Cisco IE 4000 Software Configuration Manual Download Page 561 | Manualshive

Page: 561 / 1066

background image

557

Configuring Network Security with ACLs

How to Configure Network Security with ACLs

or

access-list

access-list-number

{

deny | permit

}

protocol

any any

[

precedence

precedence

] [

tos

tos

] [

fragments

] [

log

] [

log-input

]

[

time-range

time-range-name

]

[

dscp

dscp

]

In access-list configuration mode, defines an extended IP access list using an
abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and
an abbreviation for a destination and destination wildcard of 0.0.0.0
255.255.255.255.

You can use the

any

keyword in place of source and destination address and

wildcard.

or

access-list

access-list-number

{

deny

|

permit

}

protocol

host

source

host

destination

[

precedence

precedence

] [

tos

tos

] [

fragments

] [

log

] [

log-input

]

[

time-range

time-range-name

]

[

dscp

dscp

]

Defines an extended IP access list by using an abbreviation for a source and a
source wildcard of

source

0.0.0.0 and an abbreviation for a destination and

destination wildcard of

destination

0.0.0.0.

You can use the

host

keyword in place of the source and destination wildcard

or mask.

Step
2b

access-list

access-list-number

{

deny

|

permit

}

tcp

source

source-wildcard

[

operator port

]

destination destination-wildcard

[

operator port

] [

established

]

[

precedence

precedence

] [

tos

tos

] [

fragments

] [

log

] [

log-input

]

[

time-range

time-range-name

]

[

dscp

dscp

] [

flag

]

(Optional) Defines an extended TCP access list and the access conditions.

Enter

tcp

for Transmission Control Protocol.

The parameters are the same as those described in Step 2a, with these
exceptions:

(Optional)

operator

and

port

compare source (if positioned after

source

source-wildcard

) or destination (if positioned after

destination

destination-wildcard

) port. Possible operators include

eq

(equal),

gt

(greater

than),

lt

(less than),

neq

(not equal), and

range

(inclusive range). Operators

require a port number (

range

requires two port numbers separated by a space).

port

number is a decimal number (from 0 to 65535) or the name of a TCP port.

To see TCP port names, use the ? or see the “Configuring IP Services” section
in the “IP Addressing and Services” chapter of the

Cisco IOS IP Configuration

Guide, Release 12.2

. Use only TCP port numbers or names when filtering TCP.

The other optional keywords have these meanings:



established

—Matches an established connection. This has the same

function as matching on the

ack

or

rst

flag.



flag—

Matches one of these flags by the specified TCP header bits:

ack

(acknowledge),

fin

(finish),

psh

(push),

rst

(reset),

syn

(synchronize), or

urg

(urgent).

Step
2c

access-list

access-list-number

{

deny

|

permit

}

udp

source source-wildcard

[

operator

port

]

destination

destination-wildcard

[

operator

port

] [

precedence

precedence

]

[

tos

tos

] [

fragments

] [

log

]

[

log-input

] [

time-range

time-range-name

] [

dscp

dscp

]

(Optional) Defines an extended UDP access list and the access conditions.

udp

—The User Datagram Protocol.

The UDP parameters are the same as those described for TCP except that the
[

operator

[

port

]] port number or name must be a UDP port number or name, and

the

flag

and

established

parameters are not valid for UDP.

Command

Purpose

«
...
559
560
561
562
563
...
»

Summary of Contents for IE 4000

Page 1: ...tems Inc www cisco com Cisco Industrial Ethernet 4000 4010 and 5000 Switch Software Configuration Guide All Cisco IOS Releases up to 15 2 5 E and 15 2 4 EC First Published September 2016 Last Updated March 2018 ...

Page 2: ...ENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any Internet Protocol IP addresses and phone numbers used in this document are not intend...

Page 3: ...al user interfaces GUIs for the embedded Device Manager However the concepts in this guide are applicable to the GUI user For information about Device Manager see the switch online help For documentation updates see the release notes for this release Conventions This publication uses these conventions to convey instructions and information Command descriptions use these conventions Commands and ke...

Page 4: ...the Switch with the CLI Based Setup Program appendix in the hardware installation guide For Device Manager requirements see the System Requirements section in the release notes not orderable but available on Cisco com For upgrading information see the Downloading Software section in the release notes See these documents for other information about the switch Release Notes Software Configuration Gu...

Page 5: ...switches datasheet listing html http www cisco com c en us products switches industrial ethernet 4000 series switches datasheet listing html Feature Software Licensing Software Licensing is now simplified with the introduction of right to use RTU licensing This allows you to order and activate a specific license type and level via command line Uploading an extra license file is no longer necessary...

Page 6: ...e In Use License Priority High License Count Non Counted Index 3 Feature mrp manager Period left 8 weeks 4 days License Type Evaluation License State Active Not in Use EULA not accepted License Priority None License Count 1 0 0 Active In use Violation Index 4 Feature mrp client Period left 8 weeks 4 days License Type Evaluation License State Active Not in Use EULA not accepted License Priority Non...

Page 7: ... Protocol SNMP information through a browser based program User defined and Cisco default Smartports macros for creating custom switch configurations for simplified deployment across the network A removable SD flash card that stores the Cisco IOS software image and configuration files for the switch You can replace and upgrade the switch without reconfiguring the software features An embedded Devi...

Page 8: ...raffic convergence time after a FlexLink failure RADIUS server load balancing to allow access and authentication requests to be distributed evenly across a server group Support for QoS marking of CPU generated traffic and queue CPU generated traffic on the egress network ports Management Options An embedded Device Manager Device Manager is a GUI application that is integrated in the software image...

Page 9: ...he embedded Profinet GSD file allows user to bring up Cisco IE switch using Siemens STEP7 or TIA Portal software then monitor the functionality via command line or Web based Device Manger Default Settings After Initial Switch Configuration The switch is designed for plug and play operation requiring only that you assign basic IP information to the switch and connect it to the other devices in your...

Page 10: ...sabled FlexLinks are not configured DHCP snooping is disabled IP source guard is disabled DHCP server port based address allocation is disabled Dynamic ARP inspection is disabled on all VLANs IGMP snooping is enabled No IGMP filters are applied IGMP throttling setting is deny The IGMP snooping querier feature is disabled MVR is disabled Port based traffic Broadcast multicast and unicast storm cont...

Page 11: ...ault Settings After Initial Switch Configuration Syslog messages are enabled and appear on the console SNMP is enabled Version 1 No ACLs are configured QoS is enabled No EtherChannels are configured IP unicast routing is disabled ...

Page 12: ...8 Configuration Overview Default Settings After Initial Switch Configuration ...

Page 13: ...d or enter global configuration mode Using the configuration modes global interface and line you can make changes to the running configuration If you save the configuration these commands are stored and used when the switch reboots To access the various configuration modes you must start at global configuration mode From global configuration mode you can enter interface configuration mode and line...

Page 14: ...arameters for VLANs 1 to 1005 in the VLAN database Interface configuration While in global configuration mode enter the interface command with a specific interface Switch config if To exit to global configuration mode enter exit To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure parameters for the Ethernet ports Line configuration While in global configuration m...

Page 15: ...t Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are disabled by default so the default form is the same as the no form However some commands are enabled by default and have variables set to certain default values In these cases the default command enables the command and sets variables to their default val...

Page 16: ...he Command History Feature page 13 optional Changing the Command History Buffer Size By default the switch records ten command lines in its history buffer You can alter this number for a current terminal session or for all sessions on a particular line These procedures are optional Beginning in privileged EXEC mode enter this command to change the number of command lines that the switch records du...

Page 17: ... Enabling and Disabling Editing Features page 13 optional Editing Commands Through Keystrokes page 14 optional Editing Command Lines That Wrap page 15 optional Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it reenable it or configure a specific line to have enhanced editing These procedures are optional To globally disable enhanced ...

Page 18: ...or forward one word Press Ctrl T Transpose the character to the left of the cursor with the character located at the cursor Recall commands from the buffer and paste them in the command line The switch provides a buffer with the last ten items that you deleted Press Ctrl Y Recall the most recent entry in the buffer Press Esc Y Recall the next buffer entry The buffer contains only the last 10 items...

Page 19: ...1 108 1 20 255 255 255 0 eq 45 After you complete the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 The software assumes you have a terminal screen that is 80 columns ...

Page 20: ...To understand the boot process and the options available for assigning IP information see Performing Switch Setup Configuration page 59 If your switch is already configured you can access the CLI through a local console connection or through a remote Telnet session but your switch must first be configured for this type of access For more information see Setting the Telnet Password for a Terminal L...

Page 21: ...s for physical interface characteristics UNI NNI and ENI Port Types page 17 Port Based VLANs page 18 Switch Ports page 19 Routed Ports page 20 Switch Ports page 19 Switch Virtual Interfaces page 20 EtherChannel Port Groups page 20 Power over Ethernet Ports page 21 Connecting Interfaces page 25 UNI NNI and ENI Port Types The switch supports user network interfaces UNIs network node interfaces NNIs ...

Page 22: ...r 3 device to route traffic between the VLANs VLAN partitions provide hard firewalls for traffic in the VLAN and each VLAN has its own MAC address table A VLAN comes into existence when a local port is associated with the VLAN ID or when a user creates te VLAN ID To isolate VLANs of different customers in a service provider network the switch uses UNI ENI VLANs UNI ENI VLANs isolate user network i...

Page 23: ...n forwarding packets as soon as they are enabled Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server VMPS Dynamic access ports for VMPS are only supported on UNIs and ENIs Trunk Ports An 802 1Q trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database A trunk port supports simultaneous tagged and untagged ...

Page 24: ...N of switch ports as one interface to the routing or bridging function in the system Only one SVI can be associated with a VLAN but you need to configure an SVI for a VLAN only when you wish to route between VLANs or to provide IP host connectivity to the switch By default an SVI is created for the default VLAN VLAN 1 to permit remote switch administration Additional SVIs must be explicitly config...

Page 25: ...device power requirements and then grants or denies power to the device The switch can also sense the real time power consumption of the device by monitoring and policing the power usage This section has this PoE information Supported Protocols and Standards page 21 Powered Device Detection and Initial Power Allocation page 22 Power Management Modes page 22 Supported Protocols and Standards The sw...

Page 26: ...powered devices and the switch adjusts the power budget accordingly This does not apply to third party PoE devices The switch processes a request and either grants or denies power If the request is granted the switch updates the power budget If the request is denied the switch ensures that power to the port is turned off generates a syslog message and updates the LEDs Powered devices can also nego...

Page 27: ... to be powered when it is connected to the static port The port no longer participates in the first come first served model However if the powered device IEEE class is greater than the maximum wattage the switch does not supply power to it If the switch learns through CDP messages that the powered device needs more than the maximum wattage the powered device is shutdown If you do not specify a wat...

Page 28: ...value by entering the power inline consumption default wattage or the power inline auto static max max wattage command If you are not manually configuring the cutoff power value the switch automatically determines the value by using CDP power negotiation or the device IEEE classification which is the third method in the previous list If the switch cannot determine the value by using one of these m...

Page 29: ...t still has power available the switch then grants power to the PoE ports in auto mode in ascending order of the port numbers Dual Purpose Ports on IE 4000 Each dual purpose port is considered a single interface with dual front ends an RJ 45 connector and an SFP module connector The dual front ends are not redundant interfaces the switch activates only one connector of the pair By default dual pur...

Page 30: ...input from the RJ 45 console is immediately disabled and input from the USB console is enabled Removing the USB connection immediately reenables input from the RJ 45 console connection A LED on the switch shows which console connection is in use Console Port Change Logs At software startup a log shows whether the USB or the RJ 45 console port is active The switch first displays the RJ 45 media typ...

Page 31: ...stem configuration media type remains RJ45 This example reverses the previous configuration and immediately activates the USB console that is connected Switch configure terminal Switch config line console 0 Switch config line no media type rj45 Using Interface Configuration Mode The switch supports these interface types Physical ports switch ports routed ports UNIs NNIs and ENIs VLANs switch virtu...

Page 32: ... space between the interface type and interface number For example in the preceding line you can specify either fastethernet 0 1 fastethernet0 1 fa 0 1 or fa0 1 3 If you are configuring a UNI or ENI enter the no shutdown interface configuration command to enable the interface Switch config if no shutdown 4 Follow each interface command with the interface configuration commands that the interface r...

Page 33: ...ch configure terminal Switch config interface range fastethernet0 1 2 Switch config if range no shutdown Switch config if range speed 100 This example shows how to use a comma to add different interface type strings to the range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive 802 3x flow control pause frames Switch configure terminal Switch config interface range...

Page 34: ...e first port last port where the module is always 1 tengigabitethernet module first port last port where the module is always 1 port channel port channel number port channel number where the port channel number is 1 to 10 When you use the interface ranges with port channels the first and last port channel number must be active port channels You must add a space between the first interface number a...

Page 35: ...f the interfaces in the range to a VLAN Switch configure terminal Switch config define interface range macro1 fastethernet0 1 2 GigabitEthernet1 17 2 Switch config interface range macro macro1 Switch config if range switchport access vlan 20 Switch config if range no shut Switch config if range end This example shows how to enter interface range configuration mode for the interface range macro ene...

Page 36: ...ng Operating mode Layer 2 or switching mode switchport command Allowed VLAN range VLANs 1 4094 Default VLAN for access ports VLAN 1 Layer 2 interfaces only Native VLAN for 802 1Q trunks VLAN 1 Layer 2 interfaces only VLAN trunking Switchport mode access Layer 2 interfaces only Port enable state Enabled Port description None defined Speed Autonegotiate Duplex mode Full 802 3x flow control Flow cont...

Page 37: ...he default setting by entering the no keepalive interface configuration command If you enter the keepalive command with no arguments keepalive packets are sent with the default time interval 10 seconds and number of retries 5 Entering the no keepalive command disables keepalive packets on the interface Beginning in privileged EXEC mode follow these steps to configure the port type on an interface ...

Page 38: ...ex Parameters page 35 Speed and Duplex Configuration Guidelines When configuring an interface speed and duplex mode note these guidelines You can configure interface speed on Fast Ethernet 10 100 Mbps and Gigabit Ethernet 10 100 1000 Mbps ports You can configure Fast Ethernet ports to full duplex half duplex or to autonegotiate mode You can configure Gigabit Ethernet ports to full duplex mode or t...

Page 39: ...de configuration might shut down and re enable the interface during the reconfiguration Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode follow these steps to set the speed and duplex mode for a physical interface Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Specify the physical interface to be configured and enter...

Page 40: ...port might not be powered up again For example port 1 is in the auto and on state and you configure it for static mode The switch removes power from port 1 detects the powered device and repowers the port If port 1 is in the auto and on state and you configure it with a maximum wattage of 10 W the switch removes power from the port and then redetects the powered device The switch repowers the port...

Page 41: ...nd make certain not to oversubscribe the power supply Note When you manually configure the power budget you must also consider the power loss over the cable between the switch and the powered device Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Specify the physical port to be configured and enter interface configuration mode 3 power inline auto max m...

Page 42: ...mand Beginning in privileged EXEC mode follow these steps to configure amount of power budgeted to a powered device connected to a specific PoE port To return to the default setting use the no power inline consumption interface configuration command Command Purpose 1 configure terminal Enter global configuration mode 2 no cdp run Optional Disable CDP 3 power inline consumption default wattage Conf...

Page 43: ...l settings on the device receive on or desired The port cannot send pause frames but can operate with an attached device that is required to or can send pause frames the port can receive pause frames receive off 802 3x flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by either device Beginnin...

Page 44: ...uplex on the interface to auto so that the feature operates correctly Auto MDIX is supported on all 10 100 and 10 100 1000 Mbps interfaces and on Cisco 10 100 1000 BASE T TX SFP module interfaces It is not supported on 1000 BASE SX or LX SFP module interfaces Table 4 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow...

Page 45: ...ption Switch config terminal Enter configuration commands one per line End with CNTL Z Switch config interface GigabitEthernet1 18 Switch config if description Connects to Marketing Switch config if end Switch show interfaces GigabitEthernet1 18 description Interface Status Protocol Description Gi 0 2 admin down down Connects to Marketing 7 end Return to privileged EXEC mode 8 show controllers eth...

Page 46: ...ror message is generated and the extended range VLAN is rejected If the switch attempts to boot up with a configuration that has more VLANs and routed ports than hardware can support the VLANs are created but the routed ports are shut down and the switch sends a message that this was due to insufficient hardware resources All Layer 3 interfaces require an IP address to route traffic This procedure...

Page 47: ... you do not configure the system mtu jumbo command the setting of the system mtu command applies to all Gigabit Ethernet interfaces You cannot set the MTU size for an individual interface you set it for all 10 100 or all Gigabit Ethernet interfaces on the switch When you change the system MTU size you must reset the switch before the new configuration takes effect The system mtu routing command do...

Page 48: ...ped Beginning in privileged EXEC mode follow these steps to change the MTU size for all 10 100 or Gigabit Ethernet interfaces If you enter a value that is outside the allowed range for the specific type of interface the value is not accepted Once the switch reloads you can verify your settings by entering the show system mtu privileged EXEC command This example shows how to set the maximum packet ...

Page 49: ...commands by using the show command at the privileged EXEC prompt Table 8 Show Commands for Interfaces Command Purpose show interfaces interface id Display the status and configuration of all interfaces or a specific interface show interfaces interface id status err disabled Display interface status or a list of interfaces in an error disabled state show interfaces interface id switchport Display a...

Page 50: ... enabled globally and not configurable on the switch however it applies only to the fiber Fast Ethernet SFP interfaces on the switch show interfaces interface id transceiver detail dom supported list module number properties threshold table Display these physical and operational status about an SFP module interface id Optional Display configuration and status for a specified physical interface det...

Page 51: ...ng the Interface Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable on all monitoring command displays This information is communicated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use...

Page 52: ...48 Configuring Interfaces Monitoring and Maintaining the Interfaces ...

Page 53: ...the alarm set threshold expressed as a percentage value For example if the FCS bit error rate alarm value is configured to 10 8 that value is the alarm set threshold To set the alarm clear threshold at 5 10 10 the hysteresis value h is determined as follows Table 10 Global Status Monitoring Alarms Alarm Description Power supply alarm The switch monitors dual power supply levels If there are two po...

Page 54: ... by alarms for global port status and SD flash card conditions You can configure the relay to send a fault signal to an external alarm device such as a bell light or other signaling device You can associate any alarm condition with the alarm relay Each fault condition is assigned a severity level based on the Cisco IOS System Error Message Severity Level See Configuring the Power Supply Alarms pag...

Page 55: ...o alarm In dual power supply mode the default alarm notification is a system message to the console Primary temperature alarm Enabled for switch temperature range of 203o F 95o C maximum to 4 F 20o C minimum The primary switch temperature alarm is associated with the major relay Secondary temperature alarm Disabled Output relay mode alarm Normally deenergized The alarm output has switched off or i...

Page 56: ...s global configuration mode 2 alarm facility temperature primary secondary high threshold Sets the high temperature threshold value Set the threshold from 238 F 150 C to 572 F 300 C 3 alarm facility temperature primary low threshold Sets the low temperature threshold value Set the threshold from 328 F 200 C to 482 F 250 C 4 end Returns to privileged EXEC mode 5 show alarm settings Verifies the con...

Page 57: ...e is 6 to 11 to set a maximum bit error rate of 10 6 to 10 11 By default the FCS bit error rate is 10 8 4 end Returns to privileged EXEC mode 5 show fcs threshold Verifies the setting 6 copy running config startup config Optional Saves your entries in the configuration file Command Purpose 1 configure terminal Enters global configuration mode 2 alarm facility fcs hysteresis percentage Sets the hys...

Page 58: ...Configures the alarm to send an alarm trap to a syslog server Command Purpose 1 configure terminal Enters global configuration mode 2 interface port interface Enters interface configuration mode 3 alarm profile name Attaches the specified profile to the interface 4 end Returns to privileged EXEC mode 5 show alarm profile Verifies the configuration 6 copy running config startup config Optional Save...

Page 59: ...alue of 113o F 45o C All alarms and traps associated with this alarm are sent to a syslog server and an SNMP server Switch config alarm facility temperature secondary high 45 Switch config alarm facility temperature secondary relay major Switch config alarm facility temperature secondary syslog Switch config alarm facility temperature secondary notifies This example sets the first primary temperat...

Page 60: ...LACK Displaying Alarm Settings Example Switch show alarm settings Alarm relay mode De energized Power Supply Alarm Enabled Relay Notifies Disabled Syslog Enabled Temperature Primary Alarm Enabled Thresholds MAX 95C MIN 20C Relay MAJ Notifies Enabled Syslog Enabled Temperature Secondary Alarm Disabled Threshold Relay Notifies Disabled Syslog Disabled License File Corrupt Alarm Enabled Relay Notifie...

Page 61: ...Card Alarm Disabled Relay Notifies Disabled Syslog Enabled Input Alarm 1 Alarm Enabled Relay Notifies Disabled Syslog Enabled Input Alarm 2 Alarm Enabled Relay Notifies Disabled Syslog Enabled Additional References The following sections provide references related to switch administration ...

Page 62: ...sco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of page...

Page 63: ...llation Guide Hardware Technical Guide for installing and powering on the switch and for setting up the initial switch configuration IP address subnet mask default gateway secret and Telnet passwords and so forth The normal boot process involves the operation of the boot loader software which performs these activities Performs low level CPU initialization Initializes the CPU registers which contro...

Page 64: ...bits default is 1 Parity settings default is none Default Switch Boot Settings Switch Boot Optimization The normal switch boot process involves a memory test file system check FSCK and power on self test POST The boot fast command in global configuration mode is enabled by default to permit switch boot optimization which disables these tests and minimizes the bootup time However after a system cra...

Page 65: ...is reenabled after the system comes up successfully Switch Information Assignment You can assign IP information through the switch setup program through a DHCP server or manually Use the switch setup program if you want to be prompted for specific IP information With this program you can also configure a hostname and an enable secret password The program gives you the option of assigning a Telnet ...

Page 66: ...on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay device between your switch and the DHCP server A relay device forwards broadcast traffic between two directly connected LANs A router does not forward broadcast packets but it forwards packets based on the destination IP address in the received packet DHCP based ...

Page 67: ...ple DHCP or BOOTP servers and can accept any of the offers however the client usually accepts the first offer it receives The offer from the DHCP server is not a guarantee that the IP address is allocated to the switch However the server usually reserves the address until the client has had a chance to formally request the address If the switch accepts replies from a BOOTP server and configures it...

Page 68: ...er Configuration Guidelines page 64 and the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP DHCP Configuration Guide Release 15 0 After you install the switch in your network the auto image update feature starts The downloaded configuration file is saved in the running configuration of the switch and the new image is downloaded and installed on the switch Whe...

Page 69: ...rver must contain one or more configuration files in its base directory The files can include these files The configuration file named in the DHCP reply the actual switch configuration file The network confg or the cisconet cfg file known as the default configuration files The router confg or the ciscortr cfg file These files contain commands common to all switches Normally if the DHCP and TFTP se...

Page 70: ...nfiguration filename from the DHCP server The switch sends a unicast message to the TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt it completes its boot up process The IP address and the configuration filename is reserved for the switch but the TFTP server address is not provided in the DHCP reply one file read method The switch receives...

Page 71: ...he power cord You can release the Mode button a second or two after the LED above port 1 turns off Then the boot loader switch prompt appears The switch boot loader software provides support for nonvolatile environment variables which can be used to control how the boot loader or any other software running on the system behaves Boot loader environment variables are similar to environment variables...

Page 72: ...ment Variables Variable Boot Loader Command Cisco IOS Global Configuration Command BOOT set BOOT filesystem file url A semicolon separated list of executable files to try to load and execute when automatically booting If the BOOT environment variable is not set the system attempts to load and execute the first executable image it can find by using a recursive depth first search through the flash f...

Page 73: ...oconfiguration to configure TFTP and DHCP settings on a new switch to download a new image and a new configuration file Command Purpose 1 configure terminal Enters global configuration mode 2 ip dhcp poolname Creates a name for the DHCP Server address pool and enters DHCP pool configuration mode 3 bootfile filename Specifies the name of the configuration file that is used as a boot image 4 network...

Page 74: ... address Specifies the IP address of the TFTP server 7 option 125 hex Specifies the path to the text file that describes the path to the image file 8 copy tftp flash filename txt Uploads the text file to the switch 9 copy tftp flash imagename tar Uploads the tar file for the new image to the switch 10 exit Returns to global configuration mode 11 tftp server flash config text Specifies the Cisco IO...

Page 75: ...exit Returns to global configuration mode 6 ip default gateway ip address Enters the IP address of the next hop router interface that is directly connected to the switch where a default gateway is being configured The default gateway receives IP packets with unresolved destination IP addresses from the switch Once the default gateway is configured the switch has connectivity to the remote networks...

Page 76: ...he default gateway is configured the switch has connectivity to the remote networks with which a host needs to communicate Note When your switch is configured to route with IP it does not need to have a default gateway set 6 end Returns to privileged EXEC mode 7 show interfaces vlan vlan id Verifies the configured IP address 8 show ip redirects Verifies the configured default gateway 9 copy runnin...

Page 77: ...he switch is in boot loader mode shown by the switch prompt To boot up the system use the boot filesystem file url boot loader command For filesystem use flash for the system board flash device For file url specify the path directory and the name of the bootable image Filenames and directory names are case sensitive 5 copy running config startup config Optional Saves your entries in the configurat...

Page 78: ...50 255 255 255 0 no ip directed broadcast ip default gateway 172 20 137 1 snmp server community private RW snmp server community public RO snmp server community private es0 RW snmp server community public es0 RO snmp server chassis id 0x12 end To store the configuration or changes you have made to your startup configuration in flash memory enter this privileged EXEC command Switch copy running con...

Page 79: ...m the TFTP server Switches B through D retrieve their configuration files and IP addresses in the same way Figure 4 on page 75 shows a sample network for retrieving IP information by using DHCP based autoconfiguration Figure 4 DHCP Based Autoconfiguration Network Example Table 15 on page 75 shows the configuration of the reserved leases on the DHCP server Switch 1 00e0 9f1e 2001 Cisco router 11139...

Page 80: ...ough Switch D Scheduling Software Image Reload Examples This example shows how to reload the software on the switch on the current day at 7 30 p m Switch reload at 19 30 Reload scheduled for 19 30 00 UTC Wed Jun 5 1996 in 2 hours and 25 minutes Proceed with reload confirm This example shows how to reload the software on the switch at a future time Switch reload at 02 00 jun 20 Reload scheduled for...

Page 81: ...ftp server flash c ipservices mz 122 44 3 SE tar Switch config tftp server flash ies lanbase tar 122 44 EX tar Switch config tftp server flash boot config text Switch config tftp server flash autoinstall_dhcp Switch config interface GigabitEthernet1 18 Switch config if no switchport Switch config if ip address 10 10 10 1 255 255 255 0 Switch config if end Configuring Client to Download Files from ...

Page 82: ... software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pages of searc...

Page 83: ...al configuration command at the switch Otherwise subsequent cns config partial global configuration command operations malfunction Enable Automated CNS Configuration To enable automated CNS configuration of the switch you must first complete the prerequisites in Table 1 When you complete them power on the switch At the setup prompt you do not need to enter a command The switch begins the initial c...

Page 84: ...er Event service event gateway Data service directory data models and schema In standalone mode Cisco Configuration Engine supports an embedded directory service In this mode no external directory or other data store is required In server mode Cisco Configuration Engine supports a user defined external directory Device Required Configuration Access switch Factory default no configuration file Dist...

Page 85: ...uration information in the form of CLI commands In the templates variables are specified using Lightweight Directory Access Protocol LDAP URLs that reference the device specific configuration information stored in a directory The Cisco IOS agent can perform a syntax check on received configuration files and publish events to show the success or failure of the syntax check The configuration agent c...

Page 86: ...ine both ConfigID and Device ID for each configured switch Within the scope of a single instance of the configuration server no two configured switches can share the same value for ConfigID Within the scope of a single instance of the event bus no two configured switches can share the same value for DeviceID ConfigID Each configured switch has a unique ConfigID which serves as the key into the Con...

Page 87: ...when you run Setup on Configuration Engine Cisco IOS Agents The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent Initial Configuration When the switch first comes up it attempts to get an IP address by broadcasting a DHCP request on the network Assuming there is no DHCP server on the subnet the distribution switch acts...

Page 88: ...figuration When the switch receives a configuration it can defer application of the configuration upon receipt of a write signal event The write signal event tells the switch not to save the updated configuration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before savin...

Page 89: ...ers how often the switch sends keepalive messages For retry count enters the number of unanswered keepalive messages that the switch sends before the connection is terminated The default for each is 0 Optional reconnect time Enters the maximum time interval that the switch waits before trying to reconnect to the event gateway Optional source ip address Enters the source IP address of this device N...

Page 90: ...e is 10 to 2000 seconds The default is 120 7 discover controller controller type dlci subinterface subinterface number interface interface type line line type Specifies the interface parameters in the CNS connect profile controller controller type Enters the controller type dlci Enters the active data link connection identifiers DLCIs Optional subinterface subinterface number Specifies the point t...

Page 91: ...ne the unique ID dns reverse Retrieves the hostname and assigns it as the unique ID ipaddress Uses the IP address mac address Uses the MAC address as the unique ID Optional event Sets the ID to be the eventID value used to identify the switch Optional image Sets the ID to be the imageID value used to identify the switch Note If the event and image keywords are omitted the imageID value is used to ...

Page 92: ...esultant configuration to be automatically written to NVRAM Optional page page Enters the web page of the initial configuration The default is Config config asp Optional source ip address Enters the source IP address Optional syntax check Checks the syntax when this parameter is entered Note Though visible in the command line help string the encrypt status url and inventory keywords are not suppor...

Page 93: ...ate ip route Switch config cns conn exit Switch config hostname RemoteSwitch RemoteSwitch config cns config initial 10 1 1 1 no persist This example shows how to configure an initial configuration on a remote switch when the switch IP address is known The Configuration Engine IP address is 172 28 129 22 Switch config cns template connect template dhcp Switch config tmpl conn cli ip address dhcp Sw...

Page 94: ... or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs ...

Page 95: ...o the standby cluster command switches through the management VLAN and to the cluster member switches through a common VLAN Standby Cluster Command Switch Characteristics A standby cluster command switch must meet these requirements Has an IP address Has CDP version 2 enabled Is connected to the command switch and to other standby command switches through its management VLAN Is connected to all ot...

Page 96: ...switch clustering technology so that you can configure and troubleshoot a group of different Catalyst desktop switch platforms through a single IP address In a switch cluster one switch must be the cluster command switch and up to 15 other switches can be cluster member switches The total number of switches in a cluster cannot exceed 16 switches The cluster command switch is the single point of ac...

Page 97: ...IE 4000 15 2 2 EA or later Member or command switch IE 4010 15 2 4 EC or later Member or command switch IE 5000 15 2 2 EB or later Member or command switch Catalyst 3750 E or Catalyst 3560 E 12 2 35 SE2 or later Member or command switch Catalyst 3750 12 1 11 AX or later Member or command switch Catalyst 3560 12 1 19 EA1b or later Member or command switch Catalyst 3550 12 1 4 EA1 or later Member or...

Page 98: ...tomatic discovery of the switch cluster cluster candidates connected switch clusters and neighboring edge devices Discovery Through CDP Hops page 94 Discovery Through Non CDP Capable and Noncluster Capable Devices page 95 Discovery Through Different VLANs page 96 Discovery Through Different Management VLANs page 97 Discovery Through Routed Ports page 97 Discovery of Newly Installed Switches page 9...

Page 99: ...and switch is connected to a noncluster capable Cisco device it cannot discover a cluster enabled device connected beyond the noncluster capable Cisco device Figure 8 on page 96 shows that the cluster command switch discovers the switch that is connected to a third party hub However the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch Command device M...

Page 100: ...n Figure 9 on page 97 has ports assigned to VLANs 9 16 and 62 and therefore discovers the switches in those VLANs It does not discover the switch in VLAN 50 It also does not discover the switch in VLAN 16 in the first column because the cluster command switch has no VLAN connectivity to it Catalyst 2900 XL Catalyst 2950 and Catalyst 3500 XL cluster member switches must be connected to the cluster ...

Page 101: ...nd switches have ports assigned to VLANs 9 16 and 62 The management VLAN on the cluster command switch is VLAN 9 Each cluster command switch discovers the switches in the different management VLANs except these Switches 7 and 10 switches in management VLAN 4 because they are not connected through a common VLAN meaning VLANs 62 and 9 with the cluster command switch Switch 9 because automatic discov...

Page 102: ...ned to VLAN 1 When the new switch joins a cluster its default VLAN changes to the VLAN of the immediately upstream neighbor The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor 101324 RP RP VLAN 62 VLAN 9 VLAN 62 VLAN 9 VLAN 4 VLAN 9 Command device management VLAN 62 Member device 7 101323 VLAN 62 VLAN trunk 4 62 VLAN 62 VLAN 16 VLAN 9 VLAN 16 V...

Page 103: ... active cluster command switch to access the cluster You can assign an IP address to a cluster capable switch but it is not necessary A cluster member switch is managed and communicates with other cluster member switches through the command switch IP address If the cluster member switch leaves the cluster and it does not have its own IP address you must assign an IP address to manage it as a stand...

Page 104: ...cluster member switch inherits the command switch first read only RO and read write RW community strings with esN appended to the community strings command switch readonly community string esN where N is the member switch number command switch readwrite community string esN where N is the member switch number If the cluster command switch has multiple read only or read write community strings only...

Page 105: ...privilege level 1 If the command switch privilege level is 15 the cluster member switch is accessed at privilege level 15 Note The Catalyst 1900 and Catalyst 2820 CLI is available only on switches running Enterprise Edition Software For more information about the Catalyst 1900 and Catalyst 2820 switches refer to the installation and configuration guides for those switches Using SNMP to Manage Swit...

Page 106: ...gs they can be used in addition to the access provided by the cluster command switch Figure 13 SNMP Management for a Cluster Additional References The following sections provide references related to switch administration Trap T r a p T r a p Command switch Trap 1 Trap 2 Trap 3 Member 1 Member 2 Member 3 33020 SNMP Manager ...

Page 107: ...isco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pag...

Page 108: ...104 Configuring Switch Clusters Additional References ...

Page 109: ...tive or not that is whether it has been set by a time source considered to be authoritative If it is not authoritative the time is available only for display purposes and is not redistributed For configuration information see Configuring Time and Date Manually page 111 Network Time Protocol NTP is designed to time synchronize a network of devices NTP runs over User Datagram Protocol UDP which runs...

Page 110: ... on a device is a critical resource you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time Two mechanisms are available an access list based restriction scheme and an encrypted authentication mechanism Cisco s implementation of NTP does not support stratum 1 service it is not possible to connect to a radio or atomic clock We recommend that the...

Page 111: ...buted database with which you can map hostnames to IP addresses When you configure DNS on your switch you can substitute the hostname for the IP address with all IP commands such as ping telnet connect and related Telnet support operations IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the del...

Page 112: ...switch updates the address table adding new dynamic addresses and aging out those that are not in use The aging interval is globally configured However the switch maintains an address table for each VLAN and STP can accelerate the aging interval on a per VLAN basis The switch sends packets between any combination of ports based on the destination address of the received packet Using the MAC addres...

Page 113: ... for dynamic and secure MAC addresses Notifications are not generated for self addresses multicast addresses or other static addresses Static Addresses A static address has these characteristics Is manually entered in the address table and must be manually removed Can be a unicast or multicast address Does not age and is retained when the switch restarts You can add and remove static addresses and...

