to configure the number of seconds that a connected host can be inactive before it is placed in an unauthorized state. The range is 1 to 65535. You must enable port security before configuring a time-out value. For more information, see the Configuring Port Security section on page 26-8. Step 5 end Return to privileged EXEC mode. Step 6 show authentication interface interface-id or show dot1x interface...

Page 280: ...traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator. Step 5 dot1x timeout reauth-period {seconds | server} Set the number of seconds between re-authentication attempts. The keywords have these meanings: seconds: Sets the number of seconds from 1 t...

Page 281: ...ation or server. Step 8 end Return to privileged EXEC mode. Step 9 show running-config interface interface-id Verify your configuration. Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 cisp enable Enable CISP. Step 3 dot1x credentials profile Create 802.1x cr...

Page 282: ...vileged EXEC command to display the downloaded ACLs on the port. Configuring Downloadable ACLs The policies take effect after client authentication and the client IP address addition to the IP device tracking table. The switch then applies the downloadable ACL to the port. Beginning in privileged EXEC mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip device trac...

Page 283: ...he packet that matches the entry to be sent to the console. Step 3 interface interface-id Enter interface configuration mode. Step 4 ip access-group acl-id in Configure the default ACL on the port in the input direction. Note: The acl-id is an access list name or number. Step 5 exit Return to global configuration mode. Step 6 aaa new-model Enable AAA. Step 7 aaa authorization network default group radi...

Page 284: ...s example shows how to configure a port to attempt 802.1x authentication first, followed by web authentication as a fallback method: Switch# configure terminal Switch(config)# interface gigabitethernet 1/0/1 Switch(config-if)# authentication order dot1x webauth Step 12 show ip device tracking all Display information about the entries in the IP device tracking table. Step 13 copy running-config startup-config (Opt...

Page 285: ...guration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode. Step 3 authentication control-direction {both | in} (Optional) Configure the port control as unidirectional or bidirectional. Step 4 authentication fallback name (Optional) Configure a port to use web authentication as a fallback method for clients that do not support 802.1x authentication. S...

Page 286: ...cess the switch console after entering the aaa authentication login command. If you do not want to be prompted for a username and password, configure a second login authentication list: Switch# config t Switch(config)# aaa authentication login line-console none Switch(config)# line console 0 Switch(config-line)# login authentication line-console Switch(config-line)# end Step 4 aaa authorization auth-proxy def...

Page 287: ...Specify the port to be configured, and enter interface configuration mode. Step 4 switchport mode access Set the port to access mode. Step 5 ip access-group access-list in Specify the default access control list to be applied to network traffic before web authentication. Step 6 ip admission rule Apply an IP admission rule to the interface. Step 7 end Return to privileged EXEC mode. Step 8 show running-c...

Page 288: ...You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command. Beginning in privileged EXEC mode, follow these steps to disable 802.1x authentication on the port. This procedure is optional. Step 9 authentication port-control auto or dot1x port-control auto Enable 802.1x authentication on the interface. Step 10 authentication fallback fallback-profile or do...

Page 289: ...privileged EXEC command. To display the 802.1x administrative and operational status for the switch, use the show dot1x all [details | statistics | summary] privileged EXEC command. To display the 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command. For detailed information about the fields in these displays, see the command refe...

Page 290: ...12-60 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 12 Configuring IEEE 802.1x Port-Based Authentication, Displaying 802.1x Statistics and Status...

Page 291: ...ands used in this chapter, see the switch command reference for this release and the Cisco IOS Interface Command Reference, Release 12.2, from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. Understanding Interface Types This section describes the different types of interfaces supported by the switch, with references to chapters that contain more detailed inf...

Page 292: ...se. When VTP mode is transparent, the VTP and VLAN configuration is saved in the switch running configuration, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. Add ports to a VLAN by using the switchport interface configuration commands: Identify the interface. For a trunk port, set trunk characteristics, and, if desire...

Page 293: ...ring an allowed list of VLANs for each trunk port. The list of allowed VLANs does not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN IDs 1 to 4094) are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and if the VLAN is in the enabled state. If VTP learns of a new enabled VLAN and the VLAN is in the allowed list for a...

Page 294: ...uplink, see the Setting the Interface Speed and Duplex Parameters section on page 13-14. Each uplink port has two LEDs: one shows the status of the RJ-45 port, and one shows the status of the SFP module port. The port LED is on for whichever connector is active. For more information about the LEDs, see the hardware installation guide. Connecting Interfaces Devices within a single VLAN can communicate dire...

Page 295: ...he Gigabit Ethernet ports. The port numbers for the IE-3000-8TC switch model are 1 to 8 for the Fast Ethernet ports and 1 to 2 for the Gigabit Ethernet ports. Table 13-1 shows the switch and module combinations and the interface numbers. You can identify physical interfaces by looking at the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all t...

Page 296: ...enter define the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode. You can also configure a range of interfaces by using the interface range or interface range macro global configuration commands. Interfaces configured in a range must be the same ty...

Page 297: ...works with VLAN interfaces that have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface range {port-range | macro...

Page 298: ...ait until the command prompt reappears before exiting interface range configuration mode. Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration...

Page 299: ...s. VLAN interfaces not displayed by the show running-config command cannot be used as interface ranges. All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro. This example shows how to define an interface-range named enet_list to include ports 1 and 2 and...

Page 300: ...ayer 2 Ethernet Interface Configuration (Feature: Default Setting). Allowed VLAN range: VLANs 1 to 4094. Default VLAN (for access ports): VLAN 1. Native VLAN (for IEEE 802.1Q trunks): VLAN 1. VLAN trunking: Switchport mode dynamic auto (supports DTP). Port enable state: All ports are enabled. Port description: None defined. Speed: Autonegotiate. Duplex mode: Autonegotiate. Flow control: Flow control is set to receive: off. It...

Page 301: ...eps to select which dual-purpose uplink to activate so that you can set the speed and duplex. This procedure is optional. Auto-MDIX: Enabled. Note: The switch might not support a pre-standard powered device, such as Cisco IP phones and access points that do not fully support IEEE 802.3af, if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX i...

Page 302: ...RJ-45 side. Step 3 media-type {auto-select | rj45 | sfp} Select the interface and type of a dual-purpose uplink port. The keywords have these meanings: auto-select: The switch dynamically selects the type. When link up is achieved, the switch disables the other type until the active link goes down. When the active link goes down, the switch enables both types until one of them links up. In auto-select mode, the s...

Page 303: ...support all speed options and all duplex options (auto, half, and full). However, Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode. For SFP module ports, the speed and duplex CLI options change depending on the SFP module type: The 1000BASE-x (where -x is -BX, -CWDM, -LX, -SX, or -ZX) SFP module ports support the nonegotiate keyword in the speed interface configuration command. Duplex opt...

Page 304: ...interface configuration mode. Step 3 speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate} Enter the appropriate speed parameter for the interface: Enter 10, 100, or 1000 to set a specific speed for the interface. The 1000 keyword is available only for 10/100/1000 Mb/s ports. Enter auto to enable the interface to autonegotiate speed with the connected device. If you use the 10, 100, or 1000 keywords with the...

Page 305: ...e frames but can operate with an attached device that is required to or can send pause frames; the port can receive pause frames. receive off: Flow control does not operate in either direction. In case of congestion, no indication is given to the link partner, and no pause frames are sent or received by either device. Note: For details on the command settings and the resulting flow control resolution on l...

Page 306: ...that result from auto-MDIX settings and correct and incorrect cabling. Beginning in privileged EXEC mode, follow these steps to configure auto-MDIX on an interface. To disable auto-MDIX, use the no mdix auto interface configuration command. This example shows how to enable auto-MDIX on a port: Switch# configure terminal Switch(config)# interface gigabitethernet1/1 Switch(config-if)# speed auto Switch(config...

Page 307: ...e switch is 1500 bytes. You can increase the MTU size for all interfaces operating at 10 or 100 Mb/s by using the system mtu global configuration command. You can increase the MTU size to support jumbo frames on all Gigabit Ethernet interfaces by using the system mtu jumbo global configuration command. Gigabit Ethernet ports are not affected by the system mtu command; 10/100 ports are not affected by...

Page 308: ...eged EXEC command. This example shows how to set the maximum packet size for a Gigabit Ethernet port to 1800 bytes: Switch(config)# system mtu jumbo 1800 Switch(config)# exit Switch# reload This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000 % Invalid input detected at '^' marker. Monitoring and Maintaining the Interfaces...

Page 309: ...abled state. show interfaces [interface-id] switchport (Optional) Display administrative and operational status of switching ports. show interfaces [interface-id] description (Optional) Display the description configured on an interface or all interfaces and the interface status. show ip interface [interface-id] (Optional) Display the usability status of all interfaces configured for IP routing or the specified...

Page 310: ...an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface conf...

Page 311: ...ings based on the location of a switch in the network and for mass configuration deployments across the network Each Smartports macro is a set of CLI commands that you define Smartports macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a Smartports macro to an interface the CLI commands within the macro are configured on the interface When the m...

Page 312: ...h Description cisco ie global Use this global configuration macro to configure the switch settings for the industrial Ethernet environment This macro is automatically applied when you use Express Setup to initially configure the switch Note You must first apply the cisco ie global macro for the cisco ethernetip macro to work properly cisco ie desktop Use this interface configuration macro for incr...

Page 313: ...pecify unique parameter values that are specific to the switch You can enter up to three keyword value pairs Parameter keyword matching is case sensitive The corresponding value replaces all matching occurrences of the keyword Step 5 interface interface id Optional Enter interface configuration mode and specify the interface on which to apply the macro Step 6 default interface interface id Optiona...

Page 314: ...ctivity spanning tree portfast spanning tree bpduguard enable no macro description macro description cisco ie desktop Switch Switch configure terminal Switch config interface gigabitethernet1 4 Switch config if macro apply cisco ie desktop AVID 25 This example shows how to display the cisco ethernetip macro and how to apply it to an interface Switch show parser macro name cisco ethernetip Macro na...

Page 315: ...vileged EXEC commands in Table 14 2 Table 14 2 Commands for Displaying Smartports Macros Command Purpose show parser macro Displays all Smartports macros show parser macro name macro name Displays a specific Smartports macro show parser macro brief Displays the Smartports macro names show parser macro description interface interface id Displays the Smartports macro description for all interfaces o...

Page 316: ...14-6 Cisco IE 3000 Switch Software Configuration Guide, OL-13018-03. Chapter 14, Configuring Smartports Macros: Displaying Smartports Macros ...

Page 317: ...rk that is logically segmented by function, project team, or application without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in t...

Page 318: ...N IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. VTP only learns normal-range VLANs, with VLAN IDs 1 to 1005; VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database. The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094. Although the switch supports a total of 255 normal-range and extended-range VLANs, the number of ...

Page 319: ...figuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list. For information about configuring trunk ports, see the "Configuring an Ethernet Interface as a Trunk Port" section on page 15-16. VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and...

Page 320: ... described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 16, "Configuring VTP." You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs. The results of these commands are written to the running configuration file, and you can display the file by entering the show running-config privil...

Page 321: ...n Ring and FDDI VLANs. VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configuration are also saved in the switch running configuration file. The switch also supports VLAN IDs 1006 through 4094 in VTP transparent mode (VTP disabled). These are extended-range VLANs, and configuration options are limited. Extended-range VLANs are not ...

Page 322: ...obal configuration command description in the command reference for this release. When you have finished the configuration, you must exit config-vlan mode for the configuration to take effect. To display the VLAN configuration, enter the show vlan privileged EXEC command. You must use this config-vlan mode when creating extended-range VLANs (VLAN IDs greater than 1005). See the "Configuring Extended-Range ...

Page 323: ...nd VLAN configuration for the first 1005 VLANs use the VLAN database information. Caution: If the VLAN database configuration is used at startup and the startup configuration file contains extended-range VLAN configuration, this information is lost when the system boots up. Default Ethernet VLAN Configuration: Table 15-2 shows the default configuration for Ethernet VLANs. Note: The switch supports Ethern...

Page 324: ...itch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end
Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 vlan vlan-id: Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. Note: The available VLAN ID range for this command is 1 to 4094. For information about adding VLAN IDs gr...

Page 325: ...ly on that specific switch. You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. Command / Purpose. Step 1 vlan database: Enter VLAN database configuration mode. Step 2 vlan vlan-id name vlan-name: Add an Ethernet VLAN by assigning a number to it. The range is 1 to 1001. You can create or modify a range of consecutive VLANs by entering ...

Page 326: ... that does not exist, the new VLAN is created. See the "Creating or Modifying an Ethernet VLAN" section on page 15-8. Beginning in privileged EXEC mode, follow these steps to assign a port to a VLAN in the VLAN database. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 no vlan vlan-id: Remove the VLAN by entering the VLAN ID. Step 3 end: Return to privileged EXEC mode. Step 4 ...

Page 327: ...upported in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command). Extended-range VLAN configurations are not stored in the VLAN database, but because VTP mode is transparent, they are stored in the switch running configuration file, and you can save the configuration in the startup configuration file by using the copy running-config startup-config privileged ...

Page 328: ... we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tree instance. For more information about MSTP, see Chapter 19, "Configuring MSTP." Although the switch supports a total of 255 normal-range and extended-range VLANs, the number of configured features affects the use of the switch hardware. If you try to create an extended-range VLA...

Page 329: ...commands for monitoring VLANs. Step 3 vlan vlan-id: Enter an extended-range VLAN ID, and enter config-vlan mode. The range is 1006 to 4094. Step 4 mtu mtu-size: (Optional) Modify the VLAN by changing the MTU size. Note: Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size and remote-span commands are supported for extended-range VLANs. Step 5 remote-span: Note: (Optional) C...

Page 330: ...k interfaces support different trunking modes (see Table 15-4). You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a Point-to-Point Protocol. However, some internetworking devices might forward DTP fra...

Page 331: ...cause spanning-tree loops. We recommend that you leave spanning tree enabled on the native VLAN of an IEEE 802.1Q trunk or disable spanning tree on every VLAN in the network. Make sure your network is loop-free before you disable spanning tree. Table 15-4 Layer 2 Interface Modes: Mode / Function. switchport mode access: Puts the interface (access port) into permanent nontrunking mode and negotiates to conve...

Page 332: ... port. Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group. If you change the configuration of one of these parameters, the switch propagates the setting you entered to all ports in the group: allowed-VLAN list, STP port priority...

Page 333: ...sirable
Switch(config-if)# end
Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the port to be configured for trunking, and enter interface configuration mode. Step 3 switchport mode {dynamic {auto | desirable} | trunk}: Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2 access port or to specify the trunking mod...

Page 334: ...regardless of the switchport trunk allowed setting. The same is true for any VLAN that has been disabled on the port. A trunk port can become a member of a VLAN if the VLAN is enabled, if VTP knows of the VLAN, and if the VLAN is in the allowed list for the port. When VTP detects a newly enabled VLAN and the VLAN is in the allowed list for a trunk port, the trunk port automatically becomes a member of t...

Page 335: ...eceive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default. Note: The native VLAN can be assigned any VLAN ID. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Select the trunk port for which VLANs should be pruned, and enter interface conf...

Page 336: ...out STP, see Chapter 18, "Configuring STP." Load Sharing Using STP Port Priorities: When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a...

Page 337: ...domain name can be 1 to 32 characters. Step 3 vtp mode server: Configure Switch A as the VTP server. Step 4 end: Return to privileged EXEC mode. Step 5 show vtp status: Verify the VTP configuration on both Switch A and Switch B. In the display, check the VTP Operating Mode and the VTP Domain Name fields. Step 6 show vlan: Verify that the VLANs exist in the database on Switch A. Step 7 configure terminal: Ente...

Page 338: ...onfigure the network shown in Figure 15-3. Step 16 interface gigabitethernet0/1: Define the interface to set the STP port priority, and enter interface configuration mode. Step 17 spanning-tree vlan 8-10 port-priority 16: Assign the port priority of 16 for VLANs 8 through 10. Step 18 exit: Return to global configuration mode. Step 19 interface gigabitethernet0/2: Define the interface to set the STP port p...

Page 339: ...section on page 15-29. Step 4 exit: Return to global configuration mode. Step 5: Repeat Steps 2 through 4 on a second interface in Switch A. Step 6 end: Return to privileged EXEC mode. Step 7 show running-config: Verify your entries. In the display, make sure that the interfaces are configured as trunk ports. Step 8 show vlan: When the trunk links come up, Switch A receives the VTP information from the other s...

Page 340: ...ddress. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using Network Assistant, the CLI, or SNMP. Dynamic-Access Port VLAN Membership: A dynamic-access port can belong to only one VLAN with an ID ...

Page 341: ...EEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed. Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later config...

Page 342: ...itches can cause a loss of connectivity. Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 vmps server ipaddress primary: Enter the IP address of the switch acting as the primary VMPS server. Step 3 vmps server ipaddress: (Optional) Enter the IP address of the sw...

Page 343: ... reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch. Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval. To return the switch to its default setting, use the no vmps reconfirm global configuration command. Step 6 show interfaces interface-id switchport: Verify your entries in th...

Page 344: ... query the secondary VMPS. VMPS domain server: the IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server. VMPS Action: the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps...

Page 345: ... a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command. VMPS Configuration Example: Figure 15-4 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply: The VMPS server and the VMPS client are separate switches. The Catalyst 6500 series Sw...

Page 346: [Figure 15-4 diagram labels only] ...series; Secondary VMPS Server 3; Catalyst 6500 series switch A; Switch C; Ethernet segment; Trunk link; Client switch I; Client switch B; End station 2; End station 1; TFTP server; Dynamic access port (two); Switch J; Switch D; Switch E; Switch F; Switch G; Switc...; addresses 172.20.26.150 through 172.20.26.159.

Page 347: ...an make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches. VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain. It does not work well in a situati...

Page 348: ...P domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN inf...

Page 349: ...VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. In VTP server mode, VLAN configurations are saved in NVRAM. VTP server is the default mode. VTP client: A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, but you cannot create, change, or del...

Page 350: ...ecting the version and domain name. Consistency Checks: In VTP Version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 digest on a received VTP message is correct, its information is...

Page 351: ...n. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the "Enabling VTP Pruning" section on page 16-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible...

Page 352: ...abled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking. Configuring VTP: These sections contain this configuration information: Default VTP Configuration, page 16-6; VTP Configuration Options, page 16-6; VTP Configuration Guidelines, page 16-7; Configuring a VTP Server, page 16-9; Configuring a VTP Client, page 16-11; Disabling VTP (VTP Transparent M...

Page 353: ...nd the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database. If the VTP mode or domain name in the startup configuration do not match the VLAN database, the domain name and VTP mode and configuration for the first 255 VLANs use the VLAN database information. VTP Configuration in VLAN Database Configuration Mode...

Page 354: ...the new switch learns the domain name only after the applicable password has been configured on it. Caution: When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain. VTP Version: Follow these guidelines when deciding which VTP version to implement: All switches in a VTP domain must run the s...

Page 355: ...d state, use the no vtp password global configuration command. This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# config terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# end
Command / Purpose. Step 1 configure termina...

Page 356: ...p
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Command / Purpose. Step 1 vlan database: Enter VLAN database configuration mode. Step 2 vtp server: Configure the switch for VTP server mode (the default). Step 3 vtp domain domain-name: Configure a VTP administrative-domain name. The name can be 1 to 32 characters. All switches operating in VTP server or client mode under t...

Page 357: ...To return the switch to a no-password state, use the no vtp password privileged EXEC command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain. Note: You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command, similar to the second procedure...

Page 358: ...uration command. Note: If extended-range VLANs are configured on the switch, you cannot change the VTP mode to server. You receive an error message, and the configuration is not allowed. Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure u...

Page 359: ...ction properly. For Token Ring and Token Ring-Net media, VTP Version 2 must be disabled. For more information on VTP version configuration guidelines, see the "VTP Version" section on page 16-8. Beginning in privileged EXEC mode, follow these steps to enable VTP Version 2. To disable VTP Version 2, use the no vtp version global configuration command. Note: You can also enable VTP Version 2 by using the vlan d...

Page 360: ...tire VTP domain. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the "Changing the Pruning-Eligible List" section on page 15-19. Adding a VTP Client Switch to a VTP Domain: Before adding a VTP client to a VTP domain, always v...

Page 361: ...and / Purpose. Step 1 show vtp status: Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c. Continue with the next steps to reset the switch configuration revision number. Step 2 configure terminal: Enter global configuration mode. Ste...

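The check described on pages 348 and 360-361 (a switch brought into a VTP domain with a revision number equal to or higher than the domain's replaces every VLAN in the domain) is easy to get wrong by eye, so here it is as a script. This is an added example and not code from the guide: it parses two constructed `show vtp status` outputs in the classic IOS field layout (an assumption about the format), refuses the join when the candidate's revision could win, and models the one behaviour the procedure relies on, namely that changing the VTP domain name resets the configuration revision to 0.

```python
"""Decide from `show vtp status` output whether a switch is safe to cable into a VTP
domain. Added example, not code from the Cisco guide; both outputs below are
constructed in the classic IOS `show vtp status` layout (an assumption)."""

NEW_SWITCH_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 42
Maximum VLANs supported locally : 255
Number of existing VLANs        : 3
VTP Operating Mode              : Server
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x3A 0x1B 0xC4 0x52 0x9D 0x77 0x08 0xE1
"""

DOMAIN_SERVER_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 255
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7E 0x02 0x9A 0xB3 0x40 0xD1 0x6C 0x15
"""


def parse_vtp_status(text):
    """Turn the `field : value` lines of `show vtp status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def revision(status):
    return int(status.get("Configuration Revision", "0"))


def join_findings(candidate, domain):
    """Findings to clear before `candidate` touches the domain's trunks.
    An empty list is the guide's safe case (revision 0, matching domain)."""
    findings = []
    cand_rev, dom_rev = revision(candidate), revision(domain)
    if candidate.get("VTP Domain Name") != domain.get("VTP Domain Name"):
        findings.append("domain name differs: the switch would not synchronize with this domain")
    if cand_rev == 0:
        pass  # the guide's rule: revision 0 can be added as is
    elif cand_rev >= dom_rev:
        findings.append(f"REFUSE: revision {cand_rev} >= domain revision {dom_rev}; "
                        "its VLAN database would replace the domain's")
    else:
        findings.append(f"reset first: revision {cand_rev} is not 0")
    if candidate.get("VTP Operating Mode", "").lower() == "server":
        findings.append("candidate is a VTP server; set vtp mode client before connecting")
    return findings


def simulate_domain_rename(status, new_name):
    """Model of IOS behaviour: changing the domain name resets the revision to 0,
    so renaming away and then back to the real name clears a stale revision."""
    updated = dict(status)
    updated["VTP Domain Name"] = new_name
    updated["Configuration Revision"] = "0"
    return updated


def with_mode(status, mode):
    updated = dict(status)
    updated["VTP Operating Mode"] = mode
    return updated


def safe_to_join(candidate_text, domain_text):
    return not join_findings(parse_vtp_status(candidate_text), parse_vtp_status(domain_text))
```

Run `join_findings` against the real outputs of the switch being added and of the current domain server; anything it returns is a reason not to plug in the trunk yet. The rename simulation only shows what the reset procedure achieves; on the switch itself the revision is checked again with `show vtp status` after the domain name has been changed and restored.
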
Page 362: ...rrent VTP revision and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 16-3 shows the privileged EXEC commands for monitoring VTP activity. Table 16-3 VTP Monitoring Commands: Command / Purpose. show vtp status: Display the VTP switch configuration information. show vtp counters: Display counters about VTP messages that have been sent and ...

Page 363: ...P precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner. For more information on QoS, see Chapter 36, "Configu...

Page 364: ...Layer 2 CoS priority value. Note: In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5 for voice traffic and 3 for voice control traffic). Cisco IP Phone Data Traffic: The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone (see Figure 17-1). You can configu...

Page 365: ...onfiguration of voice VLANs is not required on trunk ports. The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN. Use the show vlan privileged EXEC command to see if the VLAN is present (listed in the display). If the VLAN is not listed, see Chapter 15, "Configuring VLANs," for information on how to create the voice VLAN. Before you enable voic...

Page 366: ...rmation. A source or destination port for a SPAN or RSPAN session. Secure port: See the "Configuring Port Security" section on page 26-8 for more information. Note: When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port ...

Page 367: ...ce interface-id: Specify the interface connected to the phone, and enter interface configuration mode. Step 3 mls qos trust cos: Configure the interface to classify incoming traffic packets by using the packet CoS value. For untagged packets, the port default CoS value is used. Note: Before configuring the port trust state, you must first globally enable QoS by using the mls qos global configuration comman...

Page 368: ...with CNTL/Z.
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# switchport priority extend trust
Switch(config-if)# end
To return the port to its default setting, use the no switchport priority extend interface configuration command. Displaying Voice VLAN: To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command. Command / Purpose...

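Several of the interface-level rules on the preceding pages are worth checking mechanically across a whole running-config rather than port by port: DTP negotiation and the native VLAN on trunks (pages 330-335), the default allowed-VLAN list that carries every new VLAN onto every trunk (page 334 and the spanning-tree caveat on page 380), BPDU guard on access ports as the cisco-ie-desktop macro applies it (page 314), and the port-security maximum of two plus the access-VLAN maximum on voice-VLAN ports (page 366). The audit below is an added example, not code from the guide or from Cisco. The running-config it reads is constructed, and it assumes the platform defaults of switchport mode dynamic auto, native VLAN 1, access VLAN 1 and port-security maximum 1.

```python
"""Audit trunk and IP-phone port stanzas of an IOS running-config for the conditions
the guide describes. Added example, not Cisco's code; the config text is constructed.
Assumed defaults: switchport mode dynamic auto, native VLAN 1, access VLAN 1,
port-security maximum 1."""
import re

SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/2
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/3
 switchport access vlan 10
 switchport voice vlan 110
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet1/4
 switchport access vlan 10
 switchport voice vlan 110
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan access
 spanning-tree bpduguard enable
!
interface FastEthernet1/5
 switchport access vlan 99
 switchport mode access
"""

PORTSEC_MAX = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")


def parse_interfaces(config_text):
    """Return {interface name: [its indented config lines]} in configuration order."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return stanzas


def _after(lines, prefix, default=None):
    """Text following `prefix` on the first line that starts with it, else `default`."""
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return default


def _portsec_limits(lines):
    """(port maximum, access-VLAN maximum); None where the command is absent."""
    port_max = access_max = None
    for line in lines:
        m = PORTSEC_MAX.match(line)
        if m and m.group(2) == "access":
            access_max = int(m.group(1))
        elif m and m.group(2) is None:
            port_max = int(m.group(1))
    return port_max, access_max


def audit(config_text):
    """Map every interface to the sorted list of finding codes raised against it."""
    stanzas = parse_interfaces(config_text)
    findings = {name: [] for name in stanzas}
    natives, access_vlans = {}, {}
    for name, lines in stanzas.items():
        mode = _after(lines, "switchport mode", "dynamic auto")
        if mode.startswith("dynamic"):
            findings[name].append("DTP_NEGOTIATION")  # forms a trunk with any neighbour that asks
        if mode == "trunk" or mode.startswith("dynamic"):
            natives[name] = int(_after(lines, "switchport trunk native vlan", "1"))
            if natives[name] == 1:
                findings[name].append("NATIVE_VLAN_DEFAULT")
            if _after(lines, "switchport trunk allowed vlan") is None:
                findings[name].append("ALLOWED_ALL")  # every VLAN, including new ones, rides this trunk
        elif mode == "access":
            access_vlans[name] = int(_after(lines, "switchport access vlan", "1"))
            if "spanning-tree bpduguard enable" not in lines:
                findings[name].append("NO_BPDUGUARD")
            if _after(lines, "switchport voice vlan") and "switchport port-security" in lines:
                port_max, access_max = _portsec_limits(lines)
                needed = (1 if access_max is None else access_max) + 2  # guide: two plus the access maximum
                if (1 if port_max is None else port_max) < needed:
                    findings[name].append("PORTSEC_MAX_TOO_LOW")
    # An access VLAN that is also a trunk's native VLAN crosses that trunk untagged,
    # which is the condition 802.1Q double-tagging relies on.
    for name, native in natives.items():
        if native in access_vlans.values():
            findings[name].append("NATIVE_IS_ACCESS_VLAN")
    return {name: sorted(codes) for name, codes in findings.items()}
```

Feed it the output of `show running-config` and treat every non-empty list as a port to fix: trunks get `switchport mode trunk`, `switchport nonegotiate`, an unused native VLAN and an explicit allowed list; phone ports get `switchport port-security maximum 3` (or more, matching the access maximum plus two) and `spanning-tree bpduguard enable`, which is what the cisco-ie-desktop macro on page 314 already does for you.
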
Page 369: ...al Spanning-Tree Features. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding Spanning-Tree Features, page 18-1; Configuring Spanning-Tree Features, page 18-11; Displaying the Spanning-Tree Status, page 18-22. Understanding Spanning-Tree Features: STP Overview, page 18-2; Spanni...

Page 370: ... path to the root bridge in the spanning tree. Backup: A blocked port in a loopback configuration. The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch. Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spa...

Page 371: ...nfiguration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network. A BPDU exchan...

Page 372: ...ed as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability. For more information, see the "Configuring the Root Switch" section on page 18-14, the "Configuring a Secondary Root Switch" section on page 18-16, and the "Configuring the Switch Priority of a VLAN" section on page 18-19. Spanning-Tree Interface States: Propagation delays can occur when protoco...

Page 373: ...ocess occurs: 1. The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state. 2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer. 3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station l...

Page 374: ...ld participate in frame forwarding. An interface in the listening state performs these functions: Discards frames received on the interface; Discards frames switched from another interface for forwarding; Does not learn addresses; Receives BPDUs. Learning State: A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening...

Page 375: ...g interfaces or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal switch as the root. Figure 18-2 Spanning-Tree Topology. When the spanning-tree topology is calculated based on default parameters, the path bet...

Page 376: ...0x0180C2000010 to be used by different bridge protocols. These addresses are static addresses that cannot be removed. Regardless of the spanning-tree state, each switch receives but does not forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F. If spanning tree is enabled, the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010. If spanning tree ...

Page 377: ...PVST+ immediately deletes dynamically learned MAC address entries on a per-port basis upon receiving a topology change. By contrast, PVST+ uses a short aging time for dynamically learned MAC address entries. The rapid PVST+ uses the same configuration as PVST+ (except where noted), and the switch needs only minimal extra configuration. The benefit of rapid PVST+ is that you can migrate a large PVST+ install ba...

Page 378: ...ver, in a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks. When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spannin...

Page 379: ...s, page 18-20 (optional). Default Spanning-Tree Configuration: Table 18-3 shows the default spanning-tree configuration. Table 18-3 Default Spanning-Tree Configuration: Feature / Default Setting. Enable state: Enabled on VLAN 1. For more information, see the "Supported Spanning-Tree Instances" section on page 18-9. Spanning-tree mode: PVST+ (rapid PVST+ and MSTP are disabled). Switch priority: 32768. Spanning-tree port p...

Page 380: ...ing-tree instances on your switch, adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch. If you have the default allowed list on the trunk ports of that switch, the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that will not be broken, particularly if there are several a...

Page 381: ... Step 3 interface interface-id: (Recommended for rapid-PVST+ mode only) Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports, VLANs, and port channels. The VLAN ID range is 1 to 4094. The port-channel range is 1 to 6. Step 4 spanning-tree link-type point-to-point: (Recommended for rapid-PVST+ mode only) Specify that the link type for this port is poin...

Page 382: ...ity from the default value (32768) to a significantly lower value. When you enter this command, the software checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN. If any root switch for the specified VLAN has a...

Page 383: ...d the spanning-tree vlan vlan-id max-age global configuration commands. Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional. To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2...

Page 384: ... state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Command / Purpose. Step 1 configure terminal ...

Page 385: ...tion mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3 spanning-tree port-priority priority: Configure the port priority for an interface. For priority, the range is 0 to 240, in increments of 16; the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lower t...

Page 386: ...nterface-id: Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3 spanning-tree cost cost: Configure the cost for an interface. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represen...

Page 387: ...llow these steps to configure the switch priority of a VLAN. This procedure is optional. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree vlan vlan-id priority priority: Configure the switch priority of a VLAN. For vlan-id, you can specify a single V...

Page 388: ...iable / Description: Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding. Maximum-age timer: Controls the amount of time the switch stores protocol information received on an interface. Transmit hold count: Controls the number of BPDUs that can be s...

Page 389: ...states to the forwarding state. For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. For seconds, the range is 4 to 30; the default is 15. Step 3 end: Return to privileged EXEC mode. Step 4 show spanning-tree vlan vlan-id: Verify your entries. Step 5 copy running-config startup-config: ...

Page 390: ...he clear spanning-tree interface interface-id privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree transmit hold-count value: Configure the number of BPDUs that can be sent before pausing for 1 second. For...

Page 391: ...Spanning Tree Protocol (RSTP), which is based on IEEE 802.1w, is automatically enabled. The RSTP provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state. Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with equipm...

Page 392: ...n each switch belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map. You configure the switch for a region by using the spanning-tree mst configuration global configuration command, after which the switch enters the MST configuration mode. From this mode, you can map VLANs to an MST instance by using the instance MST configuration com...

Page 393: ...an MST Region. The IST connects all the MSTP switches in a region. When the IST converges, the root of the IST becomes the CIST regional root (called the IST master before the implementation of the IEEE 802.1s standard), as shown in Figure 19-1 on page 19-4. It is the switch within the region with the lowest switch ID and path cost to the CIST root. The CIST regional root is also the CIST root if there is...

Page 394: ... MST Regions, CIST Masters, and CST Root. Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because of this, the spanning-tree parameters related to BPDU transmission (for example, hello time, forward time, max-age, and max-hops) are configured only on the CST ...

Page 395: ...ST instance 0. Table 19-1 on page 19-5 compares the IEEE standard and the Cisco prestandard terminology. Hop Count: The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree m...

Page 396: ...to share a segment with a port belonging to a different region, creating the possibility of receiving both internal and external messages on a port. The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP-compatible mode. Note: If there is a legacy STP switch on the segment, messages are always considered external ...

Page 397: ...for prestandard BPDU transmission. Figure 19-2 illustrates this scenario. Assume that A is a standard switch and B a prestandard switch, both configured to be in the same region. A is the root switch for the CIST, and thus B has a root port (BX) on segment X and an alternate port (BY) on segment Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard BPDU, AY ca...

Page 398: ...s because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch might also continue to assign a boundary role to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected ...

Page 399: ...e is included in the active topology. A port with the alternate or backup port role is excluded from the active topology. In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 8...

Page 400: ...ot port. After receiving Switch B's agreement message, Switch A also immediately transitions its designated port to the forwarding state. No loops in the network are formed because Switch B blocked all of its nonedge ports and because there is a point-to-point link between Switches A and B. When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch C selects the ...

Page 401: ...not configured as an edge port, it transitions to the blocking state when the RSTP forces it to synchronize with new root information. In general, when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions, its port state is set to blocking. After ensuring that all of the ports are synchronized, the switch sends an agreement message to the ...

Page 402: ...he state of the sending port. Processing Superior BPDU Information: If a port receives superior root information (lower switch ID, lower path cost, and so forth) than currently stored for the port, the RSTP triggers a reconfiguration. If the port is proposed and is selected as the new root port, RSTP forces all the other ports to synchronize. If the BPDU received is an RSTP BPDU with the proposal flag set, t...

Page 403: ...ve on a root port connected to an IEEE 802.1D switch and a configuration BPDU with the TCA bit set is received, the TC-while timer is reset. This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the TCA bit set. Propagation: When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge d...

Page 404: ...e default MSTP configuration. For information about the supported number of spanning-tree instances, see the Supported Spanning Tree Instances section on page 18-9. MSTP Configuration Guidelines: These are the configuration guidelines for MSTP: When you enable MST by using the spanning-tree mode mst global configuration command, RSTP is automatically enabled. For two or more switches to be in the same MS...

Page 405: ...the MST cloud consists of multiple MST regions, one of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have to manually configure the switches in the clouds. Partitioning the network into a large number of regions is not recommended. However, if this ...

Page 406: ...LANs to an MST instance. For instance-id, the range is 0 to 4094. For vlan vlan-range, the range is 1 to 4094. When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped. To specify a VLAN range, use a hyphen; for example, instance 1 vlan 1-63 maps VLANs 1 through 63 to MST instance 1. To specify ...

Page 407: ...ority; 4096 is the value of the least-significant bit of a 4-bit switch priority value, as shown in Table 18-1 on page 18-4. If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is gr...

Page 408: ... the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]: Configure a switch as the root switch. For insta...

Page 409: ...instance-id root secondary [diameter net-diameter [hello-time seconds]]: Configure a switch as the secondary root switch. For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. (Optional) For diameter net-diameter, specify the maximum number of switches between any two end stations. The range is 2 to 7...

Page 410: ...s the other interfaces. Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional. Step 3 spanning-tree mst instance-id port-priority priority: Configure the port priority. For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. For ...

Page 411: ...you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority. Step 3 spanning-tree mst instance-id cost cost: Configure the cost. If a loop occurs, the MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission. For...

Page 412: ... a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be chosen as the root switch. Priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other v...

Page 413: ...ime seconds: Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. Step 3 end: Return to privileged EXEC mode. Step 4 show spanning-tree mst: Verify your entries. Step 5 copy running-config startup-config: (Optio...

Page 414: ...ions to the forwarding state. Beginning in privileged EXEC mode, follow these steps to override the default link-type setting. This procedure is optional. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 spanning-tree mst max-hops hop-count: Specify the number of ...

Page 415: ...h also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2). However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the des...

Page 416: ...ds for the show spanning-tree privileged EXEC command, see the command reference for this release. Table 19-5 Commands for Displaying MST Status. Command / Purpose: show spanning-tree mst configuration: Displays the MST region configuration. show spanning-tree mst configuration digest: Displays the MD5 digest included in the current MSTCI. show spanning-tree mst instance-id: Displays MST information for the ...

Page 417: ...Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 19, Configuring MSTP. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding Optional Spanning Tree Features, page 20-1; Configuring Optional Spanning Tree Features, page 20-9; Displa...

Page 418: ...ng a spanning-tree loop. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command. Figure 20-1 Port Fast-Enabled Interfaces. Understanding BPDU Guard: The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences. At the global level, ...

Page 419: ...revents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast ...

Page 420: ...is 150 packets per second. However, if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more slowly after a loss of connectivity. Note: UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices. This feature might not be useful for other types of applications. UplinkFast provides fas...

Page 421: ...protocol information received on an interface. When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root. BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or bloc...

Page 422: ...e or more alternate paths can still connect to the root switch, the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking state (if they were in the blocking state), through the listening and learning states, and into the forwarding state. Figure 20-5 shows an example topology with no link failures. Switch A, the root switch, connects direct...

Page 423: ...therChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel. For EtherChannel configuration guidelines, see the Et...

Page 424: ... root switch. The customer's switch does not become the root switch and is not in the path to the root. If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface tha...

Page 425: ...is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances. Configuring Optional Spanning Tree Features: These sections contain this configuration information: Default Optional Spanning Tree Configuration, page 20-9; Optional Spanning Tree Configuration Guidelines, page 20-10; Enabling Port Fast, page 20-10 (optional); Enabling BPDU Guard, page 20-11 ...

Page 426: ...lly enabled. When you disable voice VLAN, the Port Fast feature is not automatically disabled. For more information, see Chapter 17, Configuring Voice VLAN. You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional. Command / Purpose: Step 1 configure terminal: Enter global configuration mo...

Page 427: ...U guard feature provides a secure response to invalid configurations because you must manually put the port back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. Caution: Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt s...

Page 428: ...panning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs. Caution: Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops. You can enable the BPDU filtering feature if your sw...

Page 429: ...t is not altered. The changes to the switch priority and the path cost reduce the chance that a switch will become the root switch. When UplinkFast is disabled, the switch priorities of all VLANs and path costs of all interfaces are set to default values if you did not modify them from their defaults. To return the update packet rate to the default setting, use the no spanning-tree uplinkfast max-updat...

Page 430: ... command. You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration. After the configuration is corrected, enter the shutdown and no shutdown interface configuration comma...

Page 431: ...u can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on interfaces that are considered point-to-point by the spanning tree. Note: You cannot enable both loop guard and root guard at the same time. You ca...

Page 432: ...tree privileged EXEC command, see the command reference for this release. Step 3 spanning-tree loopguard default: Enable loop guard. By default, loop guard is disabled. Step 4 end: Return to privileged EXEC mode. Step 5 show running-config: Verify your entries. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose. Table 20-2 Commands for Displaying th...

Page 433: ...21-6; Monitoring REP, page 21-13. Understanding REP: One REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (non-edge) segment ports and two user-configured edge ports. A switch can have no more than two ports that belong to the same segment, and each segment port can have only one external neighbor. A segment can go through a shared m...

Page 434: ...both edge ports located on the same switch is a ring segment. In this configuration, there is connectivity between the edge ports through the segment. With this configuration, you can create a redundant connection between any two switches in the segment. Figure 21-2 REP Ring Segment. REP segments have these characteristics: If all ports in the segment are operational, one port (referred to as the alternate ...

Page 435: ... within the segment, multiple port failures within the REP segment cause loss of network connectivity. You should configure REP only in networks with redundancy. Configuring REP in a network without redundancy causes loss of connectivity. Link Integrity: REP does not use an end-to-end polling mechanism between edge ports to verify link integrity. It implements local link failure detection. The REP Link S...

Page 436: ...on fiber interfaces is less than 200 ms for the local segment with 200 VLANs configured. Convergence for VLAN load balancing is 300 ms or less. VLAN Load Balancing: One edge port in the REP segment acts as the primary edge port; the other as the secondary edge port. It is the primary edge port that always participates in VLAN load balancing in the segment. REP VLAN balancing is achieved by blocking some...

Page 437: ...onfigured, it does not start working until triggered by either manual intervention or a link failure and recovery. When VLAN load balancing is triggered, the primary edge port sends out a message to alert all interfaces in the segment about the preemption. When the secondary port receives the message, it is reflected into the network to notify the alternate port to block the set of VLANs specified in t...

Page 438: ... open state, forwarding all VLANs. A regular segment port converted to an edge port, or an edge port converted to a regular segment port, does not always result in a topology change. If you convert an edge port into a regular segment port, VLAN load balancing is not implemented unless it has been configured. For VLAN load balancing, you must configure two edge ports in the segment. A segment port that is r...

Page 439: ...e alternate port election mechanism. REP ports must be Layer 2 trunk ports. Be careful when configuring REP through a Telnet connection. Because REP blocks all VLANs until another REP interface sends a message to unblock it, you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the same interface. You cannot run REP and STP or REP and Flex Link...

Page 440: ...yer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. You can control flooding of these messages by configuring an administrative VLAN for the whole domain. Follow these guidelines when configuring the REP administrative VLAN: If you do not configure an administrative VLAN, the default is VLAN 1. There can be only one administrative VLAN on a s...

Page 441: ...HFL TLV: rx 0, tx 0; EPA-ELECTION TLV: rx 118, tx 118; EPA-COMMAND TLV: rx 0, tx 0; EPA-INFO TLV: rx 4214, tx 4190. Configuring REP Interfaces: For REP operation, you need to enable it on each segment interface and identify the segment ID. This step is required and must be done before other REP configuration. You must also configure a primary and secondary edge port on each segment. All other steps are optional. Be...

Page 442: ...me as any edge port. Note: Although each segment can have only one primary edge port, if you configure edge ports on two different switches and enter the primary keyword on both switches, the configuration is allowed. However, REP selects only one of these ports as the segment primary edge port. You can identify the primary edge port for a segment by entering the show rep topology privileged EXEC command...

Page 443: ...as a downstream neighbor from an edge port. The range is from -256 to 256, with negative numbers indicating the downstream neighbor from the secondary edge port. A value of 0 is invalid. Enter -1 to identify the secondary edge port as the alternate port. See Figure 21-4 on page 21-5 for an example of neighbor offset numbering. Note: Because you enter this command at the primary edge port (offset number 1), yo...

Page 444: ...ghbor offset number 4. After manual preemption, VLANs 100 to 200 are blocked at this port, and all other VLANs are blocked at the primary edge port E1 (Gigabit Ethernet port 1/0/1).
Switch# configure terminal
Switch(conf)# interface gigabitethernet1/1
Switch(conf-if)# rep segment 1 edge primary
Switch(conf-if)# rep block port 4 vlan 100-200
Switch(conf-if)# end
Figure 21-5 Example of VLAN Blocking. Setting Manual...

Page 445: ...nt. You will need to confirm the command before it is executed. Step 2 show rep topology: View REP topology information. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 snmp mib rep trap-rate value: Enable the switch to send REP traps, and set the number of traps sent per second. The range is from 0 to 1000. The default is 0 (no limit imposed; a trap is sent at every occurre...

Page 446: ...21-14 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 21 Configuring Resilient Ethernet Protocol Monitoring REP ...

Page 447: ...ess-Table Move Update, page 22-7; Monitoring Flex Links and the MAC Address-Table Move Update, page 22-14. Understanding Flex Links and the MAC Address-Table Move Update: This section contains this information: Flex Links, page 22-1; VLAN Flex Link Load Balancing and Support, page 22-2; Flex Link Multicast Fast Convergence, page 22-3; MAC Address-Table Move Update, page 22-6. Flex Links: Flex Links are a pair of...

Page 448: ...n also choose to configure a preemption mechanism, specifying the preferred port for forwarding traffic. For example, in the example in Figure 22-1, you can configure the Flex Links pair with preemption mode. In the scenario shown, when port 1 comes back up and has more bandwidth than port 2, port 1 begins forwarding traffic after 60 seconds. Port 2 becomes the standby port. You do this by entering the int...

Page 449: ...Flex Link ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. Both Flex Link ports are always part of multicast groups. Though both Flex Link ports are part of the groups, in normal operation mode all traffic on the backup port is blocked. So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port. When the chang...

Page 450: ...eports on the backup port, which became the forwarding port. Configuration Examples: These are configuration examples for learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet1/1 and GigabitEthernet1/2, with output for the show interfaces switchport backup command:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch ...

Page 451: ...tchport backup interface gigabitEthernet 1/2 multicast fast-convergence command. This example shows turning on this feature:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport backup interface gigabitethernet 1/2 multicast fast-convergence
Switch(config-if)# exit
Switch# show interfaces switchport b...

Page 452: ...he PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1. If the MAC address-table move update feature is not configured and port 1 goes down, port 2 starts forwarding traffic. However, for a short time, switch C keeps forwarding traffic from the server to the PC through port 3, and the PC does not get the traffic because port 1 is down. If switch ...

Page 453: ...s-Table Move Update Example. Configuring Flex Links and the MAC Address-Table Move Update: These sections contain this information: Default Configuration, page 22-8; Configuration Guidelines, page 22-8; Configuring Flex Links, page 22-9; Configuring VLAN Load Balancing on Flex Links, page 22-11; Configuring the MAC Address-Table Move Update Feature, page 22-12. (Figure labels: Switch C, Port 3, Port 1, Port 2, Port 4, Switch A, Swi...)

Page 454: ...sical interface as Flex Links, with either the port channel or the physical interface as the active link. A backup link does not have to be the same type (Fast Ethernet, Gigabit Ethernet, or port channel) as the active link. However, you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic. STP is disab...

Page 455: ...nterface 4. Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1...

Page 456: ...rface Pair: Gi1/1, Gi1/2; Preemption Mode: forced; Preemption Delay: 50 seconds; Bandwidth: 100000 Kbit (Gi1/1), 100000 Kbit (Gi1/2); Mac Address Move Update Vlan: auto. Step 3 switchport backup interface interface-id: Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode. Step 4 switchport ba...

Page 457: ...ackup Interface 60 100 120. When a Flex Link interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to the peer interface of the Flex Link pair. In this example, if interface Gi1/1 goes down, Gi1/2 carries all VLANs of the Flex Link pair.
Switch# show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
GigabitEthernet1/1 GigabitEthernet1/...

Page 458: ...Preemption Mode: off; Bandwidth: 10000 Kbit (Fa1/3), 100000 Kbit (Fa1/4); Mac Address Move Update Vlan: auto. Configuring the MAC Address-Table Move Update Feature: This section contains this information: Configuring a switch to send MAC address-table move updates; Configuring a switch to get MAC address-table move updates. Beginning in privileged EXEC mode, follow these steps to configure an access switch to sen...

Page 459: ... 5
Rcv conforming packet count: 5
Rcv invalid packet count: 0
Rcv packet count this min: 0
Rcv threshold exceed count: 0
Rcv last sequence this min: 0
Rcv last interface: Po2
Rcv last src-mac address: 000b.462d.c502
Rcv last switch-ID: 0403.fd6a.8700
Xmt packet count: 0
Xmt packet count this min: 0
Xmt threshold exceed count: 0
Xmt pak buf unavail cnt: 0
Xmt last interface: None
Beginning in privileged EXEC mo...

Page 460: ...MAC Address-Table Move Update. Table 22-1 shows the privileged EXEC commands for monitoring the Flex Links configuration and the MAC address-table move update information. Step 4 show mac address-table move update: Verify the configuration. Step 5 copy running-config startup-config: (Optional) Save your entries in the switch startup configuration file. Command / Purpose. Table 22-1 Flex Links and MAC Address...

Page 461: ...age 23-1; Configuring DHCP Snooping, page 23-6; Displaying DHCP Snooping Information, page 23-12; Understanding IP Source Guard, page 23-12; Configuring IP Source Guard, page 23-13; Displaying IP Source Guard Information, page 23-15; Understanding DHCP Server Port-Based Address Allocation, page 23-15; Configuring DHCP Server Port-Based Address Allocation, page 23-16; Displaying DHCP Server Port-Based Address All...

Page 462: ...s a DHCP snooping binding table. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch. Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces. An untru...

Page 463: ... and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features can still be enabled on the aggregation switch while the switch receives packets with...

Page 464: ...le, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply. The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it o...

Page 465: ... checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 72 bytes, followed by a space and then the checksum value. To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has ...

Page 466: ... the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database The switch ignores an entry when one of these situations occurs The switch reads the entry and the calculated checksum value does not equal the stored checksum value The entry and the ones following it are i...

Page 467: ...esses that the DHCP server can assign or exclude or you must configure DHCP options for these devices If the DHCP relay agent is enabled but DHCP snooping is disabled the DHCP option 82 data insertion feature is not supported Table 23 1 Default DHCP Snooping Configuration Feature Default Setting DHCP server Enabled in Cisco IOS software requires configuration1 1 The switch responds to DHCP request...

Page 468: ... configured the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP Do not enter the ip dhcp snooping information option allow untrusted command on an aggregation switch to which an untrusted device is connected If you enter this command an untrusted device might spoof the option 82 information You can display DHCP snooping statistics by ent...

Page 469: ...the switch to insert and remove DHCP relay information option 82 field in forwarded DHCP request messages to the DHCP server This is the default setting Step 5 ip dhcp snooping information option allow untrusted Optional If the switch is an aggregation switch connected to an edge switch enable the switch to accept incoming DHCP snooping packets with option 82 information from the edge switch The d...

Page 470: ... dhcp snooping Switch config ip dhcp snooping vlan 10 Switch config ip dhcp snooping information option Switch config interface gigabitethernet1 1 Switch config if ip dhcp snooping limit rate 100 Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database see the DHCP Configuration Task List section in the Configuring DHCP chapter of the Ci...

Page 471: ...na me host ip directory image name tar rcp user host filename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash filename ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step 3 ip dhcp snooping database timeout seconds Specify in seconds how long t...

Page 472: ...y IP traffic with a source IP address in the IP source binding table and denies all other traffic Note The port ACL takes precedence over any router ACLs or VLAN maps that affect the same interface The IP source binding table has bindings that are learned by DHCP snooping or are manually configured static IP source bindings An entry in this table has an IP address with its associated MAC address a...

Page 473: ...s The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table When IP source guard with source IP and MAC address filtering is enabled the switch filters IP and non IP traffic If the source MAC address of an IP or non IP packet matches a valid IP source binding the switch forwards the packet The switch drops all other types of packets except ...

Page 474: ...supported on EtherChannels You can enable this feature when IEEE 802 1x port based authentication is enabled If the number of ternary content addressable memory TCAM entries exceeds the maximum available the CPU usage increases Enabling IP Source Guard Beginning in privileged EXEC mode follow these steps to enable and configure IP source guard on an interface Command Purpose Step 1 configure termi...

Page 475: ...thernet switch port regardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the network they offer connectivity to the directly connected devices In some environments such as on a factory floor if a device fails the replacement device must be working immediately in the existing network With the current DHCP implementation there is no gu...

Page 476: ... address is allocated through DHCP to the attached device The DHCP server port based address allocation feature is only supported on a Cisco IOS DHCP server and not a third party server Configuring DHCP Server Port Based Address Allocation This section contains this configuration information Default Port Based Address Allocation Configuration page 23 16 Port Based Address Allocation Configuration ...

Page 477: ...iber identifier configured on a specific interface takes precedence over this command Step 4 interface interface id Specify the interface to be configured and enter interface configuration mode Step 5 ip dhcp server use subscriber id client id Configure the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface Step 6 end Return to priv...

Page 478: ...lding configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vrf connected ip dhcp use subscriber id client id ip dhcp subscriber id interface name ip dhcp excluded address 10 1 1 1 10 1 1 3 ip dhcp pool dhcppool network 10 1 1 0 255 255 255 0 address 10 1 1 7 clien...

Page 479: ...isplay the DHCP server port based address allocation information use one or more of the privileged EXEC commands in Table 23 4 Table 23 4 Commands for Displaying DHCP Port Based Address Allocation Information Command Purpose show interface interface id Display the status and configuration of a specific interface show ip dhcp pool Display the DHCP address pools show ip dhcp binding Display address ...

Page 480: ...23 20 Cisco IE 3000 Switch Software Configuration Guide OL 13018 03 Chapter 23 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port Based Address Allocation ...

Page 481: ...2 broadcast domain by mapping an IP address to a MAC address For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadcast domain receive the ARP request and Host A resp...

Page 482: ...rcepts logs and discards ARP packets with invalid IP to MAC address bindings This capability protects the network from certain man in the middle attacks Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP ...

Page 483: ...ypass the security check No other validation is needed at any other place in the VLAN or in the network You configure the trust setting by using the ip arp inspection trust interface configuration command Caution Use the trust state configuration carefully Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity In Figure 24 2 assume that both Switch A a...

Page 484: ...t the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection limit interface configuration command When the rate of incoming ARP packets exceeds the configured limit the switch places the port in the error disabled state The port remains in that state until you intervene You can use the errdisabl...

Page 485: ...in non DHCP environments Limiting the Rate of Incoming ARP Packets page 24 10 optional Performing Validation Checks page 24 12 optional Configuring the Log Buffer page 24 13 optional Default Dynamic ARP Inspection Configuration Table 24 1 shows the default dynamic ARP inspection configuration Table 24 1 Default Dynamic ARP Inspection Configuration Feature Default Setting Dynamic ARP inspection Dis...

Page 486: ...port channel inherits its trust state from the first physical port that joins the channel Consequently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all the physical ports that comprise the channel The operating rate for the port channel is cumulative...

Page 487: ...on You must perform this procedure on both switches This procedure is required Command Purpose Step 1 show cdp neighbors Verify the connection between the switches Step 2 configure terminal Enter global configuration mode Step 3 ip arp inspection vlan vlan range Enable dynamic ARP inspection on a per VLAN basis By default dynamic ARP inspection is disabled on all VLANs For vlan range specify a sin...

Page 488: ...ent this possibility you must configure port 1 on Switch A as untrusted To permit ARP packets from Host 2 you must set up an ARP ACL and apply it to VLAN 1 If the IP address of Host 2 is not static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Beginning in privileged EXEC mode follow th...

Page 489: ...ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts are in You can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 Optional Specify static to treat implicit denies in the ARP ACL as explici...

Page 490: ...led recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp ...

Page 491: ...nd responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps specify an upper limit for the number of incoming packets processed per second The range is 0 to 2048 pps Optional For burst interval seconds specify the consecutive interval in seconds over which the inter...

Page 492: ...or src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check is performed for...

Page 493: ... the log buffer or increase the logging rate Beginning in privileged EXEC mode follow these steps to configure the log buffer This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip arp inspection log buffer entries number logs number interval seconds Configure the dynamic ARP inspection logging buffer By default when dynamic ARP inspection is...

Page 494: ...Ns separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match A...

Page 495: ...about these commands see the command reference for this release Table 24 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC validation failure IP validation failure ACL permitted and deni...


Page 497: ...f these sections Understanding IGMP Snooping page 25 1 Configuring IGMP Snooping page 25 6 Displaying IGMP Snooping Information page 25 15 Understanding Multicast VLAN Registration page 25 16 Configuring MVR page 25 19 Displaying MVR Information page 25 23 Configuring IGMP Filtering and Throttling page 25 23 Displaying IGMP Filtering and Throttling Configuration page 25 28 Note You can either mana...

Page 498: ...st groups by using the ip igmp snooping vlan vlan id static ip_address interface interface id global configuration command If you specify group membership for a multicast group address statically your setting supersedes any automatic manipulation by IGMP snooping Multicast group membership lists can consist of both user defined and IGMP snooping learned settings You can configure an IGMP snooping ...

Page 499: ... see the following URL http www cisco com en US products sw iosswrel ps1834 products_feature_guide09186a008008048a html Joining a Multicast Group When a host connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client it sends an unsolicited IGMP join message specifying the IP multicast group to join Alternatively when the switch receives a general query from the...

Page 500: ...engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group Figure 25 2 the CPU receives that message and adds the port number of Host 4 to the forwarding table as shown in Table 25 2 Note that because the forwardin...

Page 501: ...he VLAN from its IGMP cache Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave ...

Page 502: ...also includes requests for IGMPv3 reports the switch forwards all IGMPv1 IGMPv2 and IGMPv3 reports for a group to the multicast devices If you disable IGMP report suppression all IGMP reports are forwarded to the multicast routers For configuration steps see the Disabling IGMP Report Suppression section on page 25 15 Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets a...

Page 503: ...e use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number Multicast router learning snooping method PIM DVMRP IGMP snooping Immediate Leave Disabled Static groups None configured TCN1 flood query count 2 TCN query solicitation Disabled IGMP snooping querier Disabled IGMP report suppression Enabled 1 TCN Topology Change Notification Table 25 3 Default IGM...

Page 504: ...M DVMRP packets use the ip igmp snooping vlan vlan id mrouter learn pim dvmrp global configuration command Note If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy enabled you must enter the ip cgmp router only command to dynamically access the router Beginning in privileged EXEC mode follow these steps to alter the method in which a VLAN interface dy...

Page 505: ... privileged EXEC mode follow these steps to add a Layer 2 port as a member of a multicast group Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physical int...

Page 506: ...ooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable IGMP Immediate Leave on VLAN 130: Switch# configure terminal; Switch(config)# ip igmp snooping vlan 130 immediate-leave; Switch(config)# end. Configuring the IGMP Leave Timer: Follow these guidelines when configuring the IGMP leave timer. You can configure the leave time globally or on a per-VLAN basis. Configur...

Page 507: ... event by using the ip igmp snooping tcn flood query count global configuration command This command configures the number of general queries for which multicast data traffic is flooded after a TCN event Some examples of TCN events are when the client changed its location and the receiver is on same port that was blocked but is now forwarding and when a port went down without sending a leave messa...

Page 508: ... is disabled Beginning in privileged EXEC mode follow these steps to enable the switch to send the global leave message whether or not it is the spanning tree root To return to the default query solicitation use the no ip igmp snooping tcn query solicit global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping tcn flood query cou...

Page 509: ...If there is no global IP address specified the IGMP querier tries to use the VLAN switch virtual interface SVI IP address if one exists If there is no SVI IP address the switch uses the first available IP address configured on the switch The first IP address available appears in the output of the show ip interface privileged EXEC command The IGMP snooping querier does not generate an IGMP general ...

Page 510: ...oping querier Step 3 ip igmp snooping querier address ip_address Optional Specify an IP address for the IGMP snooping querier If you do not specify an IP address the querier tries to use the global IP address configured for the IGMP querier Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch Step 4 ip igmp snooping querier query inte...

Page 511: ...s for a VLAN configured for IGMP snooping To display IGMP snooping information use one or more of the privileged EXEC commands in Table 25 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no ip igmp snooping report suppression Disable IGMP report suppression Step 3 end Return to privileged EXEC mode Step 4 show ip igmp snooping Verify that IGMP report suppression ...

Page 512: ...reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping show ip igmp snooping groups vlan vlan id ip_address count dynamic count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 and 1006 t...

Page 513: ...d client ports that the MVR hosts have joined either by IGMP reports or by MVR static configuration Any IGMP reports received from MVR hosts are also forwarded from all the MVR data ports in the switch This eliminates using unnecessary bandwidth on MVR data port links which occurs when the switch runs in compatible mode Only Layer 2 ports take part in MVR You must configure ports as MVR receiver p...

Page 514: ... reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave feature o...

Page 515: ...delines and Limitations page 25 19 Configuring MVR Global Parameters page 25 20 Configuring MVR Interfaces page 25 21 Default MVR Configuration Table 25 5 shows the default MVR configuration MVR Configuration Guidelines and Limitations Follow these guidelines when configuring MVR Receiver ports can only be access ports they cannot be trunk ports Receiver ports on a switch can be in different VLANs...

Page 516: ...3 mvr group ip address count Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses the range for count is 1 to 256 the default is 1 Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address Each multicast address wou...

Page 517: ...nk ports that receive and send multicast data as source ports Subscribers cannot be directly connected to source ports All source ports on a switch belong to the single multicast VLAN receiver Configure a port as a receiver port if it is a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using ...

Page 518: ...icast group address configure Immediate Leave on the port and verify the results Switch config mvr Switch config interface gigabitethernet1 2 Switch config if mvr type receiver Switch config if mvr vlan 22 group 228 1 23 4 Switch config if mvr immediate Switch config end Switch show mvr interface Port Type Status Immediate Leave Gi1 2 RECEIVER ACTIVE DOWN ENABLED Step 7 end Return to privileged EX...

Page 519: ...group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join IGMP filtering controls only group specific query and membership reports including join and leave reports It does not control general IGMP queries IGMP filtering has no relationship with the function that directs the forwarding of IP multicast ...

Page 520: ...oups page 25 26 optional Configuring the IGMP Throttling Action page 25 27 optional Default IGMP Filtering and Throttling Configuration Table 25 7 shows the default IGMP filtering configuration When the maximum number of groups is in forwarding table the default IGMP throttling action is to deny the IGMP report For configuration guidelines see the Configuring the IGMP Throttling Action section on ...

Page 521: ...how ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Applying IGMP Profiles To control access as defined in an IGMP profile use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces You can apply IGMP profiles only to Layer 2 access ports You cannot apply profiles to ports that belong to an EtherChannel port group You can apply a pro...

Page 522: ...urpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interface and enter interface configuration mode The interface must be a Layer 2 port that does not belong to an EtherChannel port group Step 3 ip igmp filter profile number Apply the specified IGMP profile to the interface The range is 1 to 4294967295 Step 4 end Return to privileged...

Page 523: ...ng table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were previously in the forwarding table are not removed but are aged out After these entries are aged out and the maximum number of entries is in the forwarding table the switch drops the next IGMP report received on the interface If you configure the t...

Page 524: ...rface Use the privileged EXEC commands in Table 25 8 to display IGMP filtering and throttling configuration Step 4 end Return to privileged EXEC mode Step 5 show running config interface interface id Verify the configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Table 25 8 Commands for Displaying IGMP Filtering and Throttling...

Page 525: ...rol page 26 1 Default Storm Control Configuration page 26 3 Configuring Storm Control and Threshold Levels page 26 3 Configuring Small Frame Arrival Rate page 26 5 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN creating excessive traffi...

Page 526: ...all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. The graph in Figure 26-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between t...

Page 527: ...ecause of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm control on an Eth...

Page 528: ...threshold level for broadcast multicast or unicast traffic in bits per second up to one decimal place The port blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops...

Page 529: ...ed if small frames arrive at a specified rate threshold You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration command...

Page 530: ...cast to any other port that is also a protected port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 device Forwarding behavior between a protected port and a nonprotec...

Page 531: ... MAC addresses out of all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to another you can block a port protected or nonprotected from flooding unknown unicast or multicast packets to other ports These sections contain this configuration information De...

Page 532: ...forward packets with source addresses outside the group of defined addresses If you limit the number of secure MAC addresses to one and assign a single secure MAC address the workstation attached to that port is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to ac...

Page 533: ...ved in the configuration file when the switch restarts the interface does not need to dynamically reconfigure them You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning To enable sticky learning enter the switchport port security mac address sticky interface configuration command W...

Page 534: ...he maximum value or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown A port security violation causes the interface to become error disabled and to shut down immediately and the port LED turns off An SNMP trap is sent a syslog message ...

Page 535: ...red If you connect more than one PC to the Cisco IP phone you must configure enough secure addresses to allow one for each PC and one for the phone When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interface configuration commands has no effect When a con...

Page 536: ...LAN Query Protocol VQP port configured with the switchport access vlan dynamic interface configuration command No SPAN source port Yes SPAN destination port No EtherChannel No Protected port Yes IEEE 802 1x port Yes Voice VLAN port4 4 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN Yes Flex Links Yes Comman...

Page 537: ... Layer 2 functions and any other secure MAC addresses configured on interfaces Optional vlan set a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan list On a trunk port you can set a per VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas For nonspecified VLANs the per VLAN maximum value is used access On an a...

Page 538: ...reached its maximum limit restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown The interface is error disab...

Page 539: ...ured for voice VLAN configure a maximum of two secure MAC addresses Step 9 switchport port security mac address sticky Optional Enable sticky learning on the interface Step 10 switchport port security mac address sticky mac address vlan vlan id access voice Optional Enter a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses than t...

Page 540: ...c or sticky on the switch or on an interface To delete a specific secure MAC address from the address table use the no switchport port security mac address mac address interface configuration command To delete all dynamic secure addresses on an interface from the address table enter the no switchport port security interface configuration command followed by the switchport port security command to ...

Page 541: ...s sticky 0000 0000 0001 vlan voice Switch config if switchport port security mac address 0000 0000 0004 vlan voice Switch config if switchport port security maximum 10 vlan access Switch config if switchport port security maximum 10 vlan voice Enabling and Configuring Port Security Aging You can use port security aging to set the aging time for all secure addresses on a port Two types of aging are...

Page 542: ... verify the previous commands by entering the show port security interface interface id privileged EXEC command Step 3 switchport port security aging static time time type absolute inactivity Enable or disable static aging for the secure port or set the aging time or type Note The switch does not support port security aging of sticky secure addresses Enter static to enable aging for statically con...

Page 543: ...l switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show port security interface interface id Displays port sec...

Page 544: ...26-20 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 26 Configuring Port-Based Traffic Control: Displaying Port-Based Traffic Control Settings ...

Page 545: ...covery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network. To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the IEEE 802.1AB Link Layer ...

Page 546: ...MED supports these TLVs: LLDP-MED capabilities TLV: Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and has enabled. Network policy TLV: Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for the specific application on that port. For example, the switch can notify a phone of the...

Page 547: ...SP location and attachment notifications. The MSE starts the NMSP connection to the switch, which opens a server port. When the MSE connects to the switch, there are a set of message exchanges to establish version compatibility and service exchange information, followed by location information synchronization. After connection, the switch periodically sends location and attachment notifications to the MS...

Page 548: ... NMSP location notification message that identifies the affected ports and the changed address information. Configuring LLDP, LLDP-MED, and Wired Location Service: Default LLDP Configuration, page 27-4; Configuration Guidelines, page 27-5; Enabling LLDP, page 27-5; Configuring LLDP Characteristics, page 27-5; Configuring LLDP-MED TLVs, page 27-6; Configuring Network-Policy TLV, page 27-7; Configuring Location TLV...

Page 549: ...erface, use the no lldp transmit and the no lldp receive interface configuration commands. This example shows how to globally enable LLDP: Switch# configure terminal Switch(config)# lldp run Switch(config)# end This example shows how to enable LLDP on an interface: Switch# configure terminal Switch(config)# interface interface_id Switch(config-if)# lldp transmit Switch(config-if)# lldp receive Switch(config-if)# en...

Page 550: ... configure the interface not to send the TLVs listed in Table 27-2. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 lldp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds. Step 3 lldp reinit delay (Optional) Specify the dela...

Page 551: ...butes and apply it to an interface. network-policy: LLDP-MED network policy TLV. power-management: LLDP-MED power management TLV. (Table 27-2 LLDP-MED TLVs; columns: LLDP-MED TLV, Description.) Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode. Step 3 lldp med...

Page 552: ...pplication type. vlan Specify the native VLAN for voice traffic. vlan-id (Optional) Specify the VLAN for voice traffic. The range is 1 to 4094. cos cvalue (Optional) Specify the Layer 2 priority class of service (CoS) for the configured VLAN. The range is 0 to 7; the default is 0. dscp dvalue (Optional) Specify the differentiated services code point (DSCP) value for the configured VLAN. The range is 0 to 63; the def...

Page 553: ...y the location information for an endpoint. admin-tag Specify an administrative tag or site information. civic-location Specify civic location information. elin-location Specify emergency location information (ELIN). identifier id Specify the ID for the civic location. string Specify the site or location information in alphanumeric format. Step 3 exit Return to global configuration mode. Step 4 interface i...

Page 554: ...ble Enable the NMSP features on the switch. Step 3 nmsp notification interval {attachment | location} interval-seconds Specify the NMSP notification interval. attachment Specify the attachment notification interval. location Specify the location notification interval. interval-seconds Duration in seconds before the switch sends the MSE the location or attachment updates. The range is 1 to 30; the default is...

Page 555: ...lay information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID. You can limit the display to neighbors of a specific interface or expand the display for more detailed information. show lldp traffic Display LLDP counters, including the number of packets sent and received, number of packets discarded, and number of unrecognized TLVs. show locatio...

Page 556: ...27-12 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 27 Configuring LLDP, LLDP-MED, and Wired Location Service: Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service ...

Page 557: ... type, and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link layer only, two systems that support different network-layer protocols can learn about ...

Page 558: ...ime, and advertisement type. Note: Steps 2 through 4 are all optional and can be performed in any order. Table 28-1 Default CDP Configuration (Feature / Default Setting): CDP global state: Enabled; CDP interface state: Enabled; CDP timer (packet update frequency): 60 seconds; CDP holdtime (before discarding): 180 seconds; CDP Version-2 advertisements: Enabled. Command Purpose Step 1 configure terminal Enter global confi...

Page 559: ...information, see Chapter 7, Clustering Switches, and see Getting Started with Cisco Network Assistant, available on Cisco.com. Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability. Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled. This example shows how to enable CDP if it has been disabled: Switch# configure termina...

Page 560: ...witch(config-if)# end Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface on which you are disabling CDP, and enter interface configuration mode. Step 3 no cdp enable Disable CDP on the interface. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration fi...

Page 561: ... display all CDP neighbors, or you can enter the name of the neighbor about which you want information. You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device. show cdp interface [interface-id] Display information about interfaces where CDP is enabled. You can limit the display to the interfac...

Page 562: ...28-6 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 28 Configuring CDP: Monitoring and Maintaining CDP ...

Page 563: ...n cause a variety of problems, including spanning-tree topology loops. Modes of Operation: UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconn...

Page 564: ...oss of the heartbeat means that the link must be shut down if it is not possible to re-establish a bidirectional link. If both fiber strands in a cable are working normally from a Layer 1 perspective, UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors. This check cannot be performed by auton...

Page 565: ...in the advertisement or in the detection phase, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbor. UDLD shuts down the port if, after the fast train of messages, the link state is still undetermined. Figure 29-1 shows an example of a unidirectional link condition. Figure 29-1 UDLD Detection of a Unidirectional Link. Configuring UDLD: Default UDLD Configuration, p...

Page 566: ...witch. When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP. Table 29-1 Default UDLD Configuration (Feature / Default Setting): UDLD global enable state: Globally disabled; UDLD per-port enable state f...

Page 567: ... aggressive mode on all fiber-optic ports. enable Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default. An individual interface configuration overrides the setting of the udld enable global configuration command. For more information about aggressive and normal modes, see the Modes of Operation section on page 29-1. message time message-timer-interval Configure...

Page 568: ...d the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state. Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release. Step 3 udl...

Page 569: ... sent, or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic. Only traffic that enters or leaves source ports or traffic that en...

Page 570: ... all network traffic from port 5 without being physically attached to port 5. Figure 30-1 Example of Local SPAN Configuration on a Single Switch. Remote SPAN: RSPAN supports source ports, source VLANs, and destination ports on different switches, enabling remote monitoring of multiple switches across your network. Figure 30-2 shows source ports on Switch A and Switch B. The traffic for each RSPAN session ...

Page 571: ... the user and form them into a stream of SPAN data, which is directed to the destination port. RSPAN consists of at least one RSPAN source session, an RSPAN VLAN, and at least one RSPAN destination session. You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices. To configure an RSPAN source session on a device, you associate a set of source ports or sou...

Page 572: ...ns do not interfere with the normal operation of the switch. However, an oversubscribed SPAN destination (for example, a 10-Mb/s port monitoring a 100-Mb/s port) can result in dropped or lost packets. When RSPAN is enabled, each packet being monitored is transmitted twice: once as normal traffic and once as a monitored packet. Therefore, monitoring a large number of ports or VLANs could potentially generate...

Page 573: ...be dropped at ingress source ports, egress source ports, or SPAN destination ports. In general, these characteristics are independent of one another. For example: A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN destination port. An ingress packet might be dropped from normal forwarding but still appear on the SPAN destination port. An egress packet dropped be...

Page 574: ...ports is added to or removed from the sources being monitored. You cannot use filter VLANs in the same session with VLAN sources. You can monitor only Ethernet VLANs. VLAN Filtering: When you monitor a trunk port as a source port, by default all VLANs active on the trunk are monitored. You can limit SPAN traffic monitoring on trunk source ports to specific VLANs by using VLAN filtering. VLAN filtering ap...

Page 575: ...ncoming traffic is never learned or forwarded on a destination port. If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2. It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP). A destination port that belongs to a source VLAN of any SPAN session is excluded from the source list and is not monitored. The maximum ...

Page 576: ... remove the SPAN destination configuration. Changes in VLAN membership or trunk settings for a source port immediately take effect, and the respective SPAN sessions automatically adjust accordingly. EtherChannel: You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored. If a physical port is add...

Page 577: ...RSPAN Configuration, page 30-9; Configuring Local SPAN, page 30-9; Configuring RSPAN, page 30-16. Default SPAN and RSPAN Configuration: Table 30-1 shows the default SPAN and RSPAN configuration. Configuring Local SPAN: These sections contain this configuration information: SPAN Configuration Guidelines, page 30-10; Creating a Local SPAN Session, page 30-10; Creating a Local SPAN Session and Configuring Incoming...

Page 578: ...headers (untagged or IEEE 802.1Q) if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. For RSPAN destination ports, outgoing packets are not tagged. You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are ena...

Page 579: ...re 1 to 6. For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN). Note: A single session can include multiple sources (ports or VLANs) defined in a series of commands, but you cannot combine source ports and source VLANs in one session. (Optional) Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyph...

Page 580: ...or SPAN session 1: Switch(config)# no monitor session 1 source interface gigabitethernet1/1 Switch(config)# end Step 4 monitor session session_number destination {interface interface-id [encapsulation {dot1q | replicate}]} Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. Note: For local SPAN, you must use the same session number for...

Page 581: ...tor session 2 Switch(config)# monitor session 2 source vlan 1 - 3 rx Switch(config)# monitor session 2 destination interface gigabitethernet1/2 Switch(config)# monitor session 2 source vlan 10 Switch(config)# end Creating a Local SPAN Session and Configuring Incoming Traffic: Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source ports or VLANs and the destination...

Page 582: ...rface interface-id [encapsulation {dot1q | replicate}] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}] Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an Eth...

Page 583: ... session_number, enter the session number specified in Step 3. For vlan-id, the range is 1 to 4094. (Optional) Use a comma to specify a series of VLANs, or use a hyphen to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen. Step 5 monitor session session_number destination {interface interface-id [encapsulation {dot1q | replicate}]} Specify the SPAN session...

Page 584: ...to RSPAN. As RSPAN VLANs have special properties, you should reserve a few VLANs across your network for use as RSPAN VLANs; do not assign access ports to these VLANs. You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches. For RSPAN configuration, you can distribute the source ports and the destina...

Page 585: ...tination switches, and any intermediate switches. Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic. Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN. To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN confi...

Page 586: ...monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers are 1 to 6. For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN). A single session can include multiple sources (ports or VLANs) defined in a series of commands, but you cannot combine source ports and source VLANs...

Page 587: ...itch that is not the switch on which the source session was configured. Beginning in privileged EXEC mode, follow these steps to define the RSPAN VLAN on that switch, to create an RSPAN destination session, and to specify the source RSPAN VLAN and the destination port. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vlan vlan-id Enter the VLAN ID of the RSPAN VLAN creat...

Page 588: ...PAN Destination Session section on page 30-19. This procedure assumes that the RSPAN VLAN has already been configured. Step 7 monitor session session_number destination interface interface-id Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and t...

Page 589: ...ming VLAN and encapsulation. For session_number, enter the number defined in Step 4. In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and the destination port. For interface-id, specify the destination interface. The destination interface must be a physical interface. Though visible in the command-line help string, encapsulation replicate is not supported for ...

Page 590: ...ll to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions. Step 3 monitor session session_number source interface interface-id Specify the characteristics of the source port (monitored port) and SPAN session. For session_number, the range is 1 to 66. For interface-id, specify the source port to monitor. The interface specified must already be configured...

Page 591: ...uring SPAN and RSPAN: Displaying SPAN and RSPAN Status. Displaying SPAN and RSPAN Status: To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions. ...

Page 592: ...30-24 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 30 Configuring SPAN and RSPAN: Displaying SPAN and RSPAN Status ...

Page 593: ...s chapter, see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2, from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This chapter consists of these sections: Understanding RMON, page 31-1; Configuring RMON, page 31-2; Displaying RMON Status, page 31-6. Understanding RMON: RMON is an Internet Engineer...

Page 594: ...resets the alarm at another value (falling threshold). Alarms can be used with events; the alarm triggers an event, which can generate a log entry or an SNMP trap. Event (RMON group 9): Specifies the action to take when an event is triggered by an alarm. The action can be to generate a log entry or an SNMP trap. Because switches supported by this software release use hardware counters for RMON data processin...

Page 595: ...and Purpose Step 1 configure terminal Enter global configuration mode. Step 2 rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string] Set an alarm on a MIB object. For number, specify the alarm number. The range is 1 to 65535. For variable, specify the MIB object to monitor. For interval, specify the time in seconds the alarm...

Page 596: ... be triggered again. Switch(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command. The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm. The user jjones owns the row that is created in the event table by this command. Thi...

Page 597: ...ion history index [buckets bucket-number] [interval seconds] [owner ownername] Enable history collection for the specified number of buckets and time period. For index, identify the RMON group of statistics. The range is 1 to 65535. (Optional) For buckets bucket-number, specify the maximum number of buckets desired for the RMON collection history group of statistics. The range is 1 to 65535. The default is 50 bu...

Page 598: ...r Documentation > Cisco IOS Software > 12.2 Mainline > Command References. Step 3 rmon collection stats index [owner ownername] Enable RMON statistic collection on the interface. For index, specify the RMON group of statistics. The range is from 1 to 65535. (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4 end Return to privileged EXEC mode. Step 5 show running-conf...

Page 599: ...fault, a switch sends the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console. Note: The syslog format is compatible with 4.3 BSD UNIX. W...

Page 600: ...32-5 (optional); Synchronizing Log Messages, page 32-6 (optional); Enabling and Disabling Time Stamps on Log Messages, page 32-7 (optional); Enabling and Disabling Sequence Numbers in Log Messages, page 32-8 (optional); Defining the Message Severity Level, page 32-8 (optional); Limiting Syslog Messages Sent to the History Table and to SNMP, page 32-10 (optional); Enabling the Configuration Change Logger, page 32-10 (optio...

Page 601: ...e number only if the service sequence-numbers global configuration command is configured. For more information, see the Enabling and Disabling Sequence Numbers in Log Messages section on page 32-8. timestamp formats: mm dd hh:mm:ss, or hh:mm:ss (short uptime), or d h (long uptime) Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configurat...

Page 602: ...gging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the Synchronizing Log Messages section on page 32-6. To re-enable message logging after it has been disabled, use the logging on global configuration command. Time stamps: Disabled. Synchronous logging: Disabl...

Page 603: ... used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the Configuring UNIX Syslog Servers section on page 32-12. Step 4 logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type] Store log messages in a file in flash memory. For filename, enter the log mess...

Page 604: ...nchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or is printed after solicited device output appears or is printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited devic...

Page 605: ...lue are printed asynchronously. Low numbers mean greater severity and high numbers mean lesser severity. The default is 2. (Optional) Specifying level all means that all messages are printed asynchronously regardless of the severity level. (Optional) For limit number-of-buffers, specify the number of buffers to be queued for the terminal after which new messages are dropped. The range is 0 to 2147483647. The...

Page 606: ...umbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) Defining the Message Severity Level: You can limit messages displayed to the selected device by specifying the severity level of the message, which are described in Table 32-3. Beginning in privileged EXEC mode, follow these steps to define the message severity level. This procedure is optional. Command Purpose Step 1 conf...

Page 607: ...om the debug commands, displayed at the debugging level. Debug commands are typically used only by the Technical Assistance Center. Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; switch functionality is not affected. Step 4 logging trap level Limit messages logged to the syslog servers. By default, syslog servers rec...

Page 608: ...ble to the default value, use the no logging history size global configuration command. Enabling the Configuration Change Logger: You can enable a configuration logger to keep track of configuration changes made with the command-line interface (CLI). When you enter the logging enable configuration-change logger configuration command, the log records the session, the user, and the command that was entered t...

Page 609: ...ig-archive-log-cfg)# end This is an example of output for the configuration log: Switch# show archive log config all idx sess user@line Logged command 38 11 unknown user@vty3 |no aaa authorization config-commands 39 12 unknown user@vty3 |no aaa authorization network default group radius 40 12 unknown user@vty3 |no aaa accounting dot1x default start-stop group radius 41 13 unknown user@vty3 |no aaa account...

Page 610: ...rmation on the facilities. The debug keyword specifies the syslog level; see Table 32-3 on page 32-9 for information on the severity levels. The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it. Step 2 Create the log file by entering these commands at the UN...

Page 611: ...Command Reference, Release 12.2, from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. Step 3 logging trap level Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 32-3 on page 32-9 for level keywords. Step 4 logging facility facility-type Configure the syslog facility. See Table 32-4 on pag...

Page 612: ...32-14 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 32 Configuring System Message Logging: Displaying the Logging Configuration ...

Page 613: ... agent, and a MIB. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and MIB reside on the switch. To configure SNMP on the switch, you define the relationship between the manager and the agent. The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The a...

Page 614: ...ed with in transit. Authentication: determining that the message is from a valid source. Encryption: mixing the contents of a package to prevent it from being read by an unauthorized source. Note: To select encryption, enter the priv keyword. This keyword is available only when the cryptographic (encrypted) software image is installed. Both SNMPv1 and SNMPv2C use a community-based form of security. The commun...

Page 615: ...string | No | Uses a community string match for authentication. SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication. SNMPv3 | noAuthNoPriv | Username | No | Uses a username match for authentication. SNMPv3 | authNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. SNMPv3 | authPriv (requires the cryptographic software image) | MD5 or SHA | DES | Prov...

Page 616: ...mber (esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 7, Clustering Switches, and see Getting Started with Cisco Network Assistant, available on Cisco.com. Using SNMP to Access MIB Variables: An example of an NMS is the CiscoWorks network management software. CiscoWorks 2...

Page 617: ... it is sent; an inform request is held in memory until a response is received or the request times out. Traps are sent only once, but an inform might be re-sent or retried several times. The retries increase traffic and contribute to a higher overhead on the network. Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the SNMP manager receive every ...

Page 618: ...es. If the switch starts and the switch startup configuration has at least one snmp-server global configuration command, the SNMP agent is enabled. An SNMP group is a table that maps SNMP users to SNMP views. An SNMP user is a member of an SNMP group. An SNMP host is the recipient of an SNMP trap operation. An SNMP engine ID is a name for the local or remote SNMP engine. Table 33-4 Default SNMP Configura...

Page 619: ...a local user is not associated with a remote host, the switch does not send informs for the auth (authNoPriv) and the priv (authPriv) authentication levels. Changing the value of the SNMP engine ID has important side effects. A user's password (entered on the command line) is converted to an MD5 or SHA security digest based on the password and the local engine ID. The command-line password is then destroyed...

Page 620: ...figure a community string on the switch. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server community string [view view-name] [ro | rw] [access-list-number] Configure the community string. Note: The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command. For string, specify a strin...

Page 621: ... you can add new users to the SNMP group. Step 3 access-list access-list-number {deny | permit} source [source-wildcard] (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary. For access-list-number, enter the access list number specified in Step 2. The deny keyword denies access if the conditions are matched. The permit ke...

Page 622: ...ew access access-list] Configure a new SNMP group on the remote device. For groupname, specify the name of the group. Specify a security model: v1 is the least secure of the possible security models. v2c is the second least secure model. It allows transmission of informs and integers twice the normal width. v3, the most secure, requires you to select an authentication level: auth Enables the Message Digest 5...

Page 623: ...r an SNMP group. The username is the name of the user on the host that connects to the agent. The groupname is the name of the group to which the user is associated. Enter remote to specify a remote SNMP entity to which the user belongs, and the hostname or IP address of that entity with the optional UDP port number. The default is 162. Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have...

Page 624: ...lid PIM messages, neighbor changes, and rendezvous point (RP) mapping changes. port-security: Generates SNMP port-security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit. Note: When you configure a trap by using the notification type port-security, configure the port security trap first, and then configure the port s...

Page 625: ...e the switch to send traps or informs to a host. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server engineID remote ip-address engineid-string. Specify the engine ID for the remote host. Step 3: snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}. C...

Page 626: ...page 33-11. If no type is specified, all notifications are sent. Step 6: snmp-server enable traps notification-types. Enable the switch to send traps or informs, and specify the type of notifications to be sent. For a list of notification types, see Table 33-5 on page 33-11, or enter snmp-server enable traps ?. To enable multiple types of traps, you must enter a separate snmp-server enable traps command for ea...

Page 627: ...pes and values. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: process cpu threshold type {total | process | interrupt} rising percentage interval seconds [falling fall-percentage interval seconds]. Set the CPU threshold notification types and values. total: set the notification type to total CPU utilization. process: set the notification type to CPU process utilization. interru...

Page 628: ...how running-config. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server tftp-server-list access-list-number. Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list. For access-list-number, enter an IP s...

Page 629: ...snmp authentication / Switch(config)# snmp-server host cisco.com version 2c public. This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands f...

Page 630: ...fields in the displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2. Table 33-6 Commands for Displaying SNMP Information. Feature / Default Setting. show snmp: Displays SNMP statistics. show snmp engineID [local | remote]: Displays information on the local SNMP engine and all remote engines that have been configured on the device. show snmp group: Displays information on each SNMP...

Page 631: ...and restrict network use by certain users or devices. ACLs filter traffic as it passes through a switch and permit or deny packets crossing specified interfaces. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required...

Page 632: ...Ls. Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch. Port ACLs are supported only on physical interfaces (not on EtherChannel interfaces) and can be applied only on interfaces in the inbound direction. These access lists are supported: Standard IP access lists using source addresses; Extended IP access lists using source and destination addresses and optional protocol type infor...

Page 633: ...red one. Handling Fragmented and Unfragmented Traffic. IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All other fragments are missing this information. Some ACEs do not check Layer 4 information and therefore can be applied to...

Page 634: ...ayer 4 information. Instead, they match the third ACE (a permit). Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and resources of host 10.1.1.2 as it tries to reassemble the packet. Fragmented packet C is from host 10.2.2.2, port 65001, going to ho...

Page 635: ...n of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet. The software supports these types of ACLs or access lists for IPv4: S...

Page 636: ...IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list. Table 34-1 Access List Numbers. Access List Number / Type / Supported. 1-99: IP standard access list: Yes. 100-199: IP extended access list: Yes. 200-299: Protocol type-code access list: No. 300-399: DECnet access list: No. 400...

Page 637: ...t 2 permit any / Switch(config)# end / Switch# show access-lists / Standard IP access list 2 / 10 deny 171.69.198.102 / 20 permit any. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [source-wildcard]. Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or...

Page 638: ...e protocols also have specific parameters and keywords that apply to that protocol. These IP protocols are supported (protocol keywords are in parentheses in bold): Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp), Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message Protocol (icmp), Internet Group Management Protocol (igmp), any Int...

Page 639: ...card applies wildcard bits to the source. The destination is the network or host number to which the packet is sent. The destination-wildcard applies wildcard bits to the destination. Source, source-wildcard, destination, and destination-wildcard can be specified as: The 32-bit quantity in dotted-decimal format. The keyword any for 0.0.0.0 255.255.255.255 (any host). The keyword host for a single host 0.0.0...

Page 640: ...wildcard [operator port]. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space). Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or see the Configuring IP Services section in the IP Addressing and Services chapt...

Page 641: ...ssage] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp]. (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings: icmp...

Page 642: ...and command syntax are slightly different. However, not all commands that use IP access lists accept a named access list. Note: The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered list...

Page 643: ...son you might use named ACLs instead of numbered ACLs. After creating a named ACL, you can apply it to interfaces (see the Applying an IPv4 ACL to an Interface section on page 34-16). Step 4: end. Return to privileged EXEC mode. Step 5: show access-lists [number | name]. Show the access list configuration. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purp...

Page 644: ...itch clock. For more information, see the Managing the System Time and Date section on page 8-1. Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL. Repeat the steps if you have multiple items that you want in effect at different times. To remove a configured time-range limitation, use the no time-range time-range-name global configuration command. This ex...

Page 645: ...ange new_year_day_2006 / Switch(config-ext-nacl)# exit / Switch(config)# ip access-list extended may_access / Switch(config-ext-nacl)# permit tcp any any time-range workhours / Switch(config-ext-nacl)# end / Switch# show ip access-lists / Extended IP access list lpip_default / 10 permit ip any any / Extended IP access list deny_access / 10 deny tcp any any time-range new_year_day_2006 (inactive) / Extended IP access list may_ac...

Page 646: ...l line and the addresses in an ACL. To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line configuration command. Applying an IPv4 ACL to an Interface. This section describes how to apply IPv4 ACLs to network interfaces. Note these guidelines: Apply an ACL only to inbound Layer 2 interfaces. When controlling access to an interface, you can use a named or numbered ACL...

Page 647: ...substantially less than for hardware-forwarded traffic. If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected. When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show access-lists hardware counters privileged EXEC command to obtai...

Page 648: ...using ip access-list resequence global configuration command. permit tcp source source-wildcard destination destination-wildcard / permit tcp source source-wildcard destination destination-wildcard range 5 60 / permit tcp source source-wildcard destination destination-wildcard range 15 160 / permit tcp source source-wildcard destination destination-wildcard range 115 1660 / or Rename the ACL with a name or...

Page 649: ...your network except to the mail (SMTP) port of a dedicated mail host. SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Because the secure system of the network always accepts mail connections on port 25, the incoming ser...

Page 650: ...list 1 remark Do not allow Smith workstation through / Switch(config)# access-list 1 deny 171.69.3.13. In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web: Switch(config)# access-list 100 remark Do not allow Winter to browse the web / Switch(config)# access-list 100 deny host 171.69.3.85 any eq www / Switch(config)# access-list 100 remark Do not allow Smith to bro...

Page 651: ...AC-address-mask | any | host destination-MAC-address | destination-MAC-address destination-MAC-address-mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]. In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask...

Page 652: ...terface gigabitethernet1/2 / Router(config-if)# mac access-group mac1 in. Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels. After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the...

Page 653: ...ed in Table 34-2 to display this information. Table 34-2 Commands for Displaying Access Lists and Access Groups. Command / Purpose. show access-lists [number | name]: Display the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named). show ip access-lists [number | name]: Display the contents of all current IP access lists or a specific IP access list (numbered o...

Page 655: ...ion Guide, Release 12.4T at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html. For command syntax information, see the command reference at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_book.html. This chapter consists of these sections: Understanding Cisco IOS IP SLAs, page 35-1; Configuring IP SLAs Operations, page 35-5; Monitoring IP...

Page 656: ...nitoring, measurement, and verification. Network performance monitoring: Measures the jitter, latency, or packet loss in the network. Provides continuous, reliable, and predictable measurements. IP service network health assessment to verify that the existing QoS is sufficient for new IP services. Edge-to-edge network availability monitoring for proactive verification and connectivity testing of network reso...

Page 657: ...onfiguration Guide at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html. Note: The switch does not support Voice over IP (VoIP) service levels using the gatekeeper registration delay operations measurements. Before configuring any IP SLAs application, you can use the show ip sla application privileged EXEC command to verify that the operation type is supporte...

Page 658: ...on, the response times would not accurately represent true network delays. IP SLAs minimizes these processing delays on the source device as well as on the target device (if the responder is being used) to determine true round-trip times. IP SLAs test packets use time stamping to minimize the processing delays. When the IP SLAs responder is enabled, it allows the target device to take time stamps when th...

Page 659: ...tion Guide at this URL: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html. This section includes this information: Default Configuration, page 35-5; Configuration Guidelines, page 35-5; Configuring the IP SLAs Responder, page 35-6. Default Configuration: No IP SLAs operations are configured. Configuration Guidelines: For information on the IP SLAs commands, see the Cisco IOS...

Page 660: ...ntation for the source device for configuration information. Monitoring IP SLAs Operations: Use the User EXEC or Privileged EXEC commands in Table 35-1 to display IP SLAs operations configuration. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number. Configure the switch as an IP SLAs responder. The...

Page 661: ...Understanding QoS, page 36-1; Configuring Auto-QoS, page 36-19; Displaying Auto-QoS Information, page 36-27; Configuring Standard QoS, page 36-28; Displaying Standard QoS Information, page 36-68. The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, see the Modular Quality of Service Command-Line Interface Overview at this site: http://www.cisco.com/en/US/prod...

Page 662: ...User field that carries an IEEE 802.1p class of service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is in ISL frames. Layer 2 IEEE 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 IEEE 802.1Q trun...

Page 663: ...h provide a consistent per-hop behavior, you can construct an end-to-end QoS solution. Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic. Basic QoS Model: To implement QoS, the switch must di...

Page 664: ...ing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet. Queueing is enhanced with the weighted tail-drop (WTD) algorithm, a congestion-avoidance mechanism. If the threshold is exceeded, the packet is dropped. For more information, see the Queueing and Scheduling Overview section on page 36-11. Scheduling services the queues based...

Page 665: ...e traffic. Perform the classification based on a configured Layer 2 MAC access control list (ACL), which can examine the MAC source address, the MAC destination address, and other fields. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame. For IP traffic, yo...

Page 666: ...[classification flowchart labels] ...or classification / Assign DSCP identical to DSCP in packet / Check if packet came with CoS label (tag) / Use the CoS value to generate the QoS label / Generate DSCP from CoS-to-DSCP map / Use the DSCP value to generate the QoS label / Yes / Read next ACL / Is there a match with a permit action? / Assign the DSCP or CoS as specified by ACL action to generate the QoS label / Assign the default DSCP (0) / Are there any more Q...

Page 667: ...ist extended global configuration command. For configuration information, see the Configuring a QoS Policy section on page 36-39. Classification Based on Class Maps and Policy Maps: A class map is a mechanism that you use to name a specific traffic flow (or class) and to isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify...

Page 668: ...ced-DSCP map (see the Mapping Tables section on page 36-10). Marked-down packets use the same queues as the original QoS label to prevent packets in a flow from getting out of order. Note: All traffic, regardless of whether it is bridged or routed, is subjected to a policer, if one is configured. As a result, bridged packets might be dropped or might have their DSCP or CoS fields modified when they are poli...

Page 669: ...t fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper limit on the burst length and limits the number of frames that can be transmitted back-to-back. If the burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if...

Page 670: ...ds. On an ingress port configured in the DSCP-trusted state, if the DSCP values are different between the QoS domains, you can apply the configurable DSCP-to-DSCP-mutation map to the port that is on the boundary between the two QoS domains. You configure this map by using the mls qos map dscp-mutation global configuration command. During policing, QoS can assign another DSCP value to an IP or a non-IP p...

Page 671: ...n information, see the Configuring DSCP Maps section on page 36-50. For information about the DSCP and CoS input queue threshold maps, see the Queueing and Scheduling on Ingress Queues section on page 36-13. For information about the DSCP and CoS output queue threshold maps, see the Queueing and Scheduling on Egress Queues section on page 36-15. Queueing and Scheduling Overview: The switch has queues at...

Page 672: ...Operation. For more information, see the Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds section on page 36-57, the Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set section on page 36-61, and the Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID section on page 36-64. SRR Shaping and Sharing: Both the ingress and egress queues are...

Page 673: ...n on page 36-66. Queueing and Scheduling on Ingress Queues: Figure 36-7 shows the queueing and scheduling flowchart for ingress ports. Figure 36-7 Queueing and Scheduling Flowchart for Ingress Ports. Note: SRR services the priority queue for its configured share before servicing the other queue. [flowchart labels] Read QoS label (DSCP or CoS value) / Determine ingress queue number, buffer allocation, and WTD thresholds / Ar...

Page 674: ...ffer and Bandwidth Allocation: You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the two queues by using the mls qos srr-queue input buffers percentage1 percentage2 global configuration command. The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped. You allocate bandwidth...

Page 675: ...weight1 weight2 global configuration command. You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues, by allocating a large queue size or by servicing the queue more frequently, and by adjusting queue thresholds so that packets with lower priorities are dropped. For configuration information, see the Configuring...

Page 676: ...a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue. The switch detects whether the target queue has not consumed more buffers than its reserved amount (under-limit), whether it has consumed all of its maximum buff...

Page 677: ...can guarantee that the allocated buffers are reserved for a specific queue in a queue-set. For example, if there are 100 buffers for a queue, you can reserve 50 percent (50 buffers). The switch returns the remaining 50 buffers to the common pool. You also can enable a queue in the full condition to obtain more buffers than are reserved for it by setting a maximum threshold. The switch can allocate the nee...

Page 678: ...ress Queue Characteristics section on page 36-61. Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution. Packet Modification: A packet is classified, policed, and queued to provide QoS. Packet modifications can occur during this process. For IP and...

Page 679: ...ou also use the commands to identify ports that receive trusted traffic through an uplink. Auto-QoS then performs these functions: Detects the presence or absence of Cisco IP Phones; Configures QoS classification; Configures egress queues. These sections contain this configuration information: Generated Auto-QoS Configuration, page 36-19; Effects of Auto-QoS on the Configuration, page 36-24; Auto-QoS Config...

Page 680: ...hen you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP v...

Page 681: ...ld 3 3 5. The switch automatically maps CoS values to an egress queue and to a threshold ID: Switch(config)# no mls qos srr-queue output cos-map / Switch(config)# mls qos srr-queue output cos-map queue 1 threshold 3 5 / Switch(config)# mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7 / Switch(config)# mls qos srr-queue output cos-map queue 3 threshold 3 2 4 / Switch(config)# mls qos srr-queue output cos-map...

Page 682: ...width and buffer size for the ingress queues: Switch(config)# no mls qos srr-queue input priority-queue 1 / Switch(config)# no mls qos srr-queue input priority-queue 2 / Switch(config)# mls qos srr-queue input bandwidth 90 10 / Switch(config)# mls qos srr-queue input threshold 1 8 16 / Switch(config)# mls qos srr-queue input threshold 2 34 66 / Switch(config)# mls qos srr-queue input buffers 67 33. The switch automaticall...

Page 683: ...ig-pmap-c)# set dscp cs3 / Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit. After creating the class maps and policy maps, the switch automatically applies the policy map called AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled: Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone. If you entered the auto qos...

Page 684: ...the priority-queue interface configuration command for an egress interface. You can also configure a policy map and trust device on the same interface for Cisco IP phones. If the switch port was configured by using the auto qos voip cisco-phone interface configuration command in Cisco IOS Release 12.2(37)SE or earlier, the auto-QoS generated commands new to Cisco IOS Release 12.2(40)SE are not applie...

Page 685: ...packets are switched without any rewrites and classified as best effort without any policing. This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device: Switch(config)# interface gigabitethernet1/1 / Switch(config-if)# auto qos voip trust. Command / Purpose. Step 1: configure terminal. Enter global config...

Page 686: ...S is enabled on the switches in the wiring closets at the edge of the QoS domain. Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. [figure labels] Cisco router / To Internet / Trunk link / Trunk link / Cisco IP phones / End stations / Cisco IP phones / Vid...

Page 687: ...enabled. Step 4: interface interface-id. Specify the switch port connected to the Cisco IP Phone, and enter interface configuration mode. Step 5: auto qos voip cisco-phone. Enable auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone. The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected. Step 6: exit. Return to global configuration mode. Step 7: Rep...

Page 688: ...cation Using Port Trust States, page 36-32 (required); Configuring a QoS Policy, page 36-39 (required); Configuring DSCP Maps, page 36-50 (optional, unless you need to use the DSCP-to-DSCP-mutation map or the policed-DSCP map); Configuring Ingress Queue Characteristics, page 36-56 (optional); Configuring Egress Queue Characteristics, page 36-61 (optional). Default Standard QoS Configuration: QoS is disabled. There is no...

Page 689: ...rcent. Bandwidth allocation (1): 4 / 4. Priority queue bandwidth (2): 0 / 10. WTD drop threshold 1: 100 percent / 100 percent. WTD drop threshold 2: 100 percent / 100 percent. (1) The bandwidth is equally shared between the queues. SRR sends packets in shared mode only. (2) Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the other queue. Table 36-7 Default CoS Input Que...

Page 690: ...h maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown). Maximum threshold: 400 percent / 400 percent / 400 percent / 400 percent. SRR shaped weights (absolute) (1): 25 / 0 / 0 / 0. SRR shared weights (2): 25 / 25 / 25 / 25. (1) A shaped weight of zero means that this queue is operating in shared mode. (2) One quarter of the...

Page 691: ...might be too large to fit into the available QoS TCAM, and an error can occur when you apply the policy map to a port. Whenever possible, you should minimize the number of lines in a QoS ACL. Policing Guidelines: These are the policing guidelines: The port ASIC device, which controls more than one physical port, supports 256 policers (255 user-configurable policers plus 1 policer reserved for system intern...

Page 692: ...coming traffic by using port trust states. Depending on your network configuration, you must perform one or more of these tasks or one or more of the tasks in the Configuring a QoS Policy section on page 36-39: Configuring the Trust State on Ports within the QoS Domain, page 36-33; Configuring the CoS Value for an Interface, page 36-34; Configuring a Trusted Boundary to Ensure Port Security, page 36-35; En...

Page 693: ...d to classify the packets at every switch within the QoS domain. Figure 36-11 shows a sample network topology. Figure 36-11 Port Trusted States within the QoS Domain. Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives. [figure labels] Trunk / Trusted interface / Traffic classification performed here / Trusted boundary / IP / P1 / P3. Comman...

Page 694: ...he keywords have these meanings: cos: Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0. dscp: Classifies an ingress packet by using the packet DSCP value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the switch map...

Page 695: ...ith the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as t...

Page 696: ...vice QoS configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map. If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet. Command / Purpose. Step 1: configure terminal. Enter global conf...

Page 697: ...arency is still enabled. Configuring the DSCP Trust State on a Port Bordering Another QoS Domain: If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state, as shown in Figure 36-12. Then, the receiving port accepts the DSCP-trusted value and avoids the classification...

Page 698: ...Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp. Modify the DSCP-to-DSCP-mutation map. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name...

Page 699: ...EC mode, follow these steps to create an IP standard ACL for IP traffic. To delete an access list, use the no access-list access-list-number global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [source-wildcard]. Create an IP standard ACL, repeating the command as many times as necessary. For access...

Page 700: ...he range is 100 to 199 and 2000 to 2699. Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if conditions are matched. For protocol, enter the name or number of an IP protocol. Use the question mark (?) to see a list of available protocol keywords. For source, enter the network or host from which the packet is being...

Page 701: ...ng the command as many times as necessary. For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard ffff.ffff.ffff, or by using the host keyword for source 0.0.0. For mask, enter the wildcard bits by placing ones in the bit positions that you...

Page 702: ...lues. The match criterion is defined with one match statement entered within the class-map configuration mode. Note: You can also create class maps during policy map creation by using the class policy-map configuration command. For more information, see the "Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps" section on page 36-44. Beginning in privileged EXEC mode, follow thes...

Page 703: ...ass map must be matched. (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched. For class-map-name, specify the name of the class map. If neither the match-all or match-any keyword is specified, the default is match-all. Note: Because only one match command per class map is supported, the match-all and match-an...

Page 704: ...ria and policers. A separate policy-map class can exist for each type of traffic received through a port. A policy-map trust state and a port trust state are mutually exclusive, and whichever is configured last takes effect. Follow these guidelines when configuring policy maps on physical ports: You can attach only one policy map per ingress port. If you configure the IP-precedence-to-DSCP map by using...

Page 705: ...teria must be matched. For class-map-name, specify the name of the class map. If neither the match-all or match-any keyword is specified, the default is match-all. Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same. Step 3: policy-map policy-map-name. Create a policy map by entering the policy-map name, and enter policy-map configuration mo...

Page 706: ... for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map. ip-precedence: QoS derives the DSCP value by using the IP precedence value from the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non...

Page 707: ... map flow1t. Step 7: police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]. Define a policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section on page 36-31. For rate-bps, specify average traffic rate in bits per second (b/s). The range is 1000000 to 1000000000. You can set the...

Page 708: ...0 0002.0000.0001 0.0.0 / Switch(config-ext-mac)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp / Switch(config-ext-mac)# exit / Switch(config)# mac access-list extended maclist2 / Switch(config-ext-mac)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0 / Switch(config-ext-mac)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp / Switch(config-ext-mac)# exit / Switch(config)# class-map macclass1 / Switch(config...

Page 709: ...ceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the "Configuring the Policed-DSCP Map" section on page 36-53. Step 3: class-map [match-all | match-any] class-map-name. Create a class map to classify traffic as necessary. For more information, see the "Clas...

Page 710: ...mit1 48000 8000 exceed-action policed-dscp-transmit / Switch(config)# class-map ipclass1 / Switch(config-cmap)# match access-group 1 / Switch(config-cmap)# exit / Switch(config)# class-map ipclass2 / Switch(config-cmap)# match access-group 2 / Switch(config-cmap)# exit / Switch(config)# policy-map aggflow1 / Switch(config-pmap)# class ipclass1 / Switch(config-pmap-c)# trust dscp / Switch(config-pmap-c)# police aggregate transmit1 / Switch...

Page 711: ...lues are not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional. To return to the default map, use the no mls qos cos-dscp global configuration command. Table 36-12 Default CoS-to-DSCP Map (CoS value: DSCP value): 0: 0; 1: 8; 2: 16; 3: 24; 4: 32; 5: 40; 6: 48; 7: 56. Command / Purpose. Step 1: configure terminal. E...

Page 712: ...your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional. To return to the default map, use the no mls qos ip-prec-dscp global configuration command. Table 36-13 Default IP-Precedence-to-DSCP Map (IP precedence value: DSCP value): 0: 0; 1: 8; 2: 16; 3: 24; 4: 32; 5: 40; 6: 48; 7: 56. Command / Purpose. Step 1: configure termi...

Page 713: ...dscp global configuration command. This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0: Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0 / Switch(config)# end / Switch# show mls qos maps policed-dscp / Policed-dscp map: d1 : d2 0 1 2 3 4 5 6 7 8 9 / 0 : 00 01 02 03 04 05 06 07 08 09 / 1 : 10 11 12 13 14 15 16 17 18 19 / 2 : 20 21 22 23 24 25 26 27 28 29 / 3 : 30 31 32 33 34 35 36 37...

Page 714: ...re not appropriate for your network, you need to modify them. Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional. To return to the default map, use the no mls qos dscp-cos global configuration command. Table 36-14 Default DSCP-to-CoS Map (DSCP value: CoS value): 0-7: 0; 8-15: 1; 16-23: 2; 24-31: 3; 32-39: 4; 40-47: 5; 48-55: 6; 56-63: 7. Command / Purpose. Step 1: con...

Page 715: ...late one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP-mutation map to the receiving port (ingress mutation) at the boundary of a QoS administrative domain. With ingress mutation, the new DSCP value overwrites the one in the packet, and QoS treats the packet with this new value. The switch sends the packet out the port with the new DSCP value. You can configure m...

Page 716: ...te: In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10. Configuring Ingress Queue...

Page 717: ...ap queue queue-id threshold threshold-id dscp1...dscp8, or mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...cos8. Map DSCP or CoS values to an ingress queue and to a threshold ID. By default, DSCP values 0-39 and 48-63 are mapped to queue 1 and threshold 1. DSCP values 40-47 are mapped to queue 2 and threshold 1. By default, CoS values 0, 4, 6, and 7 are mapped to queue 1 and thresho...

Page 718: ...ess buffers between the two queues. The buffer and the bandwidth allocation control how much data can be buffered before packets are dropped. Beginning in privileged EXEC mode, follow these steps to allocate the buffers between the ingress queues. This procedure is optional. Step 5: show mls qos maps. Verify your entries. The DSCP input queue threshold map appears as a matrix. The d1 column specifies the m...

Page 719: ...s qos interface buffer or show mls qos input-queue. Verify your entries. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos srr-queue input bandwidth weight1 weight2. Assign shared round robin weights to the ingress queues. The default setting for weight1...

Page 720: ...them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional. To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global configuration command. To disable priority queueing, set th...

Page 721: ...technique (shaped, shared, or both) should be used. These sections contain this configuration information: Configuration Guidelines, page 36-61; Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 36-61 (optional); Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 36-64 (optional); Configuring SRR Shaped Weights on Egress Queues, page 36-65 (optional); Configuri...

Page 722: ...to drop thresholds for a queue-set. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos queue-set output qset-id buffers allocation1 ... allocation4. Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25). Each queue has 1/4 of the buffer space. For qset-id, enter the ID of the que...

Page 723: ...D thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 200 percent. The reserved thresholds for queues 1, 2, 3, and 4 are set to 50 percent. The maximum thresholds for all queues are set to 400 percent. For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. For queue-id, enter the specific queue in the queue-set on which the command is pe...

Page 724: ...ues 0-15 are mapped to queue 2 and threshold 1. DSCP values 16-31 are mapped to queue 3 and threshold 1. DSCP values 32-39 and 48-63 are mapped to queue 4 and threshold 1. DSCP values 40-47 are mapped to queue 1 and threshold 1. By default, CoS values 0 and 1 are mapped to queue 2 and threshold 1. CoS values 2 and 3 are mapped to queue 3 and threshold 1. CoS values 4, 6, and 7 are mapped to queue 4 and thr...

Page 725: ...ese queues operate in shared mode. The bandwidth weight for queue 1 is 1/8, which is 12.5 percent. Switch(config)# interface gigabitethernet1/1 / Switch(config-if)# srr-queue bandwidth shape 8 0 0 0. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port of the outbound traffic, and enter interface configuration mode. Step 3: srr-queue bandwidth...

Page 726: ...ws how to configure the weight ratio of the SRR scheduler running on an egress port. Four queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one a...

Page 727: ...an limit the bandwidth to that amount. Note: The egress queue default settings are suitable for most situations. You should change them only when you have a thorough understanding of the egress queues and if these settings do not meet your QoS solution. Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command / Purpose. Step 1: config...

Page 728: ...ed and is set to 100 percent. Step 4: end. Return to privileged EXEC mode. Step 5: show mls qos interface [interface-id] queueing. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Table 36-15 Commands for Displaying Standard QoS Information (Command / Purpose): show class-map [class-map-name]. Display QoS class maps, which define the...

Page 729: ... criteria for incoming traffic. Note: Do not use the show policy-map interface privileged EXEC command to display classification information for incoming traffic. The control-plane and interface keywords are not supported, and the statistics shown in the display should be ignored. show running-config | include rewrite. Display the DSCP transparency setting. Table 36-15 Commands for Displaying Standard QoS...

Page 730: ...36-70 Cisco IE 3000 Switch Software Configuration Guide OL-13018-03 Chapter 36 Configuring QoS: Displaying Standard QoS Information...

Page 731: ...vice, QoS, and globally unique addresses. The IPv6 address space reduces the need for private addresses and Network Address Translation (NAT) processing by border routers at network edges. For information about how Cisco Systems implements IPv6, go to this URL: http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html. For information about IPv6 and other features in this chapter, see the C...

Page 732: ... formats, address types, and the IPv6 packet header, see the "Implementing IPv6 Addressing and Basic Connectivity" chapter of Cisco IOS IPv6 Configuration Library on Cisco.com. In the "Implementing Addressing and Basic Connectivity" chapter, these sections apply to the IE 3000 switch: IPv6 Address Formats; IPv6 Address Output Display; Simplified IPv6 Packet Header. Supported IPv6 Host Features: These sections d...

Page 733: ... information, see the section about IPv6 unicast addresses in the "Implementing IPv6 Addressing and Basic Connectivity" chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. DNS for IPv6: IPv6 supports Domain Name System (DNS) record types in the DNS name-to-address and address-to-name lookup processes. The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A addres...

Page 734: ... IPv6 transport; HTTP server access over IPv6 transport; DNS resolver for AAAA over IPv4 transport; Cisco Discovery Protocol (CDP) support for IPv6 addresses. For more information about managing these applications, see the "Managing Cisco IOS Applications over IPv6" chapter and the "Implementing IPv6 Addressing and Basic Connectivity" chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Dual IPv4...

Page 735: ...c Routes for IPv6" chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. SNMP and Syslog Over IPv6: To support both IPv4 and IPv6, IPv6 network management requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports. SNMP and syslog over IPv6 provide these features: Support for both IPv4 and IPv6; IPv6 transport for SNMP and to modify the SNMP agent...

Page 736: ...in the Cisco IOS IPv6 Configuration Library on Cisco.com. Configuring IPv6: These sections contain this IPv6 forwarding configuration information: Default IPv6 Configuration, page 37-6; Configuring IPv6 Addressing and Enabling IPv6 Host, page 37-6; Configuring IPv6 ICMP Rate Limiting, page 37-8; Configuring Static Routes for IPv6, page 37-9. Default IPv6 Configuration: Table 37-1 shows the default IPv6 config...

Page 737: ...se the no ipv6 enable interface configuration command. To globally disable IPv6 routing, use the no ipv6 unicast-routing global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: sdm prefer dual-ipv4-and-ipv6 default. Select the SDM template that supports IPv4 and IPv6. Step 3: end. Return to privileged EXEC mode. Step 4: reload. Reload the operating syst...

Page 738: ...abled / ND DAD is enabled, number of DAD attempts: 1 / ND reachable time is 30000 milliseconds / ND advertised reachable time is 0 milliseconds / ND advertised retransmit interval is 0 milliseconds / ND router advertisements are sent every 200 seconds / ND router advertisements live for 1800 seconds / Hosts use stateless autoconfig for addresses. Configuring IPv6 ICMP Rate Limiting: ICMP rate limiting is enabled by...

Page 739: ...decimal value. ipv6-address: The IPv6 address of the next hop that can be used to reach the specified network. The IPv6 address of the next hop need not be directly connected; recursion is done to find the IPv6 address of the directly connected next hop. The address must be specified in hexadecimal using 16-bit values between colons. interface-id: Specify direct static routes from point-to-point and broa...

Page 740: ...contents of the IPv6 routing table. interface interface-id: (Optional) Display only those static routes with the specified interface as an egress interface. recursive: (Optional) Display only recursive static routes. The recursive keyword is mutually exclusive with the interface keyword, but it can be used with or without the IPv6 prefix included in the command syntax. detail: (Optional) Display this additional...

Page 741: ...dvertisements live for 1800 seconds <output truncated>. This is an example of the output from the show ipv6 protocols privileged EXEC command: Switch# show ipv6 protocols / IPv6 Routing Protocol is connected / IPv6 Routing Protocol is static / IPv6 Routing Protocol is rip fer / Interfaces: Vlan6, FastEthernet1/4, FastEthernet1/6, FastEthernet1/7 / Redistribution: None. This is an example of the output from the show ip...

Page 742: ...eassembled, 0 reassembly timeouts, 0 reassembly failures / Sent: 36861 generated, 0 forwarded / 0 fragmented into 0 fragments, 0 failed / 0 encapsulation failed, 0 no route, 0 too big / 0 RPF drops, 0 RPF suppressed drops / Mcast: 1 received, 36861 sent / ICMP statistics: Rcvd: 1 input, 0 checksum errors, 0 too short / 0 unknown info type, 0 unknown error type / unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port / parameter: 0 ...

Page 743: ...ects traffic from the failed link to the remaining links in the channel without intervention. This chapter also describes how to configure link-state tracking. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding EtherChannels, page 38-1; Configuring EtherChannels, page 38-8;...

Page 744: ...configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates with the other end of the channel to determine which ports should become active. Incompatible ports are put into an independent state and continue to carry data traffic as would any other single link. The port configuration does not change, but the port does not participate in the EtherChannel. When you configure an...

Page 745: ...terface to a physical port. The channel-group number can be the same as the port-channel number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel. Each EtherChannel has a port-channel logical interface numbered from 1 to 6. This port-channel interface number corresponds to the one specified with the channel-group interface configurati...

Page 746: ...peed and, for Layer 2 EtherChannels, trunking state and VLAN numbers. Ports can form an EtherChannel when they are in different PAgP modes as long as the modes are compatible. For example: A port in the desirable mode can form an EtherChannel with another port that is in the desirable or auto mode. A port in the auto mode can form an EtherChannel with another port in the desirable mode. A port in the aut...

Page 747: ... state. PAgP Interaction with Other Features: The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel. If this port is...

Page 748: ... the channel that comes up provides its MAC address to the EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides its MAC address to the EtherChannel. LACP sends and receives LACP PDUs only from ports that are up and have LACP enabled for the active or passive mode. EtherChannel On Mode: EtherChannel on mode can be used to manually configure an EtherCha...

Page 749: ...oad distribution can be used if it is not clear whether source-MAC or destination-MAC address forwarding is better suited on a particular switch. With source-and-destination MAC-address forwarding, packets sent from host A to host B, host A to host C, and host C to host B could all use different ports in the channel. With source-IP-address-based forwarding, when packets are forwarded to an EtherChannel,...

Page 750: ...hannel is only going to a single MAC address, using the destination MAC address always chooses the same link in the channel. Using source addresses or IP addresses might result in better load balancing. Figure 38-3 Load Distribution and Forwarding Methods. Configuring EtherChannels: These sections contain this configuration information: Default EtherChannel Configuration, page 38-9; EtherChannel Configura...

Page 751: ... on the switch. Configure a PAgP EtherChannel with up to eight Ethernet ports of the same type. Configure a LACP EtherChannel with up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. Configure all ports in an EtherChannel to operate at the same speeds and duplex modes. Enable all ports in an EtherChannel. A port in an EtherChannel that i...

Page 752: ...ge appears, and IEEE 802.1x is not enabled. If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from the interfaces before globally enabling IEEE 802.1x on a switch by using the dot1x system-auth-control global configuration command. For Layer 2 EtherChannels: Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different n...

Page 753: ...physical port, and enter interface configuration mode. Valid interfaces include physical ports. For a PAgP EtherChannel, you can configure up to eight ports of the same type and speed for the same group. For a LACP EtherChannel, you can configure up to 16 Ethernet ports of the same type. Up to eight ports can be active, and up to eight ports can be in standby mode. Step 3: switchport mode {access | trunk}; switc...

Page 754: ...tate in which the port starts negotiations with other ports by sending PAgP packets. on: Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode. non-silent: (Optional) If your switch is connected to a partner that is PAgP-capable, configure the switch port for nonsilent operation when th...

Page 755: ...balancing. This procedure is optional. To return EtherChannel load balancing to the default configuration, use the no port-channel load-balance global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}. Configure an EtherChannel load-balancing method. The default is src-mac...

Page 756: ...conds if the selected single port loses hardware-signal detection. You can configure which port is always selected for packet transmission by changing its priority with the pagp port-priority interface configuration command. The higher the priority, the more likely that the port will be selected. Note: The switch supports address learning only on aggregate ports even though the physical-port keyword is...

Page 757: ...nts in priority order: LACP system priority; System ID (the switch MAC address); LACP port priority; Port number. Step 3: pagp learn-method physical-port. Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on which physical port the...

Page 758: ...channel. By changing this value from the default, you can affect how the software selects active and standby links. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag). Beginning in privileged EXEC mode, follow these steps to configure the LACP system priority. This procedure is optional. To return the LACP sys...

Page 759: ...p port-priority priority. Configure the LACP port priority. For priority, the range is 1 to 65535. The default is 32768. The lower the value, the more likely that the port will be used for LACP transmission. Step 4: end. Return to privileged EXEC mode. Step 5: show running-config or show lacp [channel-group-number] internal. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entrie...

Page 760: ...e referred to as downstream interfaces, and interfaces connected to distribution switches and network devices are referred to as upstream interfaces. The configuration in Figure 38-4 ensures that the network traffic flow is balanced as follows: For links to switches and other network devices: Server 1 and server 2 use switch A for primary links and switch B for secondary links. Server 3 and server 4 us...

Page 761: ...king automatically puts the downstream interfaces in the error-disabled state. Connectivity to and from the servers is automatically changed from the primary server interface to the secondary server interface. As an example of a connectivity change from link-state group 1 to link-state group 2 on switch A, see Figure 38-4 on page 38-20. If the upstream link for port 6 is lost, the link states of downst...

Page 762: ...ng Link State Tracking, page 38-21; Displaying Link State Tracking Status, page 38-22. Default Link State Tracking Configuration: There are no link-state groups defined, and link-state tracking is not enabled for any group. [Figure labels: Network; Layer 3 link; Server 1, Server 2, Server 3, Server 4; Distribution switch 1, Distribution switch 2; Switch A, Switch B; Port 1 through Port 5; figure ID 141680]...

Page 763: ...downstream / Switch(config-if)# interface gigabitethernet1/1 / Switch(config-if)# link state group 1 downstream / Switch(config-if)# interface gigabitethernet1/2 / Switch(config-if)# link state group 1 downstream / Switch(config-if)# end. To disable a link-state group, use the no link state track number global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: link st...

Page 764: ...tput from the show link state group 1 command: Switch# show link state group 1 / Link State Group: 1 Status: Enabled, Down. This is an example of output from the show link state group detail command: Switch# show link state group detail / (Up): Interface up, (Dwn): Interface Down, (Dis): Interface disabled / Link State Group: 1 Status: Enabled, Down / Upstream Interfaces: Fa1/7(Dwn) Fa1/8(Dwn) / Downstream Interfaces: Fa1/3(Dis) Fa1/...

Page 765: ...Master List, Release 12.2, from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References. This chapter consists of these sections: Recovering from a Software Failure, page 39-2; Recovering from a Lost or Forgotten Password, page 39-3; Recovering from a Command Switch Failure, page 39-4; Recovering from Lost Cluster Member Connectivity, page 39-7. Note: Recovery procedures requ...

Page 766: ...w these steps: 1. Display the contents of the tar file by using the tar -tvf image_filename.tar UNIX command: unix-1% tar -tvf image_filename.tar. 2. Locate the bin file, and extract it by using the tar -xvf image_filename.tar image_filename.bin UNIX command: unix-1% tar -xvf image_filename.tar image_filename.bin / x ies-lanbase-mz.122-44.EX/ies-lanbase-mz.122-44.EX.bin, 2928176 bytes, 5720 tape blocks. 3. Verify th...

Page 767: ...switch password and set a new one. Before you begin, make sure that: You have physical access to the switch. At least one switch port is enabled and is not connected to a device. To delete the switch password and set a new one, follow these steps: Step 1: Press the Express Setup button until the SETUP LED blinks green and the LED of an available switch downlink port blinks green. If no switch downlink port...

Page 768: ...to provide redundant connectivity between the member switches and the replacement command switch. These sections describe two solutions for replacing a failed command switch: Replacing a Failed Command Switch with a Cluster Member, page 39-4; Replacing a Failed Command Switch with Another Switch, page 39-6. These recovery procedures require that you have physical access to the switch. For information on...

Page 769: ...eturn. Enter setup, and press Return to start the setup program. Step 11: Respond to the questions in the setup program. When prompted for the hostname, recall that on a command switch the hostname is limited to 28 characters; on a member switch, to 31 characters. Do not use -n, where n is a number, as the last characters in a hostname for any switch. When prompted for the Telnet (virtual terminal) password, reca...

Page 770: ...u may enter a question mark '?' for help. / Use ctrl-c to abort configuration dialog at any prompt. / Default settings are in square brackets '[]'. / Basic management setup configures only enough connectivity for management of the system, extended setup will ask you to configure each interface on the system. / Would you like to enter basic management setup? [yes/no]: Step 6: Enter Y at the first prompt. The prompts in the se...

Page 771: ...Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 member switches must connect to the command switch through a port that belongs to the same management VLAN. A member switch (Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, Catalyst 2950, Catalyst 3500 XL, Catalyst 2900 XL, Catalyst 2820, and Catalyst 1900 switch) connected to the command switch through a secured port can lose connect...

Page 772: ...switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global configuration command to verify the port status and enter a time interval for recovering from the error-disabled state. After the elapsed interval, the switch brings the interface out of the error-disabled state and retries the operation. For more information about the er...

Page 773: ... network, a network or host unreachable message is returned. Executing Ping: Beginning in privileged EXEC mode, use this command to ping another device on the network from the switch. Note: Though other protocol keywords are available with the ping command, they are not supported in this release. This example shows how to ping an IP host: Switch# ping 172.20.52.3 / Type escape sequence to abort. / Sending 5, 100...

Page 774: ...cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host. Usage Guidelines: These are the Layer 2 traceroute usage guidelines: Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 tracerout...

Page 775: ...ath. If an ARP entry does not exist, the switch sends an ARP query and tries to resolve the IP address. If the IP address is not resolved, the path is not identified, and an error message appears. When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor is detected...

Page 776: ...ram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the time-to-live-exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum TTL is reached). To learn when a datagram reaches its destination, traceroute sets the UDP destination port number...

Page 777: ...and compares the reflected signal to the initial signal. TDR is supported only on 10/100 and 10/100/1000 copper Ethernet ports. It is not supported on SFP module ports. TDR can detect these cabling problems: Open, broken, or cut twisted-pair wires: The wires are not connected to the wires from the remote device. Shorted twisted-pair wires: The wires are touching each other or the wires from the remote devi...

Page 778: ... Enabling All-System Diagnostics, page 39-15; Redirecting Debug and Error Message Output, page 39-15. Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during period...

Page 779: ...nd because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable. In virtually all cases, it is best to use more specific debug commands. The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command is a convenient way to ensure that you have not accident...

Page 780: ...the output from the show platform forward command on port 1 in VLAN 5 when the packet entering that port is addressed to unknown MAC addresses. The packet should be flooded to all other ports in VLAN 5. Switch# show platform forward gigabitethernet1/1 vlan 5 1.1.1 2.2.2 ip 13.1.1.1 13.2.2.2 udp 10 20 Global Port Number:24, Asic Number:5 Src Real Vlan Id:5, Mapped Vlan Id:5 Ingress Lookup Key-Used Inde...

Page 781: ...f the failure. The switch creates two types of crashinfo files: Basic crashinfo file: the switch automatically creates this file the next time you boot up the Cisco IOS image after the failure. Extended crashinfo file: the switch automatically creates this file when the system is failing. Basic crashinfo Files: The information in the basic file includes the Cisco IOS image name and version that failed, a ...

Page 782: ...ate the extended crashinfo file by using the no exception crashinfo global configuration command. Troubleshooting Tables: These tables are a condensed version of troubleshooting documents on Cisco.com. Troubleshooting CPU Utilization, on page 18. Troubleshooting CPU Utilization: This section lists some possible symptoms that could be caused by the CPU being too busy and shows how to verify a CPU utiliz...

Page 783: ...ws that utilization for the last 5 seconds is 8%/0%, which has this meaning: The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent handling interrupts. The time spent handling interrupts is zero percent. For complete information about CPU utilization and how to troubleshoot utilization problems, see the Troubleshooting High CPU Utilization document on Cisco...

Page 785: ...the configured community string always provide information for VLAN 1. To obtain the BRIDGE-MIB information for other VLANs, for example VLAN x, use this community string in the SNMP message: configured community string@x. CISCO-AUTH-FRAMEWORK-MIB, CISCO-CABLE-DIAG-MIB, CISCO-CDP-MIB, CISCO-CLUSTER-MIB, CISCO-CONFIG-COPY-MIB, CISCO-CONFIG-MAN-MIB, CISCO-ENTITY-ALARM-MIB, CISCO-ENTITY-VENDORTYPE-OID-MIB, CISCO-...

Page 786: ...ed CISCO-PRODUCTS-MIB, CISCO-PROCESS-MIB, CISCO-RTTMON-MIB, CISCO-SMI-MIB, CISCO-STP-EXTENSIONS-MIB, CISCO-SYSLOG-MIB, CISCO-TC-MIB, CISCO-TCP-MIB, CISCO-UDLDP-MIB, CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB, CISCO-VLAN-MEMBERSHIP-MIB, CISCO-VTP-MIB, CISCO-CONFIG-COPY-MIB, ENTITY-MIB, ETHERLIKE-MIB, IEEE8021-PAE-MIB, IEEE8023-LAG-MIB, IF-MIB (in and out counters for VLANs are not supported), IGMP-MIB, INET-ADDRESS-MIB, LLDP-M...

Page 787: ...e3000/ie3000-supportlist.html. You can access other information about MIBs and Cisco products on the Cisco web site: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. Using FTP to Access the MIB Files: You can get each MIB file by using this procedure: Step 1: Make sure that your FTP client is in passive mode. Note: Some FTP clients do not support passive mode. Step 2: Use FTP to access the serve...

Page 789: ...23. Working with the Flash File System: The flash file system is a single flash device on which you can store files. It also provides several commands to help you manage software image and configuration files. The default flash file system on the switch is named flash:. The switch has a removable compact flash card that stores the Cisco IOS software image and configuration files. Removing the compact fl...

Page 790: ...ile systems on your switch, use the show file systems privileged EXEC command, as shown in this example: Switch# show file systems File Systems: Size(b) Free(b) Type Flags Prefixes 15998976 5135872 flash rw flash: flash3: opaque rw bs: opaque rw vb: 524288 520138 nvram rw nvram: network rw tftp: opaque rw null: opaque rw system: opaque ro xmodem: opaque ro ymodem: Setting the Default File System: Table B-1 show fil...

Page 791: ...configuration file to another location, you might want to verify its filename for use in another command. To display information about files on a file system, use one of the privileged EXEC commands in Table B-2. Flags: Permission for file system: ro (read-only), rw (read/write), wo (write-only). Prefixes: Alias for file system: flash: (flash file system), nvram: (NVRAM), null: (null destination for copies). You can copy a r...

Page 792: ...were installed by using the archive download-sw command but are no longer needed. For filesystem, use flash: for the system board flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed. Caution: When files and directories are deleted, their contents cannot be recovered. Command / Purpose: Step 1: dir filesystem: Display the directo...

Page 793: ...mmand is invalid. For specific examples of using the copy command with configuration files, see the Working with Configuration Files section on page B-8. To copy software images, either by downloading a new version or by uploading the existing one, use the archive download-sw or the archive upload-sw privileged EXEC command. For more information, see the Working with Software Images section on page B-23. ...

Page 794: ...For the RCP, the syntax is rcp:[[//username@]location]/directory/tar-filename.tar. For the TFTP, the syntax is tftp:[[//location]/directory]/tar-filename.tar. The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local flash file system from which the new tar file is created. You can also specify an optional list of files or directories within the source directory to wri...

Page 795: ...bytes <output truncated> Extracting a tar File: To extract a tar file into a directory on the flash file system, use this privileged EXEC command: archive tar /xtract source-url flash:/file-url [dir/file]. For source-url, specify the source URL alias for the local file system. These options are supported: For the local flash file system, the syntax is flash:. For the FTP, the syntax is ftp:[[//username[:password]@]locati...

Page 796: ...tch. You might want to perform this for one of these reasons: To restore a backed-up configuration file. To use the configuration file for another switch. For example, you might add another switch to your network and want it to have a configuration similar to the original switch. By copying the file to the new switch, you can change the relevant parts rather than recreating the whole file. To load the sam...

Page 797: ...were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands. If a command in the copied configuration file replaces a command in the existing configuration file, the existing command is erased. For example, if the copied configuration file contains a different IP address in a particular command than the existing configuration...

Page 798: ...ing configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage. These sections contain this configuration information: Preparing to Download or Upload a Configuration File By Using TFTP, page B-10. Downloading the Configuration File By Using TFTP, page B-11. Uploading the Configuration File By Using TFT...

Page 799: ...figured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page B-10. Step 3: Log into the switch through the console port or a Telnet session. Step 4: Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. Use one of these privileged EXEC com...

Page 800: ...ord in this list: The password specified in the copy command, if a password is specified. The password set by the ip ftp password password global configuration command, if the command is configured. The switch forms a password named username@switchname.domain. The variable username is the username associated with the current session, switchname is the configured hostname, and domain is the domain of the s...

Page 801: ...t need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation. When you upload a configuration file to the FTP server, it must be properly configured to accept the write request from the user on the switch. For more information, see the documentation for your FTP server. Downloading a Configuration File By Using FTP: Beginning in p...

Page 802: ...h(config)# ip ftp username netadmin1 Switch(config)# ip ftp password mypass Switch(config)# end Switch# copy ftp: nvram:startup-config Address of remote host [255.255.255.255]? 172.16.101.101 Name of configuration file[rtr2-confg]? host2-confg Configure using host2-confg from 172.16.101.101?[confirm] Connected to 172.16.101.101 Loading 1112 byte file host2-confg:![OK] [OK] Switch# %SYS-5-CONFIG_NV: Non-volatile store co...

Page 803: ...ion Files By Using RCP: The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh...

Page 804: ...tion File By Using RCP: Before you begin downloading or uploading a configuration file by using RCP, do these tasks: Ensure that the workstation acting as the RCP server supports the remote shell (rsh). Ensure that the switch has a route to the RCP server. The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP se...

Page 805: ...Switch# configure terminal Switch(config)# ip rcmd remote-username netadmin1 Switch(config)# end Switch# copy rcp: nvram:startup-config Address of remote host [255.255.255.255]? 172.16.101.101 Name of configuration file[rtr2-confg]? host2-confg Configure using host2-confg from 172.16.101.101?[confirm] Connected to 172.16.101.101 Loading 1112 byte file host2-confg:![OK] [OK] Switch# %SYS-5-CONFIG_NV: Non-volatile store...

Page 806: ...iguration file to write [switch2-confg]? Write file switch2-confg on host 172.16.101.101?[confirm] [OK] Clearing Configuration Information: You can clear the configuration information from the startup configuration. If you reboot the switch with no startup configuration, the switch enters the setup program so that you can reconfigure the switch with all new settings. Command / Purpose: Step 1: Verify that the RC...

Page 807: ...g configuration with any saved Cisco IOS configuration file. You can use the rollback function to roll back to a previous configuration. These sections contain this information: Understanding Configuration Replacement and Rollback, page B-19. Configuration Guidelines, page B-21. Configuring the Configuration Archive, page B-21. Performing a Configuration Replacement or Rollback Operation, page B-22. Understa...

Page 808: ...py source-url running-config privileged EXEC command to copy a stored configuration file to the running configuration. When using this command as an alternative to the configure replace target-url privileged EXEC command, note these major differences: The copy source-url running-config command is a merge operation and preserves all the commands from both the source file and the running configuration...

Page 809: ...on as the replacement configuration file for the running configuration. The replacement file must be a complete configuration generated by a Cisco IOS device (for example, a configuration generated by the copy running-config destination-url command). Note: If you generate the replacement configuration file externally, it must comply with the format of files generated by Cisco IOS devices. Configuring the...

Page 810: ...vileged EXEC mode. Step 5: configure replace target-url [list] [force] [time seconds] [nolock]: Replace the running configuration file with a saved configuration file. target-url: URL (accessible by the file system) of the saved configuration file that is to replace the running configuration, such as the configuration file created in Step 2 by using the archive config privileged EXEC command. list: Display a list o...

Page 811: ...urrent image with the new one or keep the current image in flash memory after a download. You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same switch or to another of the same type. The protocol that you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster perfo...

Page 812: ...f contents for the tar file. One or more subdirectories containing other images and files, such as Cisco IOS images and web management files. This example shows some of the information contained in the info file. Table B-3 provides additional details about this information: system_type:0x00000000 image-name image_family:xxxx stacking_number:x info_end: version_suffix:xxxx version_directory:image-name im...

Page 813: ...ile By Using TFTP, page B-28. Preparing to Download or Upload an Image File By Using TFTP: Before you begin downloading or uploading an image file by using TFTP, do these tasks: Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line: tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot. Make su...

Page 814: ...e an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server. During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write. Downloading an Image File By...

Page 815: ...tering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board flash device. For file-url, enter the directory name of the old image. All the files in the directory and the directory are removed. Caution: For the download and upload algorithms to operate properly, do not rename image names. Step 3: archive download-sw {/overwrite | /reload} tftp:[[//locat...

Page 816: ...om the switch to an FTP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the switch or another switch of the same type. Note: Instead of using the copy...

Page 817: ...you are writing to the server, the FTP server must be properly configured to accept the FTP write request from you. Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation. If the server has a directory s...

Page 818: ...e terminal: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4: ip ftp username username: (Optional) Change the default remote username. Step 5: ip ftp password password: (Optional) Change the default password. Step 6: end: Return to privileged EXEC mode. Step 7: archive download-sw {/overwrite | /reload} ftp:[[//username[:password]@]l...

Page 819: ...entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory are removed. Caution: For the download and upload algorithms to operate properly, do not rename image names. Uploading an Image File By Using FTP: You ca...

Page 820: ...e same type. Command / Purpose: Step 1: Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B-13. Step 2: Log into the switch through the console port or a Telnet session. Step 3: configure terminal: Enter global configuration mode. This step is required only if you override the default remote username or pass...

Page 821: ...by using RCP, the Cisco IOS software sends the first valid username in this list: The username specified in the archive download-sw or archive upload-sw privileged EXEC command, if a username is specified. The username set by the ip rcmd remote-username username global configuration command, if the command is entered. The remote username associated with the current TTY (terminal) process. For example, if t...

Page 822: ...name Switch1 ip rcmd remote-username User0 If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line: Switch1.company.com Switch1. For more information, see the documentation for your RCP server. Downloading an Image File By Using RCP: You can download a new image file and replace or keep the current image. Beginning in privileged EXE...

Page 823: ...The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved. For //username, specify the username. For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. For more information, see the Preparing to Download or Upload an Image File By Using RCP section on page B-33. For locat...

Page 824: ...s associated with the embedded device manager have been installed with the existing image. Beginning in privileged EXEC mode, follow these steps to upload an image to an RCP server: Command / Purpose: Step 1: Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page B-33. Step 2: Log into the switch through the console p...

Page 825: ...g with Software Images: The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format. Caution: For the download and upload algorithms to operate properly, do not rename image names. ...

Page 827: ...ware feature and command mode: Access Control Lists, page C-1. Boot Loader Commands, page C-2. Debug Commands, page C-2. IGMP Snooping Commands, page C-2. Interface Commands, page C-3. MAC Address Commands, page C-3. Miscellaneous, page C-4. Network Address Translation (NAT) Commands, page C-4. QoS, page C-4. SNMP, page C-5. SNMPv3, page C-5. Spanning Tree, page C-6. VLAN, page C-6. VTP, page C-6. Access Control Lists: Unsupport...

Page 828: ...uration Commands: access-list rate-limit acl-index {precedence | mask prec-mask}; access-list dynamic-extended. Unsupported Route-Map Configuration Commands: match ip address prefix-list prefix-list-name [prefix-list-name]. Boot Loader Commands: Unsupported Global Configuration Commands: boot buffersize. Debug Commands: Unsupported Privileged EXEC Commands: debug platform cli-redirection main; debug platform confi...

Page 829: ...rted Interface Configuration Commands: transmit-interface type number. MAC Address Commands: Unsupported Privileged EXEC Commands: show mac-address-table; show mac-address-table address; show mac-address-table aging-time; show mac-address-table count; show mac-address-table dynamic; show mac-address-table interface; show mac-address-table multicast; show mac-address-table notification; show mac-address-table...

Page 830: ...ed User EXEC Commands: verify. Unsupported Privileged EXEC Commands: file verify auto; show cable-diagnostics prbs; test cable-diagnostics prbs. Unsupported Global Configuration Commands: errdisable recovery cause unicast-flood; l2protocol-tunnel global drop-threshold; service compress-config; stack-mac persistent timer. Network Address Translation (NAT) Commands: Unsupported Privileged EXEC Commands: show ip na...

Page 831: ...class-default is the class-map name. RADIUS: Unsupported Global Configuration Commands: aaa nas port extended; aaa authentication feature default enable; aaa authentication feature default line; aaa nas port extended; radius-server attribute nas-port; radius-server configure; radius-server extended-portnames. SNMP: Unsupported Global Configuration Commands: snmp-server enable informs; snmp-server enable traps...

Page 832: ...erface Configuration Command: spanning-tree stack-port. VLAN: Unsupported Global Configuration Command: vlan internal allocation policy {ascending | descending}. Unsupported vlan-config Command: private-vlan. Unsupported User EXEC Commands: show running-config vlan; show vlan ifindex; show vlan private-vlan. VTP: Unsupported Privileged EXEC Commands: vtp {password password | pruning | version number}. Note: This command h...

Page 833: ...CACS 11 11 11 17 ACEs and QoS 36 7 defined 34 2 Ethernet 34 2 IP 34 2 ACLs ACEs 34 2 any keyword 34 9 applying time ranges to 34 14 to an interface 34 16 to QoS 36 7 classifying traffic for QoS 36 39 comments in 34 15 compiling 34 18 defined 34 1 34 5 examples of 34 18 36 39 extended IP configuring for QoS classification 36 40 extended IPv4 creating 34 8 matching criteria 34 5 hardware and softwar...

Page 834: ...C discovering 8 27 multicast STP address management 18 8 static adding and removing 8 23 defined 8 19 address resolution 8 27 Address Resolution Protocol See ARP administrative VLAN REP configuring 21 8 administrative VLAN REP 21 8 advertisements CDP 28 1 LLDP 27 1 27 2 VTP 15 16 16 3 age timer REP 21 8 aggregatable global unicast addresses 37 3 aggregated ports See EtherChannel aggregate policers...

Page 835: ...s with IEEE 802 1x 12 9 autoconfiguration 4 3 auto enablement 12 24 automatic discovery considerations beyond a noncandidate device 7 7 brand new switches 7 8 connectivity 7 4 different VLANs 7 6 management VLANs 7 7 automatic discovery continued non CDP capable devices 7 6 noncluster capable devices 7 6 in switch clusters 7 4 See also CDP automatic QoS See QoS automatic recovery clusters 7 9 See ...

Page 836: ... bridge protocol data unit See BPDU broadcast storm control command 26 4 broadcast storms 26 1 C cables monitoring for unidirectional links 29 1 candidate switch automatic discovery 7 4 defined 7 3 requirements 7 3 See also command switch cluster standby group and member switch Catalyst 6000 switches authentication compatibility 12 8 CA trustpoint configuring 11 40 defined 11 38 CDP and trusted bo...

Page 837: ...messages 2 5 filtering command output 2 10 getting help 2 3 history changing the buffer size 2 6 described 2 6 disabling 2 7 recalling commands 2 6 CLI continued managing clusters 7 14 no and default forms of commands 2 4 Client Information Signalling Protocol See CISP client mode VTP 16 3 clock See system clock clusters switch accessing 7 12 automatic discovery 7 4 automatic recovery 7 9 benefits...

Page 838: ...uirements 7 3 standby SC 7 9 command switch continued See also candidate switch cluster standby group member switch and standby command switch community strings configuring 7 13 33 8 for cluster switches 33 4 in clusters 7 13 overview 33 4 SNMP 7 13 compatibility feature 26 12 config text 4 16 configurable leave timer IGMP 25 5 configuration initial defaults 1 11 Express Setup 1 2 configuration ch...

Page 839: ...port connecting to 2 10 control protocol IP SLAs 35 3 convergence REP 21 4 corrupted software recovery steps with Xmodem 39 2 CoS in Layer 2 frames 36 2 override priority 17 6 trust priority 17 6 CoS input queue threshold map for QoS 36 14 CoS output queue threshold map for QoS 36 17 CoS to DSCP map for QoS 36 51 counters clearing interface 13 19 CPU utilization troubleshooting 39 18 crashinfo fil...

Page 840: ... 1 description command 13 17 designing your network examples 1 13 destination addresses in IPv4 ACLs 34 9 destination IP address based forwarding EtherChannel 38 7 destination MAC address forwarding EtherChannel 38 7 detecting indirect link failures STP 20 5 device B 23 device discovery protocol 27 1 28 1 device manager benefits 1 2 described 1 2 1 4 in band management 1 5 upgrading a switch B 23 ...

Page 841: ...erface 23 2 untrusted messages 23 2 DHCP snooping binding database adding bindings 23 11 binding entries displaying 23 12 binding file format 23 6 location 23 5 DHCP snooping binding database continued bindings 23 5 clearing agent statistics 23 11 configuration guidelines 23 8 configuring 23 11 default configuration 23 6 23 7 deleting binding file 23 11 bindings 23 11 database agent 23 11 describe...

Page 842: ...v6 templates 37 4 37 5 dual protocol stacks IPv4 and IPv6 37 5 SDM templates supporting 37 5 dual purpose uplinks defined 13 4 LEDs 13 4 link selection 13 4 13 11 setting the type 13 11 dynamic access ports characteristics 15 3 configuring 15 26 defined 13 3 dynamic addresses See addresses dynamic ARP inspection ARP cache poisoning 24 1 ARP requests described 24 1 ARP spoofing attack 24 1 clearing...

Page 843: ...d 2 7 wrapped lines 2 9 ELIN location 27 3 enable password 11 3 enable secret password 11 3 enabling SNMP traps 3 11 encryption CipherSuite 11 39 encryption for passwords 11 3 environment variables function of 4 19 error disabled state BPDU 20 2 error messages during command entry 2 5 EtherChannel automatic creation of 38 4 38 5 channel groups binding physical and logical interfaces 38 3 numbering...

Page 844: ...d universal identifier See EUI Extensible Authentication Protocol over LAN 12 1 F fa0 interface 1 6 Fast Convergence 22 3 FCS bit error rate alarm configuring 3 8 3 9 defined 3 3 FCS error hysteresis threshold 3 2 features incompatible 26 12 fiber optic detecting unidirectional links 29 1 files basic crashinfo description 39 17 location 39 17 copying B 5 crashinfo description 39 17 deleting B 5 di...

Page 845: ...g B 13 overview B 12 preparing the server B 13 uploading B 14 image files deleting old image B 31 downloading B 30 preparing the server B 29 uploading B 31 G general query 22 5 Generating IGMP Reports 22 3 get bulk request operation 33 3 get next request operation 33 3 33 4 get request operation 33 3 33 4 get response operation 33 3 global configuration mode 2 2 global leave IGMP 25 12 global stat...

Page 846: ...EE 802 3x flow control 13 15 ifIndex values SNMP 33 5 IFS 1 5 IGMP configurable leave timer described 25 5 enabling 25 10 flooded multicast traffic controlling the length of time 25 11 disabling on an interface 25 13 global leave 25 12 query solicitation 25 12 recovering from flood mode 25 12 joining multicast group 25 3 join messages 25 3 leave processing enabling 25 10 leaving multicast group 25...

Page 847: ...rfaces auto MDIX configuring 13 16 configuration guidelines duplex and speed 13 13 configuring procedure 13 6 counters clearing 13 19 interfaces continued default configuration 13 10 described 13 17 descriptive name adding 13 17 displaying information about 13 19 flow control 13 15 management 1 4 monitoring 13 18 naming 13 17 physical identifying 13 5 range of 13 6 restarting 13 20 shutting down 1...

Page 848: ...tion 35 3 responder described 35 3 enabling 35 6 response time 35 4 SNMP support 35 2 supported metrics 35 2 IP source guard and 802 1x 23 14 and DHCP snooping 23 12 and EtherChannels 23 14 IP source guard continued and port security 23 14 and private VLANs 23 14 and routed ports 23 13 and TCAM entries 23 14 and trunk interfaces 23 14 and VRF 23 14 binding configuration automatic 23 12 manual 23 1...

Page 849: ...devices on a port 39 11 unicast traffic 39 10 usage guidelines 39 10 Layer 3 interfaces assigning IPv6 addresses to 37 7 Layer 3 packets classification methods 36 2 LDAP 6 2 Leaking IGMP Reports 22 4 LEDs switch See hardware installation guide lightweight directory access protocol See LDAP line configuration mode 2 3 Link Aggregation Control Protocol See EtherChannel link failure detecting unidire...

Page 850: ...20 disabling learning on a VLAN 8 26 discovering 8 27 displaying 8 27 displaying in the IP source binding table 23 15 MAC addresses continued dynamic learning 8 20 removing 8 21 in ACLs 34 20 static adding 8 24 allowing 8 25 8 26 characteristics of 8 23 dropping 8 25 removing 8 24 MAC address learning 1 5 MAC address learning disabling on a VLAN 8 26 MAC address notification support for 1 10 MAC a...

Page 851: ...ribed 1 8 12 11 exceptions with authentication process 12 5 membership mode VLAN port 15 3 member switch automatic discovery 7 4 defined 7 2 managing 7 14 member switch continued passwords 7 12 recovering from lost connectivity 39 7 requirements 7 3 See also candidate switch cluster standby group and standby command switch messages to users through banners 8 17 MIBs accessing files with FTP A 3 lo...

Page 852: ...hbor type 19 25 path cost 19 20 port priority 19 19 root switch 19 17 secondary root switch 19 18 switch priority 19 21 MSTP continued CST defined 19 3 operations between regions 19 3 default configuration 19 14 default optional feature configuration 20 9 displaying status 19 26 enabling the mode 19 15 EtherChannel guard described 20 7 enabling 20 14 extended system ID effects on root switch 19 17...

Page 853: ...1 multicast storm control command 26 4 multicast television application 25 17 multicast VLAN 25 16 Multicast VLAN Registration See MVR multidomain authentication See MDA multiple authentication 12 12 multiple authentication mode configuring 12 35 MVR and address aliasing 25 20 and IGMPv3 25 20 configuration guidelines 25 19 configuring interfaces 25 21 default configuration 25 19 described 25 16 e...

Page 854: ... Protocol See NTP no commands 2 4 nonhierarchical policy maps described 36 8 non IP traffic filtering 34 20 nontrunking mode 15 15 normal range VLANs 15 4 configuration guidelines 15 5 configuration modes 15 6 configuring 15 4 defined 15 1 NSM 6 3 NTP associations authenticating 8 4 defined 8 2 enabling broadcast messages 8 6 peer 8 5 server 8 5 default configuration 8 4 displaying the configurati...

Page 855: ...class 36 48 described 36 4 displaying 36 68 number of 36 31 types of 36 8 policing described 36 4 token bucket algorithm 36 9 policy maps for QoS characteristics of 36 44 described 36 7 displaying 36 69 nonhierarchical on physical ports described 36 8 port ACLs described 34 2 Port Aggregation Protocol See EtherChannel port based authentication accounting 12 12 authentication server defined 12 2 RA...

Page 856: ...tical 12 19 voice VLAN 12 20 port security and voice VLAN 12 21 described 12 20 interactions 12 20 multiple hosts mode 12 10 readiness check configuring 12 31 described 12 14 12 31 resetting to default values 12 59 port based authentication continued statistics displaying 12 59 switch as proxy 12 3 RADIUS client 12 3 switch supplicant configuring 12 50 overview 12 24 VLAN assignment AAA authorizat...

Page 857: ...empt delay time REP 21 5 preemption default configuration 22 8 preemption delay default configuration 22 8 preferential treatment of traffic See QoS preventing unauthorized access 11 1 primary edge port REP 21 4 primary links 22 2 priority overriding CoS 17 6 trusting CoS 17 6 private VLAN edge ports See protected ports privileged EXEC mode 2 2 privilege levels changing the default for lines 11 9 ...

Page 858: ... 36 5 trusted CoS described 36 5 trust IP precedence described 36 5 class maps configuring 36 42 displaying 36 68 QoS continued configuration guidelines auto QoS 36 24 standard QoS 36 31 configuring aggregate policers 36 48 auto QoS 36 19 default port CoS value 36 34 DSCP maps 36 50 DSCP transparency 36 36 DSCP trust states bordering another domain 36 37 egress queue characteristics 36 61 ingress ...

    ...ace 36-67
    mapping tables
        CoS-to-DSCP 36-51
        displaying 36-68
        DSCP-to-CoS 36-54
        DSCP-to-DSCP-mutation 36-55
        IP-precedence-to-DSCP 36-52
        policed-DSCP 36-53
        types of 36-10
    marked-down actions 36-47
    marking, described 36-4, 36-8
    overview 36-1
    packet modification 36-18
QoS (continued)
    policers
        configuring 36-47, 36-49
        described 36-8
        displaying 36-68
        number of 36-31
        types of 36-8
    policies, attaching to an inte...

...AN spanning-tree plus
    See rapid PVST
rapid PVST
    described 18-9
    IEEE 802.1Q trunking interoperability 18-10
    instances supported 18-9
Rapid Spanning Tree Protocol
    See RSTP
rcommand command 7-14
RCP
    configuration files
        downloading B-17
        overview B-15
        preparing the server B-16
        uploading B-18
    image files
        deleting old image B-36
        downloading B-34
        preparing the server B-33
        uploading B-36
readiness check
    po...

    ...isabling 25-15
resequencing ACL entries 34-12
resetting a UDLD-shutdown interface 29-6
Resilient Ethernet Protocol
    See REP
responder, IP SLAs
    described 35-3
    enabling 35-6
response time, measuring with IP SLAs 35-4
restricted VLAN
    configuring 12-43
    described 12-18
    using with IEEE 802.1x 12-18
restricting access
    NTP services 8-8
    overview 11-1
    passwords and privilege levels 11-2
    RADIUS 11-17
    TACACS 11-...

        ...ned 19-9
    interoperability with IEEE 802.1D
        described 19-8
        restarting migration process 19-25
        topology changes 19-13
    overview 19-8
    port roles
        described 19-9
        synchronized 19-11
    proposal-agreement handshake process 19-10
RSTP (continued)
    rapid convergence
        described 19-9
        edge ports and Port Fast 19-9
        point-to-point links 19-10, 19-24
        root ports 19-10
    root port, defined 19-9
    See also MSTP
running configura...

...ary command 34-17
show alarm commands 3-12
show and more command output, filtering 2-10
show cdp traffic command 28-5
show cluster members command 7-14
show configuration command 13-17
show forward command 39-16
show interfaces command 13-14, 13-17
show interfaces switchport 22-4
show lldp traffic command 27-11
show platform forward command 39-16
show running-config command
    displaying ACLs 34-16, 34-...

...GMP 25-1
software images
    location in flash B-24
    recovery procedures 39-2
    scheduling reloads 4-20
    tar file format, described B-24
    See also downloading and uploading
source addresses, in IPv4 ACLs 34-9
source-and-destination IP address-based forwarding, EtherChannel 38-7
source-and-destination MAC address forwarding, EtherChannel 38-7
source IP address-based forwarding, EtherChannel 38-7
source MAC addre...

    ...ents 7-3
    virtual IP address 7-10
    See also cluster standby group and HSRP
standby group, cluster
    See cluster standby group and HSRP
standby links 22-2
startup configuration
    booting
        manually 4-17
        specific image 4-18
    clearing B-19
startup configuration (continued)
    configuration file
        automatically downloading 4-16
        specifying the filename 4-16
    default boot configuration 4-16
static access ports
    assigning ...

    ... 18-3
    detecting indirect link failures 20-5
    disabling 18-14
    displaying status 18-22
STP (continued)
    EtherChannel guard
        described 20-7
        disabling 20-14
        enabling 20-14
    extended system ID
        effects on root switch 18-14
        effects on the secondary root switch 18-16
        overview 18-4
        unexpected behavior 18-14
    features supported 1-6
    IEEE 802.1D and bridge ID 18-4
    IEEE 802.1D and multicast addresses 18-8
    IEEE 802.1t...

...M
Switched Port Analyzer
    See SPAN
switched ports 13-2
switchport backup interface 22-4, 22-5
switchport block multicast command 26-8
switchport block unicast command 26-8
switchport protected command 26-7
switch priority
    MSTP 19-21
    STP 18-19
switch software features 1-1
synchronization, real-time clocks 9-1
syslog
    See system message logging
system capabilities TLV 27-2
system clock
    configuring
        dayli...

    ...11-10
    support for 1-9
    tracking services accessed by user 11-17
tar files
    creating B-6
    displaying the contents of B-6
    extracting B-7
    image file format B-24
TDR 1-11
Telnet
    accessing management interfaces 2-10
    number of connections 1-6
    setting a password 11-6
temperature alarms, configuring 3-6, 3-7
templates, SDM 10-1
temporary self-signed certificate 11-38
Terminal Access Controller Access Control Sy...

    ...ethods 3-3
    SNMP traps 3-4
    syslog messages 3-4
troubleshooting
    connectivity problems 39-8, 39-10, 39-11
    CPU utilization 39-18
    detecting unidirectional links 29-1
    displaying crash information 39-17
    setting packet forwarding 39-16
    SFP security and identification 39-8
    show forward command 39-16
    with CiscoWorks 33-4
    with debug commands 39-14
    with ping 39-9
    with system message logging 32-1
    with traceroute...

    ...king 26-8
UniDirectional Link Detection protocol
    See UDLD
UNIX syslog servers
    daemon configuration 32-12
    facilities supported 32-13
    message logging configuration 32-12
unrecognized Type-Length-Value (TLV) support 16-4
upgrading software images
    See downloading
UplinkFast
    described 20-3
    disabling 20-13
    enabling 20-13
    support for 1-6
uploading
    configuration files
        preparing B-10, B-13, B-16
        reasons for B-...

    ...guring 15-1
    configuring IDs 1006 to 4094 15-12
    creating in config-vlan mode 15-8
    creating in VLAN configuration mode 15-9
    default configuration 15-7
    deleting 15-9
    described 13-2, 15-1
VLANs (continued)
    displaying 15-13
    extended-range 15-1, 15-11
    features 1-7
    illustrated 15-2
    limiting source traffic with RSPAN 30-22
    limiting source traffic with SPAN 30-15
    modifying 15-8
    multicast 25-16
    native, configuri...

        ...configuration mode 16-7
        guidelines 16-7
        privileged EXEC mode 16-7
        requirements 16-8
        saving 16-7
        VLAN configuration mode 16-7
    configuration mode options 16-7
    configuration requirements 16-8
    configuration revision number
        guideline 16-14
        resetting 16-15
    configuring
        client mode 16-11
        server mode 16-9
        transparent mode 16-12
VTP (continued)
    consistency checks 16-4
    default configuration 16-6
    described 16-1...

    ...5 to 12-58
    described 1-8, 12-25
    fallback for IEEE 802.1x 12-57
weighted tail drop
    See WTD
wired location service
    configuring 27-9
    displaying 27-10
    location TLV 27-3
    understanding 27-3
wizards 1-2
WTD
    described 36-11
    setting thresholds
        egress queue-sets 36-61
        ingress queues 36-57
    support for 1-10

X

Xmodem protocol 39-2