Page 114: ...ation unicast MAC address and the VLAN from which it is received MAC Address Learning on a VLAN By default MAC address learning is enabled on all VLANs on the switch You can control MAC address learning on a VLAN to manage the available MAC address table space by controlling which VLANs and therefore which ports can learn MAC addresses Before you disable MAC address learning be sure that you are f...

Page 115: ... ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP By default standard Ethernet style ARP encapsulation represented by the arpa keyword is enabled on the IP interface ARP entries adde...

Page 116: ...e is manually set zone Enters the name of the time zone to be displayed when standard time is in effect The default is UTC hours offset Enters the hours offset from UTC Optional minutes offset Enters the minutes offset from UTC 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 clock summer time zone recurring week day month hh mm week day...

Page 117: ...one date month date year hh mm month date year hh mm offset or clock summer time zone date date month year hh mm date month year hh mm offset Configures summer time to start on the first date and end on the second date Summer time is disabled by default zone Specifies the name of the time zone for example PDT to be displayed when summer time is in effect Optional week Specifies the week of the mon...

Page 118: ...r address2 server address6 Specifies the address of one or more name servers to use for name and address resolution You can specify up to six name servers Separate each server address with a space The first server specified is the primary server The switch sends DNS queries to the primary server first If that query fails the backup servers are queried 4 ip domain lookup Optional Enables DNS based ...

Page 119: ...er the ending delimiter are discarded message Enters a login message up to 255 characters You cannot use the delimiting character in the message 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 mac address table aging time 0 10 1000000 vlan vlan id Sets the length of time that a dynamic entry remains in the MAC address table after the en...

Page 120: ...raps mac notification change Enables the switch to send MAC address change notification traps to the NMS 4 mac address table notification change Enables the MAC address change notification feature 5 mac address table notification change interval value history size value Enters the trap interval time and the history table size Optional interval value Specifies the notification trap interval in seco...

Page 121: ...ty string notification type Specifies the recipient of the trap message host addr Specifies the name or address of the NMS traps the default Sends SNMP traps to the host informs Sends SNMP informs to the host version Specifies the SNMP version to support Version 1 the default is not available with informs community string Specifies the string to send with the notification operation You can set thi...

Page 122: ...mmend that you define this string by using the snmp server community command before using the snmp server host command notification type Uses the mac notification keyword 3 snmp server enable traps mac notification threshold Enables the switch to send MAC threshold notification traps to the NMS 4 mac address table notification threshold Enables the MAC address threshold notification feature 5 mac ...

Page 123: ...ter multiple interface IDs For static unicast addresses you can enter only one interface at a time but you can enter the command multiple times with the same MAC address and VLAN ID 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 mac address table static mac addr vlan vlan id drop Enables unicast MAC address filtering and configures the...

Page 124: ...0 26 April 2001 2 00 Command Purpose clear mac address table dynamic Removes all dynamic entries clear mac address table dynamic address mac address Removes a specific MAC address clear mac address table dynamic interface interface id Removes all addresses on the specified physical port or port channel clear mac address table dynamic vlan vlan id Removes all addresses on a specified VLAN show cloc...

Page 125: ...is example shows how to specify 172 20 10 10 as the NMS enable the switch to send MAC address notification traps to the NMS enable the MAC address change notification feature set the interval time to 123 seconds set the history size to 100 entries and enable traps whenever a MAC address is added on the specified port Switch config snmp server host 172 20 10 10 traps private mac notification Switch...

Page 126: ... Address to the MAC Address Table Example This example shows how to add the static address c2f3 220a 12f4 to the MAC address table When a packet is received in VLAN 4 with this MAC address as its destination address the packet is forwarded to the specified port Switch config mac address table static c2f3 220a 12f4 vlan 4 interface GigabitEthernet1 17 Configuring Unicast MAC Address Filtering Examp...

Page 127: ...s MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Tech...

Page 128: ...124 Performing Switch Administration Additional References ...

Page 129: ...rks that include distributed device clocks of varying precision and stability PTP is designed specifically for industrial networked measurement and control systems and is optimal for use in distributed systems because it requires minimal bandwidth and little processing overhead For information about configuring PTP on Cisco Industrial Ethernet switches see Precision Time Protocol Software Configur...

Page 130: ...126 Configuring PTP ...

Page 131: ...data exchange and defines communication paths to meet speed requirements PROFINET communication is scalable on three levels Normal non real time communication uses TCP IP and enables bus cycle times of approximately 100 ms Real time communication enables cycle times of approximately 10 ms Isochronous real time communication enables cycle times of approximately 1 ms PROFINET I O is a modular commun...

Page 132: ...nd diagnostic analysis The I O supervisor exchanges diagnostic status control and parameter information with the I O device An I O device is a distributed input output device such as a sensor an actuator or a motion controller Note If Profinet DCP cannot detect the switch PLC IO mac addresses temporarily disable the firewall virus scan from the Window PC that installed the Siemens STEP7 or TIA Por...

Page 133: ...r the device TCP IP IP address subnet mask default gateway SVI Primary temperature alarm Enables or disables monitoring for the specified alarm Secondary temperature alarm Enables or disables monitoring for the specified alarm RPS failed alarm Enables or disables monitoring for the specified alarm Relay major alarm Enables or disables monitoring for the specified alarm Reset to factory defaults Us...

Page 134: ...e 1 configure terminal Enters global configuration mode 2 profinet Enables PROFINET on the switch 3 profinet id line Optional Sets the PROFINET device identifier ID by using the Cisco IOS software The maximum length is 240 characters The only special characters allowed are the period and hyphen and they are allowed only in specific positions within the ID string It can have multiple labels within ...

Page 135: ...19 Commands for Displaying the PROFINET Configuration Command Purpose show profinet sessions Displays the currently connected PROFINET sessions show profinet status Displays the status of the PROFINET subsystem show lldp neighbor interface x x detail Displays information about the adjacent interface Table 20 Commands for Troubleshooting the PROFINET Configuration Command Purpose debug profinet ala...

Page 136: ... IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pages o...

Page 137: ...s for the collection of manufacturing automation applications control safety synchronization motion configuration and information CIP allows users to integrate these manufacturing applications with enterprise level Ethernet networks and the Internet How to Configure CIP Default Configuration By default CIP is not enabled Enabling CIP Command Purpose 1 configure terminal Enters global configuration...

Page 138: ...isplaying the CIP Configuration Command Purpose show cip connection faults file miscellaneous object security session status Displays information about the CIP subsystem Table 22 Commands for Troubleshooting the CIP Configuration Command Purpose debug cip assembly connection manager errors event file io packet request response security session socket Enables debugging of the CIP subsystem ...

Page 139: ...OS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pages of ...

Page 140: ...136 Configuring CIP Additional References ...

Page 141: ...h to optimize support for specific features depending on how the switch is used in the network You can select a template to provide maximum system usage for some functions or use the default template to balance resources To allocate ternary content addressable memory TCAM resources for different usages the switch SDM templates prioritize system resources to optimize support for certain features Wh...

Page 142: ... for IPv6 Dual IPv4 and IPv6 routing template Supports Layer 2 multicast routing including policy based routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 Resource Default IPv4 Routing Dual Default Dual Routing Unicast MAC addresses 16 K 16 K 16 K 16 K IPv4 IGMP or IPv6 groups 1K IPv4 1K IPv4 1K IPv4 1K IPv6 1K IPv4 1K IPv6 Direct routes 16K IPv4 16K IPv4 4K IPv4 4K IPv6 4K IPv4 4...

Page 143: ...nected IPv6 addresses 0 number of indirect IPv6 unicast routes 0 number of IPv4 policy based routing aces 0 125k number of IPv4 MAC qos aces 1 875k number of IPv4 MAC security aces 1 875k number of IPv6 policy based routing aces 0 number of IPv6 qos aces 0 number of IPv6 security aces 0 This is an example of output from the show sdm prefer dual ipv4 and ipv6 default command Command Purpose 1 confi...

Page 144: ... switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 16K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 6K number of directly connected IPv4 hosts 4K number of indirect IPv4 routes 2K number of IPv6 multicast groups 1K number of IPv6 unicast routes 7K number of directly connected IPv6 addresses 4K number of i...

Page 145: ...ources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 16K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicast routes 5 25K number of directly connected IPv4 hosts 4K number of indirect IPv4 routes 1 25K number of IPv6 multicast groups 1K number of IPv6 unicast routes 5 25K number of directly connected IPv6 ad...

Page 146: ...142 Configuring SDM Templates Configuration Examples for Configuring SDM Templates ...

Page 147: ...ccess You can prevent unauthorized users from reconfiguring your switch and viewing configuration information Typically you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the loca...

Page 148: ... a specific privilege level After you specify the level and set a password give the password only to users who need to have access at this level Use the privilege level global configuration command to specify commands accessible at various levels If you enable password encryption it applies to all passwords including username passwords authentication key passwords the privileged command password a...

Page 149: ...w ip commands are automatically set to privilege level 15 unless you set them individually to different levels To return to the default privilege for a given command use the no privilege mode level level command global configuration command Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privileg...

Page 150: ...rovides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS dae...

Page 151: ...ethod for authenticating the user CONTINUE The user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again cont...

Page 152: ...user s session The user is granted access to a requested service only if the information in the user profile allows it You can use the aaa authorization global configuration command with the tacacs keyword to set parameters that restrict a user s network access to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC...

Page 153: ...le host to a single utility such as Telnet or to the network through a protocol such as IEEE 802 1x For more information about this protocol see Configuring IEEE 802 1x Port Based Authentication page 189 Networks that require resource accounting You can use RADIUS accounting independently of RADIUS authentication or authorization The RADIUS accounting functions allow data to be sent at the start a...

Page 154: ...assword The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled The additional data included with the ACCEPT or REJECT packets includes these items Telnet SSH rlogin or privileged EXEC services Connection parameters ...

Page 155: ...ese per session CoA requests Session reauthentication Session termination Session termination with port shutdown Session termination with port bounce Change of Authorization Requests Change of Authorization CoA requests as described in RFC 5176 are used in a push model to allow for session identification host reauthentication and session termination The model is comprised of one request CoA Reques...

Page 156: ...AK or CoA NAK with the Invalid Attribute Value error code attribute For disconnect and CoA requests targeted to a particular session any one of these session identifiers can be used Calling Station ID IETF attribute 31 which should contain the MAC address Attribute Number Attribute Name 24 State 31 Calling Station ID 44 Acct Session ID 80 Message Authenticator 101 Error Cause Value Explanation 201...

Page 157: ... based on the CoA Request and are discussed in individual CoA Commands CoA NAK Response Code A negative acknowledgement NAK indicates a failure to change the authorization state and can include attributes that indicate the reason for the failure Use show commands to verify a successful CoA CoA Request Commands CoA Session Reauthentication The AAA server typically generates a session reauthenticati...

Page 158: ...blems on the network and you need to immediately block network access for the host When you want to restore network access on the port reenable it using a non RADIUS mechanism When a device with no supplicant such as a printer needs to acquire a new IP address for example after a VLAN change terminate the session on the host port with port bounce temporarily disable and then reenable the port CoA ...

Page 159: ... numbers The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address If two different host entries on the same RADIUS server are configured for the same servi...

Page 160: ...d use them for a particular service The server group is used with a global server host list which lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a speci...

Page 161: ...9 and the supported option has vendor type 1 which is named cisco avpair The value is a string with this format protocol attribute sep value protocol is a value of the Cisco protocol attribute for a particular type of authorization Attribute and value are an appropriate attribute value AV pair defined in the Cisco TACACS specification and sep is for mandatory attributes and is for optional attribu...

Page 162: ...kets which have a limited lifespan are stored in user credential caches The Kerberos server uses the tickets instead of usernames and passwords to authenticate users and network services Note A Kerberos server can be a switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol The Kerberos credential scheme uses a process called single log...

Page 163: ... of a Kerberos server and database program that is running on a network host Kerberized A term that describes applications and services that have been modified to support the Kerberos credential infrastructure Kerberos realm A domain consisting of users hosts and network services that are registered to a Kerberos server The Kerberos server is trusted to verify the identity of a user or network ser...

Page 164: ...that includes the user identity to the switch 5 The switch attempts to decrypt the TGT by using the password that the user entered If the decryption is successful the user is authenticated to the switch If the decryption is not successful the user repeats Step 2 either by reentering the username and password noting if Caps Lock or Num Lock is on or off or by entering a different username and passw...

Page 165: ...tion No accounting is available in this configuration Secure Shell To use this feature you must install the cryptographic encrypted software image on your switch You must obtain authorization to use this feature and to download the cryptographic software files from Cisco com For more information see the release notes for this release For SSH configuration examples see the SSH Configuration Example...

Page 166: ...er or SSH client An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server and the reverse If you get CLI error messages after entering the crypto key generate rsa global configuration command an RSA key pair has not been generated Reconfigure the hostname and domain and then enter the crypto key generate rsa command For more information see Setting Up the Switch to Run SSH page 1...

Page 167: ...ou configure a CA trustpoint you should ensure that the system clock is set If the clock is not set the certificate is rejected due to an incorrect date Default SSL Settings Certificate Authority Trustpoints Certificate authorities CAs manage certificate requests and issue certificates to participating network devices These services provide centralized security key and certificate management for t...

Page 168: ...ient browser that supports 128 bit encryption such as Microsoft Internet Explorer Version 5 5 or later or Netscape Communicator Version 4 76 or later The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites as it does not offer 128 bit encryption The more secure and more complex CipherSuites require slightly more processing time This list defines the CipherSuites...

Page 169: ...n the Cisco IOS Security Configuration Guide Securing User Services Release 12 4 http www cisco com en US docs ios sec_user_services configuration guide sec_secure_copy_ps6350_TSD_Produ cts_Configuration_Guide_Chapter html How to Configure Switch Based Authentication Configuring Password Protection Setting or Changing a Static Enable Password Command Purpose 1 configure terminal Enters global conf...

Page 170: ...is defined Optional encryption type Only type 5 a Cisco proprietary encryption algorithm is available If you specify an encryption type you must provide an encrypted password an encrypted password that you copy from another switch configuration Note If you specify an encryption type and then enter a clear text password you cannot reenter privileged EXEC mode You cannot recover a lost encrypted pas...

Page 171: ...haracters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces By default no password is defined 6 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 username name privilege level password encryption type password Enters the username privilege level and password for each user name Specifies the...

Page 172: ...or global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode level The range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is the level of access permitted by the enable password command Specifies the command to which you want to restrict access 3 enable password level level password Specifies the enable p...

Page 173: ...up system if the initial method fails The software uses the first method listed to authenticate to authorize or to keep accounts on users if that method does not respond the software selects the next method in the list This process continues until there is successful communication with a listed method or the method list is exhausted 3 privilege level level Changes the default privilege level for t...

Page 174: ...ame or IP address of the host Optional port integer Specifies a server port number The default is port 49 The range is 1 to 65535 Optional timeout integer Specifies a time in seconds the switch waits for a response from the daemon before it times out and declares an error The default is 5 seconds The range is 1 to 1000 seconds Optional key string Specifies the encryption key for encrypting and dec...

Page 175: ...thentication Before you can use this authentication method you must configure the TACACS server For more information see Identifying the TACACS Server Host and Setting the Authentication Key page 170 line Uses the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Uses the local u...

Page 176: ...e key string to be shared by both the server and the switch Command Purpose 1 configure terminal Enters global configuration mode 2 aaa authorization network tacacs Configures the switch for user TACACS authorization for all network related service requests 3 aaa authorization exec tacacs Configures the switch for user TACACS authorization if the user has privileged EXEC access The exec keyword mi...

Page 177: ...quest is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional key string Specifies the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note ...

Page 178: ... configuration command is used Optional key string specifies the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key as the last item in the radius server host command Leading spaces are ignored but spaces within and at the end...

Page 179: ...figuration command group radius Uses RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see RADIUS Server Host page 155 line Uses the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Uses the local userna...

Page 180: ...requests 3 aaa accounting exec start stop radius Enables RADIUS accounting to send a start record accounting notice at the beginning of a privileged EXEC process and a stop record at the end 4 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 radius server key string Specifies the shared secret text string used between the switch and all RA...

Page 181: ...configure terminal Enters global configuration mode 2 radius server host hostname ip address non standard Specifies the IP address or hostname of the remote RADIUS server host and identifies that it is using a vendor proprietary implementation of RADIUS 3 radius server key string Specifies the shared secret text string used between the switch and the vendor proprietary RADIUS server The switch and...

Page 182: ...nfigures the switch to ignore a CoA request to temporarily disable the port hosting a session The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change 11 authentication command disable port ignore Optional Configures the switch to ignore a nonstandard command requesting t...

Page 183: ... can contain embedded spaces and must be the last option specified in the username command 7 end Returns to privileged EXEC mode 8 show running config Verifies your entries 9 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Task Purpose 1 Download the cryptographic software image from Cisco com Required For more information see the notes for ...

Page 184: ...s The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out...

Page 185: ...enerates an RSA key pair RSA key pairs are required before you can obtain a certificate for the switch RSA key pairs are generated automatically You can use this command to regenerate the keys if needed 5 crypto ca trustpoint name Specifies a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode 6 enrollment url url Specifies the URL to which the switch should s...

Page 186: ...does not attempt to authenticate the client 7 ip http secure trustpoint name Specifies the CA trustpoint to use to get an X 509v3 security certificate and to authenticate the client certificate connection Note Use of this command assumes you have already configured a CA trustpoint according to the previous procedure 8 ip http path path name Optional Sets a base HTTP path for HTML files The path sp...

Page 187: ...ha des cbc sha Optional Specifies the CipherSuites encryption algorithms to be used for encryption over the HTTPS connection If you do not have a reason to specify a particular CipherSuite you should allow the server and client to negotiate a CipherSuite that they both support This is the default 4 end Returns to privileged EXEC mode 5 show ip http client secure status Displays the status of the H...

Page 188: ...t enter to use level 14 commands Switch config privilege exec level 14 configure Switch config enable password level 14 SecretPswd14 Configuring the RADIUS Server Examples This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting Switch config radius server host 172 29 36 49 auth port 1612 key rad1 Switch config radius server host 172...

Page 189: ...ACL in ASCII format to an interface for the duration of this connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Configuring a Vendor Proprietary RADIUS Host Example This example shows how to specify a vendor proprietary RADIUS host and to use a secret key of rad124 between the switch and the server Switch config radius server host 172 20 30 15 nonstandard Switch config radius ...

Page 190: ... server a new self signed certificate is generated Verifying Secure HTTP Connection Example To verify the secure HTTP connection by using a Web browser enter https URL where the URL is the IP address or hostname of the server switch If you configure a port other than the default port you must also specify the port number after the URL For example https 209 165 129 1026 or https host domain com 102...

Page 191: ...S User Security Configuration Guide Password protection commands Cisco IOS Security Command Reference Kerberos commands Cisco IOS Security Command Reference Secure Shell commands Cisco IOS Security Command Reference Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and downloa...

Page 192: ...188 Configuring Switch Based Authentication Additional References ...

Page 193: ... switch port before making available any switch or LAN services Until the client is authenticated IEEE 802 1x access control allows only Extensible Authentication Protocol over LAN EAPOL Cisco Discovery Protocol CDP and Spanning Tree Protocol STP traffic through the port to which the client is connected After authentication normal traffic passes through the port Device Roles Figure 18 802 1x Devic...

Page 194: ...et header is stripped and the remaining EAP frame is re encapsulated in the RADIUS format The EAP frames are not modified during encapsulation and the authentication server must support EAP within the native frame format When the switch receives frames from the authentication server the server s frame header is removed leaving the EAP frame which is then encapsulated for Ethernet and sent to the c...

Page 195: ...ected during reauthentication You manually reauthenticate the client by entering the dot1x re authenticate interface interface id privileged EXEC command If multidomain authentication MDA is enabled on a port this flow can be used with some exceptions that are applicable to voice authorization For more information on MDA see Multidomain Authentication page 197 281594 Client identity is invalid All...

Page 196: ...onds with an EAP response identity frame However if during boot up the client does not receive an EAP request identity frame from the switch the client can initiate authentication by sending an EAPOL start frame which prompts the switch to request the client s identity Note If 802 1x authentication is not enabled or supported on the network access device any EAPOL frames from the client are droppe...

Page 197: ...essful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and stops 802 1x authentication Figure 21 Message Exchange During MAC Authentication Bypass 101228 Client Port Authorized Port Unauthori...

Page 198: ...able ACL Redirect URL VLAN assignment Per user ACL Filter ID attribute Downloadable ACL Redirect URL VLAN assignment Per user ACL Filter Id attribute Downloadable ACL Redirect URL Per user ACL Filter Id attribute Downloadable ACL Redirect URL MAC authentication bypass VLAN assignment Per user ACL Filter ID attribute Downloadable ACL Redirect URL VLAN assignment Per user ACL Filter ID attribute Dow...

Page 199: ...onnected host The authentication manager commands control generic authentication features such as host mode violation mode and the authentication timer Generic authentication commands include the authentication host mode authentication violation and authentication timer interface configuration commands 802 1x specific commands begin with the dot1x or authentication keyword For example the authenti...

Page 200: ...n an EAPOL start frame is received The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server Each client attempting to access the network is uniquely identified by the switch by using the client MAC address If the client is successfully authenticated receives an Accept frame from the authentication server the port st...

Page 201: ...Attribute Value AV pair attribute with a value of device traffic class voice Without this value the switch treats the voice device as a data device The guest VLAN and restricted VLAN features only apply to the data devices on an MDA enabled port The switch treats a voice device that fails authorization as a data device If more than one device attempts authorization on either the voice or the data ...

Page 202: ...e clients they are discarded from the port but no violation errors occur If a hub or access point is connected to an 802 1x enabled port each connected client must be authenticated For non 802 1x devices you can use MAC authentication bypass or web authentication as the per host authentication fallback method to authenticate different hosts with different methods on a single port There is no limit...

Page 203: ...ered in that mode It does not apply to ports in multiple host mode because in that mode only the first host requires authentication If you configure the authentication violation interface configuration command with the replace keyword the authentication process on a port in multidomain mode is A new MAC address is received on a port with an existing authenticated MAC address The authentication man...

Page 204: ...ture to determine if the devices connected to the switch ports are 802 1x capable You use an alternate authentication such as MAC authentication bypass or web authentication for the devices that do not support 802 1x functionality This feature only works if the supplicant on the client supports a query with the NOTIFY EAP notification packet The client must respond within the 802 1x timeout value ...

Page 205: ... When a voice device is authorized and the RADIUS server returns an authorized VLAN the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication MDA enabled ports For more information see Multidomain Authentication page 197 When configured on the switch and the RADIUS ser...

Page 206: ... port Assign vendor specific tunnel attributes in the RADIUS server The RADIUS server must return these attributes to the switch 64 Tunnel Type VLAN 65 Tunnel Medium Type 802 81 Tunnel Private Group ID VLAN name VLAN ID or VLAN Group 83 Tunnel Preference Attribute 64 must contain the value VLAN type 13 Attribute 65 must contain the value 802 type 6 Attribute 81 specifies the VLAN name or VLAN ID a...

Page 207: ...tch during the authentication process The VSAs used for per user ACLs are inacl n for the ingress direction and outacl n for the egress direction MAC ACLs are supported only in the ingress direction The switch supports VSAs only in the ingress direction It does not support port ACLs in the egress direction on Layer 2 ports For more information see Configuring Network Security with ACLs page 545 Us...

Page 208: ...on modes open and closed If there is no static ACL on a port in closed authentication mode An auth default ACL is created The auth default ACL allows only DHCP traffic until policies are enforced When the first host authenticates the authorization policy is applied without IP address insertion When a second host is detected the policies for the first host are refreshed and policies for the first a...

Page 209: ...ble ACLs on the Cisco Secure ACS with the ACL IP name number attribute The name is the ACL name The number is the version number for example 3f783768 If a downloadable ACL is configured for a client on the authentication server a default port ACL on the connected client switch port must also be configured If the default ACL is configured on the switch and the Cisco Secure ACS sends a host access p...

Page 210: ...ce device However the switch no longer allows other devices access to the guest VLAN To prevent this situation use one of these command sequences Enter the authentication event no response action authorize vlan vlan id interface configuration command to allow access to the guest VLAN Enter the shutdown interface configuration command followed by the no shutdown interface configuration command to r...

Page 211: ... a VLAN sent by the RADIUS server You can disable reauthentication If you do this the only way to restart the authentication process is for the port to receive a link down or EAP logoff event We recommend that you keep reauthentication enabled if a client might connect through a hub When a client disconnects from the hub the port might not receive the link down or EAP logoff event After a port mov...

Page 212: ...matically reauthenticated For more information see Configuring Inaccessible Authentication Bypass page 227 Feature Interactions Inaccessible authentication bypass interacts with these features Guest VLAN Inaccessible authentication bypass is compatible with guest VLAN When a guest VLAN is enabled on 8021 x port the features interact as follows If at least one RADIUS server is available the switch ...

Page 213: ...For more information about voice VLANs see Configuring Voice VLAN page 309 802 1x Authentication with Port Security In general Cisco does not recommend enabling port security when IEEE 802 1x is enabled Since IEEE 802 1x enforces a single MAC address per port or per VLAN when MDA is configured for IP telephony port security is redundant and in some cases may interfere with expected IEEE 802 1x ope...

Page 214: ...at were authorized with MAC authentication bypass can be reauthenticated The reauthentication process is the same as that for clients that were authenticated with 802 1x During reauthentication the port remains in the previously assigned VLAN If reauthentication is successful the switch keeps the port in the same VLAN If reauthentication fails the switch assigns the port to the guest VLAN if one i...

Page 215: ...ote The RADIUS server can send the VLAN information in any combination of VLAN IDs VLAN names or VLAN groups 802 1x User Distribution Configuration Guidelines Confirm that at least one VLAN is mapped to the VLAN group You can map more than one VLAN to a VLAN group You can modify the VLAN group by adding or deleting a VLAN When you clear an existing VLAN from the VLAN group name none of the authent...

Page 216: ...authenticate a new host MAC authentication bypass and 802 1x can be the primary or secondary authentication methods and web authentication can be the fallback method if either or both of those authentication attempts fail For the configuration commands see Configuring Optional 802 1x Authentication Features page 224 Open1x Authentication Open1x authentication allows a device access to a port befor...

Page 217: ...nnecting to the supplicant switch to the authenticator switch as shown in Figure 23 on page 213 Auto enablement automatically enables trunk configuration on the authenticator switch allowing user traffic from multiple VLANs coming from supplicant switches Configure the cisco av pair as device traffic class switch at the ACS You can configure this under the group or the user settings Figure 23 Auth...

Page 218: ...user or a group to which the user belongs The Filter Id attribute for the user takes precedence over that for the group If a Filter Id attribute from the ACS specifies an ACL that is already configured it takes precedence over a user configured ACL If the RADIUS server sends more than one Filter Id attribute only the last attribute is applied If the Filter Id attribute is not defined on the switch...

Page 219: ...nauthorized state Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number of times that the switc...

Page 220: ...ort mode is not changed Dynamic ports A port in dynamic mode can negotiate with its neighbor to become a trunk port If you try to enable 802 1x authentication on a dynamic port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to dynamic an error message appears and the port mode is not changed Dynamic access ports If you try ...

Page 221: ... has an IP address from the DHCP server receiving an EAP Success message on a critical port might not reinitiate the DHCP configuration process You can configure the inaccessible authentication bypass feature and the restricted VLAN on an 802 1x port If the switch tries to reauthenticate a critical port in a restricted VLAN and all the RADIUS servers are unavailable switch changes the port state t...

Page 222: ...n is performed 3 The VLAN assignment is enabled as appropriate based on the RADIUS server configuration 4 The switch sends a start message to an accounting server 5 Reauthentication is performed as necessary 6 The switch sends an interim accounting update to the accounting server that is based on the result of reauthentication 7 The user disconnects from the port 8 The switch sends a stop message ...

Page 223: ...s single host mode must be configured This setting is the default 6 radius server host ip address Optional Specifies the IP address of the RADIUS server 7 radius server key string Optional Specifies the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server 8 interface interface id Specifies the port connected to the client to enable for 802 1x...

Page 224: ...ored but spaces within and at the end of the key are used If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon If you want to use multiple RADIUS servers reenter this command 3 end Returns to privileged EXEC mode 4 show running config Verifies your entries 5 copy running co...

Page 225: ...ividual VLANs Optional vlan list Specifies a list of VLANs to be reenabled If vlan list is not specified all VLANs are reenabled 5 shutdown no shutdown Optional Reenables an error disabled VLAN and clear all error disable indications 6 end Returns to privileged EXEC mode 7 show errdisable detect Verifies your entries 8 copy running config startup config Optional Saves your entries in the configura...

Page 226: ...endor specific attributes VSAs 3 interface interface id Specifies the port to which multiple hosts are indirectly attached and enter interface configuration mode 4 authentication host mode multi auth multi domain multi host single host The keywords have these meanings multi auth Allows one client on the voice VLAN and multiple authenticated clients on the data VLAN Each host is individually authen...

Page 227: ...f the reauthentication timer or to have the switch use a RADIUS provided session timeout enter the authentication timer reauthenticate command 4 authentication timer inactivity reauthenticate restart value Sets the number of seconds between reauthentication attempts inactivity Interval in seconds after which if there is no activity from the client then it is unauthorized reauthenticate Time in sec...

Page 228: ...rface configuration mode 4 authentication timer inactivity seconds Optional Sets the number of seconds that the switch remains in the quiet state after a failed authentication exchange with the client The range is 1 to 65535 seconds the default is 60 5 authentication timer reauthenticate seconds Optional Sets the number of seconds that the switch waits for a response to an EAP request identity fra...

Page 229: ...ets the order of authentication methods used on a port 11 authentication priority dot1x mab webauth Optional Adds an authentication method to the port priority list 12 dot1x default Resets the 802 1x parameters to the default values 13 end Returns to privileged EXEC mode 14 show authentication interface interface id Verifies your entries 15 copy running config startup config Optional Saves your en...

Page 230: ...rivate VLAN host port 4 authentication port control auto Enables 802 1x authentication on the port 5 authentication event no response action authorize vlan vlan id Specifies an active VLAN as an 802 1x guest VLAN The range is 1 to 4096 You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN a primary private VLAN or a voice VLAN as an 802 1x guest VLAN 6 end Returns to ...

Page 231: ...ure any active VLAN except an internal VLAN routed port an RSPAN VLAN a primary private VLAN or a voice VLAN as an 802 1x restricted VLAN 6 authentication event retry retry count Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN The range is 1 to 3 and the default is 3 7 end Returns to privileged EXEC mode 8 show authentication interface interface id...

Page 232: ...es are ignored but spaces within and at the end of the key are used If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon You can also configure the authentication and encryption key by using the radius server key 0 string 7 string string global configuration command 5 dot1x...

Page 233: ... vlan group all vlan group name Verifies the configuration 3 no vlan group vlan group name vlan list vlan list Clears the VLAN group configuration or elements of the VLAN group configuration Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies the port to be configured and enters interface configuration mode 3 authentication event no response act...

Page 234: ...figures the interface as a port access entity PAE authenticator 7 spanning tree portfast Enables Port Fast on an access port connected to a single workstation or server 8 end Returns to privileged EXEC mode 9 show running config interface interface id Verifies your configuration 10 copy running config startup config Optional Saves your entries in the configuration file Command Purpose 1 configure ...

Page 235: ...tion 13 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2 ip device tracking Configures the IP device tracking table 3 aaa new model Enables AAA 4 aaa authorization network default group radius Sets the authorization method to local To remove the authorization method use t...

Page 236: ...ace interface id Enters interface configuration mode 4 ip access group acl id in Configures the default ACL on the port in the input direction Note The acl id is an access list name or number 5 exit Returns to global configuration mode 6 aaa new model Enables AAA 7 aaa authorization network default group radius Sets the authorization method to local To remove the authorization method use the no aa...

Page 237: ...hentication host mode multi auth multi domain multi host single host Optional Sets the authorization manager mode on a port 6 authentication open Optional Enables or disables open access on a port 7 authentication order dot1x mab webauth Optional Sets the order of authentication methods used on a port 8 authentication periodic Optional Enables or disables reauthentication on a port 9 authenticatio...

Page 238: ...ost Switch config if end Enabling MDA Example This example shows how to enable MDA and to allow both a host and a voice device on the port Switch config interface GigabitEthernet1 18 Switch config if authentication port control auto Switch config if authentication host mode multi domain Switch config if switchport voice vlan 101 Switch config if end Disabling the VLAN Upon Switch Violoation Exampl...

Page 239: ...f seconds that the switch waits for a response to an EAP request identity frame from the client before resending the request and to enable VLAN 2 as an 802 1x guest VLAN when an 802 1x port is connected to a DHCP client Switch config if authentication timer inactivity 3 Switch config if authentication timer reauthenticate 15 Switch config if authentication event no response action authorize vlan 2...

Page 240: ...o the groups and to verify the VLAN group configurations and mapping to the specified VLANs switch config vlan group eng dept vlan list 10 switch config show vlan group group name eng dept Group Name Vlans Mapped eng dept 10 switch show dot1x vlan group all Group Name Vlans Mapped eng dept 10 hr dept 20 This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was ...

Page 241: ...itch as a supplicant Switch configure terminal Switch config cisp enable Switch config dot1x credentials test Switch config username suppswitch Switch config password myswitch Switch config dot1x supplicant force multicast Switch config interface GigabitEthernet1 17 Switch config if switchport mode trunk Switch config if dot1x pae supplicant Switch config if dot1x credentials test Switch config if...

Page 242: ...ol direction both Switch config au ten tic at ion fallback profile1 Switch config authentication host mode multi auth Switch config authentication open Switch config authentication order dot1x webauth Switch config authentication periodic Switch config authentication port control auto Additional References The following sections provide references related to switch administration ...

Page 243: ...port for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs ...

Page 244: ...240 Configuring IEEE 802 1x Port Based Authentication Additional References ...

Page 245: ...s are not detected by the web based authentication feature because they do not send ARP messages Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port This occurs because the ARP and DHCP updates might not be sent after a Layer 2 STP topology change Web based authentication does not support VLAN ...

Page 246: ...ntication Customizable Web Pages page 246 Web Based Authentication Interactions with Other Features page 247 Device Roles With web based authentication the devices in the network have these specific roles Client The device workstation that requests access to the LAN and the services and responds to requests from the switch The workstation must be running an HTML browser with Java Script enabled Au...

Page 247: ...HTTP session The HTTP traffic is intercepted and authorization is initiated The switch sends the login page to the user The user enters a username and password and the switch sends the entries to the authentication server If the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authen...

Page 248: ...sion auth proxy banner http global configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page as shown in Figure 25 on page 244 Figure 25 Authentication Successful Banner You can also customize the banner as shown in Figure 26 on page 245 Add a switch router or company name to th...

Page 249: ... enable a banner only the username and password dialog boxes appear in the web authentication login screen and no banner appears when you log into the switch as shown in Figure 27 Figure 27 Login Screen with No Banner For more information see the Cisco IOS Security Command Reference and Configuring a Web Authentication Local Banner page 252 ...

Page 250: ...e The CLI command to redirect users to a specific URL is not available when the configured login form is enabled The administrator should ensure that the redirection is configured in the web page If the CLI command redirecting users to a specific URL after authentication occurs is entered and then the command configuring web pages is entered the CLI command redirecting users to a specific URL does...

Page 251: ...login feature is not available To remove the specification of a custom file use the no form of the command Because the custom login page is a public web form consider these guidelines for the page The login form must accept user entries for the username and password and must show them as uname and pwd The custom login page should follow best practices for a web form such as page timeout hidden pas...

Page 252: ...n on the same Layer 3 interface as Gateway IP The host policies for both features are applied in software The GWIP policy overrides the web based authentication host policy ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface the ACL is applied to the host traffic only after the web based authentication host policy is applied For Layer 2 web based authentication you must configure a...

Page 253: ... same service for example authentication the second host entry that is configured functions as the failover backup to the first one The RADIUS host entries are chosen in the order that they were configured How to Configure Web Based Authentication Configuring the Authentication Rule and Interfaces Feature Default Settings AAA Disabled RADIUS server IP address UDP authentication port Key None speci...

Page 254: ...e remote RADIUS server The test username username option enables automated testing of the RADIUS server connection The specified username does not need to be a valid user name 5 radius server key string Configures the authorization and encryption key used between the switch and the RADIUS daemon running on the RADIUS server To use multiple RADIUS servers reenter this command for each server Comman...

Page 255: ...fies the number of unanswered sent messages to a RADIUS server before considering the server to be inactive The range of num tries is 1 to 100 Command Purpose Command Purpose 1 ip http server Enables the HTTP server The web based authentication feature uses the HTTP server to communicate with the hosts for user authentication 2 ip http secure server Enables HTTPS Command Purpose 1 ip admission pro...

Page 256: ...o 2147483647 attempts The default is 5 2 end Returns to privileged EXEC mode 3 show ip admission configuration Displays the authentication proxy configuration 4 show ip admission cache Displays the list of authentication entries 5 copy running config startup config Optional Saves your entries in the configuration file Command Purpose 1 configure terminal Enters global configuration mode 2 ip admis...

Page 257: ...5 Enabling AAA Example This example shows how to enable AAA Switch config aaa new model Switch config aaa authentication login default group radius Switch config aaa authorization auth proxy default group radius Configuring the RADIUS Server Parameters Example This example shows how to configure the RADIUS server parameters on a switch Switch config ip radius source interface Vlan80 Switch config ...

Page 258: ...tication Proxy Session ratelimit is 100 Authentication Proxy Watch list is disabled Authentication Proxy Auditing is disabled Max Login attempts per user is 5 Configuring a Redirection URL Example This example shows how to configure a redirection URL for successful login Switch config ip admission proxy http success redirect www cisco com Verifying a Redirection URL Example This example shows how ...

Page 259: ...thentication Session Example This example shows how to remove the web based authentication session for the client at the IP address 209 165 201 1 Switch clear ip auth proxy cache 209 165 201 1 Additional References The following sections provide references related to switch administration ...

Page 260: ...g standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been mod...

Page 261: ... Macro Name1 Description Global Configuration Macros cisco cg global Use this global configuration macro to configure the switch settings for the industrial Ethernet environment This macro is automatically applied when you use Express Setup to initially configure the switch Note You must first apply the cisco cg global macro for the interface configuration macros to work properly cisco cg password...

Page 262: ...ess point This macro is optimized for utility deployments no cisco cg wireless Use the no form of this interface configuration macro to delete the macro from the switch cisco desktop Use this interface configuration macro for increased network security and reliability when connecting a desktop device such as a PC to a switch port This macro is optimized for utility deployments no cisco desktop Use...

Page 263: ...o the remaining interfaces When you apply a macro to a switch or a switch interface the macro name is automatically added to the switch or interface You can display the applied commands and macro names by using the show running config user EXEC command Applying Smartports Macros cisco ie router Use this interface configuration macro when connecting the switch and a WAN router This macro is optimiz...

Page 264: ...cro 6 default interface interface id Optional Clears all configuration from the specified interface 7 macro apply trace macro name parameter value parameter value parameter value Applies each individual command defined in the macro to the port by entering macro global apply macro name Specifies macro global trace macro name to apply and to debug a macro to find any syntax or configuration errors A...

Page 265: ...rity aging time 2 switchport port security violation restrict switchport port security aging type inactivity spanning tree portfast spanning tree bpduguard enable no macro description macro description cisco ie desktop Switch Switch configure terminal Switch config interface GigabitEthernet1 20 Switch config if macro apply cisco ie desktop AVID 25 Additional References The following sections provi...

Page 266: ...Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pa...

Page 267: ...he SXP Connections page 267 Configuring Cisco TrustSec Caching page 268 Cisco TrustSec SGT Exchange Protocol Feature Histories For a list of supported TrustSec features per platform and the minimum required IOS release see the Cisco TrustSec Platform Support Matrix at the following URL final URL posted with TS 4 0 http www cisco com en US solutions ns170 ns896 ns1051 trustsec_matrix html Otherwise...

Page 268: ...ng password protection make sure to use the same password on both ends Note If a default SXP source IP address is not configured and you do not configure an SXP source address in the connection the Cisco TrustSec software derives the SXP source IP address from existing local IP addresses The SXP source address might be different for each TCP connection initiated from the switch To configure the SX...

Page 269: ...config cts sxp connection peer peer ipv4 addr source src ipv4 addr password default none mode local peer speaker listener vrf vrf name Configures the SXP address connection The optional source keyword specifies the IPv4 address of the source device If no address is specified the connection will use the default source address if configured or the address of the port The password keyword specifies t...

Page 270: ... 2 2 Changing the SXP Reconciliation Period After a peer terminates an SXP connection an internal hold down timer starts If the peer reconnects before the internal hold down timer expires the SXP reconciliation period timer starts While the SXP reconciliation period timer is active the Cisco TrustSec software retains the SGT mapping entries learned from the previous connection and removes invalid ...

Page 271: ...dress to SGT binding occurs add delete change These changes are learned and propagated on the SXP connection The default is no cts sxp log binding changes To enable logging of binding changes perform the following task Verifying the SXP Connections To view the SXP connections perform this task Command Purpose 1 Router configure terminal Enters configuration mode 2 Router config cts sxp reconciliat...

Page 272: ... outages you can enable caching of authentication authorization and policy information for Cisco TrustSec connections Caching allows Cisco TrustSec devices to use unexpired security information to restore links after an outage without requiring a full reauthentication of the Cisco TrustSec domain The Cisco TrustSec devices will cache security information in DRAM If non volatile NV storage is also ...

Page 273: ...ode 2 Router config no cts cache enable Enables caching of authentication authorization and environment data information to DRAM The default is disabled The no form of this command deletes all cached information from DRAM and non volatile storage 3 Router config no cts cache nv storage bootdisk bootflash disk0 directory dir name When DRAM caching is enabled enables DRAM cache updates to be written...

Page 274: ...270 Configuring SGT Exchange Protocol over TCP SXP and Layer 3 Transport Configuring Cisco TrustSec Caching ...

Page 275: ...ack bridging as shown in Figure 29 on page 271 Because a VLAN is considered a separate logical network it contains its own bridge Management Information Base MIB information and can support its own implementation of spanning tree See Configuring STP page 315 Note Before you create VLANs you must decide whether to use VLAN Trunking Protocol VTP to maintain global VLAN configuration for your network...

Page 276: ...rsions the switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4096 This release supports VTP version 3 VTP version 3 supports the entire VLAN range VLANs 1 to 4096 Extended range VLANs VLANs 1006 to 4096 are supported only in VTP version 3 You cannot convert from VTP version 3 to VTP version 2 if extended VLANs are configured in the domain Although the switch supports a t...

Page 277: ...of a second switch Trunk ISL or IEEE 802 1Q A trunk port is a member of all VLANs by default including extended range VLANs but membership can be limited by configuring the allowed VLAN list You can also modify the pruning eligible list to block flooded traffic to VLANs on trunk ports that are included in the list For information about configuring trunk ports see Configuring an Ethernet Interface ...

Page 278: ... always saved in the VLAN database vlan dat file If the VTP mode is transparent they are also saved in the switch running configuration file You can enter the copy running config startup config privileged EXEC command to save the configuration in the startup configuration file To display the VLAN configuration enter the show vlan privileged EXEC command When you save VLAN and VTP information inclu...

Page 279: ...support Token Ring or FDDI media The switch does not forward FDDI FDDI Net TrCRF or TrBRF traffic but it does propagate the VLAN configuration through VTP The switch supports 128 spanning tree instances If a switch has more active VLANs than supported spanning tree instances spanning tree can be enabled on 128 VLANs and is disabled on the remaining VLANs If you have already used all available span...

Page 280: ... 1002 to 1005 Caution When you delete a VLAN any ports assigned to that VLAN become inactive They remain associated with the VLAN and thus inactive until you assign them to a new VLAN Static Access Ports for a VLAN You can assign a static access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP VTP transparent mode If you are assigning a port on a...

Page 281: ... 2 you can set the VTP mode to transparent in global configuration mode See Adding a VTP Client Switch to a VTP Domain page 303 You should save this configuration to the startup configuration so that the switch boots up in VTP transparent mode Otherwise you lose the extended range VLAN configuration if the switch resets If you create extended range VLANs in VTP version 3 you cannot convert to VTP ...

Page 282: ...configuration command to disable trunking To enable trunking to a device that does not support DTP use the switchport mode trunk and switchport nonegotiate interface configuration commands to cause the interface to become a trunk but to not generate DTP frames IEEE 802 1Q Configuration Guidelines The IEEE 802 1Q trunks impose these restrictions on the trunking strategy for a network Table 35 Layer...

Page 283: ...ning tree Default Layer 2 Ethernet Interface VLAN Settings Ethernet Interface as a Trunk Port Because trunk ports send and receive VTP advertisements to use VTP you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of a second switch Otherwise the switch cannot receive any VTP advertisements Note By default an interface is ...

Page 284: ...rface continues to send and receive management traffic for example Cisco Discovery Protocol CDP Port Aggregation Protocol PAgP Link Aggregation Control Protocol LACP DTP and VTP in VLAN 1 If a trunk port with VLAN 1 disabled is converted to a nontrunk port it is added to the access VLAN If the access VLAN is set to 1 the port will be added to VLAN 1 regardless of the switchport trunk allowed setti...

Page 285: ... 2 In this way Trunk 1 carries traffic for VLANs 8 through 10 and Trunk 2 carries traffic for VLANs 3 through 6 If the active trunk fails the trunk with the lower priority takes over and carries the traffic for all of the VLANs No duplication of traffic occurs over any trunk port Figure 30 Load Sharing by Using STP Port Priorities Load Sharing Using STP Path Cost You can configure parallel trunks ...

Page 286: ...is not allowed on the port and the VMPS is in open mode the VMPS sends an access denied response If the VLAN is not allowed on the port and the VMPS is in secure mode the VMPS sends a port shutdown response If the port already has a VLAN assignment the VMPS provides one of these responses If the VLAN in the database matches the current VLAN on the port the VMPS sends a success response allowing ac...

Page 287: ... addresses seen Default VMPS Client Settings VMPS Configuration Guidelines These guidelines and restrictions apply to dynamic access port VLAN membership You should configure the VMPS before you configure ports as dynamic access ports When you configure a port as a dynamic access port the spanning tree Port Fast feature is automatically enabled for that port The Port Fast mode accelerates the proc...

Page 288: ... connecting to the network More than 20 active hosts reside on a dynamic access port To reenable a disabled dynamic access port enter the shutdown interface configuration command followed by the no shutdown interface configuration command How to Configure VLANs Creating or Modifying an Ethernet VLAN Command Purpose 1 configure terminal Enters global configuration mode 2 vlan vlan id Enters a VLAN ...

Page 289: ...s the port to a VLAN Valid VLAN IDs are 1 to 4096 5 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 vtp mode transparent Configures the switch for VTP transparent mode and disables VTP Note This step is not required for VTP version 3 3 vlan vlan id Enters an extended range VLAN ID and enters VLAN configuration mode The range is 1006 to 40...

Page 290: ...rface ID for the routed port that you shut down in Step 4 and enters interface configuration mode 10 no shutdown Reenables the routed port It will be assigned a new internal VLAN ID 11 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies the port to be configured for trunking and enters interface configuration ...

Page 291: ...C mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Selects the trunk port for which VLANs should be pruned and enters interface configuration mode 3 switchport trunk pruning vlan add except none remove vlan list vlan vlan Configures the list of VLANs allowed to be pruned from the trunk See VTP Pruning page 300 4 end Returns to privileged EXEC mode...

Page 292: ...to configure the trunk ports that connect to the trunk ports configured on Switch A 14 show vlan When the trunk links come up VTP passes the VTP and VLAN information to Switch B Verifies that Switch B has learned the VLAN configuration 15 configure terminal Enters global configuration mode on Switch A 16 interface interface id_1 Defines the interface to set the STP port priority and enters interfa...

Page 293: ...erminal Enters global configuration mode 10 interface interface id_1 Defines the interface on which to set the STP cost and enters interface configuration mode 11 spanning tree vlan 2 4 cost 30 Sets the spanning tree path cost to 30 for VLANs 2 through 4 12 end Returns to global configuration mode 13 Repeat Steps 9 through 12 on the other configured trunk interface on Switch A and set the spanning...

Page 294: ...port that is connected to the end station and enters interface configuration mode 3 switchport mode access Sets the port to access mode 4 switchport access vlan dynamic Configures the port as eligible for dynamic VLAN membership The dynamic access port must be connected to an end station 5 end Returns to privileged EXEC mode Command Purpose copy running config startup config Saves your entries in ...

Page 295: ...to the VLAN database Switch configure terminal Switch config vlan 20 Switch config vlan name test20 Switch config vlan end Primary VMPS Server 1 Catalyst 6500 series Secondary VMPS Server 2 Catalyst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 ...

Page 296: ...example shows how to configure a port as an IEEE 802 1Q trunk The example assumes that the neighbor interface is configured to support IEEE 802 1Q trunking Switch config interface GigabitEthernet1 18 Switch config if switchport mode dynamic desirable Switch config if end Removing a VLAN Example This example shows how to remove VLAN 2 from the allowed VLAN list on a port Switch config interface Gig...

Page 297: ...his feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support...

Page 298: ...294 Configuring VLANs Additional References ...

Page 299: ...mode Information About Configuring VTP VTP A VLAN Trunking Protocol VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion and renaming of VLANs on a network wide basis VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems such as duplicate VLAN names incorrect VLAN type specifications and secu...

Page 300: ...on a VTP server and VLAN information is not propagated over the network If the switch receives a VTP advertisement over a trunk link it inherits the management domain name and the VTP configuration revision number The switch then ignores advertisements with a different domain name or an earlier configuration revision number When you make a change to the VLAN configuration on a VTP server the chang...

Page 301: ...s received over trunk links VTP server is the default mode Note In VTP server mode VLAN configurations are saved in NVRAM If the switch detects a failure while writing a configuration to NVRAM VTP mode automatically changes from server mode to client mode If this happens the switch cannot be returned to VTP server mode until the NVRAM is functioning VTP client A VTP client behaves like a VTP serve...

Page 302: ...eserved multicast address Neighboring switches receive these advertisements and update their VTP and VLAN configurations as necessary VTP advertisements distribute this global domain information VTP domain name VTP configuration revision number Update identity and update timestamp MD5 digest VLAN configuration including maximum transmission unit MTU size for each VLAN Frame format VTP advertisemen...

Page 303: ... Spanning Tree MST protocol database information A separate instance of the VTP protocol runs for each application that uses VTP VTP primary server and VTP secondary servers A VTP primary server updates the database information and sends updates that are honored by all devices in the system A VTP secondary server can only back up the updated VTP configurations received from the primary server to i...

Page 304: ...low both kinds of neighbors to coexist on the same trunk A VTP version 3 device does not accept configuration information from a VTP version 2 or version 1 device Two VTP version 3 regions can only communicate in transparent mode over a VTP version 1 or version 2 region Devices that are only VTP version 1 capable cannot interoperate with VTP version 3 devices VTP version 2 and version 3 are disabl...

Page 305: ...TP domain In VTP version 3 you must manually enable pruning on each switch in the domain See Enabling VTP Pruning page 305 VTP pruning takes effect several seconds after you enable it VTP pruning does not prune traffic from VLANs that are pruning ineligible VLAN 1 and VLANs 1002 to 1005 are always pruning ineligible traffic from these VLANs cannot be pruned Extended range VLANs VLAN IDs higher tha...

Page 306: ...n both the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file the VLAN database is ignored cleared The VTP and VLAN configurations in the startup configuration file are used The VLAN database revision number remains unchanged in the VLAN database If the VTP mode or the domain name in the startup configuration do...

Page 307: ...tion revision number of the other switches in the VTP domain Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number With VTP versions 1 and 2 adding a switch that has a revision number higher than the revision number in the VTP domain can erase all VLAN information from the VTP server and VTP domain With VTP version 3 the VLAN in...

Page 308: ...icting servers If you do not enter force you are prompted for confirmation before the takeover 2 end Returns to privileged EXEC mode 3 show vtp status Verifies your entries in the VTP Operating Mode and the VTP Domain Name fields of the display 4 copy running config startup config Optional Saves the configuration in the startup configuration file Note Only VTP mode and domain name are saved in the...

Page 309: ...vtp version 1 2 3 Enables the VTP version on the switch The default is VTP version 1 3 end Returns to privileged EXEC mode 4 show vtp status Verifies that the configured VTP version is enabled 5 copy running config startup config Optional Saves the configuration in the startup configuration file Command Purpose 1 configure terminal Enters global configuration mode 2 vtp pruning Enables pruning in ...

Page 310: ...ame Enters the original domain name on the switch 8 end Returns to privileged EXEC mode 9 show vtp status Optional Verifies that the domain name is the same as in Step 1 and that the configuration revision number is 0 10 After resetting the configuration revision number add the switch to the VTP domain Command Purpose show vtp counters Displays counters about VTP messages that have been sent and r...

Page 311: ...n password and how it appears Switch config vtp password mypassword hidden Generating the secret associated to the password Switch config end Switch show vtp password VTP password 89914640C8D90868B6A0D8103847A733 Configuring a VTP Version 3 Primary Server Example This example shows how to configure a switch as the primary server for the VLAN database the default when a hidden or secret password wa...

Page 312: ...ied standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are suppo...

Page 313: ... QoS uses classification and scheduling to send network traffic from the switch in a predictable manner Voice VLAN is referred to as an auxiliary VLAN in some switch documentation The Cisco 7960 IP Phone is a configurable device and you can configure it to forward traffic with an IEEE 802 1p priority You can configure the switch to trust or override the traffic priority assigned by a Cisco IP phon...

Page 314: ... priority tagging to give voice traffic a higher priority and forward all voice traffic through the native access VLAN The Cisco IP phone can also send untagged voice traffic or use its own configuration to send voice traffic in the access VLAN In all configurations the voice traffic carries a Layer 3 IP precedence value the default is 5 Cisco IP Phone Data Traffic The switch can also process tagg...

Page 315: ...all switch interfaces The Port Fast feature is automatically enabled when voice VLAN is configured When you disable voice VLAN the Port Fast feature is not automatically disabled If the Cisco IP phone and a device attached to the phone are in the same VLAN they must be in the same IP subnet These conditions indicate that they are in the same VLAN They both use IEEE 802 1p or untagged frames The Ci...

Page 316: ... phone how to send data packets from the device attached to the access port on the Cisco IP phone The PC can generate packets with an assigned CoS value You can configure the phone to not change trust or to override not trust the priority of frames arriving on the phone port from connected devices How to Configure Voice VLAN Configuring the Priority of Incoming Data Frames Monitoring and Maintaini...

Page 317: ...ple This example shows how to configure a port connected to a Cisco IP phone to not change the priority of frames received from the PC or the attached device Switch config interface GigabitEthernet1 17 Switch config if switchport priority extend trust Switch config if end Additional References for Configuring Voice VLAN The following sections provide references related to switch administration ...

Page 318: ...cted port configuration Configuring Protected Ports Secure port configuration Configuring Port Security Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform un...

Page 319: ... preventing loops in the network For a Layer 2 Ethernet network to function properly only one active path can exist between any two stations Multiple active paths among end stations cause loops in the network If a loop exists in the network end stations might receive duplicate messages Switches might also learn end station MAC addresses on multiple Layer 2 interfaces These conditions result in an ...

Page 320: ...tch The port identifier port priority and MAC address associated with each Layer 2 interface When the switches in a network are powered up each functions as the root switch Each switch sends a configuration BPDU through all of its ports The BPDUs communicate and compute the spanning tree topology Each configuration BPDU contains this information The unique bridge ID of the switch that the sending ...

Page 321: ...xtended system ID value equal to the VLAN ID Spanning tree uses the extended system ID the switch priority and the allocated spanning tree MAC address to make the bridge ID unique for each VLAN Support for the extended system ID affects how you manually configure the root switch the secondary root switch and the switch priority of a VLAN For example when you change the switch priority value you ch...

Page 322: ... spanning tree is enabled by default and every interface in the switch VLAN or network goes through the blocking state and the transitory states of listening and learning Spanning tree stabilizes each interface at the forwarding or blocking state When the spanning tree algorithm places a Layer 2 interface in the forwarding state this process occurs 1 The interface is in the listening state while s...

Page 323: ...warding Does not learn addresses Receives BPDUs Listening State The listening state is the first state a Layer 2 interface enters after the blocking state The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding An interface in the listening state performs these functions Discards frames received on the interface Discards frames switc...

Page 324: ...orwarding interfaces or link types Switch A might not be the ideal root switch By increasing the priority lowering the numerical value of the ideal switch so that it becomes the root switch you force a spanning tree recalculation to form a new topology with the ideal switch as the root Figure 37 Spanning Tree Topology When the spanning tree topology is calculated based on default parameters the pa...

Page 325: ...sses between 0x0180C2000000 and 0x0180C200000F If spanning tree is enabled the CPU on the switch receives packets destined for 0x0180C2000000 and 0x0180C2000010 If spanning tree is disabled the switch forwards those packets as unknown multicast addresses Accelerated Aging to Retain Connectivity The default for aging dynamic addresses is 5 minutes the default setting of the mac address table aging ...

Page 326: ...figuration The benefit of rapid PVST is that you can migrate a large PVST install base to rapid PVST without having to learn the complexities of the MSTP configuration and without having to reprovision your network In rapid PVST mode each VLAN runs its own spanning tree instance up to the maximum supported MSTP This spanning tree mode is based on the IEEE 802 1s standard You can map multiple VLANs...

Page 327: ...bines the spanning tree instance of the IEEE 802 1Q VLAN of the trunk with the spanning tree instance of the non Cisco IEEE 802 1Q switch However all PVST or rapid PVST information is maintained by Cisco switches separated by a cloud of non Cisco IEEE 802 1Q switches The non Cisco IEEE 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches PVST is automat...

Page 328: ...antly lower value When you enter this command the software checks the switch priority of the root switches for each VLAN Because of the extended system ID support the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN If any root switch for the specified VLAN has a switch priority lower than 24576 the switch s...

Page 329: ...iguration commands Secondary Root Switch When you configure a switch as the secondary root the switch priority is modified from the default value 32768 to 28672 The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the ...

Page 330: ...orts Depending on the topology of the network this could create a loop in the new VLAN that will not be broken particularly if there are several adjacent switches that have all run out of spanning tree instances You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning tree instances Setting up allowed lists is not ne...

Page 331: ...ysical ports VLANs and port channels 4 spanning tree link type point to point Recommended for rapid PVST mode only Specifies that the link type for this port is point to point If you connect this port local port to a remote port through a point to point link and the local port becomes a designated port the switch negotiates with the remote port and rapidly changes the local port to the forwarding ...

Page 332: ... Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 spanning tree vlan vlan id root secondary diameter net diameter hello time seconds Configures a switch to become the secondary root for the specified VLAN vlan id Specifies a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comm...

Page 333: ...d Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies an interface to configure and enters interface configuration mode Valid interfaces include physical ports and port channel logical interfaces port channel port channel number 3 spanning tree cost cost Configures the cost for an interface 4 spanning tree vlan vl...

Page 334: ...Rapid PVST mode Lowering this value can slow down convergence in certain scenarios We recommend that you maintain the default setting 8 end Returns to privileged EXEC mode Command Purpose Command Purpose show spanning tree active Displays spanning tree information on active interfaces only show spanning tree detail Displays a detailed summary of interface information show spanning tree interface i...

Page 335: ...ptional Spanning Tree Features page 353 Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw cent...

Page 336: ...332 Configuring STP Additional References ...

Page 337: ...AN spanning tree plus rapid PVST MSTP MSTP which uses RSTP for rapid convergence enables VLANs to be grouped into a spanning tree instance with each instance having a spanning tree topology independent of other spanning tree instances This architecture provides multiple forwarding paths for data traffic enables load balancing and reduces the number of spanning tree instances required to support a ...

Page 338: ...ween MST Regions page 3 Note The implementation of the IEEE 802 1s standard changes some of the terminology associated with MST implementations Operations Within an MST Region The IST connects all the MSTP switches in a region When the IST converges the root of the IST becomes the CIST regional root called the IST master before the implementation of the IEEE 802 1s standard as shown in Figure 1 on...

Page 339: ...on for example hello time forward time max age and max hops are configured only on the CST instance but affect all MST instances Parameters related to the spanning tree topology for example switch priority port VLAN cost and port VLAN priority can be configured on both the CST instance and the MST instance MSTP switches use Version 3 RSTP BPDUs or IEEE 802 1D STP BPDUs to communicate with legacy I...

Page 340: ... information in the RSTP portion of the BPDU remain the same throughout the region and the same values are propagated by the region designated ports at the boundary Boundary Ports In the Cisco prestandard implementation a boundary port connects an MST region to a single spanning tree region running RSTP to a single spanning tree region running PVST or rapid PVST or to another MST region with a dif...

Page 341: ...STI ports now have a special master role The boundary port is not the root port of the CIST regional root The MSTI ports follow the state and role of the CIST port The standard provides less information and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs MRecords In this case although the boundary role no longer exists the show commands id...

Page 342: ...esult switch A blocks or keeps blocking its port preventing the bridging loop Figure 41 Detecting Unidirectional Link Failure Interoperability with IEEE 802 1D STP A switch running MSTP supports a built in protocol migration mechanism that enables it to interoperate with legacy IEEE 802 1D switches If this switch receives a legacy IEEE 802 1D configuration BPDU a BPDU with the protocol version set...

Page 343: ... switch is attached to the LAN is called the designated port Alternate port Offers an alternate path toward the root switch to that provided by the current root port Backup port Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree A backup port can exist only when two ports are connected in a loopback by a point to point link or when a switch has two o...

Page 344: ... of Switch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which the proposal message was received forces all nonedge ports to the blocking state and sends an agreement message a BPDU with the agreement flag set through i...

Page 345: ...onfigured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring that all of the ports are synchronized the switch sends an agreement message to the desig...

Page 346: ...DU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Designated port 8 Agreement 10 Agreement Ed...

Page 347: ...ree topology changes Detection Unlike IEEE 802 1D in which any transition between the blocking and the forwarding state causes a topology change only transitions from the blocking to the forwarding state cause a topology change with RSTP only an increase in connectivity is considered a topology change State changes on an edge port do not cause a topology change When an RSTP switch detects a topolo...

Page 348: ...n of the MST configuration is not supported However you can manually configure the MST configuration region name revision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the SNMP support For load balancing across redundant paths in the network to work all VLAN to instance mapping assignments must match otherwise all traffi...

Page 349: ...ning tree instance If any root switch for the specified instance has a switch priority lower than 24576 the switch sets its own priority to 4096 less than the lowest switch priority 4096 is the value of the least significant bit of a 4 bit switch priority value as shown in Table 1 on page 4 If your network consists of switches that both do and do not support the extended system ID it is unlikely t...

Page 350: ...hared connection If you have a half duplex link physically connected point to point to a single port on a remote switch running MSTP you can override the default setting of the link type and enable rapid transitions to the forwarding state Neighbor Type A topology could contain both prestandard and IEEE 802 1s standard compliant devices By default ports can automatically detect prestandard devices...

Page 351: ...ed to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN series use a comma for example instance 1 vlan 10 20 30 maps VLANs 10 20 and 30 to MST instance 1 4 name name Specifies the configuration name The name string has a maximum length of 32 characters and is case s...

Page 352: ... 7 This keyword is available only for MST instance 0 Optional hello time seconds Specifies the interval in seconds between the generation of configuration messages by the root switch The range is 1 to 10 seconds the default is 2 seconds 3 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configures a switch as the secondary root switch instance id Specifies a si...

Page 353: ...essages mean that the switch is alive seconds The range is 1 to 10 the default is 2 4 spanning tree mst forward time seconds Configures the forward time for all MST instances The forward delay is the number of seconds a port waits before changing from its spanning tree learning and listening states to the forwarding state seconds The range is 4 to 30 the default is 15 5 spanning tree mst max age s...

Page 354: ... to 4096 cost The range is 1 to 200000000 the default value is derived from the media speed of the interface 10 spanning tree link type point to point Specifies that the link type of a port is point to point 11 spanning tree mst pre standard Specifies that the port can send only prestandard BPDUs 12 end Returns to privileged EXEC mode Command Purpose Command Purpose show spanning tree mst configur...

Page 355: ... display the pending configuration apply the changes and return to global configuration mode Switch config spanning tree mst configuration Switch config mst instance 1 vlan 10 20 Switch config mst name region1 Switch config mst revision 1 Switch config mst show pending Pending MST configuration Name region1 Revision 1 Instance Vlans Mapped 0 1 9 21 4096 1 10 20 Switch config mst exit Switch config...

Page 356: ...ee instances Chapter 22 Supported Spanning Tree Instances Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco ...

Page 357: ...rt to the forwarding state from a blocking state bypassing the listening and learning states You can use PortFast on interfaces connected to a single workstation or server as shown in Figure 44 on page 354 to allow those devices to immediately connect to the network rather than waiting for the spanning tree to converge Interfaces connected to a single workstation or server should not receive bridg...

Page 358: ... PortFast feature When the port receives a BPDU it is put in the error disabled state The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Enabling BPDU Guard When you globally enable BPDU guard...

Page 359: ...feature This command prevents the interface from sending or receiving BPDUs Caution Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning tree loops You can enable the BPDU filtering feature for the entire switch or for an interface Enabling BPDU Filtering When you globally enable BPDU filtering on Port Fast enabled interfaces it prevents i...

Page 360: ... if you enter zero station learning frames are not generated so the spanning tree topology converges more slowly after a loss of connectivity Note UplinkFast is most useful in wiring closet switches at the access or edge of the network It is not appropriate for backbone devices This feature might not be useful for other types of applications UplinkFast provides fast convergence after a direct link...

Page 361: ...nfiguration command Note When you enable UplinkFast it affects all VLANs on the switch You cannot configure UplinkFast on an individual VLAN You can configure the UplinkFast feature for rapid PVST or for the MSTP but the feature remains disabled inactive until you change the spanning tree mode to PVST When UplinkFast is enabled the switch priority of all VLANs is set to 49152 If you change the pat...

Page 362: ... root port to expire and becomes the root switch according to normal spanning tree rules If the switch has alternate paths to the root switch it uses these alternate paths to send a root link query RLQ request The switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network If the switch discovers that it still has an alternate path to the root ...

Page 363: ...Us that indicate it is the root switch However the other switches ignore these inferior BPDUs and the new switch learns that Switch B is the designated switch to Switch A the root switch Figure 50 Adding a Switch in a Shared Medium Topology Enabling BackboneFast You can enable BackboneFast to detect indirect link failures and to start the spanning tree reconfiguration sooner Note If you use Backbo...

Page 364: ... that connect to switches in your customer s network If spanning tree calculations cause an interface in the customer network to be selected as the root port root guard then places the interface in the root inconsistent blocked state to prevent the customer s switch from becoming the root switch or being in the path to the root If a switch outside the SP network becomes the root switch the interfa...

Page 365: ...does not send BPDUs on root or alternate ports You can enable this feature by using the spanning tree loopguard default global configuration command When the switch is operating in PVST or rapid PVST mode loop guard prevents alternate and root ports from becoming designated ports and spanning tree does not send BPDUs on root or alternate ports When the switch is operating in MST mode BPDUs are not...

Page 366: ... enable both loop guard and root guard at the same time When you enable UplinkFast it affects all VLANs on the switch You cannot configure UplinkFast on an individual VLAN If you enable the voice VLAN feature the PortFast feature is automatically enabled When you disable voice VLAN the PortFast feature is not automatically disabled Table 45 Default Optional Spanning Tree Settings Feature Default S...

Page 367: ...unk ports you must use the spanning tree portfast trunk interface configuration command The spanning tree portfast command will not work on trunk ports By default PortFast is disabled on all interfaces 11 spanning tree guard root Enables root guard on the interface By default root guard is disabled on all interfaces 12 end Returns to privileged EXEC mode Command Purpose Command Purpose show spanni...

Page 368: ...PVST configuratio Configuring STP page 315 Multiple Spanning Tree Protocol configuration Configuring MSTP page 333 Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a ...

Page 369: ...ng of six ports spread across four switches Ports E1 and E2 are configured as edge ports When all ports are operational as in the segment on the left a single port is blocked shown by the diagonal line When there is a failure in the network as shown in the diagram on the right the blocked port returns to the forwarding state to minimize network disruption Figure 52 REP Open Segments The segment sh...

Page 370: ...ost any type of network based on REP segments REP also supports VLAN load balancing controlled by the primary edge port but occurring at any port in the segment In access ring topologies the neighboring switch might not support REP as shown in Figure 54 on page 366 In this case you can configure the non REP facing ports E1 and E2 as edge no neighbor ports These ports inherit all properties of edge...

Page 371: ...rts become unblocked By default REP packets are sent to a BPDU class MAC address The packets can also be sent to the Cisco multicast address which is used only to send blocked port advertisement BPA messages when there is a failure in the segment The packets are dropped by devices not running REP Fast Convergence Because REP runs on a physical link basis and not a per VLAN basis only one hello mes...

Page 372: ...nt id preferred interface configuration command Figure 55 Neighbor Offset Numbers in a Segment When the REP segment is complete all VLANs are blocked When you configure VLAN load balancing you must also configure triggers in one of two ways Manually trigger VLAN load balancing at any time by entering the rep preempt segment segment id privileged EXEC command on the switch that has the primary edge...

Page 373: ...ole and all other ports become open ports When a failure occurs in a link all ports move to the failed state When the alternate port receives the failure notification it changes to the open state forwarding all VLANs A regular segment port converted to an edge port or an edge port converted to a regular segment port does not always result in a topology change If you convert an edge port into a reg...

Page 374: ...faces You must configure all trunk ports in the segment with the same set of allowed VLANs or a misconfiguration occurs REP ports follow these rules There is no limit to the number of REP ports on a switch however only two ports on a switch can belong to the same REP segment If only one port on a switch is configured in a segment the port should be an edge port If two ports on a switch belong to t...

Page 375: ...ticast address These messages are flooded to the whole network not just the REP segment You can control flooding of these messages by configuring an administrative VLAN for the whole domain Follow these guidelines when configuring the REP administrative VLAN If you do not configure an administrative VLAN the default is VLAN 1 There can be only one administrative VLAN on a switch and on a segment H...

Page 376: ...Configures a port with no external REP neighbors as an edge port The port inherits all properties of edge ports and you can configure them the same as any edge port Note Although each segment can have only one primary edge port if you configure edge ports on two different switches and enter the primary keyword on both switches the configuration is allowed However REP selects only one of these port...

Page 377: ...ou would never enter an offset value of 1 to identify an alternate port preferred Selects the regular segment port previously identified as the preferred alternate port for VLAN load balancing vlan vlan list Blocks one VLAN or a range of VLANs vlan all Blocks all VLANs Note Enter this command only on the REP primary edge port 7 rep preempt delay seconds Optional You must enter this command and con...

Page 378: ...VLAN 100 and verify the configuration by entering the show interface rep detail command on one of the REP interfaces Switch configure terminal Switch conf rep admin vlan 100 Switch conf if end Switch show interface GigabitEthernet1 17 rep detail Command Purpose 1 rep preempt segment segment id Manually triggers VLAN load balancing on the segment You will need to confirm the command before it is ex...

Page 379: ...iseconds without receiving a hello from a neighbor Switch configure terminal Switch conf interface GigabitEthernet1 17 Switch conf if rep segment 1 edge primary Switch conf if rep stcn segment 2 5 Switch conf if rep block port 0009001818D68700 vlan all Switch conf if rep preempt delay 60 Switch conf if rep lsl age timer 6000 Switch conf if end This example shows how to configure an interface as th...

Page 380: ...le Cisco IOS basic commands Cisco IOS Configuration Fundamentals Command Reference Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access ...

Page 381: ...rfaces is in the linkup state and forwarding traffic If the primary link shuts down the standby link starts forwarding traffic When the active link comes back up it goes into standby mode and does not forward traffic STP is disabled on FlexLinks interfaces In Figure 57 on page 378 ports 1 and 2 on switch A are connected to uplink switches B and C Because they are configured as FlexLinks only one o...

Page 382: ... reduces the multicast traffic convergence time after a FlexLinks failure Learning the Other FlexLinks Port as the mrouter Port In a typical multicast network there is a querier for each VLAN A switch deployed at the edge of a network has one of its FlexLinks ports receiving queries FlexLinks ports are also always forwarding at any given time A port that receives queries is added as an mrouter por...

Page 383: ...p port which became the forwarding port MAC Address Table Move Update The MAC address table move update feature allows the switch to provide rapid bidirectional convergence when a primary forwarding link goes down and the standby link begins forwarding traffic In Figure 59 on page 380 switch A is an access switch and ports 1 and 2 on switch A are connected to uplink switches B and D through a Flex...

Page 384: ...16 backup links You can configure only one FlexLinks backup link for any active link and it must be a different interface from the active interface An interface can belong to only one FlexLinks pair An interface can be a backup link for only one active link An active link cannot belong to another FlexLinks pair Switch C Port 3 Port 1 Port 2 Port 4 Switch A Switch B Switch D Server PC 141223 Defaul...

Page 385: ...ports Follow these guidelines to configure VLAN load balancing on the FlexLinks feature For FlexLinks VLAN load balancing you must choose the preferred VLANs on the backup interface You cannot configure a preemption mechanism and VLAN load balancing for the same FlexLinks pair Follow these guidelines to configure the MAC address table move update feature You can enable and configure this feature o...

Page 386: ...exLinks interface pair You can configure the preemption as forced The active interface always preempts the backup bandwidth The interface with the higher bandwidth always acts as the active interface off No preemption happens from active to backup 5 switchport backup interface interface id preemption delay delay time Configures the time delay until a port preempts another port Note Setting a delay...

Page 387: ...the lowest VLAN ID on the interface Configures a physical Layer 2 interface or port channel and specifies the VLAN ID on the interface which is used for sending the MAC address table move update When one link is forwarding traffic the other interface is in standby mode 4 end Returns to global configuration mode 5 mac address table move update transmit Enables the access switch to send MAC address ...

Page 388: ...n Group Type Version Port List 1 228 1 5 1 igmp v2 Gi1 17 Gi1 18 Fa2 1 1 228 1 5 2 igmp v2 Gi1 17 Gi1 18 Fa2 1 When a host responds to the general query the switch forwards this report on all the mrouter ports In this example when a host sends a report for the group 228 1 5 1 it is forwarded only on GigabitEthernet1 17 because the backup port GigabitEthernet1 18 is blocked When the active link Gig...

Page 389: ...AN 1 which is interested in two multicast groups Switch show ip igmp snooping groups Vlan Group Type Version Port List 1 228 1 5 1 igmp v2 Gi1 17 Gi1 18 Gi1 17 1 228 1 5 2 igmp v2 Gi1 17 Gi1 18 Gi1 17 Whenever a host responds to the general query the switch forwards this report on all the mrouter ports When you turn on this feature through the command line port and when a report is forwarded by th...

Page 390: ...Configuring VLAN Load Balancing on FlexLinks Examples In the following example VLANs 1 to 50 60 and 100 to 120 are configured on the switch Switch config interface gigabitEthernet 1 2 Switch config if switchport backup interface gigabitEthernet 1 2 prefer vlan 60 100 120 When both interfaces are up GigabitEthernet1 17 forwards traffic for VLANs 60 and 100 to 120 and GigabitEthernet1 18 forwards tr...

Page 391: ...erface 1 2 5 4096 Vlans Preferred on Backup Interface 3 4 Preemption Mode off Bandwidth 10000 Kbit Fa1 3 100000 Kbit Fa1 4 Mac Address Move Update Vlan auto Configuring MAC Address Table Move Update Example This example shows how to configure an access switch to send MAC address table move update messages Switch conf interface GigabitEthernet1 17 Switch conf if switchport backup interface GigabitE...

Page 392: ...rence Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Ti...

Page 393: ...HCP packets between clients and servers Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet Relay agent forwarding is different from the normal Layer 2 forwarding in which IP datagrams are switched transparently between networks Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces DHCP Snoopin...

Page 394: ...packets are received on an untrusted interface If DHCP snooping is enabled and packets are received on a trusted port the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping informat...

Page 395: ...assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID The DHCP server then repeats the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch The switch verifies that it originally inserted the option 82 data by inspecting t...

Page 396: ...ng information option format remote id global configuration command and the ip dhcp snooping vlan information option format type circuit id string interface configuration command are entered The values for these fields in the packets change from the default values when you configure the remote ID and circuit ID suboptions Circuit ID suboption fields The circuit ID type is 1 The length values are v...

Page 397: ...y is 72 bytes followed by a space and then the checksum value To keep the bindings when the switch reloads you must use the DHCP snooping database agent If the agent is disabled dynamic ARP inspection or IP source guard is enabled and the DHCP snooping binding database has dynamic bindings the switch loses its connectivity If the agent is disabled and only DHCP snooping is enabled the switch does ...

Page 398: ... bindings to its DHCP snooping binding database The switch ignores an entry when one of these situations occurs The switch reads the entry and the calculated checksum value does not equal the stored checksum value The entry and the ones following it are ignored An entry has an expired lease time the switch might not remove a binding entry when the lease time expires The interface in the entry no l...

Page 399: ...er configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Do not enter the ip dhcp snooping information option allow untrusted command on an aggregation switch to which an untrusted device is connected If ...

Page 400: ... a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the network they offer connectivity to the directly connected devices In some environments such as on a factory floor if a device fails the replacement device must be working immediately in the ...

Page 401: ...Address Command Purpose 1 configure terminal Enters global configuration mode 2 service dhcp Enables the DHCP server and relay agent on your switch By default this feature is enabled 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface vlan vlan id Creates a switch virtual interface by entering a VLAN ID and enters interface config...

Page 402: ... a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space 4 ip dhcp snooping information option Enables the switch to insert and to remove DHCP relay information option 82 field in forwarded DHCP request messages to the DHCP server This is the default setting 5 ip dhcp snooping information option format remote id string ASCII string hostname Optional Configur...

Page 403: ...ting for trusted interfaces you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN with DHCP snooping 11 exit Returns to global configuration mode 12 ip dhcp snooping verify mac address Optional Configures the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client hardware address in the packet The ...

Page 404: ...ng database The vlan id range is from 1 to 4904 The seconds range is from 1 to 4294967295 Enter this command for each entry that you add Note Use this command when you are testing or debugging the switch Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2 ip dhcp use subscriber id client id Configures the DHCP server to globally use the subscriber identifier as ...

Page 405: ...onfiguration of a specific interface show ip dhcp pool Displays the DHCP address pools show ip dhcp binding Displays address bindings on the Cisco IOS DHCP server ip dhcp snooping database timeout seconds Specifies in seconds how long to wait for the database transfer process to finish before stopping ip dhcp snooping database write delay seconds Specifies in seconds the duration for which the tra...

Page 406: ...Subnet size first next 0 0 Total addresses 254 Leased addresses 0 Excluded addresses 4 Pending event none 1 subnet is currently in the pool Current index IP address range Leased Excluded Total 10 1 1 1 10 1 1 1 10 1 1 254 0 4 254 1 reserved address is currently in the pool Address Client 10 1 1 7 Et1 0 Enabling DHCP Snooping Example This example shows how to enable DHCP snooping globally and on VL...

Page 407: ...on Guide Cisco IOS DHCP Configuration Task List Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a pl...

Page 408: ...404 Configuring DHCP Additional References ...

Page 409: ...ciated with the IP address of Host A All hosts within the broadcast domain receive the ARP request and Host A responds with its MAC address However because ARP allows a gratuitous reply from a host even if an ARP request was not received an ARP spoofing attack and the poisoning of ARP caches can occur After the attack all traffic from the device under attack flows through the attacker s computer a...

Page 410: ...ops invalid ARP packets DAI determines the validity of an ARP packet based on valid IP to MAC address bindings stored in a trusted database the DHCP snooping binding database This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch If the ARP packet is received on a trusted interface the switch forwards the packet without any checks On untrusted interfaces...

Page 411: ...te a given ARP packet on all switches in the VLAN Rate Limiting of ARP Packets The switch CPU performs DAI validation checks therefore the number of incoming ARP packets is rate limited to prevent a denial of service attack By default the rate for untrusted interfaces is 15 packets per second pps Trusted interfaces are not rate limited You can change this setting by using the ip arp inspection lim...

Page 412: ...eives many packets on the same VLAN with the same ARP parameters the switch combines the packets as one entry in the log buffer and generates a single system message for the entry If the log buffer overflows it means that a log event does not fit into the log buffer and the display for the show ip arp inspection log privileged EXEC command is affected Dashes in the display appears in place of all ...

Page 413: ...all the interfaces combined on the channel receive an aggregate 400 pps The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel port members The rate of incoming packets on a physical port is checked aga...

Page 414: ...ange Enables DAI on a per VLAN basis By default DAI is disabled on all VLANs vlan range Specifies a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4096 Specifies the same VLAN ID for both switches 4 interface interface id Specifies the interface connected to the other switch and enters interface configurat...

Page 415: ...14 4 exit Returns to global configuration mode 5 ip arp inspection filter arp acl name vlan vlan range static Applies the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN arp acl name Specifies the name of the ACL created in Step 2 vlan range Specifies the VLAN that the switches and hosts are in You can specify a single VLAN identified by VLAN ID number a range of VLANs s...

Page 416: ...tion mode 2 interface interface id Specifies the interface to be rate limited and enters interface configuration mode 3 ip arp inspection limit rate pps burst interval seconds none Limits the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second rate pps Specifies an upper l...

Page 417: ...AC address in the Ethernet header against the target MAC address in ARP body This check is performed for ARP responses When enabled packets with different MAC addresses are classified as invalid and are dropped ip Checks the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP multicast addresses Sender IP addresses are checked in all ARP requests a...

Page 418: ...ting of 0 The logs and interval settings interact If the logs number X is greater than interval seconds Y X divided by Y X Y system messages are sent every second Otherwise one system message is sent every Y divided by X Y X seconds 3 ip arp inspection vlan vlan range logging acl match matchlog none dhcp bindings all none permit Controls the type of packets that are logged per VLAN By default all ...

Page 419: ...onal References The following sections provide references related to switch administration Command Description clear ip arp inspection log Clears the DAI log buffer clear ip arp inspection statistics Clears the DAI statistics show arp access list acl name Displays detailed information about ARP ACLs show errdisable recovery Displays the error disabled recovery timer information show ip arp inspect...

Page 420: ...locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support w...

Page 421: ... IPSG when DHCP snooping is enabled on an untrusted interface After IPSG is enabled on an interface the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping A port access control list ACL is applied to the interface The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic Note The por...

Page 422: ...s equivalent to port security at Layer 3 IPSG for static hosts also supports dynamic hosts If a dynamic host receives a DHCP assigned IP address that is available in the IP DHCP snooping table the same entry is learned by the IP device tracking table When you enter the show ip device tracking all EXEC command the IP device tracking table displays the entries as ACTIVE Note Some IP hosts with multi...

Page 423: ...ping uses option 82 data to identify the host port When configuring IP source guard on interfaces on which a private VLAN is configured port security is not supported IP source guard is not supported on EtherChannels You can enable this feature when 802 1x port based authentication is enabled If the number of ternary content addressable memory TCAM entries exceeds the maximum the CPU usage increas...

Page 424: ...e tracking port security Enables IPSG for static hosts with MAC address filtering Note When you enable both IPSG and port security by using the ip verify source port security interface configuration command The DHCP server must support option 82 or the client is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address The MAC address of the DHCP client is le...

Page 425: ... stop IPSG with static hosts on an interface Switch config if no ip verify source Switch config if no ip device tracking max 10 end Returns to privileged EXEC mode 11 show ip verify source interface interface id Verifies the configuration and displays IPSG permit ACLs for static hosts 12 show ip device track all active inactive count Verifies the configuration by displaying the IP to MAC binding f...

Page 426: ... reached the maximum Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip device tracking Switch config interface gigabitethernet 0 3 Switch config if switchport mode access Switch config if switchport access vlan 1 Switch config if ip device tracking maximum 5 Switch config if switchport port security Switch config if switchport port security maximu...

Page 427: ...0600 0000 9 GigabitEthernet1 17 ACTIVE 200 1 1 2 0001 0600 0000 9 GigabitEthernet1 17 ACTIVE 200 1 1 3 0001 0600 0000 9 GigabitEthernet1 17 ACTIVE 200 1 1 4 0001 0600 0000 9 GigabitEthernet1 17 ACTIVE 200 1 1 5 0001 0600 0000 9 GigabitEthernet1 17 ACTIVE This example displays all inactive IP or MAC binding entries for all interfaces The host was first learned on GigabitEthernet 0 1 and then moved ...

Page 428: ...rds Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new o...

Page 429: ... to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports When the switch receives an IGMP report from a host for a particular multicast group the switch adds the host port number to the forwarding table entry when it receives an IGMP Leave Group message from a host it removes the host port from the table entry It also periodically d...

Page 430: ...ess or on proxy reports An IGMPv3 switch supports Basic IGMPv3 Snooping Support BISS which includes support for the snooping features on IGMPv1 and IGMPv2 switches and for IGMPv3 membership report messages BISS constrains the flooding of multicast traffic when your network includes IGMPv3 hosts It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or I...

Page 431: ...ckets for the multicast group The information in the table tells the switching engine to send frames addressed to the 224 1 2 3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group If another host for example Host 4 sends an unsolicited IGMP join message for the same group Figure 66 on page 428 the CPU receives that message and adds the port number...

Page 432: ...ng table If the router receives no reports from a VLAN it removes the group for the VLAN from its IGMP cache Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned...

Page 433: ... enabled the default the switch sends the first IGMP report from all hosts for a group to all the multicast routers The switch does not send the remaining IGMP reports for the group to the multicast routers This feature prevents duplicate reports from being sent to the multicast devices If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports the switch forwards only the ...

Page 434: ...ng 1 general query If you set the count to 7 the flooding continues until 7 general queries are received Groups are relearned based on the general queries received during the TCN event Flood Mode for TCN When a topology change occurs the spanning tree root sends a special IGMP leave message also known as global leave with the group multicast address 0 0 0 0 However when you enable the ip igmp snoo...

Page 435: ...ible host with an Ethernet connection Although MVR operates on the underlying mechanism of IGMP snooping the two features operate independently of each other One can be enabled or disabled without affecting the behavior of the other feature However if IGMP snooping and MVR are both enabled MVR reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages...

Page 436: ...ticast stream when it is received from the multicast VLAN Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports Figure 67 Multicast VLAN Registration Example When a subscriber changes channels or turns off the television the set top box sends an IGMP leave message for the multicast stream The switch CPU sends a MAC based general query through ...

Page 437: ... ports and forward them to the multicast VLAN of the source uplink port based on the MVR mode Default MVR Settings MVR Configuration Guidelines and Limitations Receiver ports can only be access ports they cannot be trunk ports Receiver ports on a switch can be in different VLANs but should not belong to the multicast VLAN The maximum number of multicast entries MVR group addresses that can be conf...

Page 438: ... has no relationship with the function that directs the forwarding of IP multicast traffic The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses not static configuration With the IGMP throttling feature you can set the maximum number of IGMP groups that...

Page 439: ...ied only to Layer 2 ports You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to an EtherChannel port group When the maximum group limitation is set to the default no maximum entering the ip igmp max groups action deny replace command has no effect If you configure the throttling action and set the maximum group limitation after an interface has adde...

Page 440: ...ntrol traffic pim dvmrp Snoops on IGMP queries and PIM DVMRP packets This is the default 3 ip igmp snooping vlan vlan id mrouter interface interface id Adds a multicast router port adds a static connection to a multicast router Optional Specifies the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4096 The interface can be a physical in...

Page 441: ...olicitation is disabled Note Enable the switch to send the global leave message whether or not it is the spanning tree root 4 interface interface id Specifies the interface to be configured and enter interface configuration mode 5 no ip igmp snooping tcn flood Disables the flooding of multicast traffic during a spanning tree TCN event By default multicast flooding is enabled on an interface 6 end ...

Page 442: ...d EXEC mode Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2 no ip igmp snooping report suppression Disables IGMP report suppression 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 mvr Enables MVR on the switch 3 mvr group ip address count Configures an IP multicast address on the switch or use the...

Page 443: ...ports All source ports on a switch belong to the single multicast VLAN receiver Configures a port as a receiver port if it is a subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN The default configuration is as ...

Page 444: ...e the range command multiple times to enter multiple addresses or ranges of addresses 5 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies the physical interface and enter interface configuration mode The interface must be a Layer 2 port that does not belong to an EtherChannel port group 3 ip igmp filter prof...

Page 445: ...nooping ip_address Displays characteristics of the multicast group with the specified group IP address user Displays only the user configured multicast entries show ip igmp snooping mrouter vlan vlan id Displays information on dynamically learned and manually configured multicast router interfaces Note When you enable IGMP snooping the switch automatically learns the interface to which a multicast...

Page 446: ...nal Switch config ip igmp snooping vlan 105 static 224 2 4 12 interface gigabitethernet1 1 Switch config end show mvr interface interface id members vlan vlan id Displays all MVR interfaces and their MVR configurations When a specific interface is entered displays this information Type Receiver or Source Status One of these Active means the port is part of a VLAN Up Down means that the port is for...

Page 447: ...ows how to set the IGMP snooping querier feature to version 2 Switch configure terminal Switch config no ip igmp snooping querier version 2 Switch config end Enabling MVR Examples This example shows how to enable MVR configure the group address set the query time to 1 second 10 tenths specify the MVR multicast VLAN as VLAN 22 and set the MVR mode as dynamic Switch config mvr Switch config mvr grou...

Page 448: ...ig igmp profile range 229 9 9 0 Switch config igmp profile end Switch show ip igmp profile 4 IGMP Profile 4 permit range 229 9 9 0 229 9 9 0 Applying an IGMP Profile Example This example shows how to apply IGMP profile 4 to a port Switch config interface GigabitEthernet1 18 Switch config if ip igmp filter 4 Switch config if end Limiting IGMP Groups Example This example shows how to limit to 25 the...

Page 449: ...MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Techni...

Page 450: ...446 Configuring IGMP Snooping and MVR Additional References ...

Page 451: ... packets per second and for small frames This feature is enabled globally The threshold for small frames is configured for each interface With each method the port blocks traffic when the rising threshold is reached The port remains blocked until the traffic rate drops below the falling threshold if one is specified and then resumes normal forwarding If the falling suppression level is not specifi...

Page 452: ...ted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm control on an EtherChannel When storm control is configured on an EtherChannel the storm control setting...

Page 453: ... all ports If unknown unicast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to another you can block a port protected or nonprotected from flooding unknown unicast or multicast packets to other ports Note With multicast traffic the port blocking feature blocks only pure Layer ...

Page 454: ...abase Management SDM template This number is the total of available MAC addresses including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces Security Violations It is a security violation when one of these situations occurs The maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the ...

Page 455: ...t learned on the access VLAN If you connect a single PC to the Cisco IP phone no additional MAC addresses are required If you connect more than one PC to the Cisco IP phone you must configure enough secure addresses to allow one for each PC and one for the phone Table 47 Security Violation Mode Actions Violation Mode Traffic is Forwarded1 Sends SNMP Trap Sends syslog Message Displays Error Message...

Page 456: ...he previous value the new value overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not support port security aging of sticky secure MAC addresses Port Security Aging You can use port security aging to set the aging time for all secure...

Page 457: ...s flooded with Address Resolution Protocol ARP or control packets high CPU utilization can cause the CPU to overload These issues can occur Routing protocol can flap because the protocol control packets are not received and neighboring adjacencies are dropped Spanning Tree Protocol STP reconverges because the STP bridge protocol data unit BPDU cannot be sent or received CLI is slow or unresponsive...

Page 458: ...w Specifies the falling threshold level as a percentage up to two decimal places of the bandwidth This value must be less than or equal to the rising suppression value The port forwards traffic when traffic drops below this level If you do not configure a falling suppression level it is set to the rising suppression level The range is 0 00 to 100 00 If you set the threshold to the maximum value 10...

Page 459: ...trap when a storm is detected 5 end Returns to privileged EXEC mode Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2 errdisable detect cause small frame Enables the small frame rate arrival feature on the switch 3 errdisable recovery interval interval Optional Specifies the time to recover from the specified error disabled state 4 errdisable recovery cause sm...

Page 460: ...known multicast forwarding out of the port Note Only pure Layer 2 multicast traffic is blocked Multicast packets that contain IPv4 or IPv6 information in the header are not blocked 4 switchport block unicast Blocks unknown unicast forwarding out of the port 5 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies...

Page 461: ... including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces Optional vlan Sets a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan list On a trunk port sets a per VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas For nonspecified VLANs the per VLAN maximum val...

Page 462: ...y violation mode per VLAN In this mode the VLAN is error disabled instead of the entire port when a violation occurs Note When a secure port is in the error disabled state you can bring it out of this state by entering the errdisable recovery cause psecure violation global configuration command You can manually reenable it by entering the shutdown and no shutdown interface configuration commands o...

Page 463: ...added to the running configuration Note If you do not enable sticky learning before this command is entered an error message appears and you cannot enter a sticky secure MAC address Optional vlan Sets a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan id On a trunk port specifies the VLAN ID and the MAC address If you do not specify a VLAN ID the native VLAN ...

Page 464: ...inactivity The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period 4 end Returns to privileged EXEC mode Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2 psp arp dhcp igmp pps value Configures protocol storm protection for ARP IGMP or DHCP value Specifies the threshold value for...

Page 465: ...ion settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show port security interface interface id Displays port security settings for the switch or for the specified interface including the maximum allowed ...

Page 466: ...Port Security Examples This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50 The violation mode is the default no static secure MAC addresses are configured and sticky learning is enabled Switch config interface GigabitEthernet1 17 Switch config if switchport mode access Switch config if switchport port security Switch config if switchport...

Page 467: ... for the secure addresses on a port Switch config interface GigabitEthernet1 17 Switch config if switchport port security aging time 120 This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface Switch config if switchport port security aging time 2 Switch config if switchport port security aging ...

Page 468: ...ing Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands o...

Page 469: ...use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using SPAN traffic routed to a source VLAN cannot be monitored For example if incoming traffic is being monitored traffic that gets routed from another VLAN to the ...

Page 470: ...ch RSPAN session is carried over a user specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN Each RSPAN source switch must have either ports or VLANs as RSPAN sources The desti...

Page 471: ... you associate a set of source ports or source VLANs with an RSPAN VLAN The output of this session is the stream of SPAN packets that are sent to the RSPAN VLAN To configure an RSPAN destination session on another device you associate the destination port with the RSPAN VLAN The destination session collects all RSPAN VLAN traffic and sends it out the RSPAN destination port An RSPAN source session ...

Page 472: ... local SPAN and RSPAN in a single session That is an RSPAN source session cannot have a local destination port an RSPAN destination session cannot have a local source port and an RSPAN destination session and an RSPAN source session that are using the same RSPAN VLAN cannot run on the same switch Monitored Traffic Types for SPAN Sessions Receive Rx SPAN The goal of receive or ingress SPAN is to mo...

Page 473: ...urce packet are sent to the SPAN destination port For example a bidirectional both Rx and Tx SPAN session is configured for the Rx monitor on port A and Tx monitor on port B If a packet enters the switch through port A and is switched to port B both incoming and outgoing packets are sent to the destination port Both packets are the same unless a Layer 3 rewrite occurs in which case the packets are...

Page 474: ...se VLANs in the list are monitored on trunk ports or on voice VLAN access ports SPAN traffic coming from other port types is not affected by VLAN filtering that is all VLANs are allowed on other ports VLAN filtering affects only traffic forwarded to the destination SPAN port and does not affect the switching of normal traffic Destination Port Each local SPAN session or RSPAN destination session mu...

Page 475: ...on replicate enabled can contain a mixture of untagged or IEEE 802 1Q tagged packets For RSPAN the original VLAN ID is lost because it is overwritten by the RSPAN VLAN identification Therefore all packets appear on the destination port as untagged RSPAN VLAN The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions It has these special characteristics All traffic in the RSP...

Page 476: ...igured as a SPAN source port and still be a part of the EtherChannel In this case data from the physical port is monitored as it participates in the EtherChannel However if a physical port that belongs to an EtherChannel group is configured as a SPAN destination it is removed from the group After the port is removed from the SPAN session it rejoins the EtherChannel group Ports removed from an Ethe...

Page 477: ...ies you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches For RSPAN configuration you can distribute the source ports and the destination ports across multiple switches in your ...

Page 478: ... Native form untagged packets Ingress forwarding destination port Disabled VLAN filtering On a trunk interface used as a source port all VLANs are monitored RSPAN VLANs None configured Command Purpose 1 configure terminal Enters global configuration mode 2 no monitor session session_number all local remote Removes any existing SPAN configuration for the session session_number The range is 1 to 68 ...

Page 479: ...AN to monitor The range is 1 to 4096 excluding the RSPAN VLAN Note A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and source VLANs in one session Optional Specify a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional Specify the direction of traffi...

Page 480: ... it cannot be an EtherChannel and it cannot be a VLAN Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional encapsulation replicate Specifies that the destination interface replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged Note You can u...

Page 481: ...capsulation method If not selected the default is to send packets in native form untagged ingress Enables forwarding of incoming traffic on the destination port and specifies the encapsulation type dot1q vlan vlan id Accepts incoming packets with IEEE 802 1Q encapsulation with the specified VLAN as the default VLAN untagged vlan vlan id or vlan vlan id Accepts incoming packets with untagged encaps...

Page 482: ... port it cannot be an EtherChannel and it cannot be a VLAN Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional encapsulation replicate Specifies that the destination interface replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged 6 end Ret...

Page 483: ...ecifies the source VLAN to monitor The range is 1 to 4096 excluding the RSPAN VLAN A single session can include multiple sources ports or VLANs defined in a series of commands but you cannot combine source ports and source VLANs in one session Optional Specifies a series or range of interfaces Enter a space before and after the comma enter a space before and after the hyphen Optional Specify the d...

Page 484: ...es all remote SPAN sessions 6 monitor session session_number source remote vlan vlan id Specifies the RSPAN session and the source RSPAN VLAN session_number The range is 1 to 68 vlan id Specifies the source RSPAN VLAN to monitor 7 monitor session session_number destination interface interface id Specifies the RSPAN session and the destination interface session_number Enters the number defined in S...

Page 485: ...pecifies the destination interface The destination interface must be a physical interface Though visible in the command line help string encapsulation replicate is not supported for RSPAN The original VLAN ID is overwritten by the RSPAN VLAN ID and all packets appear on the destination port as untagged Optional Specifies a series or range of interfaces Enter a space before and after the comma ente...

Page 486: ...al sessions remote Removes all remote SPAN sessions 3 monitor session session_number source interface interface id Specifies the characteristics of the source port monitored port and SPAN session session_number The range is 1 to 68 interface id Specifies the source port to monitor The interface specified must already be configured as a trunk port 4 monitor session session_number filter vlan vlan i...

Page 487: ...source vlan 10 Switch config end This example shows how to remove any existing configuration on SPAN session 2 configure SPAN session 2 to monitor received traffic on Gigabit Ethernet source port 1 and send it to destination Gigabit Ethernet port 2 with the same egress encapsulation type as the source port and to enable ingress forwarding with IEEE 802 1Q encapsulation and VLAN 6 as the default in...

Page 488: ...nitor session 1 destination remote vlan 901 Switch config end This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2 to configure Gigabit Ethernet source port 2 as the destination interface and to enable forwarding of incoming traffic on the interface with VLAN 6 as the default receiving VLAN Switch config monitor session 2 source remote vlan 901 Switch config mo...

Page 489: ...by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and sup...

Page 490: ...486 Configuring SPAN and RSPAN Additional References ...

Page 491: ...lue descriptions and are referred to as TLVs LLDP supported devices can use TLVs to receive and send information to their neighbors This protocol can advertise details such as configuration information device capabilities and device identity The switch supports these basic management TLVs These are mandatory LLDP TLVs Port description TLV System name TLV System description TLV System capabilities ...

Page 492: ...s information and postal information Examples of civic location information are street address road name and postal community name information ELIN location information Provides the location information of a caller The location is determined by the emergency location identifier number ELIN which is a phone number that routes an emergency call to the local public safety answering point PSAP and whi...

Page 493: ...nk down Slot and port that was disconnected MAC address IP address 802 1X username if applicable Device category is specified as a wired station State is specified as delete Serial number UDI Time in seconds since the switch detected the disassociation When the switch shuts down it sends an attachment notification with the state delete and the IP address before closing the NMSP connection to the M...

Page 494: ... profile You cannot configure a network policy profile on a private VLAN port For wired location to function you must first enter the ip device tracking global configuration command LLDP MED TLVs By default the switch only sends LLDP packets until it receives LLDP MED packets from the end device It then sends LLDP packets with MED TLVs When the LLDP MED entry has been aged out it only sends LLDP p...

Page 495: ...rface interface id Specifies the interface on which you are enabling LLDP and enter interface configuration mode 4 lldp transmit Enables the interface to send LLDP packets 5 lldp receive Enables the interface to receive LLDP packets 6 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 lldp holdtime seconds Optional Specifies the amount of ti...

Page 496: ...ype voice signaling Specifies the voice signaling application type vlan Specifies the native VLAN for voice traffic vlan id Optional Specifies the VLAN for voice traffic The range is 1 to 4096 cos cvalue Optional Specifies the Layer 2 priority class of service CoS for the configured VLAN The range is 0 to 7 the default is 0 dscp dvalue Optional Specifies the differentiated services code point DSCP...

Page 497: ...figuring the location information and enters interface configuration mode 5 location additional location information word civic location id id elin location id id Enters location information for an interface additional location information Specifies additional information for a location or place civic location id Specifies global civic location information for an interface elin location id Specifi...

Page 498: ...ce show lldp entry entry name Displays information about a specific neighbor You can enter an asterisk to display all neighbors or you can enter the neighbor name show lldp interface interface id Displays information about interfaces with LLDP enabled You can limit the display to a specific interface show lldp neighbors interface id detail Displays information about neighbors including device type...

Page 499: ...e terminal Switch config network policy profile 1 Switch config network policy voice vlan 100 cos 4 Switch config network policy exit Switch config interface GigabitEthernet1 17 Switch config if network policy profile 1 Switch config if lldp med tlv select network policy Configuring Voice Application Example This example shows how to configure the voice application type for the native VLAN with pr...

Page 500: ... No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modifie...

Page 501: ...pically represented by a table in the NAT device Layer 2 NAT has two translation tables where private to public and public to private subnet translations can be defined Layer 2 NAT is a hardware based implementation that provides the same high level of bump on the wire wire speed performance This implementation also supports multiple VLANs through the NAT boundary for enhanced network segmentation...

Page 502: ...498 Configuring Layer 2 NAT ...

Page 503: ... device sends periodic messages to a multicast address advertising at least one address at which it can receive SNMP messages The advertisements also contain time to live or holdtime information which is the length of time a receiving device holds CDP information before discarding it Each device also listens to the messages sent by other devices to learn about neighboring devices On the switch CDP...

Page 504: ...ctivity Feature Default Setting CDP global state Enabled CDP interface state Enabled CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP Version 2 advertisements Enabled Command Purpose 1 configure terminal Enters global configuration mode 2 cdp timer seconds Optional Sets the transmission frequency of CDP updates in seconds The range is 5 to 254 the default...

Page 505: ...s frequency of transmissions and the holdtime for packets being sent show cdp entry entry name protocol version Displays information about a specific neighbor You can enter an asterisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or informat...

Page 506: ...ation Related Documents Standards MIBs RFCs Related Topic Document Title Cisco IOS basic commands Cisco IOS system management commands Cisco IOS Configuration Fundamentals Command Reference Switch cluster configuration Configuring Switch Clusters page 91 Standards Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this featu...

Page 507: ...nd alerts you Unidirectional links can cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic ...

Page 508: ...affic is flowing bidirectionally between the correct neighbors This check cannot be performed by autonegotiation because autonegotiation operates at Layer 1 Methods to Detect Unidirectional Links UDLD operates by using two methods Neighbor database maintenance UDLD learns about other UDLD capable neighbors by periodically sending a hello packet also called an advertisement or probe on every active...

Page 509: ... mode and to set the configurable message timer on all fiber optic ports on the switch TX TX RX RX Switch A Switch B Switch B successfully receives traffic from Switch A on this port 98648 However Switch A does not receive traffic from Switch B on the same port If UDLD is in aggressive mode it detects the problem and disables the port If UDLD is in normal mode the logical link is considered undete...

Page 510: ...n the advertisement phase and are detected to be bidirectional The range is from 1 to 90 seconds Note This command affects fiber optic ports only Use the udld interface configuration command to enable UDLD on other port types For more information see Enabling UDLD on an Interface page 506 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 ...

Page 511: ...es the disabled ports 5 errdisable recovery cause udld Optional Enables the timer to automatically recover from the UDLD error disabled state 6 errdisable recovery interval interval Optional Specifies the time to recover from the UDLD error disabled state 7 interface interface id Enters interface configuration mode 8 no udld port Optional Disables the UDLD fiber optic port 9 udld port aggressive O...

Page 512: ...OS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of pages of ...

Page 513: ...abilities Restrictions for RMON 64 bit counters are not supported for RMON alarms Information About RMON RMON RMON is an Internet Engineering Task Force IETF standard monitoring specification that allows various network agents and console systems to exchange network monitoring data You can use the RMON feature with the Simple Network Management Protocol SNMP agent in the switch to monitor all the ...

Page 514: ...an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardware counters for RMON data processing the monitoring is more efficient and little processing power is required Note 64 bit counters are not supported for RMON alarms RMON is disable...

Page 515: ...rd to test the change between samples of a MIB variable value Specifies a number at which the alarm is triggered and one for when the alarm is reset The range for the rising threshold and falling threshold values is 2147483648 to 2147483647 Optional event number Specifies the event number to trigger when the rising or falling threshold exceeds its limit Optional owner string Specifies the owner of...

Page 516: ...on history group of statistics The range is 1 to 65535 The default is 50 buckets Optional interval seconds Specifies the number of seconds in each polling cycle The range is 1 to 3600 The default is 1800 seconds Optional owner ownername Enters the name of the owner of the RMON group of statistics 4 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration...

Page 517: ... can be triggered again Creating an RMON Event Number Example The following example creates RMON event number 1 Switch config rmon event 1 log trap eventtrap description High ifOutErrors owner jjones The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this command This example...

Page 518: ...ure MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cis...

Page 519: ... that generated them has finished You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations You can time stamp log messages or set the syslog source address to enhance real time debugging and management You can access logged system messages by using the switch command line interface CLI or by saving them to a properly conf...

Page 520: ...tion To disable logging to the console use the no logging console global configuration command To disable logging to a terminal other than the console use the no logging monitor global configuration command To disable logging to syslog servers use the no logging trap global configuration command Table 49 on page 517 describes the level keywords It also lists the corresponding UNIX syslog definitio...

Page 521: ... from the network If this is the case with your system use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages Log in as root and perform these steps 1 Add a line such as the following to the file etc syslog conf local7 debug usr adm logs cisco log The local7 keyword specifies the logging facility ...

Page 522: ... supported by the software For more information about these facilities consult the operator s manual for your UNIX operating system Table 50 UNIX System Facilities Facility Type Keyword Description auth Authorization system cron Cron facility daemon System daemon kern Kernel local0 7 Locally defined messages lpr Line printer system mail Mail system news USENET news sys9 14 System use syslog System...

Page 523: ...in the middle of command output Setting the Message Display Destination Device If message logging is enabled you can send messages to specific locations in addition to the console Beginning in privileged EXEC mode use one or more of the following commands to specify the locations that receive messages Feature Default Setting System message logging to the console Enabled Console severity Debugging ...

Page 524: ...ver To build a list of syslog servers that receive logging messages enter this command more than once 4 logging file flash filename max file size min file size severity level number type Stores log messages in a file in flash memory filename Enters the log message filename Optional max file size Specifies the maximum logging file size The range is 4096 to 2147483647 The default is 4096 bytes Optio...

Page 525: ...an change the setting of the single vty line being used for your current connection For example to change the setting for vty line 2 enter line vty 2 When you enter this command the mode changes to line configuration 3 logging synchronous level severity level all limit number of buffers Enables synchronous logging of messages Optional level severity level Specifies the message severity level Messa...

Page 526: ...me stamps on log messages showing the time since the system was rebooted The second command enables time stamps on log messages Depending on the options selected the time stamp can include the date time in milliseconds relative to the local time zone and the time zone name 3 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 service sequence...

Page 527: ... records the session the user and the command that was entered to change the configuration You can configure the size of the configuration log from 1 to 1000 entries the default is 100 Configuring the UNIX System Logging Facility When sending system log messages to an external device you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities Command Pur...

Page 528: ...isplay Examples This example shows part of a logging display with the service timestamps log datetime global configuration command enabled Mar 1 18 46 11 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 This example shows part of a logging display with the service timestamps log uptime global configuration command enabled 00 00 46 LINK 3 UPDOWN Interface Port channel1 changed state to u...

Page 529: ... an example of output for the configuration log Switch show archive log config all idx sess user line Logged command 38 11 unknown user vty3 no aaa authorization config commands 39 12 unknown user vty3 no aaa authorization network default group radius 40 12 unknown user vty3 no aaa accounting dot1x default start stop group radius 41 13 unknown user vty3 no aaa accounting system default 42 14 temi ...

Page 530: ...by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description ...

Page 531: ...onfigure the SNMP engine ID using the snmp server engineID global configuration with the remote option The remote agent s SNMP engine ID and user password are used to compute the authentication and privacy digests If you do not configure the remote engine ID first the configuration command fails Restrictions for SNMP When configuring SNMP informs you need to configure the SNMP engine ID for the re...

Page 532: ...strative Framework of SNMPv2C while retaining the bulk retrieval and improved error handling of SNMPv2Classic It has these features SNMPv2 Version 2 of the Simple Network Management Protocol a Draft Internet Standard defined in RFCs 1902 through 1907 SNMPv2C The community string based Administrative Framework for SNMPv2 an Experimental Internet Protocol defined in RFC 1901 SNMPv3 Version 3 of the ...

Page 533: ...y string match for authentication SNMPv2C noAuthNoPriv Community string No Uses a community string match for authentication SNMPv3 noAuthNoPriv Username No Uses a username match for authentication SNMPv3 authNoPriv Message Digest 5 MD5 or Secure Hash Algorithm SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv MD5 or SHA Data Encryption Standard DES or Adva...

Page 534: ... does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings When a cluster is created the command switch manages the exchange of messages among member switches and the SNMP application Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management ...

Page 535: ...eived or the request times out Traps are sent only once but an inform might be resent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager receive every notification use inform requests If traffic on the network or memory in ...

Page 536: ...nd configure a trap manager to receive them To enable the sending of SNMP inform notifications use the snmp server enable traps global configuration command combined with the snmp server host host addr informs global configuration command Table 54 Switch Notification Types Notification Type Keyword Description bridge Generates STP bridge MIB traps config Generates a trap for SNMP configuration cha...

Page 537: ...urity snmp server enable traps port security trap rate rate rtr Generates a trap for the SNMP Response Time Reporter RTR snmp Generates a trap for SNMP type notifications for authentication cold start warm start link up or link down storm control Generates a trap for SNMP storm control You can also set a maximum trap rate per minute The range is from 0 to 1000 the default is 0 no limit is imposed ...

Page 538: ... not enter a value for the community string Feature Default Setting SNMP agent Disabled1 1 This is the default when the switch starts and the startup configuration does not have any snmp server global configuration commands SNMP trap receiver None configured SNMP traps None enabled except the trap for TCP connections tty SNMP version If no version keyword is present the default is Version 1 SNMPv3...

Page 539: ...nt stations to retrieve MIB objects or specifies read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional access list number Specifies an IP standard access list numbered from 1 to 99 and 1300 to 1999 3 access list access list number deny permit source source wildcard Optional If you...

Page 540: ...string with the name of the copy of SNMP You need not specify the entire 24 character engine ID if it has trailing zeros Specify only the portion of the engine ID up to the point where only zeros remain in the value For example to configure an engine ID of 123400000000000000000000 you can enter this snmp server engineID local 1234 If you select remote specify the ip address of the device that cont...

Page 541: ...NoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional read readview Specifies a string not to exceed 64 characters that is the name of the view in which you can only view the contents of the agent Optional...

Page 542: ...o exceed 64 characters If you enter v3 and the switch is running the cryptographic software image you can also configure a private priv encryption algorithm and password string priv password not to exceed 64 characters priv Specifies the User based Security Model USM des Specifies the use of the 56 bit DES algorithm 3des Specifies the use of the 168 bit DES algorithm aes Specifies the use of the D...

Page 543: ...ion 3 is specified enter the SNMPv3 username Note The symbol is used for delimiting the context information Avoid using the symbol as part of the SNMP community string when configuring this command Optional notification type Specifies a notification type Use the keywords listed in Table 54 on page 532 If no type is specified all notifications are sent 6 snmp server enable traps notification types ...

Page 544: ... notification type to CPU process utilization interrupt Sets the notification type to CPU interrupt utilization rising percentage Specifies the percentage 1 to 100 of CPU resources that when exceeded for the configured interval sends a CPU threshold notification interval seconds Specifies the duration of the CPU threshold violation in seconds 5 to 86400 that when met sends a CPU threshold notifica...

Page 545: ...dress of the TFTP servers that can access the switch Optional source wildcard Enters the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything 4 end Returns to privileged EXEC mode Command Purpose show snmp Displays SNMP statistics sho...

Page 546: ...sco com using the community string public Switch config snmp server community comaccess ro 4 Switch config snmp server enable traps snmp authentication Switch config snmp server host cisco com version 2c public Configure SNMP Traps Examples This example shows how to send entity MIB traps to the host cisco com The community string is restricted The first line enables the switch to send entity MIB t...

Page 547: ...P Example This example shows how to assign the string comaccess to SNMP to allow read only access and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent Switch config snmp server community comaccess ro 4 Additional References The following sections provide references related to switch administration ...

Page 548: ...o locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support...

Page 549: ...twork If you do not configure ACLs all packets passing through the switch could be allowed onto all parts of the network You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces For example you can allow e mail traffic to be forwarded but not Telnet traffic ACLs can be configured to block inbou...

Page 550: ... network or to part of a network Figure 74 on page 546 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs can only be applied to Layer 2 interfaces in the inbound direction Figure 74 Using ACL...

Page 551: ...acket A is a TCP packet from host 10 2 2 2 port 65000 going to host 10 1 1 1 on the SMTP port If this packet is fragmented the first fragment matches the first ACE a permit as if it were a complete packet because all Layer 4 information is present The remaining fragments also match the first ACE even though they do not contain the SMTP port information because the first ACE only checks Layer 3 inf...

Page 552: ...ontrol The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don t care mask of 0 0 0 0 are moved to the top of the list above any entries with non zero don t care masks Therefore in show command output and in the configuration file the ACEs do not necessarily appear in the order in which they were entered After creating a...

Page 553: ... list number whether the packet was permitted or denied the source IP address of the packet and the number of packets from that source permitted or denied in the prior 5 minute interval Numbered Extended ACL Although standard ACLs use only source addresses for matching you can use extended ACL source and destination addresses for matching operations and optional protocol type information for finer...

Page 554: ...d After creating a numbered extended ACL you can apply it to terminal lines see Applying an IPv4 ACL to a Terminal Line page 560 to interfaces see Applying an IPv4 ACL to an Interface page 560 or to VLANs see Monitoring and Maintaining Network Security with ACLs page 562 Resequencing ACEs in an ACL Sequence numbers for the entries in an access list are automatically generated when you create a new...

Page 555: ...n use the time range to define when the permit or deny statements in the ACL are in effect for example during a specified time period or on specified days of the week These are some of the many possible benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application identified by an IP address mask pair and a port number You can cont...

Page 556: ...enied by an access group These access group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message Port ACLs are an exception They do not generate ICMP unreachable messages ICMP unreachable messages can be disabled on router ACLs with the no ip unreachables interface command For inbound ACLs after receiving a packet the swi...

Page 557: ...XEC command to obtain some basic hardware ACL statistics for switched and routed packets Troubleshooting ACLs If this ACL manager message appears where chars is the access list name the switch then has insufficient resources to create a hardware representation of the ACL ACLMGR 2 NOVMR Cannot generate hardware representation of access list chars The resources include hardware memory and label spac...

Page 558: ...fault the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end With standard access lists if you omit the mask from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask Command Purpose 1 configure terminal Enters global configuration mode 2 access list access list number deny permit source source wi...

Page 559: ...555 Configuring Network Security with ACLs How to Configure Network Security with ACLs Creating a Numbered Extended ACL ...

Page 560: ...see steps 2b through 2e source The number of the network or host from which the packet is sent source wildcard Applies wildcard bits to the source destination The network or host number to which the packet is sent destination wildcard Applies wildcard bits to the destination source source wildcard destination and destination wildcard can be specified as The 32 bit quantity in dotted decimal format...

Page 561: ...rotocol The parameters are the same as those described in Step 2a with these exceptions Optional operator and port compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port number range requires tw...

Page 562: ...ed by the ICMP message code type a number from 0 to 255 icmp message Filters ICMP packets by the ICMP message type name or the ICMP message type and code name To see a list of ICMP message type names and code names use the or see the Configuring IP Services section of the Cisco IOS IP Configuration Guide Release 12 2 Step 2e access list access list number deny permit igmp source source wildcard de...

Page 563: ...rce wildcard host source any destination destination wildcard host destination any precedence precedence tos tos established log time range time range name In access list configuration mode specifies one or more conditions denied or permitted to decide if the packet is forwarded or dropped host source A source and source wildcard of source 0 0 0 0 any A source and source wildcard of 0 0 0 0 255 25...

Page 564: ...gure different hours for weekdays and weekends See the example configurations 4 end Returns to privileged EXEC mode Command Purpose 1 configure terminal Enters global configuration mode 2 line console vty line number Identifies a specific line to configure and enters in line configuration mode console Specifies the console terminal line The console port is DCE vty Specifies a virtual terminal for ...

Page 565: ...n also enter these options type mask Specifies an arbitrary EtherType number of a packet with Ethernet II or SNAP encapsulation in decimal hexadecimal or octal with optional mask of don t care bits applied to the EtherType before testing for a match lsap lsap mask Specifies an LSAP number of a packet with IEEE 802 2 encapsulation in decimal hexadecimal or octal with optional mask of don t care bit...

Page 566: ... Extended IP access list 102 10 deny tcp 171 69 198 0 0 0 0 255 172 20 52 0 0 0 0 255 eq telnet 20 permit tcp any any Command Purpose show access lists number name Displays the contents of one or all current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Displays the contents of all current IP access lists or a specific IP access list n...

Page 567: ...ig access list 188 deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive Using Named ACLs Example This example uses named ACLs to permit and deny the same tr...

Page 568: ...ist chars The flag related operators are not available To avoid this issue Move the fourth ACE before the first ACE by using ip access list resequence global configuration command permit tcp source source wildcard destination destination wildcard permit tcp source source wildcard destination destination wildcard range 5 60 permit tcp source source wildcard destination destination wildcard range 15...

Page 569: ... 95 The ACL is applied to traffic coming out of routed Port 1 from the specified source address Switch config access list 6 permit 172 20 128 64 0 0 0 31 Switch config end Switch show access lists Standard IP access list 6 permit 172 20 128 64 wildcard bits 0 0 0 31 Switch config interface GigabitEthernet1 17 Switch config if ip access group 6 out This example uses an extended ACL to filter traffi...

Page 570: ...u have a network connected to the Internet and you want any host on the network to be able to form TCP connections to any host on the Internet However you do not want IP hosts to be able to form TCP connections to hosts on your network except to the mail SMTP port of a dedicated mail host SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The same port num...

Page 571: ...hours of 8 00 a m and 6 00 p m 18 00 The example allows UDP traffic only on Saturday and Sunday from noon to 8 00 p m 20 00 Switch config time range no http Switch config periodic weekdays 8 00 to 18 00 Switch config time range udp yes Switch config periodic weekend 12 00 to 20 00 Switch config ip access list extended strict Switch config ext nacl deny tcp any any eq www time range no http Switch ...

Page 572: ...end Switch show logging Syslog logging enabled 0 messages dropped 0 flushes 0 overruns Console logging level debugging 37 messages logged Monitor logging level debugging 0 messages logged Buffer logging level debugging 37 messages logged File logging disabled Trap logging level debugging 39 message lines logged Log Buffer 4096 bytes 00 00 48 NTP authentication delay calculation problems output tru...

Page 573: ...command is only valid when applied to a physical Layer 2 interface You cannot use the command on EtherChannel port channels After receiving a packet the switch checks it against the inbound ACL If the ACL permits it the switch continues to process the packet If the ACL rejects the packet the switch discards it When you apply an undefined ACL to an interface the switch acts as if the ACL has not be...

Page 574: ...rds are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by th...

Page 575: ... ios 12_2 qos command reference fqos_r html Understanding QoS page 571 QoS Treatment for Performance Monitoring Protocols page 590 Configuring QoS page 600 Displaying QoS Information page 645 Configuration Examples for Policy Maps page 646 Understanding QoS Typically networks operate on a best effort delivery basis which means that all traffic has equal priority and an equal chance of being delive...

Page 576: ...nd traffic limiting features class based weighted fair queuing CBWFQ class based traffic shaping port shaping and class based priority queuing You can provide guaranteed bandwidth to a particular class of traffic while still servicing other traffic queues For more information see Congestion Management and Scheduling page 593 Queuing on the switch is enhanced with the weighted tail drop WTD algorit...

Page 577: ...ority queue limit or shape average commands for output policy maps Note A packet can match only one traffic class within a traffic policy If a packet matches more than one traffic class in the traffic policy the first traffic class defined in the policy is used To configure more than one match criterion for packets you can associate multiple traffic classes with a single traffic policy 3 Attach th...

Page 578: ...4 classes plus class default You can configure a maximum of 64 classes in an input policy Output Policy Maps Output policy map classification criteria include matching a CoS a DSCP an IP precedence or a QoS group value Output policy maps can have any of these actions Queuing queue limit Scheduling bandwidth priority and shape average Output policy maps do not support matching of access groups You ...

Page 579: ...e in the packet or by the VLAN ID Figure 78 on page 576 has examples of classification information carried in a Layer 2 or a Layer 3 IP packet header using six bits from the deprecated IP type of service ToS field to carry the classification information On ports configured as Layer 2 IEEE 802 1Q trunks all traffic is in 802 1Q frames except for traffic in the native VLAN Layer 2 802 1Q frame heade...

Page 580: ...tch against a specific traffic flow to further classify it If you have more than one type of traffic that you want to classify you can create another class map and use a different name When you enter the class map command with a class map name the switch enters the class map configuration mode In this mode you define the match criterion for the traffic by using the match class map configuration co...

Page 581: ...a non IP classification match cos or match access group for a MAC ACL in the same policy map or class map When an input policy map with only Layer 2 classification is attached to a routed port or a switch port containing a routed switch virtual interface SVI the service policy acts only on switching eligible traffic and not on routing eligible traffic On an 802 1Q tunnel port you can use only an i...

Page 582: ...ne end of the network to the other Entering Class Selector CS service values of 1 to 7 corresponding to IP precedence bits in the ToS field of the packet Using Expedited Forwarding EF to specify a low latency path This corresponds to a DSCP value of 46 EF services use priority queuing to preempt lower priority traffic classes This display shows the available classification options Switch config cm...

Page 583: ...r S VLAN by default The set cos policy map class configuration commands always apply to the outer most VLAN tag after processing is complete that is the S VLAN ID For example in 802 1Q tunnels entering a set cos command changes only the CoS value of the outer tag of the encapsulated packet When you configure a policy by entering the match dscp class map configuration command and you enter the set ...

Page 584: ... Note Only one access group is supported per class for an input policy map Classification Based on QoS Groups A QoS group is an internal label used by the switch to identify packets as a members of a specific class The label is not part of the packet header and is restricted to the switch that sets the label QoS groups provide a way to tag a packet for subsequent QoS action without explicitly mark...

Page 585: ...d in the input policy map for the same service class This allows the input marking and policing functions to be decoupled from the egress classification function if necessary because only the QoS group must be used for egress classification To communicate an ACL classification to an output policy you assign a QoS number to specify packets at ingress This example identifies specific packets as part...

Page 586: ... VLANs We also recommend that you restrict VLAN membership on the trunk ports to which the per port per VLAN is applied by using the switchport trunk allowed vlan interface configuration command Overlapping VLAN membership between trunk ports that have per port per VLAN policies with Layer 3 classification could also result in unexpected QoS behavior In this example the class maps in the child lev...

Page 587: ...Table maps are used only in input policy maps Table maps can be used to Correlate specific CoS DSCP or IP precedence values to specific CoS DSCP or IP precedence values Mark down a CoS DSCP or IP precedence value Assign defaults for unmapped values A table map includes one of these default actions default default value applies a specific default value 0 to 63 for all unmapped values default copy m...

Page 588: ...ss Packets that exceed the permitted average rate or burst rate are out of profile or nonconforming These packets are dropped or modified marked for further processing depending on the policer configuration Policing is used primarily on receiving interfaces You can attach a policy map with a policer only in an input service policy The only policing allowed in an output policy map is in priority cl...

Page 589: ... input interface configuration command Policing is done only on received traffic so you can only attach a policer to an input service policy You can use the conform action and exceed action policy map class configuration commands or the conform action and exceed action policy map class police configuration commands to specify the action to be taken when the packet conforms to or exceeds the specif...

Page 590: ... color policer For 2 rate 3 color policing you can then optionally set actions to perform on packets that conform to the specified CIR and PIR conform action packets that conform to the PIR but not the CIR exceed action and packets that exceed the PIR value violate action Note If the conform action is set to drop the exceed and violate actions are automatically set to drop If the exceed action is ...

Page 591: ...te policer as parameters in the policer aggregate global configuration command but you must enter the actions in a particular order See the configuration guideline in Configuring Input Policy Maps with Aggregate Policing page 617 After you configure the aggregate policer you create a policy map and an associated class map associate the policy map with the aggregate policer and apply the service po...

Page 592: ...g if switchport mode trunk Switch config if service policy input customer 1 ingress Switch config pmap c exit Unconditional Priority Policing Priority policing applies only to output policy maps You can use the priority policy map class configuration command in an output policy map to designate a low latency path or class based priority queuing for a specific traffic class With strict priority que...

Page 593: ...tions can use the marking information to judge the relative and absolute importance of the packet The marking function can use information from the policing function or directly from the classification function You can specify and mark traffic by using the set commands in a policy map for all supported QoS markings CoS IP DSCP IP precedence and QoS groups A set command unconditionally marks the pa...

Page 594: ...ge 590 QoS Treatment for IP SLA and TWAMP Probes page 590 QoS Marking for CPU Generated Traffic page 591 QoS Queuing for CPU Generated Traffic page 592 Configuration Guidelines page 592 Two Way Active Measurement Protocol For information about the Two Way Active Measurement Protocol TWAMP see Understanding TWAMP page 41 14 and Configuring TWAMP page 41 15 QoS Treatment for IP SLA and TWAMP Probes ...

Page 595: ...e dscp table map table map name precedence table map table map name cpu traffic qos dscp dscp_value cos table map table map name dscp table map table map name precedence table map table map name cpu traffic qos precedence precedence_value cos table map table map name dscp table map table map name precedence table map table map name cpu traffic qos qos group value You can mark CoS IP DSCP IP preced...

Page 596: ...os global configuration command with table mapping you can configure multiple marking and queuing policies to work together or independently You can queue native VLAN traffic based on the CoS markings configured using the cpu traffic qos global configuration command The cpu traffic qos command specifies the traffic to which it applies all CPU traffic only CPU IP traffic or only CPU non IP traffic ...

Page 597: ...e classified and queued by an output policy map based on the marked CoS value The CoS value of non IP packets is mapped by using the CoS value in the packet and the configured table map Packets can be classified and queued by an output policy map based on the marked CoS value If the cpu traffic qos cos global configuration command is configured with a map from value of DSCP or precedence and CoS T...

Page 598: ...her traffic classes with bandwidth or shape average depending on requirements These sections contain additional information about scheduling Traffic Shaping page 594 Class Based Weighted Fair Queuing page 595 Priority Queuing page 596 Traffic Shaping Traffic shaping is a traffic control mechanism similar to traffic policing While traffic policing is used in input policy maps traffic shaping occurs...

Page 599: ...50000000 Switch config pmap c exit The second policy level the child level is used to control a specific traffic stream or class as in this example Switch config policy map child Switch config pmap class class1 Switch config pmap c priority Switch config pmap c exit Note The total of the minimum bandwidth guarantees CIR for each queue of the child policy cannot exceed the total port shape rate Thi...

Page 600: ...ot eligible for any excess bandwidth and as a result receives no bandwidth Priority Queuing You can use the priority policy map class configuration command to ensure that a particular class of traffic is given preferential treatment With strict priority queuing the priority queue is constantly serviced All packets in the queue are scheduled and sent until the queue is empty Priority queuing allows...

Page 601: ...her traffic queues are configured to use 50 and 20 percent of the bandwidth that is left as in the previous example Switch config policy map policy1 Switch config pmap class out class1 Switch config pmap c priority Switch config pmap c police 200000000 Switch config pmap c exit Switch config pmap class out class2 Switch config pmap c bandwidth percent 50 Switch config pmap c exit Switch config pma...

Page 602: ...group in the same queue Setting a queue limit establishes a drop threshold for the associated traffic when congestion occurs Note You cannot configure queue size by using the queue limit policy map class command without first configuring a scheduling action bandwidth shape average or priority The only exception to this is when you configure queue limit for the class default of an output policy map...

Page 603: ...r of packets is from 16 to 544 in multiples of 16 where each packet is a fixed unit of 256 bytes Note For optimal performance we strongly recommend that you configure the queue limit to 272 or less Queue bandwidth and queue size queue limit are configured separately and are not interdependent You should consider the type of traffic being sent when you configure bandwidth and queue limit A large bu...

Page 604: ...se factors The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requirements and speed of the network Location of congestion points in the network These sections describe how to classify police and mark incoming traffic and schedule and q...

Page 605: ...han 256 you receive an error message and the configuration fails A profile is a combination of commit rate peak rate commit burst and peak burst You can attach one profile to multiple instances but if one of these characteristics differs the policer is considered to have a new profile You can specify 256 unique VLAN classification criteria within a per port per VLAN policy map across all ports on ...

Page 606: ...kets See the configuration sections for specific QoS features for more configuration guidelines related to each feature Using ACLs to Classify Traffic You can classify IP traffic by using IP standard or IP extended ACLs You can classify IP and non IP traffic by using Layer 2 MAC ACLs Follow these guidelines when configuring QoS ACLs You cannot match IP fragments against configured IP extended ACLs...

Page 607: ...ndard ACL repeating the command as many times as necessary For access list number enter the access list number The range is 1 to 99 and 1300 to 1999 Always use the permit keyword for ACLs used as match criteria in QoS policies QoS policies do not match ACLs that use the deny keyword For source enter the network or host from which the packet is being sent You can use the any keyword as an abbreviat...

Page 608: ...ing the packet The destination wildcard applies wildcard bits to the destination You can specify source destination and wildcards as The 32 bit quantity in dotted decimal format The keyword any for 0 0 0 0 255 255 255 255 any host The keyword host for a single host 0 0 0 0 Other keywords are optional and have these meanings precedence Enter to match packets with a precedence level specified as a n...

Page 609: ...fig ext macl exit Command Purpose 1 configure terminal Enter global configuration mode 2 mac access list extended name Create a Layer 2 MAC ACL by specifying the name of the list and enter extended MAC ACL configuration mode 3 permit host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Always use the permit keyword for ACLs used as match criteria in QoS policies For src MAC add...

Page 610: ...cy in input hierarchical policy maps for per port per VLAN QoS on trunk ports A policy is considered a parent policy map when it has one or more of its classes associated with a child policy map Each class within a parent policy map is called a parent class You can configure only the match vlan command in parent classes You cannot configure the match vlan command in classes within the child policy...

Page 611: ... Matching access groups is supported only in input policy maps For cos cos list enter a list of up to four CoS values in a single line to match against incoming packets Separate each value with a space You can enter multiple cos list lines to match more than four CoS values The range is 0 to 7 For ip dscp dscp list enter a list of up to eight IPv4 DSCP values to match against incoming packets Sepa...

Page 612: ...ow to create a parent class map called parent class which matches incoming traffic with VLAN IDs in the range from 30 to 40 Switch config class map match any parent class Switch config cmap match vlan 30 40 Switch config cmap exit Configuring Table Maps You can configure table maps to manage a large number of traffic flows with a single command You use table maps to correlate specific DSCP IP prec...

Page 613: ...put policy maps You can attach a service policy only to a physical port You can attach only one input policy map and one output policy map per port Command Purpose 1 configure terminal Enter global configuration mode 2 table map table map name Create a table map by entering a table map name and entering table map configuration mode 3 map from from value to to value Enter the mapping values to be i...

Page 614: ...s After you have attached a single level policy map to an interface by using the service policy input interface configuration command you can modify the policy without detaching it from the interface You can add or delete classification criteria add or delete classes add or delete actions or change the parameters of the configured actions policers rates mapping marking and so on This also applies ...

Page 615: ...er reserved for internal use When CPU protection is enabled the default you can configure 45 ingress policers per port If you disable CPU protection by entering the no policer cpu uni all global configuration command and reloading the switch you can configure a maximum of 63 policers per port 62 on every 4th port for user defined classes and one for class default You can enter the show policer cpu...

Page 616: ...ame precedence table table map name or conform action ip dscp dscp_value cos table table map name dscp table table map name precedence table table map name or conform action ip precedence precedence_value cos table table map name dscp table table map name precedence table table map name or conform action qos group value or transmit Optional Enter the action to be taken on packets that conform to t...

Page 617: ...table map default behavior is copy See Configuring Table Maps page 608 For qos group value identify a QoS group to be used at egress to identify specific packets The range is from 0 to 99 Note You can enter a single exceed action as part of the command string following the police command Or you can press Enter after the police command to enter policy map class police configuration mode where you c...

Page 618: ...he class of traffic By default no policer is defined For rate bps specify average traffic rate in bits per second bps The range is 8000 to 1000000000 For cir cir bps specify a committed information rate at which the bc token bucket is updated in bits per second b s The range is 8000 to 1000000000 For burst bytes optional specify the normal burst size in bytes The range is 8000 to 1000000 Optional ...

Page 619: ...tional For action specify one of these actions to perform on the packets drop Drop the packet Note If the conform action is set to drop the exceed and violate actions are automatically set to drop If the exceed action is set to drop the violate action is automatically set to drop set cos transmit cos value Enter a new CoS value to be assigned to the packet and send the packet The range is from 0 t...

Page 620: ...p c police cir 5000000 pir 8000000 Switch config pmap c police conform action transmit Switch config pmap c police exceed action set dscp transmit 24 Switch config pmap c police violate action drop Switch config pmap c police end This example shows how to create a traffic classification with a CoS value of 4 create a policy map and attach it to an ingress port The average traffic rate is limited t...

Page 621: ...using table maps The policy map sets a committed information rate of 23000 bps and a conform burst size of 10000 bytes The policy map includes the default conform action transmit and the exceed action to mark the Layer 2 CoS value based on the table map and to mark IP DSCP to af41 Switch config policy map in policy Switch config pmap class in class 1 Switch config pmap c police cir 23000 bc 10000 ...

Page 622: ...f the associated class map represents an IP classification the map from type of action that references the table map must be either dscp or precedence If the associated class map represents a non IP classification the map from type of action that references the table map must be cos Table maps are not supported for violate action for aggregate policing unless a table map is configured for exceed a...

Page 623: ...00 bytes Optional For conform action specify the action to take on packets that conform to the CIR The default is to send the packet Optional For exceed action specify the action to take on packets that exceed the CIR The default is to drop the packet See the command reference for this release or Configuring Input Policy Maps with Individual Policing page 611 for definitions of the available keywo...

Page 624: ...rst bytes optional specify the normal burst size in bytes The range is 8000 to 1000000 Optional For bc conform burst specify the conformed burst used by the first token bucket for policing The range is 8000 to 1000000 bytes Optional For pir pir bps specify the peak information rate at which the second token bucket for policing is updated The range is 8000 to 1000000000 bits per second If you do no...

Page 625: ...onfig if service policy input testexample Switch config if exit This example shows how to create a 2 rate 3 color aggregate policer and attach it to multiple classes within a policy map The policy map is attached to an ingress port Switch config policer aggregate example cir 10900000 pir 80000000 conform action transmit exceed action drop violate action drop Switch config class map testclass1 Swit...

Page 626: ...arks traffic Command Purpose 1 configure terminal Enter global configuration mode 2 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode 3 class class map name class default Enter a class map name or class default to match all unclassified packets and enter policy map class configuration mode If you enter a class map name you must h...

Page 627: ...p where the parent level defines the VLAN based classification and the child level defines the QoS policy to be applied to the corresponding VLAN or VLANs You can configure multiple service classes at the parent level to match different combinations of VLANs and you can apply independent QoS policies to each parent service class using any child policy map A policy is considered a parent policy map...

Page 628: ...icy is attached Not following this rule could result in improper QoS behavior for traffic ingressing the switch on these VLANs We also recommend that you restrict VLAN membership on the trunk ports to which the per port per VLAN is applied by using the switchport trunk allowed vlan interface configuration command Overlapping VLAN membership between trunk ports that have per port per VLAN policies ...

Page 629: ... is supported For access group acl index or name specify the number or name of an ACL Matching access groups is supported only in input policy maps For cos cos list enter a list of up to four CoS values in a single line to match against incoming packets Separate each value with a space You can enter multiple cos list lines to match more than four CoS values The range is 0 to 7 For ip dscp dscp lis...

Page 630: ...VLANs separated by a hyphen to be used in a parent policy map for per port per VLAN QoS on a trunk port The VLAN ID range is 1 to 4094 You can also enter the match vlan command multiple times to match multiple VLANs 4 end Return to privileged EXEC mode 5 show class map Verify your entries 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose 1 co...

Page 631: ...e and enter policy map configuration mode 3 class parent class map name Enter the parent class map name and enter policy map class configuration mode 4 service policy child policy map name Associate the child policy map with the parent policy map 5 end Return to privileged EXEC mode 6 show policy map parent policy map name class class map name Verify your entries 7 copy running config startup conf...

Page 632: ...ass customer1 vlan Switch config pmap c service policy child policy 1 Switch config pmap c exit Switch config pmap class customer2 vlan Switch config pmap c service policy child policy 2 Switch config pmap c exit Switch config interface fastethernet0 1 Switch config if switchport mode trunk Switch config if switchport trunk allowed vlan 100 105 110 120 Switch config if service policy input uni par...

Page 633: ...n you create the policy map even if you are not ready to use all three at that time You cannot add a class to a policy map after it has been attached to an interface When at least one output policy map is attached to a active port other active ports without output policy maps attached might incorrectly schedule and incorrectly order traffic that uses the same classes as the attached output policy ...

Page 634: ...the classes the same proportion as the CIR rates If you configure the CIR rate of a class to be 0 that class is not eligible for any excess bandwidth and will receive no bandwidth Beginning in privileged EXEC mode follow these steps to use CBWFQ to control bandwidth allocated to a traffic class by specifying a minimum bandwidth as a bit rate or a percentage Command Purpose 1 configure terminal Ent...

Page 635: ... used for the committed information rate CIR for the class Follow these guidelines when configuring class based shaping Configuring a queue for traffic shaping sets the maximum bandwidth or peak information rate PIR of the queue Configuring traffic shaping automatically also sets the minimum bandwidth guarantee or CIR of the queue to the same value as the PIR You cannot configure CBWFQ bandwidth o...

Page 636: ...mode 3 class class map name class default Enter a child class map name or class default to match all unclassified packets and enter policy map class configuration mode 4 shape average target bps Specify the average class based shaping rate For target bps specify the average bit rate in bits per second The range is from 64000 to 1000000000 5 exit Return to policy map configuration mode 6 exit Retur...

Page 637: ...queues can possibly delay packets in other queues and create unnecessary congestion You can configure strict priority queuing priority without police or you can configure an unconditional priority policer priority with police Follow these guidelines when configuring priority queuing You can associate the priority command with a single unique class for all attached output policies on the switch Whe...

Page 638: ... out class1 Switch config pmap c priority Command Purpose 1 configure terminal Enter global configuration mode 2 class map class map name Create classes for three egress queues Enter match conditions classification for each class 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode 4 class class map name Enter the name of the prio...

Page 639: ...000000000 bps even though the range that appears in the CLI help is 8000 to 1000000000 You cannot attach an output service policy with an out of range rate You cannot configure priority with policing for a traffic class when bandwidth remaining percent is configured for another class in the same output policy map You can configure 1 rate 2 color policers for output policies with priority You canno...

Page 640: ...priority in an output policy map only the default conform action of transmit is supported Although visible in the command line help string the other police conform actions are not supported in output policy maps 8 exceed action drop Optional Enter the action to be taken for packets that do not conform to the CIR If no action is entered the default action is to drop the packet Note You can enter a ...

Page 641: ...il drop WTD adjusts the queue size buffer size associated with a traffic class You configure WTD by using the queue limit policy map class configuration command Follow these guidelines when configuring WTD Configuring WTD with the queue limit command is supported only when you first configure a scheduling action such as bandwidth shape average or priority The exception to this is when you are conf...

Page 642: ...but different threshold values would create a new unique queue limit configuration Beginning in privileged EXEC mode follow these steps to use WTD to adjust the queue size for a traffic class Command Purpose 1 configure terminal Enter global configuration mode 2 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode 3 class class map ...

Page 643: ...specify an IP precedence value The range is from 0 to 7 Optional For qos group value enter a QoS group value The range is from 0 to 99 For number of packets set the minimum threshold for WTD The range is from 16 to 544 in multiples of 16 where each packet is a fixed unit of 256 bytes Note For optimal performance we strongly recommend that you configure the queue limit to 272 or less The value is s...

Page 644: ... map table map name dscp table map table map name prec table map table map name Mark traffic by setting a new CoS value or by specifying a table map For cos value enter a new CoS value The range is from 0 to 7 You can also mark CoS based on the CoS DSCP or IP precedence value You can optionally use a table map to configure CoS If you do not enter table map table map name the table map default beha...

Page 645: ...verride 4 critical 5 internet 6 network 7 You can also configure a table map to mark precedence based on the CoS DSCP or IP precedence value You can optionally enter the table name If you do not enter table map table map map name the table map default behavior is copy See Table Maps page 583 When you complete this step go to Step 7 on page 641 6 cpu traffic qos qos group qos group value Mark traff...

Page 646: ...map class class default Switch config pmap c bandwidth percent 30 Switch config pmap c exit Interface Switch config interface fastethernet0 1 Switch config if service policy output output policy Switch config pmap c exit Example 2 This example shows how to mark the CoS of CPU generated IP traffic including IP SLA and TWAMP based on the DSCP value in the packet and to configure egress queuing based...

Page 647: ...ig cpu traffic qos cos dscp table map dscp to cos Switch config cpu traffic qos cos cos Class Switch config class map match any video Switch config cmap match cos 3 Switch config cmap exit Switch config class map match any voice Switch config cmap match cos 5 Switch config cmap exit Switch config class map match any network internetwork control Switch config cmap match cos 6 7 Switch config cmap e...

Page 648: ...generated IP packets the CoS value resets to 0 All CPU generated non IP traffic with the CoS values of 5 6 and 7 retain the existing markings For all other CPU generated non IP packets the CoS value resets to 0 All CPU generated traffic goes through a single class called cpu traffic The user voice classes user voice and user video are reserved for user traffic As a result CPU traffic and user traf...

Page 649: ...ercent 40 Switch config pmap c exit Switch config pmap class cpu traffic Switch config pmap c bandwidth percent 10 Switch config pmap c exit Switch config pmap class class default Switch config pmap c bandwidth percent 30 Switch config pmap c exit Interface Switch config interface fastethernet0 1 Switch config if service policy output output policy Switch config pmap c exit Displaying QoS Informat...

Page 650: ...CoS values of the incoming frames on the port These statistics do not provide any information about the MQC input policy map configured on the interface For output policy maps you can use the show policy map interface interface id command to display per class classification statistics that show the total number of packets that match the specified class This count includes the total number of packe...

Page 651: ...s Each class configuration must be based on the classification marking done in the input policy map This example configures classes for input service policies and defines three classes of service gold silver and bronze Because a match all classification the default can have only single classification criterion the match any classification is used so that you can add classification criteria in the ...

Page 652: ... pmap class silver out Switch config pmap c shape average 200000 Switch config pmap c exit Switch config pmap class bronze out Switch config pmap c bandwidth percent 10 Switch config pmap c exit This example attaches the input and output service policies to the Gigabit Ethernet ports and activates them Switch config interface range GigabitEthernet1 17 18 Switch config if range service policy input...

Page 653: ...config cmap exit This example modifies classes for an output service policy adding classification criteria to the silver out class to also match dscp cs5 This adds dscp cs5 to the silver out class on all configured and attached output service policies The dscp cs5 flow now receives the same queuing and scheduling treatment as the silver out class Switch config terminal Switch config class map matc...

Page 654: ... the output policy map The defined classes must be the same as other output policy maps The number of defined classes in each output policy map must be same You must assign an action to each class that is there can be no empty class Each class configuration must be based on the classification marking done in the input policy map These steps shut down all ports carrying the output policy in this ca...

Page 655: ...s from all Ethernet ports Delete the class Reattach the output policies to the Ethernet ports Take the Ethernet ports out of the shutdown state These steps shut down all active and applicable Ethernet ports Switch config interface range GigabitEthernet1 17 18 Switch config if range shutdown Switch config if range exit These steps detach all output policies from the affected Ethernet ports Switch c...

Page 656: ...ervice policy Note Problems can occur if you do not follow the previous sequence When a policy map is attached to an interface all traffic that does not explicitly match the configured class maps within the policy map should go through the default queue class class default However in some cases traffic that does not explicitly match the output policy map classes could go through more than one queu...

Page 657: ...dcast domain and keeps local traffic local However network devices in different VLANs cannot communicate with one another without a Layer 3 device to route traffic between the VLANs referred to as inter VLAN routing You configure one or more routers to route traffic to the appropriate destination VLAN Figure 83 on page 653 shows a basic routing topology Switch A is in VLAN 10 and Switch B is in VL...

Page 658: ...atic routes including user configured routes and the default route and any directly connected routes and default routes for the management interface The switch can have an IP address assigned to each SVI Before enabling routing enter the sdm prefer lanbase routing global configuration command and reload the switch Procedures for configuring routing To support VLAN interfaces create and configure V...

Page 659: ...move a static route The switch retains static routes until you remove them When an interface goes down all static routes through that interface are removed from the IP routing table When the software can no longer find a valid next hop for the address specified as the forwarding router s address in a static route the static route is also removed from the IP routing table Monitoring and Maintaining...

Page 660: ...re supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this fe...

Page 661: ... this URL http www cisco com en US products ps6553 products_ios_technology_home html For information about IPv6 and other features in this chapter See the Cisco IOS IPv6 Configuration Library at this URL http www cisco com en US docs ios xml ios ipv6 configuration 15 1mt ipv6 15 1mt book html This section describes IPv6 implementation on the switch These sections are included IPv6 Addresses page 6...

Page 662: ... page 660 SNMP and Syslog Over IPv6 page 661 HTTP over IPv6 page 661 Support on the switch includes expanded address capability header format simplification improved support of extensions and options and hardware parsing of the extension header The switch supports hop by hop extension header packets which are routed or bridged in software 128 Bit Wide Unicast Addresses The switch supports aggregat...

Page 663: ...ICMPv6 redirect for routes with mask lengths less than 64 bits ICMP redirect is not supported for host routes or for summarized routes with mask lengths greater than 64 bits Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the process of obtaining the next hop forwarding information to route an IPv6 packet The switch drops any additional IPv6 p...

Page 664: ... usage to both IPv4 and IPv6 protocols Figure 84 shows a router forwarding both IPv4 and IPv6 traffic through the same interface based on the IP packet and destination addresses Figure 84 Dual IPv4 and IPv6 Support on an Interface Use the dual IPv4 and IPv6 switch database management SDM template to enable dual stack environments supporting both IPv4 and IPv6 The dual IPv4 and IPv6 templates allow...

Page 665: ...nsport mechanism called SR_IPV6_TRANSPORT Sends SNMP notifications over IPv6 transport Supports SNMP named access lists for IPv6 transport Supports SNMP proxy forwarding using IPv6 transport Verifies SNMP Manager feature works with IPv6 transport For information on SNMP over IPv6 including configuration procedures see the Managing Cisco IOS Applications over IPv6 chapter in the Cisco IOS IPv6 Conf...

Page 666: ... address on an interface automatically configures a link local address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multicast group FF02 0 0 0 0 1 ff00 104 for each unicast address assigned to the interface this address is used in the neighbor discovery process all nodes link local multicast group FF0...

Page 667: ...identifier EUI in the low order 64 bits of the IPv6 address Specifies only the network prefix the last 64 bits are automatically computed from the switch MAC address This enables IPv6 processing on the interface Specifies a link local address on the interface to be used instead of the link local address that is automatically configured when IPv6 is enabled on the interface This command enables IPv...

Page 668: ...dded to the bucket The range is from 0 to 2147483647 milliseconds bucketsize Optional The maximum number of tokens stored in the bucket The range is from 1 to 200 3 end Returns to privileged EXEC mode Command Purpose show ipv6 interface interface id Displays IPv6 interface status and configuration show ipv6 mtu Displays IPv6 MTU per destination cache show ipv6 neighbors Displays IPv6 neighbor cach...

Page 669: ...gh for the router on an interface Switch configure terminal Switch config interface gigabitethernet1 0 1 Switch config if ipv6 nd router preference high Switch config if end Configuring an IPv6 ICMP Error Message Interval This example shows how to configure an IPv6 ICMP error message interval of 50 milliseconds and a bucket size of 20 tokens Switch config ipv6 icmp error interval 50 20 Displaying ...

Page 670: ...Static U Per user Static route L FF00 8 0 0 via Null0 receive This is an example of the output from the show ipv6 traffic privileged EXEC command Switch show ipv6 traffic IPv6 statistics Rcvd 1 total 1 local destination 0 source routed 0 truncated 0 format errors 0 hop count exceeded 0 bad header 0 unknown option 0 bad source 0 unknown protocol 0 not a router 0 fragments 0 total reassembled 0 reas...

Page 671: ...oup reduce 0 router solicit 9944 router advert 0 redirects 84 neighbor solicit 84 neighbor advert UDP statistics Rcvd 0 input 0 checksum errors 0 length errors 0 no port 0 dropped Sent 26749 output TCP statistics Rcvd 0 input 0 checksum errors Sent 0 output 0 retransmitted Additional References The following sections provide references related to switch administration ...

Page 672: ... feature and support for existing standards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support fo...

Page 673: ...n access or trunk mode or a routed port Figure 85 on page 671 shows a network configured with link state tracking To enable link state tracking create a link state group and specify the interfaces that are assigned to the link state group In a link state group these interfaces are bundled together The downstream interfaces are bound to the upstream interfaces Interfaces connected to servers are re...

Page 674: ... router fails the cables are disconnected or the link is lost These are the interactions between the downstream and upstream interfaces when link state tracking is enabled If any of the upstream interfaces are in the link up state the downstream interfaces can change to or remain in the link up state If all of the upstream interfaces become unavailable link state tracking automatically puts the do...

Page 675: ...or any group 141680 Network Layer 3 link Server 1 Server 2 Server 3 Server 4 Distribution switch 1 Distribution switch 2 Switch A Switch B Port 1 Port 5 Port 4 Port 3 Port 2 Port 2 Port 3 Port 4 Port 8 Port 7 Port 6 Port 5 Port 1 Port 6 Port 7 Port 8 Link state group 2 Link state group 1 Link state group 1 Link state group 2 Link state group 2 Link state group 1 Link state group 1 Primary link Sec...

Page 676: ...Group 1 Status Enabled Down Upstream Interfaces Fa1 7 Dwn Fa1 8 Dwn Downstream Interfaces Fa1 3 Dis Fa1 4 Dis Fa1 5 Dis Fa1 6 Dis Link State Group 2 Status Enabled Down Upstream Interfaces Fa1 6 Dwn Fa1 7 Dwn Fa1 8 Dwn Downstream Interfaces Fa1 2 Dis Fa1 3 Dis Fa1 4 Dis Fa1 5 Dis Command Purpose 1 configure terminal Enters global configuration mode 2 link state track number Creates a link state gr...

Page 677: ...witch config interface range GigabitEthernet1 17 2 Switch config if link state group 1 upstream Switch config if interface GigabitEthernet1 17 Switch config if link state group 1 downstream Switch config if interface GigabitEthernet1 17 Switch config if link state group 1 downstream Switch config if interface GigabitEthernet1 18 Switch config if link state group 1 downstream Switch config if end A...

Page 678: ... locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support ...

Page 679: ...page 730 This chapter includes the following sections Information About Cisco s Implementation of IP Multicast Routing page 675 Prerequisites page 685 Guidelines and Limitations page 686 Default Settings page 688 Configuring IP Multicast Routing page 688 Configuring Advanced PIM Features page 710 Configuring Optional IGMP Features page 712 Configuring Optional Multicast Routing Features page 721 V...

Page 680: ...on on the location or number of members in a multicast group A host can be a member of more than one multicast group at a time How active a multicast group is and what members it has can vary from group to group and from time to time A multicast group can be active for a long time or it can be very short lived Membership in a group can constantly change A group that has members can have no activit...

Page 681: ... Sparse Mode Protocol Specification draft ietf idmr igmp v2 06 txt Internet Group Management Protocol Version 2 draft ietf pim v2 dm 03 txt PIM Version 2 Dense Mode This section includes the following topics PIM Versions page 677 PIM Modes page 678 PIM Stub Routing page 678 IGMP Helper page 679 Auto RP page 679 Bootstrap Router page 680 Multicast Forwarding and Reverse Path Check page 680 PIM Vers...

Page 682: ...ers It also registers sources through register messages received from the source s first hop router designated router DR to complete the shared tree path from the source to the receiver When using a shared tree sources must send their traffic to the RP so that the traffic reaches all receivers Prune messages are sent up the distribution tree to prune multicast group traffic This action permits bra...

Page 683: ...he need to manually configure the RP information in every router and multilayer switch in the network For Auto RP to work you configure a Cisco router or multilayer switch as the mapping agent It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements Candidate RPs periodically send multicast RP announce messages to a par...

Page 684: ...essage in their local RP cache The routers and switches select the same RP for a given group because they all use a common RP hashing algorithm Multicast Forwarding and Reverse Path Check With unicast routing routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of th...

Page 685: ...lticast The Source Specific Multicast SSM feature is an extension of IP multicast in which datagram traffic is forwarded to receivers from only those multicast sources that the receivers have explicitly joined For multicast groups configured for SSM only SSM distribution trees no shared trees are created SSM Components Overview SSM is a datagram delivery model that best supports one to many applic...

Page 686: ...of the IP multicast group address range Cisco IOS software allows SSM configuration for the IP multicast address range of 224 0 0 0 through 239 255 255 255 When an SSM range is defined existing IP multicast receiver applications do not receive any traffic when they try to use an address in the SSM range unless the application is modified to use an explicit S G channel subscription SSM Operations A...

Page 687: ...erships for the well known sources associated with this group When the router receives an IGMPv1 or IGMPv2 membership report for a group the router uses SSM mapping to determine one or more source IP addresses for the group SSM mapping then translates the membership report as an IGMPv3 report and continues as if it had received an IGMPv3 report The router then sends PIM joins and continues to be j...

Page 688: ... Thus the server side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel To look up one or more source addresses for a group that includes G1 G2 G3 and G4 you must configure these DNS records on the DNS server G4 G3 G2 G1 multicast domain timeout IN A source address 1 IN A source address 2 IN A source address n Refer to your DNS server do...

Page 689: ...y 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The RP deletes the link to Router C from the outgoing interface of S G The RP triggers a prune ...

Page 690: ...es in the domain use the PIMv2 hash function to select multiple RPs Dense mode groups in a mixed PIMv1 and PIMv2 region need no special configuration they automatically interoperate Sparse mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto RP feature in PIMv1 interoperates with the PIMv2 RP feature Although all PIMv2 devices can also use PIMv1 we recommend that the RPs be ...

Page 691: ...ls sharing the same group they do not benefit from these existing mechanisms Instead both receivers receive all S G channel traffic and filter out the unwanted traffic on input Because SSM can re use the group addresses in the SSM range for many independent applications this situation can lead to decreased traffic filtering in a switched network For this reason it is important to use random IP add...

Page 692: ... with these reports Default Settings Configuring IP Multicast Routing This section includes the following topics Configuring Basic Multicast Routing page 689 required Configuring PIM Stub Routing page 691 optional Configuring Source Specific Multicast page 692 Configuring SSM Mapping page 693 Configuring a Rendezvous Point page 697 required if the interface is in sparse dense mode and you want to ...

Page 693: ...going interface might not be able to sustain line rate for multicast traffic because of the extra unnecessary replication In populating the multicast routing table dense mode interfaces are always added to the table Sparse mode interfaces are added to the table only when periodic join messages are received from downstream devices or when there is a directly connected member on the interface When f...

Page 694: ...ser network interfaces UNIs and enhanced network interfaces ENIs are disabled and network node interfaces NNIs are enabled 5 ip pim version 1 2 Configure the PIM version on the interface By default Version 2 is enabled and is the recommended setting An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor The interface returns to Version 2 mode after...

Page 695: ...ing to assist the PIM stub router behavior DETAILED STEPS To disable PIM stub routing on an interface use the no ip pim passive interface configuration command EXAMPLE In this example IP multicast routing is enabled Switch A PIM uplink port 25 is configured as a routed uplink port with spare dense mode enabled PIM stub routing is enabled on the VLAN 100 interfaces and on Gigabit Ethernet port 20 i...

Page 696: ...stub configuration and status show ip pim interface displays the PIM stub that is enabled on each interface show ip igmp detail displays the interested clients that have joined the specific multicast source group show ip igmp mroute verifies that the multicast stream forwards from the source to the interested clients Configuring Source Specific Multicast This section describes how to configure sou...

Page 697: ...SM Mapping page 696 optional Configuring Static SSM Mapping BEFORE YOU BEGIN See Information About Source Specific Multicast Mapping page 683 and SSM Mapping Configuration Guidelines page 688 Before you configure SSM mapping enable IP multicast routing enable PIM sparse mode and configure SSM For information on enabling IP multicast routing and PIM sparse mode see Configuring Basic Multicast Routi...

Page 698: ...lobal configuration mode 2 ip igmp ssm map enable Enable SSM mapping for groups in the configured SSM range Note By default this command enables DNS based SSM mapping 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM...

Page 699: ... enable Switch config ip name server 10 0 0 0 Switch config end Command Purpose 1 configure terminal Enter global configuration mode 2 ip igmp ssm map enable Enable SSM mapping for groups in a configured SSM range 3 ip igmp ssm map query dns Optional Enable DNS based SSM mapping By default the ip igmp ssm map command enables DNS based SSM mapping Only the no form of this command is saved to the ru...

Page 700: ...ically forwarded groups on Ethernet interface 0 interface ethernet 0 ip igmp static group 239 1 2 1 source ssm map Command Purpose 1 configure terminal Enter global configuration mode 2 interface type number Select an interface on which to statically forward traffic for a multicast group using SSM mapping and enter interface configuration mode Note Static forwarding of traffic with SSM mapping wor...

Page 701: ...through register messages received from the source s first hop router designated router and forwarded to the RP Receivers of multicast packets use RPs to join a multicast group by using explicit join messages RPs are not members of the multicast group rather they serve as a meeting place for multicast sources and group members You can configure a single RP for multiple groups defined by an access ...

Page 702: ...dard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with this command and one learned by Auto RP or BSR the RP configured with this command prevails 3 access list access list number deny permit source source wildcard Create a standard access list repeating the co...

Page 703: ...faces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 699 optional Adding Auto RP to an Existing Sparse Mode Cloud page 699 optional Preventing Join Messages to False RPs page 701 optional Filtering Incoming RP Announce...

Page 704: ...P address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that the RP announce messages reach all mapping agents in the network There is no default setting The range is 1 to 255 For group list access list number enter an IP standard access list number from 1 to 99 If no access list is conf...

Page 705: ...igured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim accept rp command accepting the RP must be configured as follows Switch config ip pim accept rp 172 10 20 1 1 Switch config access list 1 permit ...

Page 706: ...n all mapping agents to avoid inconsistencies in Auto RP operations An improperly configured ip pim rp announce filter command may result in RP announcements being ignored In addition the ip pim rp announce filter command should only be configured on the mapping agent if not the command will fail because non mapping agents do not listen to group 224 0 1 39 and do not know how to distribute the nec...

Page 707: ...o conflicts occur in the Group to RP mapping information 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number enter the access list number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched...

Page 708: ...nnouncements from 172 16 5 1 or 172 16 2 1 if the announcements are for any groups in the 239 0 0 0 through 239 255 255 255 range This range is the administratively scoped address range Configuring PIMv2 BSR These sections describe how to set up BSR in your PIMv2 network Defining the PIM Domain Border page 704 optional Defining the IP Multicast Boundary page 705 optional Configuring Candidate BSRs...

Page 709: ...obal configuration mode 2 interface interface id Specify the interface to be configured and enter interface configuration mode 3 no shutdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled 4 ip pim bsr border Define a PIM bootstrap message boundary for the PIM domain Enter this command on each interface that connects to other bordering PIM domains This comma...

Page 710: ...de 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched For source enter multicast addresses 224 0 1 39 and 224 0 1 40 which carry Auto RP information Optional For source wildcard enter the wildcard bits in d...

Page 711: ...v2 routers and multilayer switches and with routers from other vendors any device can be used as an RP In a network of Cisco PIMv1 routers Cisco PIMv2 routers and routers from other vendors configure only Cisco PIMv2 routers and multilayer switches as RPs This procedure is optional Command Purpose 1 configure terminal Enter global configuration mode 2 ip pim bsr candidate interface id hash mask le...

Page 712: ...nterface whose associated IP address is advertised as a candidate RP address Valid interfaces include physical ports port channels and VLANs Optional For group list access list number enter an IP standard access list number from 1 to 99 If no group list is specified the switch is a candidate RP for all groups 3 access list access list number deny permit source source wildcard Create a standard acc...

Page 713: ... to the longest match lookup in the RP mapping database Follow this procedure to verify the consistency of group to RP mappings This procedure is optional BEFORE YOU BEGIN Review the Auto RP and BSR Configuration Guidelines page 686 DETAILED STEPS Monitoring the RP Mapping Information To monitor the RP mapping information use these commands in privileged EXEC mode show ip pim bsr displays informat...

Page 714: ...out PIM Shared Tree and Source Tree page 684 This change occurs because the ip pim spt threshold global configuration command controls that timing The shortest path tree requires more memory than the shared tree but reduces delay You might want to postpone its use Instead of allowing the leaf router to immediately move to the shortest path tree you can specify that the traffic must first reach a t...

Page 715: ...will apply Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the source Place ones in the bit positions that you want to ignore Recall that the access list is always terminated by an implicit deny statement for everything 3 ip pim spt threshold kbps infinity group list access list number Specify the threshold that must be reached before moving to shor...

Page 716: ...tion About PIM page 677 DETAILED STEPS To return to the default setting use the no ip pim query interval seconds interface configuration command EXAMPLE The following example shows how to set the PIM hello interval to 45 seconds interface FastEthernet0 1 ip pim query interval 45 Configuring Optional IGMP Features This section includes the following topics Default IGMP Configuration page 713 Config...

Page 717: ... multicast group pinging that group causes all these devices to respond The devices respond to IGMP echo request packets addressed to a group of which they are members Another example is the multicast trace route tools provided in the software This procedure is optional BEFORE YOU BEGIN Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic...

Page 718: ...nterface to restrict the multicast groups that hosts on the subnet serviced by the interface can join This procedure is optional BEFORE YOU BEGIN Review the Information About IGMP page 676 Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Specify the interface to be configured and enter interface configuration mode 3 no shutdown Enable the port if necess...

Page 719: ...ss list number Specify the multicast groups that hosts on the subnet serviced by an interface can join By default all groups are allowed on an interface For access list number specify an IP standard access list number The range is 1 to 99 5 exit Return to global configuration mode 6 access list access list number deny permit source source wildcard Create a standard access list For access list numb...

Page 720: ...hosts are members of a multicast group the software stops forwarding multicast packets to the local network from remote origins for that group and sends a prune message upstream toward the source The switch elects a PIM designated router DR for the LAN subnet The DR is the router or multilayer switch with the highest IP address for IGMPv2 For IGMPv1 the DR is elected according to the multicast rou...

Page 721: ... response time Use the ip igmp query max response time command to change the maximum query response time value from the default 10 seconds to a specified length of time if required DETAILED STEPS To return to the default setting use the no ip igmp query interval interface configuration command EXAMPLE The following example shows how to configure the switch to wait 240 seconds from the time it rece...

Page 722: ... BEGIN We recommend that you do not modify the IGMP query interval and IGMP querier timeout values However if you configure the appropriate commands to change the query interval and querier timeout default values the following conditions apply If you use the ip igmp query interval command to configure the query interval the timeout value is automatically adjusted to two times the query interval th...

Page 723: ...s is overridden by the specified value interface GigabitEthernet0 1 ip igmp querier timeout 250 Changing the Maximum Query Response Time for IGMPv2 If you are using IGMPv2 you can change the maximum query response time advertised in IGMP queries The maximum query response time enables the switch to quickly detect that there are no more directly connected group members on a LAN Decreasing the value...

Page 724: ...e switch does not accept the packets itself but only forwards them This method enables fast switching The outgoing interface appears in the IGMP cache but the switch itself is not a member as evidenced by lack of an L local flag in the multicast route entry This procedure is optional BEFORE YOU BEGIN If you configure the ip igmp join group command for the same group address as the ip igmp static g...

Page 725: ...audio video and so forth are required on your workstation The MBONE Session Directory Version 2 sdr tool provides this information This freeware application can be downloaded from several sites on the World Wide Web one of which is http www video ja net mice index html SDR is a multicast application that listens to a well known multicast group address and port for Session Announcement Protocol SAP...

Page 726: ...ack 0 ip address 10 0 0 51 255 255 255 0 ip pim sparse dense mode ip sap listen Limiting How Long an SAP Cache Entry Exists You can limit how long an SAP entry remains active so that if a source stops advertising SAP information old advertisements are not needlessly kept This procedure is optional BEFORE YOU BEGIN Setting the cache timeout to a value less than 30 minutes is not recommended Command...

Page 727: ...multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure 91 on page 724 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239 0 0 0 8 on all routed interfaces at the perimeter of its net...

Page 728: ...irection The boundary allows the same multicast group address to be reused in different administrative domains The IANA has designated the multicast address range 239 0 0 0 to 239 255 255 255 as the administratively scoped addresses This range of addresses can then be reused in domains administered by different organizations The addresses would be considered local not globally unique This procedur...

Page 729: ...the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source enter the number of the network or host from which the packet is being sent Optional For source wildcard enter the wildcard bits in dotted decimal notation to be applied to the sour...

Page 730: ...Note This release does not support per route statistics You can display information to learn resource utilization and solve network problems You can also display information about node reachability and discover the routing path your device s packets are taking through the network Command Purpose clear ip igmp group group name group address interface Delete entries from the IGMP cache clear ip mrou...

Page 731: ...how ip igmp interface type number Display multicast related information about an interface show ip mcache group source Display the contents of the IP fast switching cache show ip mpacket source address name group address name detail Display the contents of the circular cache header buffer show ip mroute group name group address source summary count active kbps Display the contents of the IP multic...

Page 732: ...st routing ip pim ssm default interface GigabitEthernet3 1 0 ip address 172 21 200 203 255 255 255 0 description backbone interface ip pim sparse mode interface GigabitEthernet3 2 0 ip address 131 108 1 2 255 255 255 0 ip pim sparse mode description ethernet connected to hosts ip igmp version 3 The following example shows how to enable static SSM mapping In this example the router is configured to...

Page 733: ...st 20 deny 239 0 0 0 0 0 255 255 Switch config access list 20 permit 224 0 0 0 15 255 255 255 The following example configures the interface to be the PIM domain border interface ethernet 1 ip pim bsr border This example shows a portion of an IP multicast boundary configuration that denies Auto RP information Switch config access list 1 deny 224 0 1 39 Switch config access list 1 deny 224 0 1 40 S...

Page 734: ...hange the default value 60 seconds the default timeout period of two times the query interval or 120 seconds is overridden by the specified value interface GigabitEthernet0 1 ip igmp querier timeout 250 The following example configures a maximum response time of 8 seconds ip igmp query max response time 8 The following example shows how to configure group address 239 100 100 101 on Ethernet interf...

Page 735: ...ut MSDP MSDP allows multicast sources for a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses its own RPs and does not depend on RPs in other domains An RP runs MSDP over the Transmission Control Protocol TCP to discover multicast sources in other domains An RP in a PIM SM domain has an MSDP peering relationship with MSDP enabled devices in another domain ...

Page 736: ...he originating RP of the SA message Such a peer is called an RPF peer reverse path forwarding peer The MSDP device forwards the message to all MSDP peers other than the RPF peer For information on how to configure an MSDP peer when BGP and MBGP are not supported see Configuring a Default MSDP Peer page 734 Figure 92 MSDP Running Between RP Peers If the MSDP peer receives the same SA message from a...

Page 737: ...d Limitations MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol MBGP which works closely with MSDP However it is possible to create default peers that MSDP can operate with if MBGP is not running Default Settings MSDP is not enabled and no default MSDP peer exists Configuring MSDP This section includes the following topics Confi...

Page 738: ...d Router C but accepts SA messages only from Router A or only from Router C If Router A is first in the configuration file it is used if it is running If Router A is not running only then does Switch B accept SA messages from Router C This is the default behavior without a prefix list If you specify a prefix list the peer is a default peer only for the prefixes in the list You can have multiple ac...

Page 739: ...tive peer accepts all SA messages If that peer fails the next configured default peer accepts all SA messages This syntax is typically used at a stub site 3 ip prefix list name description string seq number permit deny network length Optional Create a prefix list using the name specified in Step 2 Optional For description string enter a description of up to 80 characters to describe this prefix li...

Page 740: ...g ip msdp default peer 10 1 1 1 prefix list site a Router config ip prefix list site b permit 10 0 0 0 1 Caching Source Active State By default the switch does not cache source group pairs from received SA messages When the switch forwards the MSDP SA information it does not store it in memory Therefore if a member joins a group soon after a SA message is received by the local RP that member needs...

Page 741: ...ting the command as many times as necessary For access list number the range is 100 to 199 Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the network or host from which the packet is being sent For source wil...

Page 742: ...t messages to the MSDP peer at 171 69 1 1 Switch config ip msdp sa request 171 69 1 1 Controlling Source Information that Your Switch Originates You can control the multicast source information that originates with your switch Sources you advertise based on your sources Receivers of source information based on knowing the requestor For more information see Redistributing Sources page 738 and Filte...

Page 743: ...r list access list name enter the name or number of an IP standard or extended access list The range is 1 to 99 for standard access lists and 100 to 199 for extended lists The access list controls which local sources are advertised and to which groups they send Optional For asn aspath access list number enter the IP standard or extended access list number in the range 1 to 199 This access list num...

Page 744: ...ary or Create an IP extended access list repeating the command as many times as necessary For access list number the range is 1 to 99 for standard access lists and 100 to 199 for extended lists Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol nam...

Page 745: ...p msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that pass the standard access list The access list describes a multicast group address The range for the access list number is 1 to 99 3 access list access list...

Page 746: ...se methods are described in the next sections Using a Filter By creating a filter you can perform one of these actions Filter all source group pairs Specify an IP extended access list to pass only certain source group pairs Filter based on match criteria in a route map Follow this procedure to apply a filter This procedure is optional BEFORE YOU BEGIN For best practice information related to confi...

Page 747: ...ildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the netw...

Page 748: ...is optional DETAILED STEPS To return to the default setting use the no ip msdp ttl threshold ip address name global configuration command EXAMPLE The following example shows how to configure a TTL threshold of 8 hops Switch config ip msdp ttl threshold 192 168 1 5 8 Controlling Source Information that Your Switch Receives By default the switch receives all SA messages that its MSDP RPF peers send ...

Page 749: ...t to pass certain source group pairs Filter based on match criteria in a route map Follow this procedure to apply a filter This procedure is optional BEFORE YOU BEGIN For best practice information related to configuring MSDP SA message filters see the Multicast Source Discovery Protocol SA Filter Recommendations tech note ...

Page 750: ...e wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list number enter the number specified in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protocol enter ip as the protocol name For source enter the number of the n...

Page 751: ... domain You can configure multiple mesh groups with different names in a single switch This procedure is optional DETAILED STEPS To remove an MSDP peer from a mesh group use the no ip msdp mesh group name ip address name global configuration command EXAMPLE The following example shows how to configure the MSDP peer at address 192 168 1 3 to be a member of the mesh group named internal Switch confi...

Page 752: ...bal configuration command It is better to configure the border router in the sparse mode domain to proxy register sources in the dense mode domain to the RP of the sparse mode domain and have the sparse mode domain use standard MSDP procedures to advertise these sources If you use the ip msdp border sa address command you must constrain the sources advertised by using the ip msdp redistribute comm...

Page 753: ...tch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface This procedure is optional BEFORE YOU BEGIN If both the ip msdp border sa address and the ip msdp originator id global configuration commands are configured the address derived from the ip msdp originator id command specifies the address...

Page 754: ... SA messages Switch config ip msdp originator id ethernet1 Table 0 11 Command Purpose 1 configure terminal Enter global configuration mode 2 ip msdp originator id interface id Configures the RP address in SA messages to be the address of the originating device interface For interface id specify the interface on the local switch 3 end Return to privileged EXEC mode 4 show running config Verify your...

Page 755: ...00 Switch config access list 100 permit ip 171 69 0 0 0 0 255 255 224 2 0 0 0 0 255 255 Table 45 58 Command Purpose debug ip msdp peer address name detail routes Debugs an MSDP activity debug ip msdp resets Debugs MSDP peer reset reasons show ip msdp count autonomous system number Displays the number of sources and groups originated in SA messages from each autonomous system The ip msdp cache sa s...

Page 756: ...isco com list 100 Switch config access list 100 permit ip 171 69 0 0 0 0 255 255 224 20 0 0 0 255 255 The following example shows how to configure a TTL threshold of 8 hops Switch config ip msdp ttl threshold 192 168 1 5 8 This example shows how to filter all SA messages from the peer named switch cisco com Switch config ip msdp peer switch cisco com connect source gigabitethernet0 1 Switch config...

Page 757: ...mically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices In IPv6 MLD snooping performs a similar function With MLD snooping IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN This list is constructed by snooping IPv6 multicast...

Page 758: ...2 messages MLD messages that do not have valid link local IPv6 source addresses are ignored by MLD routers and switches MLD Queries The switch sends out MLD queries constructs an IPv6 multicast address database and generates MLD group specific and MLD group and source specific queries in response to MLD Done messages The switch also supports report suppression report proxying Immediate Leave funct...

Page 759: ...led on the switch Received IPv6 multicast router control packets are always flooded to the ingress VLAN whether or not MLD snooping is enabled on the switch After the discovery of the first IPv6 multicast router port unknown IPv6 multicast data is forwarded only to the discovered router ports before that time all IPv6 multicast data is flooded to the ingress VLAN MLD Reports The processing of MLDv...

Page 760: ...d port is the last member of the multicast address the multicast address is also deleted and the switch sends the address leave information to all detected multicast routers Topology Change Notification Processing When topology change notification TCN solicitation is enabled by using the ipv6 mld snooping tcn query solicit global configuration command MLDv1 snooping sets the VLAN to flood all IPv6...

Page 761: ...is MLD snooping is enabled only on VLAN interfaces in the default state enabled Table 46 60 Feature Default Setting MLD snooping Global Disabled MLD snooping per VLAN Enabled MLD snooping must be globally enabled for VLAN MLD snooping to take place IPv6 Multicast addresses None configured IPv6 Multicast router ports None configured MLD snooping Immediate Leave Disabled MLD snooping robustness vari...

Page 762: ... it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch To disable MLD snooping on a VLAN interface use the no ipv6 mld snooping vlan vlan id global configuration command for the specified VLAN number EXAMPLE This example shows how to enable MLD snooping on a VLAN Table 46 12 Command Purpose 1 configure terminal Enter global configuration mode 2 ipv6 mld snooping G...

Page 763: ... use the command line interface CLI to add a multicast router port to a VLAN To add a multicast router port add a static connection to a multicast router use the ipv6 mld snooping vlan mrouter global configuration command on the switch BEFORE YOU BEGIN Static connections to multicast routers are supported only on switch ports Table 46 14 Command Purpose 1 configure terminal Enter global configurat...

Page 764: ...VLAN use the no ipv6 mld snooping vlan vlan id immediate leave global configuration command Table 46 15 Command Purpose 1 configure terminal Enter global configuration mode 2 ipv6 mld snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and specify the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physi...

Page 765: ...ve Switch config exit Configuring MLD Snooping Queries When Immediate Leave is not enabled and a port receives an MLD Done message the switch generates MASQs on the port and sends them to the IPv6 multicast address for which the Done message was sent You can optionally configure the number of MASQs that are sent and the length of time the switch waits for a response before deleting the port from t...

Page 766: ...d last listener query count count Optional Set the last listener query count on a VLAN basis This value overrides the value configured globally The range is 1 to 7 the default is 0 When set to 0 the global count value is used Queries are sent 1 second apart 6 ipv6 mld snooping last listener query interval interval Optional Set the maximum response time that the switch waits after sending out a MAS...

Page 767: ...oping listener message suppression global configuration command EXAMPLE This example shows how to disable MLD message suppression Switch configure terminal Switch config no ipv6 mld snooping listener message suppression Switch config end Verifying Configuration You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces You can also d...

Page 768: ...witch automatically learns the interface to which a multicast router is connected These are dynamically learned interfaces Optional Enter vlan vlan id to display information for a single VLAN The VLAN ID range is 1 to 1001 and 1006 to 4094 show ipv6 mld snooping querier vlan vlan id Display information about the IPv6 address and incoming port for the most recently received MLD query messages in th...

Page 769: ...nooping robustness variable 3 Switch config exit This example shows how to set the MLD snooping last listener query count for a VLAN to 3 Switch configure terminal Switch config ipv6 mld snooping vlan 200 last listener query count 3 Switch config exit This example shows how to set the MLD snooping last listener query interval maximum response time to 2000 2 seconds Switch configure terminal Switch...

Page 770: ...766 Configuring IPv6 MLD Snooping Related Documents ...

Page 771: ... availability of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segment it provides a virtual Media Access Control MAC address and an IP address that is shared among a group of configured routers HSRP allows two or more HSRP configured rout...

Page 772: ... standby router and also configure another interface on switch 2 as an active router with another interface on switch 1 as its standby router Figure 47 94 shows a segment of a network configured for HSRP Each router is configured with the MAC address and IP network address of the virtual router Instead of configuring hosts on the network with the IP address of Router A you configure them with the ...

Page 773: ...nt packet format than HSRPv1 A HSRPv2 packet uses the type length value TLV format and has a 6 byte identifier field with the MAC address of the physical router that sent the packet If an interface running HSRPv1 gets an HSRPv2 packet the type field is ignored Multiple HSRP The switch supports Multiple HSRP MHSRP an extension of HSRP that allows load sharing between two or more HSRP groups You can...

Page 774: ... MHSRP page 775 Configuring HSRP Authentication and Timers page 776 Enabling HSRP Support for ICMP Redirect Messages page 777 Configuring HSRP Groups and Clustering page 777 Troubleshooting HSRP page 777 Default HSRP Configuration Table 47 62 shows the default HSRP configuration 121235 Active router for group 1 Standby router for group 2 Client 1 Router A Router B 10 0 0 1 10 0 0 2 Active router f...

Page 775: ...port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For more information see the Configuring Layer 3 EtherChannels section All Layer 3 interfaces must have assigned IP addresses Configure only one instance of an FHRP The switches support H...

Page 776: ...p 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the Layer 3 interface on which you want to enable HSRP Step 3 standby version 1 2 Optional Configure the HSRP version on the interface 1 Select HSRPv1 2 Select HSRPv2 If you do not enter this command or do not specify a keyword the interface runs the default HSRP versio...

Page 777: ...keyword priority preempt or both The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down The standby track interface configuration command ties the router hot standby priority to the availability of its interfaces and is useful for tracking interfaces that are not configured for HSRP When a tracked...

Page 778: ...igure the router to preempt which means that when the local router has a higher priority than the active router it assumes control as the active router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active...

Page 779: ... interface configuration command on each HSRP interface so that if a router fails and comes back up the preemption occurs and restores load balancing Router A is configured as the active router for group 1 and Router B is configured as the active router for group 2 The HSRP interface for Router A has an IP address of 10 0 0 1 with a group 1 standby priority of 110 the default is 100 The HSRP inter...

Page 780: ...tication string Use the no standby group number timers hellotime holdtime interface configuration command to restore timers to their default values This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interfa...

Page 781: ...be lost ICMP redirect messages are automatically enabled on interfaces configured with HSRP This feature filters outgoing ICMP redirect messages through HSRP in which the next hop IP address might be changed to an HSRP virtual IP address Configuring HSRP Groups and Clustering When a device is participating in an HSRP standby routing and clustering is enabled you can use the same standby group for ...

Page 782: ...is local Standby virtual mac address is 0000 0c07 ac01 Name is bbb VLAN1 Group 100 Local state is Active priority 105 may preempt Hellotime 3 holdtime 10 Next hello sent in 00 00 02 262 Hot standby IP address is 172 20 138 51 configured Active router is local Standby router is unknown expired Standby virtual mac address is 0000 0c07 ac64 Name is test Configuring VRRP The Virtual Router Redundancy ...

Page 783: ...The switch supports either HSRP or VRRP but not both The switch cannot join a stack that has both HSRP and VRRP configured The VRRP implementation on the switch does not support the MIB specified in RFC 2787 The VRRP implementation on the switch supports only text based authentication You cannot enable VRRP for IPv4 and IPv6 groups simultaneously ...

Page 784: ... 780 Cisco Industrial Ethernet 4000 Series Switch Software Configuration Guide Chapter Configuring HSRP and VRRP Configuring VRRP ...

Page 785: ... only which can be routed ports switch virtual interfaces SVIs or Layer 3 EtherChannels IPv6 router ACLs apply only to routed IPv6 packets IPv6 port ACLs on inbound traffic on Layer 2 interfaces only The switch applies IPv6 port ACLs to all IPv6 packets entering the interface You can apply both IPv4 and IPv6 ACLs to an interface As with IPv4 ACLs IPv6 port ACLs take precedence over router ACLs Whe...

Page 786: ... Not Supported The switch does not support VLAN ACLs VLAN maps for IPv6 traffic The switch does not apply MAC based ACLs on IPv6 frames You cannot apply IPv6 port ACLs to Layer 2 EtherChannels The switch does not support output port ACLs Cisco IOS IPv6 ACLs Functions Not Supported The switch does not support matching on these keywords flowlabel routing header and undetermined transport The switch ...

Page 787: ... hardware memory is full for any additional configured ACLs the switch forwards the packets to the CPU and the software applies the ACLs Default Settings Configuring IPv6 ACLs This section includes the following topics Creating IPv6 ACLs page 783 Applying an IPv6 ACL to an Interface page 787 BEFORE YOU BEGIN Review the Guidelines and Limitations page 782 for this feature Select one of the dual IPv...

Page 788: ...tocol number For additional specific parameters for ICMP TCP and UDP see Steps 3b through 3d source ipv6 prefix prefix length or destination ipv6 prefix prefix length Source or destination IPv6 network or class of networks for which to set deny or permit conditions specified in hexadecimal and using 16 bit values between colons Enter any as an abbreviation for the IPv6 prefix 0 host source ipv6 ad...

Page 789: ...range name Specify the time range that applies to the deny or permit statement Step 3b deny permit tcp source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator port number ack dscp value established fin log log input neq port protocol psh range port protocol rst routing sequence value syn tim...

Page 790: ...User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address ope...

Page 791: ...interface for port ACLs or Layer 3 interface for router ACLs on which to apply an access list and enter interface configuration mode 3 no switchport If applying a router ACL change the interface from Layer 2 mode the default to Layer 3 mode 4 ipv6 address ipv6 address Configure an IPv6 address on a Layer 3 interface for router ACLs Note This command is not required on Layer 2 interfaces or if the ...

Page 792: ...icit deny all condition is at the end of each IPv6 access list Applies the access list CISCO to outbound traffic on a Layer 3 interface Switch config ipv6 access list CISCO Switch config ipv6 acl deny tcp any any gt 5000 Switch config ipv6 acl deny 0 lt 5000 0 log Switch config ipv6 acl permit icmp any any Switch config ipv6 acl permit any any Switch config ipv6 acl exit Switch config interface gi...

Page 793: ...nts page 796 Information About Embedded Event Manager EEM monitors key system events and then acts on them through a set policy This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring The script generates actions such as generating custom syslog or Simple Network Management Protocol SNMP traps invoking CLI commands forc...

Page 794: ...he EEM polices where an action can be implemented EEM allows these event detectors Application specific event detector Allows any EEM policy to publish an event IOS CLI event detector Generates policies based on the commands entered through the CLI Generic Online Diagnostics GOLD event detector Publishes an event when a GOLD failure event is detected on a specified card and subcard Counter event d...

Page 795: ...ifier OID value at the beginning the period and the actual OID value when the event is published matches a specified value SNMP notification event detector Intercepts SNMP trap and inform messages received by the switch The event is generated when an incoming message matches a specified value or crosses a defined threshold Syslog event detector Allows for screening syslog messages for a regular ex...

Page 796: ...t Manager Environment Variables EEM uses environment variables in EEM policies These variables are defined in an EEM policy tool command language TCL script by running a CLI command and the event manager environment command User defined variables Defined by the user for a user defined policy Cisco defined variables Defined by Cisco for a specific sample policy Cisco built in variables available in...

Page 797: ...e sent from the Cisco IOS device to the SNMP server Other relevant snmp server commands must also be configured for details see the action snmp trap command page Guidelines and Limitations The EEM feature is supported with both Lanbase and IP Services license starting with the 15 2 4 EC release for the IE 4010 and with the15 2 5 E release for IE 4000 and IE 5000 Prior to the 15 2 5 E release IP Se...

Page 798: ...e 1 configure terminal Enter global configuration mode 2 event manager applet applet name Register the applet with EEM and enter applet configuration mode 3 event snmp oid oid value get type exact next entry op gt ge eq ne lt le entry val entry val exit comb or and exit op gt ge eq ne lt le exit val exit val exit time exit time val poll interval poll int val Specify the event criteria that causes ...

Page 799: ...on about EEM including EEM registered policies and EEM history data see Cisco IOS Embedded Event Manager Command Reference Configuration Example This example shows the output for EEM when one of the fields specified by an SNMP object ID crosses a defined threshold Command Purpose 1 configure terminal Enter global configuration mode 1 show event manager environment all variable name Optional The sh...

Page 800: ...w ver 3 _syslog_pattern UPDOWN Ethernet1 0 4 _config_cmd1 interface Ethernet1 0 5 _config_cmd2 no shut This example shows a CRON timer environment variable which is assigned by the software to be set to every second minute every hour of every day Switch config event manager environment_cron_entry 0 59 2 0 23 1 0 6 This example shows the sample EEM policy named tm_cli_cmd tcl registered as a system...

Page 801: ...798 Configuring IP Addressing page 799 Enabling IPv4 Unicast Routing page 816 Configuring RIP page 817 Configuring OSPF page 823 Configuring EIGRP page 838 Configuring BGP page 846 Configuring ISO CLNS Routing page 871 Configuring BFD page 883 Configuring Multi VRF CE page 894 Configuring Protocol Independent Features page 906 Verifying Configuration page 924 Related Documents page 924 Information...

Page 802: ...inations By dynamically calculating routes by using a routing protocol Dynamic routing protocols are used by routers to dynamically calculate the best route for forwarding traffic Routing protocols supported by the switch are Routing Information Protocol RIP Border Gateway Protocol BGP Open Shortest Path First OSPF protocol Enhanced IGRP EIGRP System to Intermediate System IS IS and Bidirectional ...

Page 803: ...Pv4 routing use the sdm prefer default global configuration command to set the Switch Database Management sdm feature to balance resources For more information on the SDM templates see the sdm prefer command in the command reference listed in the Related Documents page 924 Steps for Configuring Routing Configuring IPv4 routing consists of several main procedures Configure Layer 3 interfaces Enable...

Page 804: ...sulation Standard Ethernet style ARP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Prot...

Page 805: ...ses For example if network 131 108 0 0 is subnetted as 255 255 255 0 subnet zero would be written as 131 108 0 0 which is the same as the network address Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure 3 no shutdown Enable the interface if necessary User network interface...

Page 806: ...n page 802 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 98 IP Classless Routing In Figure 99 on page 803 the router in netwo...

Page 807: ...dling of IP by using address resolution A device using IP can have both a local address or MAC address which uniquely defines the device on its local segment or LAN and a network address which identifies the network to which the device belongs To communicate with a device on Ethernet the software must learn the MAC address of the device The process of learning the MAC address from an IP address is...

Page 808: ...l RARP which functions the same as ARP does except that the RARP packets request an IP address instead of a local MAC address Using RARP requires a RARP server on the same network segment as the router interface Use the ip rarp server address interface configuration command to identify the server For more information on RARP see IP Addressing ARP Configuration Guide Cisco IOS Release 15M T You can...

Page 809: ...ype Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsulation for Ethernet interfaces snap Subnetwork Address Protocol encapsulation for Token Ring and FDDI interfaces sap HP s ARP type 3 arp ip address hardware address type alias Optional Specify that the switch respond to ARP requests as if it were the owne...

Page 810: ...cify the Layer 3 interface to configure 3 no shutdown Enable the interface if necessary By default UNIs and ENIs are disabled and NNIs are enabled 4 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol 5 end Return to privileged EXEC mode 6 show interfaces interface id Verify ARP encapsulation configuration on all interfaces or the sp...

Page 811: ...ch forwards it to the intended host Proxy ARP treats all networks as if they are local and performs ARP requests for every IP address Proxy ARP is enabled by default To enable it after it has been disabled see Enabling Proxy ARP page 806 Proxy ARP works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonloc...

Page 812: ... time after which a device is assumed to be down if no further packets are received Each device discovered becomes a candidate for the default router and a new highest priority router is selected when a higher priority router is discovered when the current default router is declared down or when a TCP connection is about to time out because of excessive retransmissions The only required task for I...

Page 813: ...UNIs and ENIs are disabled and NNIs are enabled 4 ip irdp Enable IRDP processing on the interface 5 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts 6 ip irdp holdtime seconds Optional Set the IRDP period for which advertisements are valid The default is three times the maxadvertinterval value It must be greater than maxadvertinterval ...

Page 814: ...rk segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address The switch supports several addressing schemes for forwarding broadcast messages Enabling Directed Broadcast to Physical Broadcast Translation page 810 Fo...

Page 815: ...terface id Enter interface configuration mode and specify the interface to configure 3 no shutdown Enable the interface if necessary By default UNIs and ENIs are disabled and NNIs are enabled 4 ip directed broadcast access list number Enable directed broadcast to physical broadcast translation on the interface You can include an access list to control which broadcasts are forwarded When an access ...

Page 816: ...rvices Command Reference for the list of ports that are forwarded by default if you do not specify any UDP ports DETAILED STEPS Use the no ip helper address interface configuration command to disable the forwarding of broadcast packets to specific addresses Use the no ip forward protocol global configuration command to remove a protocol or port EXAMPLE The following example defines a helper addres...

Page 817: ... bridging is not configured on an interface the interface can receive broadcasts but it never forwards the broadcasts it receives and the router never uses that interface to send broadcasts received on a different interface Packets that are forwarded to a single network address using the IP helper address mechanism can be flooded Only one copy of the packet is sent on each network segment To be co...

Page 818: ...d protocol spanning tree global configuration command to disable the flooding of IP broadcasts EXAMPLE The following example permits IP broadcasts to be flooded through the internetwork in a controlled fashion Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip forward protocol spanning tree Switch config end Speeding up STP Based UDP Flooding In th...

Page 819: ...using the clear privileged EXEC commands You can display specific statistics such as the contents of IP routing tables caches and databases the reachability of nodes and the routing path that packets are taking through the network Command Purpose 1 configure terminal Enter global configuration mode 2 ip forward protocol turbo flood Use the spanning tree database to speed up flooding of UDP datagra...

Page 820: ...iases Display IP addresses mapped to TCP ports aliases show ip arp Display the IP ARP cache show ip interface interface id Display the IP status of interfaces show ip irdp Display IRDP values show ip masks address Display the masks used for network addresses and the number of subnets using each mask show ip redirects Display the address of a default gateway show ip route address mask protocol Disp...

Page 821: ...ts to rate the value of different routes The hop count is the number of routers that can be traversed in a route A directly connected network has a hop count of zero a network with a hop count of 16 is unreachable This small range 0 to 15 makes RIP unsuitable for large networks If the router has a default network path RIP advertises a route that links the router to the pseudonetwork 0 0 0 0 The 0 ...

Page 822: ...re Default Setting Auto summary Enabled Default information originate Disabled Default metric Built in automatic metric translations IP RIP authentication key chain No authentication Authentication mode clear text IP RIP receive version According to the version router configuration command IP RIP send version According to the version router configuration command IP RIP triggered According to the v...

Page 823: ...onds holddown The time before a route is removed from the routing table The default is 180 seconds flush The amount of time for which routing updates are postponed The default is 240 seconds 8 version 1 2 Optional Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets By default the switch receives Version 1 and 2 but sends only Version 1 You can also use the interfac...

Page 824: ...fig router rip Switch config router network 10 108 0 0 Router config router passive interface Ethernet 1 Router config router neighbor 10 108 20 4 Router config router end Configuring RIP Authentication RIP Version 1 does not support authentication If you are sending and receiving RIP Version 2 packets you can enable RIP authentication on an interface The key chain specifies the set of keys that c...

Page 825: ...outing loops Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated This feature can optimize communication among multiple routers when links are broken BEFORE YOU BEGIN In general Cisco does not recommend disabling split horizon unless you are certain that your application requires disabling it to properly advertise ...

Page 826: ...is enabled neither autosummary nor interface IP summary addresses are advertised BEFORE YOU BEGIN If the interface is in Layer 2 mode the default you must enter a no switchport interface configuration command before entering the ip address interface configuration command Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Enter interface configuration mode...

Page 827: ...iving packets This section briefly describes how to configure OSPF For a complete description of the OSPF commands see the OSPF documents listed in the Related Documents page 924 Note OSPF classifies different media into broadcast nonbroadcast multiaccess NBMA or point to point networks Broadcast and nonbroadcast networks can also be configured as point to multipoint networks The switch supports a...

Page 828: ...t so stubby areas NSSAs per RFC 1587 are supported OSPF typically requires coordination among many internal routers area border routers ABRs connected to multiple areas and autonomous system boundary routers ASBRs The minimum configuration would use all default parameter values no authentication and interfaces assigned to areas If you customize your environment you must ensure coordinated configur...

Page 829: ...nd the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF database filter Disabled All outgoing link state advertisements LSAs are flooded to the interface IP OSPF name l...

Page 830: ...ase 15S Configuring Basic OSPF Parameters Enabling OSPF requires that you create an OSPF routing process specify the range of IP addresses to be associated with the routing process and assign area IDs to be associated with that range BEFORE YOU BEGIN Complete the OSPF network strategy and planning for your network For example you must decide whether multiple areas are required Timers LSA group pac...

Page 831: ...ration commands are all optional BEFORE YOU BEGIN If you modify these parameters be sure all routers in the network have compatible values Command Purpose 1 configure terminal Enter global configuration mode 2 router ospf process id Enable OSPF routing and enter router configuration mode The process ID is an internally used identification parameter that is locally assigned and can be any positive ...

Page 832: ...Optional Set the number of seconds between hello packets sent on an OSPF interface The value must be the same for all nodes on a network The range is 1 to 65535 seconds The default is 10 seconds 9 ip ospf dead interval seconds Optional Set the number of seconds after the last device hello packet was seen before its neighbors declare the OSPF router to be down The value must be the same for all nod...

Page 833: ...r point to multipoint regardless of the default media type Configuring OSPF for Nonbroadcast Networks Because many routers might be attached to an OSPF network a designated router is selected for the network If broadcast capability is not configured in the network the designated router selection requires special configuration parameters You need to configure these parameters only for devices that ...

Page 834: ...ure an interface as point to multipoint when the media does not support broadcast you should use the neighbor command to identify neighbors BEFORE YOU BEGIN Complete the OSPF network strategy and planning for your network Command Purpose 1 configure terminal Enter global configuration mode 2 router ospf process id Configure an OSPF routing process and enter router configuration mode 3 neighbor ip ...

Page 835: ...to point Specify an OSPF point to point network 5 exit Return to global configuration mode 6 router ospf process id Optional for point to multipoint required for point to multipoint nonbroadcast Configure an OSPF routing process and enter router configuration mode 7 neighbor ip address cost number Optional for point to multipoint required for point to multipoint nonbroadcast Specify a configured O...

Page 836: ...d not so stubby areas NSSAs Stub areas are areas into which information on external routes is not sent Instead the area border router ABR generates a default external route into the stub area for destinations outside the autonomous system AS An NSSA does not flood all LSAs from the core into the area but can import AS external routes within the area by redistribution Route summarization is the con...

Page 837: ... summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stub area 6 area area id nssa no redistribution default information originate no summary Optional Defines an area as a not so stubby area Every router within the same area must agree that the area is NSSA Select one of these keywords no redistribution Select when...

Page 838: ...it by router ID or neighbor ID Default Metrics OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface The metric is calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is specified by the bandwidth interface configuration command For multiple links with high bandwidth you can specify a larger number to differentiate the cost o...

Page 839: ...kup Optional Configure DNS name lookup The default is disabled 7 ip auto cost reference bandwidth ref bw Optional Specify an address range for which a single route will be advertised Use this command only with area border routers 8 distance ospf inter area dist1 inter area dist2 external dist3 Optional Change the OSPF distance values The default distance for each type of route is 110 The range is ...

Page 840: ...umes the risks associated with changing the default timer values DETAILED STEPS To return to the default value use the no timers pacing lsa group router configuration command EXAMPLE The following example configures OSPF group packet pacing updates between LSA groups to occur in 60 second intervals for OSPF routing process 1 Switch config router ospf 1 Switch config router timers pacing lsa group ...

Page 841: ... 5 show ip interface Verify your entries 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose show ip ospf process id Display general information about OSPF routing processes show ip ospf process id database router link state id show ip ospf process id database router self originate show ip ospf process id database router adv router ip address s...

Page 842: ...iency reliability is provided only when necessary For example on a multiaccess network that has multicast capabilities it is not necessary to send hellos reliably to all neighbors individually Therefore EIGRP sends a single multicast hello with an indication in the packet informing the receivers that the packet need not be acknowledged Other types of packets such as updates require acknowledgment ...

Page 843: ...tance Internal distance 90 External distance 170 EIGRP log neighbor changes Disabled No adjacency changes logged IP authentication key chain No authentication provided IP authentication mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds all other networks 5 seconds IP hold time For low speed NBMA network...

Page 844: ...3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor RP in a router failing and the backup RP taking over or while the primary RP is manually reloaded for a nondisruptive software upgrade This feature cannot be disabled For more information on this feature see the Configuring Nonstop Forwarding chapter in the High Availability Co...

Page 845: ...orks 4 eigrp log neighbor changes Optional Enable logging of EIGRP neighbor changes to monitor routing system stability 5 metric weights tos k1 k2 k3 k4 k5 Optional Adjust the EIGRP metric Although the defaults have been carefully set to provide excellent operation in most networks you can adjust them Caution Setting metrics is complex and is not recommended without guidance from an experienced ne...

Page 846: ...of bandwidth that can be used by EIGRP on an interface The default is 50 percent 5 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled 6 ip hello interval eigrp autonomous system number seconds Optional Change the hello time interval for an EIGRP routing process The ...

Page 847: ...d in Step 4 8 key number In key chain configuration mode identify the key number 9 key string text In key chain key configuration mode identify the key string 10 accept lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can be received The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The ...

Page 848: ...tch responds to all queries for summaries connected routes and routing updates Note EIGRP stub routing only advertises connected or summary routes from the routing tables to other switches in the network The switch uses EIGRP stub routing at the access layer to eliminate the need for other types of routing advertisements If you try to configure multi VRF CE and EIGRP stub routing at the same time ...

Page 849: ...e 2 router eigrp 1 Configure a remote or distribution router to run an EIGRP process and enter router configuration mode 3 network network number Associate networks with an EIGRP routing process 4 eigrp stub receive only connected static summary Configure a remote router as an EIGRP stub router The keywords have these meanings Enter receive only to set the router as a receive only neighbor Enter c...

Page 850: ... that networks within the AS can be reached by defining internal BGP peering among routers within the AS and by redistributing BGP routing information to IGPs that run within the AS such as IGRP and OSPF Routers that run a BGP routing process are often referred to as BGP speakers BGP uses the Transmission Control Protocol TCP as its transport protocol specifically port 179 Two BGP speakers that ha...

Page 851: ...mation about the list of AS paths with other BGP systems This information can be used to determine AS connectivity to prune routing loops and to enforce AS level policy decisions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from an IGP unless IGP synchronization is disabled When ...

Page 852: ... network None specified no backdoor route advertised BGP route dampening Disabled by default When enabled Half life is 15 minutes Re use is 750 10 second increments Suppress is 2000 10 second increments Max suppress time is 4 times half life 60 minutes BGP router ID The IP address of a loopback interface if one is configured or the highest IP address configured for a physical interface on the rout...

Page 853: ...one used Maximum number of prefixes received No limit Neighbor Next hop router as next hop for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attributes None sent to neighbors Shutdown or soft ...

Page 854: ...m the AS path by using the neighbor remove private as router configuration command Then when an update is passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS must pass traffic through it from another AS to a third AS it is important to be consistent about the routes it advertises If BGP advertises a route before all routers in the network ...

Page 855: ...ress belongs to the specified AS For EBGP neighbors are usually directly connected and the IP address is the address of the interface at the other end of the connection For IBGP the IP address can be the address of any of the router interfaces 6 neighbor ip address peer group name remove private as Optional Remove private AS numbers from the AS path in outbound routing updates 7 no synchronization...

Page 856: ...hbor 175 220 212 1 remote as 200 Switch config router neighbor 192 208 10 1 remote as 300 Router D Switch config router bgp 300 Switch config router neighbor 192 208 10 2 remote as 200 To verify that BGP peers are running use the show ip bgp neighbors privileged EXEC command This is the output of this command on Router A Switch show ip bgp neighbors BGP neighbor is 129 213 1 1 remote AS 200 extern...

Page 857: ...ard reset and soft reset The switch supports a soft reset without any prior configuration when both BGP peers support the soft route refresh capability which is advertised in the OPEN message sent when the peers establish a TCP session A soft reset allows the dynamic exchange of route refresh requests and routing information between BGP routers and the subsequent re advertisement of the respective...

Page 858: ...IP address of the next hop that is going to be used to reach a destination For EBGP this is usually the IP address of the neighbor specified by the neighbor remote as router configuration command You can disable next hop processing by using route maps or the neighbor next hop self router configuration command 2 Prefer the path with the largest weight a Cisco proprietary parameter The weight attrib...

Page 859: ...d You can configure the MED by using route maps or by using the default metric router configuration command When an update is sent to an IBGP peer the MED is included 8 Prefer the external EBGP path over the internal IBGP path 9 Prefer the route that can be reached through the closest IGP neighbor the lowest IGP metric This means that the router will prefer the shortest internal path within the AS...

Page 860: ... switch to consider a missing MED as having a value of infinity making the path without a MED value the least desirable path 8 bgp always compare med Optional Configure the switch to compare MEDs for paths from neighbors in different autonomous systems By default MED comparison is only done among paths in the same AS 9 bgp bestpath med confed Optional Configure the switch to consider the MED in ch...

Page 861: ...OU BEGIN Enable BGP routing as described in the Enabling BGP Routing page 850 DETAILED STEPS Use the no route map map tag command to delete the route map Use the no set ip next hop ip address command to re enable next hop processing EXAMPLE In the following example the inbound route map named rmap sets the next hop Switch config route map rmap permit 10 Switch config route map set ip next hop 10 2...

Page 862: ... from the neighbor EXAMPLE The following router configuration mode example applies list 39 to incoming advertisements from neighbor172 16 4 1 List 39 permits the advertisement of network 10 109 0 0 Switch config router bgp 109 Switch config router network 10 108 0 0 Switch config router neighbor 172 16 4 1 distribute list 39 in Configuring BGP Filtering By Access Lists Another method of filtering ...

Page 863: ...efixes An implicit deny is assumed if a given prefix does not match any entries in a prefix list When multiple entries of a prefix list match a given prefix the sequence number of a prefix list entry identifies the entry with the lowest sequence number By default sequence numbers are generated automatically and incremented in units of five If you disable the automatic generation of sequence number...

Page 864: ...ength that is less than or equal to 24 bits Switch config ip prefix list YELLOW permit 10 0 0 0 8 le 24 In the following example a prefix list is configured to deny routes from the 10 0 0 0 8 network that have a mask length that is greater than or equal to 25 bits Switch config ip prefix list PINK deny 10 0 0 0 8 ge 25 Command Purpose 1 configure terminal Enter global configuration mode 2 ip prefi...

Page 865: ...his route to EBGP peers no advertise Do not advertise this route to any peer internal or external local as Do not advertise this route to peers outside the local autonomous system Based on the community you can control which routing information to accept prefer or distribute to other neighbors A BGP speaker can set append or modify the community of a route when learning advertising or redistributi...

Page 866: ... community list number permit deny community number Create a community list and assign it a number The community list number is an integer from 1 to 99 that identifies one or more permit or deny groups of communities The community number is the number configured by a set community route map configuration command 3 router bgp autonomous system Enter BGP router configuration mode 4 neighbor ip addre...

Page 867: ...bors as peer group members You configure the peer group by using the neighbor router configuration commands By default peer group members inherit all the configuration options of the peer group including the remote as if configured version update source out route map out filter list out dist list minimum advertisement interval and next hop self All peer group members also inherit changes made to t...

Page 868: ...peer group name ebgp multihop Optional Allow BGP sessions even when the neighbor is not on a directly connected segment The multihop session is not established if the only route to the multihop peer s address is the default route 0 0 0 0 11 neighbor ip address peer group name local as number Optional Specify an AS number to use as the local AS The range is 1 to 65535 12 neighbor ip address peer gr...

Page 869: ...added to the BGP table when there is at least one more specific entry in the BGP table 18 neighbor ip address peer group name timers keepalive holdtime Optional Set timers for the neighbor or peer group The keepalive interval is the time within which keepalive messages are sent to peers The range is 1 to 4294967295 seconds the default is 60 The holdtime is the interval after which a peer is declar...

Page 870: ... 1 configure terminal Enter global configuration mode 2 router bgp autonomous system Enter BGP router configuration mode 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS and the atomic aggregate attribute is set to indicate that information might be missing 4 aggregate address address mask as set Optional Ge...

Page 871: ...page 850 DETAILED STEPS EXAMPLE In the following example the routing domain is divided into autonomous systems 50001 50002 50003 50004 50005 and 50006 and is identified by the confederation identifier 50007 Neighbor 10 2 3 4 is a peer inside of the routing domain confederation Neighbor 10 4 5 6 is a peer outside of the routing domain confederation To external peers and routing domains the confeder...

Page 872: ...meshed Usually a cluster of clients have a single route reflector and the cluster is identified by the route reflector router ID To increase redundancy and to avoid a single point of failure a cluster might have more than one route reflector In this case all route reflectors in the cluster must be configured with the same 4 byte cluster ID so that a route reflector can recognize updates from route...

Page 873: ...configuration command with values EXAMPLE In the following example BGP dampening is applied to prefixes filtered through the route map named BLUE Switch config ip prefix list RED permit 10 0 0 0 8 Switch config Switch config route map BLUE Switch config route map match ip address ip prefix list RED Switch config route map exit Command Purpose 1 configure terminal Enter global configuration mode 2 ...

Page 874: ...peer groups to which the prefix has been advertised Also display prefix attributes such as the next hop and the local prefix show ip bgp cidr only Display all BGP routes that contain subnet and supernet network masks show ip bgp community community number exact Display routes that belong to the specified communities show ip bgp community list community list number exact match Display routes that a...

Page 875: ... routing process per Layer 3 switch or router by using the multiarea IS IS configuration syntax You then configure the parameters for each instance of the IS IS routing process Small IS IS networks are built as a single area that includes all the routers in the network As the network grows larger it is usually reorganized into a backbone area made up of the connected set of all Level 2 routers fro...

Page 876: ...rrences 5 seconds Initial LSP generation delay 50 ms Hold time between the first and second LSP generation 5000 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before the LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF1 Awareness 1 NSF Nonstop Forwarding Enabled2 Allows Layer 3 switches to continue ...

Page 877: ...outing process You then enable IS IS routing on the interface and specify the area for each instance of the routing process BEFORE YOU BEGIN You should know your network design and how you want traffic to flow through it before configuring IS IS Define areas prepare an addressing plan for the devices including defining the NETs and determine the interfaces that will run integrated IS IS To facilit...

Page 878: ... specify a name for a NET and for an address 5 is type level 1 level 1 2 level 2 only Optional You can configure the router to act as a Level 1 station router a Level 2 area router for multi area routing or both the default level 1 act as a station router only level 1 2 act as both a station router and an area router level 2 act as an area router only 6 exit Return to global configuration mode 7 i...

Page 879: ...0001 0000 0000 000c 00 Switch config router exit Switch config interface gigabitethernet0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet0 2 Switch config if ip router isis Switch config if clns router isis Switch config router exit Configuring IS IS Global Parameters These are some optional IS IS global parameters that you can configure ...

Page 880: ...re the switch to generate a log message when an IS IS adjacency changes state up or down If a link in the network has a maximum transmission unit MTU size of less than 1500 bytes you can lower the LSP MTU so that routing will still occur The partition avoidance router configuration command prevents an area from becoming partitioned when full connectivity is lost among a Level1 2 border router adja...

Page 881: ... level 9 set overload bit on startup seconds wait for bgp Optional Set an overload bit a hippity bit to allow other routers to ignore the router in their shortest path first SPF calculations if the router is having problems Optional on startup sets the overload bit only on startup If on startup is not specified the overload bit is set immediately and remains set until you enter the no set overload...

Page 882: ...erval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum interval in seconds between two consecutive PRC calculations The range is 1 to 120 the default is 5 prc initial wait the initial PRC calculation delay in milliseconds after a topology change The range is 1 to 10 000 the default is 2000 prc second wait the...

Page 883: ...some interface level parameters you can configure The default metric on the interface which is used as a value for the IS IS metric and assigned when there is no quality of service QoS routing performed The hello interval length of time between hello packets sent on the interface or the default hello packet multiplier used on the interface to determine the hold time sent in IS IS hello packets The...

Page 884: ... on a multiaccess network which in turn reduces the amount of routing protocol traffic and the size of the topology database The interface circuit type which is the type of adjacency desired for neighbors on the specified interface Password authentication for the interface BEFORE YOU BEGIN Enable IS IS routing as described in the Enabling IS IS Routing page 873 ...

Page 885: ...e is 1 second seconds the range is from 1 to 65535 The default is 10 seconds 6 isis hello multiplier multiplier level 1 level 2 Optional Specify the number of IS IS hello packets a neighbor must miss before the router should declare the adjacency as down The range is from 3 to 1000 The default is 3 Using a smaller hello multiplier causes fast convergence but can result in more routing instability ...

Page 886: ... 1 2 level 2 only Optional Configure the type of adjacency desired for neighbors on the specified interface specify the interface circuit type level 1 a Level 1 adjacency is established if there is at least one area address common to both this node and its neighbors level 1 2 a Level 1 and 2 adjacency is established if the neighbor is also configured as both Level 1 and Level 2 and there is at lea...

Page 887: ... CLNS neighbor information from the adjacency database clear clns route Remove dynamically derived CLNS routing information show clns Display information about the CLNS network show clns cache Display the entries in the CLNS routing cache show clns es neighbors Display ES neighbor entries including the associated areas show clns filter expr Display filter expressions show clns filter set Display f...

Page 888: ...D version 0 and version 1 BFD neighbors automatically negotiate the version and the protocol always runs at the higher version The default version is version 1 By default BFD neighbors exchange both control packets and echo packets for detecting forwarding failures The switch sends echo packets at the configured BFD interval rate from 50 to 999 ms and control packets at the BFD slow timer rate fro...

Page 889: ...hronous BFD echo mode is enabled when a BFD session is configured Default BFD Configuration Guidelines The switch supports a maximum of 28 BFD sessions at one time To run BFD on a switch Configure basic BFD interval parameters on each interface over which you want to run BFD sessions Enable routing on the switch You can configure BFD without enabling routing but BFD sessions do not become active u...

Page 890: ...ry User network interfaces UNIs and enhanced network interfaces ENIs are disabled by default network node interfaces NNIs are enabled by default 4 no switchport Remove the interface from Layer 2 configuration mode 5 ip address ip address subnet mask Configure the IP address and IP subnet mask 6 bfd interval milliseconds min_rx milliseconds multiplier value Set BFD parameters for echo packets on th...

Page 891: ...DETAILED STEPS To disable OSPF BFD on all interfaces enter the no bfd all interfaces router configuration command To disable it on an interface enter the no ip osfp bfd or the ip ospf bfd disable interface configuration command on the interface If you want to run OSPF BFD on only one or a few interfaces you can enter the ip ospf bfd interface configuration command on those interfaces instead of en...

Page 892: ...abitethernet0 1 Switch config if ip ospf bfd Configuring BFD for IS IS When you start BFD sessions for IS IS IS IS must be running on all devices participating in BFD You can enable BFD support for IS IS by enabling it globally on all IS IS interfaces or by enabling it on one or more interfaces Configuring BFD for IS IS Globally BEFORE YOU BEGIN Configure BFD parameters on the interface as describ...

Page 893: ...all interfaces Switch config router exit Configuring BFD for IS IS on an Interface BEFORE YOU BEGIN Configure BFD parameters on the interface as described in the Configuring BFD Session Parameters on an Interface page 886 Configure IS IS as described in the Configuring IS IS Dynamic Routing page 871 Command Purpose 1 configure terminal Enter global configuration mode 2 router is is area tag Specif...

Page 894: ... BEGIN Configure BFD parameters on the interface as described in the Configuring BFD Session Parameters on an Interface page 886 Configure BGP as described in the Configuring BGP page 846 Command Purpose 1 configure terminal Enter global configuration mode 2 router is is area tag Specify an IS IS process and enter router configuration mode 3 exit Return to global configuration mode 4 interface int...

Page 895: ... interface as described in the Configuring BFD Session Parameters on an Interface page 886 Configure EIGRP as described in the Configuring EIGRP page 838 Command Purpose 1 configure terminal Enter global configuration mode 2 router bgp as tag Specify a BGP autonomous system and enter router configuration mode 3 neighbor ip address fall over bfd Enable BFD support for fallover on the BFD neighbor 4...

Page 896: ...devices have HSRP enabled and CEF enabled the default Command Purpose 1 configure terminal Enter global configuration mode 2 router eigrp as number Specify an EIGRP autonomous system number and enter router configuration mode 3 log adjacency changes detail Configure the switch to send a system logging message when an EIGRP neighbor goes up or down 4 bfd all interfaces interface interface id Enable...

Page 897: ...it sends no echo packets and but only sends back echo packets received from a neighbor When echo mode is disabled control packets are used to detect forwarding failures You can configure slow timers to reduce the frequency of BFD control packets BEFORE YOU BEGIN Configure BFD parameters on the interface as described in the Configuring BFD Session Parameters on an Interface page 886 Command Purpose...

Page 898: ... does not use Multiprotocol Label Switching MPLS to support VPNs For information about MPLS VRF refer to the MPLS Layer 3 VPNs Configuration Guide Cisco IOS Release 15M T Information About Multi VRF CE page 895 Default Multi VRF CE Configuration page 896 Multi VRF CE Configuration Guidelines page 896 Configuring VRFs page 897 Configuring VRF Aware Services page 898 Configuring a VPN Routing Sessio...

Page 899: ...F After learning local VPN routes from CEs a PE router exchanges VPN routing information with other PE routers by using internal BGP IBPG Provider routers or core routers are any routers in the service provider network that do not attach to CE devices With multi VRF CE multiple customers can share one CE and only one physical link is used between the CE and the PE The shared CE maintains separate ...

Page 900: ...s PE it uses the input policy label to look up the correct VPN routing table If a route is found it forwards the packet within the VPN To configure VRF you create a VRF table and specify the Layer 3 interface associated with the VRF Then configure the routing protocols in the VPN and between the CE and the PE BGP is the preferred routing protocol used to distribute VPN routing information across t...

Page 901: ...tween the CE and the PE However we recommend using external BGP EBGP for these reasons BGP does not require multiple algorithms to communicate with multiple CEs BGP is designed for passing routing information between systems run by different administrations BGP makes it easy to pass attributes of the routes to the CE Multi VRF CE does not affect the packet switching rate If no VRFs are configured ...

Page 902: ... global configuration mode 2 ip routing Enable IP routing 3 ip vrf vrf name Name the VRF and enter VRF configuration mode 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and arbitrary number A B C D y 5 route target export import both route target ext community Create a list of import export or...

Page 903: ...f a configured VRF is working you can use the ping vrf command When attempting to ping from a provider edge PE router to a customer edge CE router or from a PE router to PE router the standard ping command will not usually work The ping vrf command allows you to ping the IP addresses of LAN interfaces on CE routers If you are on a PE router be sure to indicate the specific VRF VPN name as shown in...

Page 904: ...fig snmp server engineID remote 172 16 20 3 vrf trap vrf 80000009030000B064EFE100 Command Purpose 1 ping vrf vrf name ip host Tests a connection in the context of a specific VPN connection Command Purpose 1 configure terminal Enter global configuration mode 2 snmp server trap authentication vrf Enable VRF instance context authentication notifications 3 snmp server engineID remote host vrf vpn inst...

Page 905: ...ch config if standby 1 ip User Interface for Syslog Follow the steps in this procedure to configure VRF aware services for Syslog BEFORE YOU BEGIN Configure a VRF as described in the Configuring VRFs page 897 Command Purpose 1 configure terminal Enter global configuration mode 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure 3 no switchport...

Page 906: ...red 13 red 13 0 msec 10 1 13 15 red 13 red 13 1 msec 2 10 1 8 13 red 13 red 13 0 msec 10 1 7 13 red 13 red 13 0 msec 10 1 8 13 red 13 red 13 0 msec 3 10 1 2 11 red 13 blue 10 1 msec 0 msec 0 msec 4 Command Purpose 1 configure terminal Enter global configuration mode 2 logging on Enable or temporarily disable logging of storage router event message 3 logging host ip address vrf vrf name Specify the...

Page 907: ...rf vpn1 Switch config vrf rd 200 1 Switch config vrf route target both 200 1 Switch config vrf interface ethernet 0 Switch config if ip vrf forwarding vpn1 Switch config if end User Interface for VRF Aware RADIUS To configure VRF aware RADIUS you must first enable AAA on a RADIUS server The switch supports the ip vrf forwarding vrf name server group configuration and the ip radius source interface...

Page 908: ...Switch config exit Configuring BGP PE to CE Routing Sessions BEFORE YOU BEGIN Complete the BGP network strategy and planning for your network Configure OSPF as described in the Configuring OSPF page 823 Configure a VRF as described in the Configuring VRFs page 897 Command Purpose 1 configure terminal Enter global configuration mode 2 router ospf process id vrf vrf name Enable OSPF routing specify ...

Page 909: ...ng Multi VRF CE Status You can use the following privileged EXEC commands to display information about multi VRF CE configuration and status Command Purpose 1 configure terminal Enter global configuration mode 2 router bgp autonomous system number Configure the BGP routing process with the AS number passed to other BGP routers and enter router configuration mode 3 network network number mask netwo...

Page 910: ...Forwarding Information Base FIB lookup table to perform destination based switching of IP packets The two main components in CEF are the distributed FIB and the distributed adjacency tables The FIB is similar to a routing table or information base and maintains a mirror image of the forwarding information in the IP routing table When routing or topology changes occur in the network the IP routing ...

Page 911: ...arding and IP routing enabled on the switch If you enable Cisco Express Forwarding and then create an access list that uses the log keyword the packets that match the access list are not Cisco Express Forwarding switched They are process switched Logging disables Cisco Express Forwarding DETAILED STEPS EXAMPLE Switch config ip cef Switch config interface ethernet 0 Switch config if ip route cache ...

Page 912: ...iguring Static Unicast Routes Static unicast routes are user defined routes that cause packets moving between a source and a destination to take a specified path Static routes can be important if the router cannot build a route to a particular destination and are useful for specifying a gateway of last resort to which all unroutable packets are sent The switch retains static routes until you remov...

Page 913: ...router s address in a static route the static route is also removed from the IP routing table DETAILED STEPS Use the no ip route prefix mask address interface global configuration command to remove a static route EXAMPLE The following example shows how to choose an administrative distance of 110 In this case packets for network 10 0 0 0 will be routed to a router at 172 31 3 4 if dynamic informati...

Page 914: ...ation is not being passed to the system candidates for the default route are specified with the ip default network global configuration command If this network appears in the routing table from any source it is flagged as a possible choice for the default route If the router has no interface on the default network but does have a path to it the network is considered as a possible candidate and the...

Page 915: ...e A route map with no set route map configuration commands is sent to the CPU which causes high CPU utilization You can also identify route map statements as permit or deny If the statement is marked as a deny the packets meeting the match criteria are sent back through the normal forwarding channels destination based routing If the statement is marked as permit set clauses are applied to packets ...

Page 916: ...ccess list number access list name access list number access list name Match a standard access list by specifying the name or number It can be an integer from 1 to 199 6 match metric metric value Match the specified route metric The metric value can be an EIGRP metric with a specified value from 0 to 4294967295 7 match ip next hop access list number access list name access list number access list ...

Page 917: ...edistributed routes for EIGRP only bandwidth Metric value or IGRP bandwidth of the route in kilobits per second in the range 0 to 4294967295 delay Route delay in tens of microseconds in the range 0 to 4294967295 reliability Likelihood of successful packet transmission expressed as a number between 0 and 255 where 255 means 100 percent reliability and 0 means no reliability loading Effective bandwi...

Page 918: ...domain into another and control route distribution Note that the keywords in this procedure are the same as defined in the previous procedure The metrics of one routing protocol do not necessarily translate into the metrics of another In these situations an artificial metric is assigned to the redistributed route Uncontrolled exchanging of routing information between different routing protocols ca...

Page 919: ...low or deny paths based on Identity of a particular end system Application Protocol Command Purpose 1 configure terminal Enter global configuration mode 2 router bgp rip ospf eigrp Enter router configuration mode 3 redistribute protocol process id level 1 level 1 2 level 2 metric metric value metric type type value match internal external type value tag tag value route map map tag weight weight su...

Page 920: ...he end of the list of match statements If match clauses are satisfied you can use a set clause to specify the IP addresses identifying the next hop router in the path For details about PBR commands and keywords see IP Routing Protocol Independent Configuration Guide Cisco IOS Release 15M T PBR Configuration Guidelines Before configuring PBR you should be aware of this information Multicast traffic...

Page 921: ...the match criteria and the resulting action if all of the match clauses are met Then you must enable PBR for that route map on an interface All packets arriving on the specified interface matching the match clauses are subject to PBR PBR can be fast switched or implemented at speeds that do not slow down the switch Fast switched PBR supports most match and set commands PBR must be enabled before y...

Page 922: ... a packet destined for a local address If you do not specify a match command the route map applies to all packets 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set next hop to which to route the packet the next hop must be adjacent 5 exit Return to global configuration mode 6 interface interface id Enter interface configuration mode and s...

Page 923: ... a local network from dynamically learning about routes you can use the passive interface router configuration command to keep routing update messages from being sent through a router interface When you use this command in the OSPF protocol the interface address you specify as passive appears as a stub network in the OSPF domain OSPF routing information is neither sent nor received through the spe...

Page 924: ...es from being advertised in routing updates and to prevent other routers from learning one or more routes When used in OSPF this feature applies to only external routes and you cannot specify an interface name You can also use a distribute list router configuration command to avoid processing certain routes listed in incoming updates This feature does not apply to OSPF BEFORE YOU BEGIN Configure a...

Page 925: ...tworthiness of a routing information source such as a router or group of routers In a large network some routing protocols can be more reliable than others By specifying administrative distance values you enable the router to intelligently discriminate between sources of routing information The router always picks the route whose routing protocol has the lowest administrative distance Because each...

Page 926: ...er eigrp 109 Switch config router distance 22 10 0 0 0 0 0 0 255 Switch config router distance 33 10 11 0 0 0 0 0 255 Switch config router distance 44 10 11 12 0 0 0 0 255 Switch config router end Managing Authentication Keys Key management is a method of controlling authentication keys used by routing protocols Not all protocols can use key management Authentication keys are available for EIGRP a...

Page 927: ...d Command Purpose 1 configure terminal Enter global configuration mode 2 key chain name of chain Identify a key chain and enter key chain configuration mode 3 key number Identify the key number The range is 0 to 2147483647 4 key string text Identify the key string The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters but the first character cannot be a number 5 accept...

Page 928: ...Router config keychain key key string key2 Router config keychain key accept lifetime 14 30 00 Jan 25 1996 duration 7200 Router config keychain key send lifetime 15 00 00 Jan 25 1996 duration 3600 Verifying Configuration You can remove all contents of a particular cache table or database You can also display specific statistics Related Documents Cisco IOS Master Command List All Releases IP Addres...

Page 929: ...mmand Reference ISO CLNS Configuration Guide Cisco IOS Release 15M T Cisco IOS IP Routing ISIS Command Reference IP Routing ISIS Configuration Guide Cisco IOS Release 15M T High Availability Configuration Guide Cisco IOS Release 15S IP Routing BFD Configuration Guide Cisco IOS Release 15M T Cisco IOS IP Routing Protocol Independent Command Reference IP Routing Protocol Independent Configuration Gu...

Page 930: ...926 Configuring IP Unicast Routing Related Documents ...

Page 931: ...iguration page 953 Configuration Example page 953 Related Documents page 956 Information About IPv6 IPv4 users can move to IPv6 and receive services such as end to end security quality of service QoS and globally unique addresses The IPv6 address space reduces the need for private addresses and Network Address Translation NAT processing by border routers at network edges This section describes IPv...

Page 932: ... simplification improved support of extensions and options and hardware parsing of the extension header The switch supports hop by hop extension header packets which are routed or bridged in software The switch provides IPv6 routing capability over 802 1Q trunk ports for static routes Routing Information Protocol RIP for IPv6 and Open Shortest Path First OSPF Version 3 Protocol It supports up to 1...

Page 933: ...ce or destination addresses to other links DNS for IPv6 IPv6 supports Domain Name System DNS record types in the DNS name to address and address to name lookup processes The DNS AAAA resource record types support IPv6 addresses and are equivalent to an A address record in IPv4 The switch supports DNS resolution for IPv4 and IPv6 Path MTU Discovery for IPv6 Unicast The switch supports advertising t...

Page 934: ...s NDP can either select the same router every time or cycle through the router list By using DRP you can configure an IPv6 host to prefer one router over another provided both are reachable or probably reachable IPv6 Stateless Autoconfiguration and Duplicate Address Detection The switch uses stateless autoconfiguration to manage link subnet and site addressing changes such as management of host an...

Page 935: ... with only one path to an outside network or to provide security for certain types of traffic in a larger network RIP for IPv6 Routing Information Protocol RIP for IPv6 is a distance vector protocol that uses hop count as a routing metric It includes support for IPv6 addresses and prefixes and the all RIP routers multicast group address FF02 9 as the destination address for RIP update messages OSP...

Page 936: ... The HTTP client sends requests to both IPv4 and IPv6 HTTP servers which respond to requests from both IPv4 and IPv6 HTTP clients URLs with literal IPv6 addresses must be specified in hexadecimal using 16 bit values between colons The accept socket call chooses an IPv4 or IPv6 address family The accept socket is either an IPv4 or IPv6 socket The listening socket waits for both IPv4 and IPv6 signal...

Page 937: ...ugh a route with masks greater than 64 bits Load balancing using equal cost and unequal cost routes is not supported for IPv6 host routes or for IPv6 routes with a mask greater than 64 bits The switch cannot forward SNAP encapsulated IPv6 packets There is a similar limitation for IPv4 SNAP encapsulated packets but the packets are dropped at the switch The switch routes IPv6 to IPv4 and IPv4 to IPv...

Page 938: ...al address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multicast group FF02 0 0 0 0 1 ff00 104 for each unicast address assigned to the interface the address for the neighbor discovery process all nodes link local multicast group FF02 1 all routers link local multicast group FF02 2 For more informati...

Page 939: ... enter the ipv6 address and ipv6 prefix variables with the address specified in hexadecimal using 16 bit values between colons The prefix length variable preceded by a slash is a decimal value that shows how many of the high order contiguous bits of the address comprise the prefix the network portion of the address ...

Page 940: ...rface interface id Enter interface configuration mode and specify the Layer 3 interface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enabl...

Page 941: ... c18 1 20B 46FF FE2F D940 subnet is 2001 0DB8 c18 1 64 EUI Joined group address es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds N...

Page 942: ...t an SDM template that supports IPv4 and IPv6 If not already configured use the sdm prefer dual ipv4 and ipv6 default routing vlan global configuration command to configure a template that supports IPv6 When you select a new template you must reload the switch by using the reload privileged EXEC command so that the template takes effect Command Purpose 1 configure terminal Enter global configurati...

Page 943: ...nfiguration mode 6 ip routing Enable IPv4 routing on the switch 7 ipv6 unicast routing Enable forwarding of IPv6 data packets on the switch 8 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure 9 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface 10 ip address ip address mask secondary Specify a prim...

Page 944: ... Release 15 2M T Default DHCPv6 Address Assignment Configuration page 940 DHCPv6 Address Assignment Configuration Guidelines page 940 Enabling the DHCPv6 Server Function page 940 Enabling the DHCPv6 Client Function page 943 Default DHCPv6 Address Assignment Configuration By default no Dynamic Host Configuration Protocol for IPv6 DHCPv6 features are configured on the switch DHCPv6 Address Assignmen...

Page 945: ...x Optional Specify a link address IPv6 prefix When an address on the incoming interface or a link address in the packet matches the specified IPv6 prefix the server uses the configuration information pool This address must be in hexadecimal using 16 bit values between colons 5 vendor specific vendor id Optional Enter vendor specific configuration mode and enter a vendor specific identification num...

Page 946: ...h config dhcpv6 end This example shows how to configure a pool called 350 with vendor specific options 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable the DHCPv6 server function on an interface poolname Optional User defined name for the IPv6 DHCP pool The pool name can be a symbolic string such as Engineering or an integer such as 0 automatic Optional Enable...

Page 947: ...tch config interface gigabitethernet0 1 Switch config if ipv6 address dhcp rapid commit Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size maximum number of tokens to be stored in a bucket of 10 BEFORE YOU BEGIN Complete the Configuring IPv6 Addressing and Enabling IPv6 Routing page 934 C...

Page 948: ...al configuration command You can verify the IPv6 state by entering the show ipv6 cef privileged EXEC command For more information about configuring CEF see the Implementing IPv6 Addressing and Basic Connectivity chapter in the IPv6 Implementation Guide Cisco IOS Release 15 2M T Configuring Static Routing for IPv6 BEFORE YOU BEGIN Before configuring a static IPv6 route you must Enable routing by us...

Page 949: ...ess of the directly connected next hop The address must be specified in hexadecimal using 16 bit values between colons interface id Specify direct static routes from point to point and broadcast interfaces On point to point interfaces you do not need to specify the IPv6 address of the next hop On broadcast interfaces you should always specify the IPv6 address of the next hop or ensure that the spe...

Page 950: ... IPv6 packets by using the ipv6 unicast routing global configuration command Enable IPv6 on any Layer 3 interfaces on which IPv6 RIP is to be enabled 3 end Return to privileged EXEC mode 4 show ipv6 static ipv6 address ipv6 prefix prefix length interface interface id recursive detail or show ipv6 route static updated Verify your entries by displaying the IPv6 routing table interface interface id O...

Page 951: ...IP can support The range is from 1 to 64 and the default is 4 routes 4 exit Return to global configuration mode 5 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure 6 ipv6 rip name enable Enable the specified IPv6 RIP routing process on the interface 7 ipv6 rip name default information only originate Optional Originate the IPv6 default route 0 ...

Page 952: ...rs and features Be careful when changing the defaults for IPv6 commands Doing so might adversely affect OSPF for the IPv6 network BEFORE YOU BEGIN Before you enable IPv6 OSPF on an interface you must Enable routing by using the ip routing global configuration command Enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command Enable IPv6 on Layer 3 interfac...

Page 953: ...twork portion of the address A slash mark must precede the decimal value advertise Optional Set the address range status to advertise and to generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for th...

Page 954: ... use EIGRPv6 to specify your EIGRP IPv4 interfaces and to select a subset of those as passive interfaces Use the passive interface default command to make all interfaces passive and then use the no passive interface command on selected interfaces to make them active EIGRP IPv6 does not need to be configured on a passive interface For more configuration procedures see the Implementing EIGRP for IPv...

Page 955: ...BGP routing session unless you enter this command before configuring the neighbor remote as command 4 bgp router id ip address Optional Configure a fixed 32 bit router ID as the identifier of the local router running BGP By default the router ID is the IPv4 address of a router loopback interface On a router enabled only for IPv6 no IPv4 address you must manually configure the BGP router ID Note Co...

Page 956: ...952 Configuring IPv6 Unicast Routing Configuring IPv6 network 2010 AB8 2 48 network 2010 AB8 3 48 exit address family ...

Page 957: ...ers Display local IPv6 routers show ipv6 static Display IPv6 static routes show ipv6 traffic Display IPv6 traffic statistics Command Purpose show ipv6 eigrp as number interface Display information about interfaces configured for EIGRP IPv6 show ipv6 eigrp as number neighbor Display the neighbors discovered by EIGRP IPv6 show ipv6 eigrp as number traffic Display the number of EIGRP IPv6 packets sen...

Page 958: ...ow ipv6 cef 0 nexthop 3FFE C000 0 7 777 Vlan7 3FFE C000 0 1 64 attached to Vlan1 3FFE C000 0 1 20B 46FF FE2F D940 128 receive 3FFE C000 0 7 64 attached to Vlan7 3FFE C000 0 7 777 128 attached to Vlan7 3FFE C000 0 7 20B 46FF FE2F D97F 128 receive 3FFE C000 111 1 64 attached to GigabitEthernet0 11 3FFE C000 111 1 20B 46FF FE2F D945 128 receive 3FFE C000 168 1 64 attached to GigabitEthernet0 43 3FFE ...

Page 959: ...routes Code installed in RIB 0 via nexthop 3FFE C000 0 7 777 distance 1 This is an example of the output from the show ipv6 route privileged EXEC command Switch show ipv6 route IPv6 Routing Table 21 entries Codes C Connected L Local S Static R RIP B BGP U Per user Static route I1 ISIS L1 I2 ISIS L2 IA ISIS interarea IS ISIS summary O OSPF intra OI OSPF inter OE1 OSPF ext 1 OE2 OSPF ext 2 ON1 OSPF ...

Page 960: ...ho request 0 echo reply 0 group query 0 group report 0 group reduce 1 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert Sent 10112 output 0 rate limited unreach 0 routing 0 admin 0 neighbor 0 address 0 port parameter 0 error 0 header 0 option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 rou...

Page 961: ...otocols are used by routers to dynamically calculate the best route for forwarding traffic Routing protocols supported by the switch are Routing Information Protocol RIP Border Gateway Protocol BGP Open Shortest Path First OSPF protocol Enhanced IGRP EIGRP System to Intermediate System IS IS and Bidirectional Forwarding Detection BFD IPv6 Unicast Routing IPv4 users can move to IPv6 and receive ser...

Page 962: ...th a higher priority becomes active The enhanced object tracking feature separates the tracking mechanism from HSRP and creates a separate standalone tracking process that can be used by processes other than HSRP This allows tracking other objects in addition to the interface line protocol state A client process such as HSRP or Gateway Local Balancing Protocol GLBP can register an interest in trac...

Page 963: ... performance Cisco IOS IP SLAs can perform network assessments verify quality of service QoS ease the deployment of new services and assist with network troubleshooting Cisco IOS IP SLAs Cisco IOS IP SLAs sends data across the network to measure performance between multiple network locations or across multiple network paths It simulates network data and IP services and collects network performance...

Page 964: ...sources for example shows the network availability of an NFS server used to store business critical data from a remote site Troubleshooting of network operation by providing consistent reliable measurement that immediately identifies problems and saves troubleshooting time Multiprotocol Label Switching MPLS performance monitoring and network verification if the switch supports MPLS Cisco IOS IP SL...

Page 965: ...n be a source for a destination IP SLAs Responder Figure 106 on page 961 shows where the Cisco IOS IP SLAs responder fits in the IP network The responder listens on a specific port for control protocol messages sent by an IP SLAs operation Upon receipt of the control message it enables the specified UDP or TCP port for the specified duration During this time the responder accepts the requests and ...

Page 966: ...device is the ability to track one way delay jitter and directional packet loss Because much network behavior is asynchronous it is critical to have these statistics However to capture one way delay measurements you must configure both the source router and target router with Network Time Protocol NTP so that the source and target are synchronized to the same clock source One way jitter measuremen...

Page 967: ... carry packet sending and receiving sequence information and sending and receiving time stamps from the source and the operational target Based on these UDP jitter operations measure this data Per direction jitter source to destination and destination to source Per direction packet loss Per direction delay one way delay Round trip delay average round trip time Because the paths for the sending and...

Page 968: ... multiple operation scheduling and proactive threshold monitoring It does not support VoIP service levels using the gatekeeper registration delay operations measurements Configuring the IP SLAs Responder Before You Begin For the IP SLAs responder to function you must also configure a source device such as a Catalyst 3750 or Catalyst 3560 switch running the IP services image that has full IP SLAs s...

Page 969: ...tname Specifies the source IP address or hostname When a source IP address or hostname is not specified IP SLAs chooses the IP address nearest to the destination Optional source port port number Specifies the source port number in the range from 1 to 65535 When a port number is not specified IP SLAs chooses an available port Optional control Enables or disables sending of IP SLAs control messages ...

Page 970: ...hh mm ss to show that the operation should start after the entered time has elapsed Optional ageout seconds Enters the number of seconds to keep the operation in memory when it is not actively collecting information The range is 0 to 2073600 seconds the default is 0 seconds never ages out Optional recurring Sets the operation to automatically run every day 7 end Returns to privileged EXEC mode Com...

Page 971: ...e has elapsed Optional ageout seconds Enters the number of seconds to keep the operation in memory when it is not actively collecting information The range is 0 to 2073600 seconds the default is 0 seconds never ages out Optional recurring Sets the operation to automatically run every day 7 end Returns to privileged EXEC mode Command Purpose Command Purpose show ip sla application Displays global i...

Page 972: ...andomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distribution buckets kept 1 Statistic distribution interval milliseconds 20 History Statistics show ip sla mpls lsp monitor collection statistics co...

Page 973: ...hcp Type of Operation to Perform dns Type of Operation to Perform echo Type of Operation to Perform ftp Type of Operation to Perform http Type of Operation to Perform jitter Type of Operation to Perform pathEcho Type of Operation to Perform pathJitter Type of Operation to Perform tcpConnect Type of Operation to Perform udpEcho IP SLAs low memory water mark 21741224 Configuring a Responder UDP Jitt...

Page 974: ...rf Name Control Packets enabled Schedule Operation frequency seconds 30 Next Scheduled Start Time Pending trigger Group Scheduled FALSE Randomly Scheduled FALSE Life seconds 3600 Entry Ageout seconds never Recurring Starting Everyday FALSE Status of entry SNMP RowStatus notInService Threshold milliseconds 5000 Distribution Statistics Number of statistic hours kept 2 Number of statistic distributio...

Page 975: ...odified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Desc...

Page 976: ...972 Configuring Cisco IOS IP SLAs Operations Additional References ...

Page 977: ...tion command The show dying gasp packets command displays the detailed information about the created packets The SNMP server for the SNMP Dying Gasp message is specified through the snmp server host configuration command The syslog server sending the syslog Dying Gasp message is specified through the logging host hostname or ipaddress transport udp command The Ethernet OAM Dying Gasp packets are c...

Page 978: ...974 Dying Gasp ...

Page 979: ...ludes these sections Understanding Enhanced Object Tracking page 975 Configuring Enhanced Object Tracking Features page 975 Monitoring Enhanced Object Tracking page 985 Understanding Enhanced Object Tracking Each tracked object has a unique number that is specified in the tracking command line interface CLI Client processes use this number to track a specific object The tracking process periodical...

Page 980: ...ne protocol Optional Create a tracking list to track the line protocol state of an interface and enter tracking configuration mode The object number identifies the tracked object and can be from 1 to 500 The interface interface id is the interface being tracked 3 delay up seconds down seconds up seconds down seconds Optional Specify a period of time in seconds to delay communicating state changes ...

Page 981: ...acking two interfaces using the AND operator up means that both interfaces are up and down means that either interface is down Beginning in privileged EXEC mode follow these steps to configure a tracked list of objects with a Boolean expression Use the no track track number global configuration command to delete the tracked list Command Purpose 1 configure terminal Enter global configuration mode ...

Page 982: ...in order to satisfy the threshold weight Switch config track 4 list threshold weight Switch config track object 1 weight 15 Switch config track object 2 weight 20 Switch config track object 3 weight 30 Command Purpose 1 configure terminal Enter global configuration mode 2 track track number list threshold weight Configure a tracked list object and enter tracking configuration mode The track number...

Page 983: ...sure the state of the list Switch config track 4 list threshold percentage Switch config track object 1 Switch config track object 2 Switch config track object 3 Switch config track threshold percentage up 51 down 10 Switch config track exit Command Purpose 1 configure terminal Enter global configuration mode 2 track track number list threshold percentage Configure a tracked list object and enter ...

Page 984: ...4 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see Configuring a Tracked List with a Boolean Expression page 977 For threshold weight see Configuring a Tracked List with a Weight Threshold page 978 For threshold percentage see Configuring a Tracked List with a Percentage Threshold page 979 Note...

Page 985: ...rmation see the Cisco IOS IP SLAs Command Reference Guide Release 12 4T at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action Every IP SLAs operation maintains an SNMP operation return code value such as OK or OverTh...

Page 986: ... global configuration mode 2 track object number rtr operation number state Enter tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 2147483647 3 delay up seconds down seconds up seconds down seconds Optional Specify a period of time in seconds to delay communicating state changes of a tracked obje...

Page 987: ...e state of the agent 3 Configure a default static default route using a secondary interface This route is used only if the primary route is removed Configuring a Primary Interface Beginning in privileged EXEC mode follow these steps to configure a primary interface for static routing Beginning in privileged EXEC mode follow these steps to configure a primary interface for DHCP Command Purpose 1 co...

Page 988: ...de 8 ip sla schedule operation number life forever seconds start time time pending now after time ageout seconds recurring Configure the scheduling parameters for a single IP SLAs operation 9 track object number rtr operation number state reachability Track the state of a Cisco IOS IP SLAs operation and enter tracking configuration mode 10 end Return to privileged EXEC mode 11 show track object nu...

Page 989: ...onfigured track object is up 10 end Return to privileged EXEC mode 11 show ip route track table Display information about the IP route track table 12 copy running config startup config Optional Save your entries in the configuration file Command Purpose show ip route track table Display information about the IP route track table show track object number Display information about the all tracking l...

Page 990: ...986 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...

Page 991: ... TCP The switch functions as the server The switch encapsulates a request or response message in a MODBUS TCP application data unit ADU A client sends a message to a TCP port on the switch The default port number is 502 MODBUS and Security page 987 Multiple Request Messages page 988 MODBUS and Security If a firewall or other security services are enabled the switch TCP port might be blocked and th...

Page 992: ...atistics enter the clear scada modbus tcp server statistics privileged EXEC command After you enable MODBUS TCP on the switch this warning appears WARNING Starting Modbus TCP server is a security risk Please understand the security issues involved before proceeding further Do you still want to start the server yes no Command Purpose 1 configure terminal Enters global configuration mode 2 scada mod...

Page 993: ...igure an ACL to permit traffic from specific clients or configure QoS to rate limit traffic Displaying MODBUS TCP Information Command Purpose show scada modbus tcp server Displays the server information and statistics show scada modbus tcp server connections Displays the client information and statistics ...

Page 994: ...990 Configuring MODBUS TCP Displaying MODBUS TCP Information ...

Page 995: ...edge PE to PE device or customer edge to customer edge CE to CE device Ethernet CFM as specified by 802 1ag is the standard for Layer 2 ping Layer 2 traceroute and end to end connectivity check of the Ethernet network For complete command and configuration information for Ethernet CFM see the Configuring Ethernet OAM CFM and E LMI chapter of the System Management guide at this URL http www cisco c...

Page 996: ...992 Ethernet CFM ...

Page 997: ... not interrupt switch operation unless you need to reload the Cisco IOS software However if you remove the compact flash card you do not have access to the flash file system and any attempt to access it generates an error message Use the show flash privileged EXEC command to display the compact flash file settings For more information about the command go to this URL http www cisco com en US docs ...

Page 998: ...e the show platform sdflash privileged EXEC command This example shows an unsupported SD flash memory card Switch show platform sdflash SD Flash Manufacturer SMART MODULAR ID 27h Non IT Size 485MB Serial number B01000A5 Revision 2 0 Manufacturing date 12 2009 This example shows a supported SD flash memory card Switch show platform sdflash SD Flash Manufacturer SMART MODULAR ID 27h Size 972MB Seria...

Page 999: ...ory in the file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for ...

Page 1000: ...isplay information about files on a file system use one of the privileged EXEC commands in Table 67 on page 996 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change directories and display the working directory Creating and Removing Directories Beginning in privileged EXEC mode follow these steps to create and remove a directory T...

Page 1001: ...the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memory to be used as the configuration during system initialization You can also copy from special file systems xmodem ymodem as the source for the file from a network machine that uses the Xmodem or Ymodem protocol Network file system URLs include ftp rcp and tftp and have t...

Page 1002: ... the cd command For file url you specify the path directory and the name of the file to be deleted When you attempt to delete any files the system prompts you to confirm the deletion Caution When files are deleted their contents cannot be recovered This example shows how to delete the file myconfig from the default flash memory device Switch delete myconfig Creating Displaying and Extracting tar F...

Page 1003: ...location directory tar filename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filename tar is the tar file to display You can also limit the display of the files by specifying an optional list of files or directories after the tar file then only those files appear If none are specified all ...

Page 1004: ...ts of any readable file including a file on a remote file system use the more ascii binary ebcdic file url privileged EXEC command This example shows how to display the contents of a configuration file on a TFTP server Switch more tftp serverA hampton savedconfig Saved configuration on server version 11 3 service timestamps log datetime localtime service linenumber service udp small servers servic...

Page 1005: ...cp tftp system running config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied ...

Page 1006: ...rvices file contains this line tftp 69 udp You must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon see the documentation for your workstation Ensure that the switch...

Page 1007: ...To upload a configuration file from a switch to a TFTP server for storage follow these steps 1 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP page 1002 2 Log into the switch through the console port or a Telnet session 3 Upload the switch configuration to the TFTP server Specify the IP address or hostname of...

Page 1008: ...e username For more information see the documentation for your FTP server Preparing to Download or Upload a Configuration File By Using FTP Before you begin downloading or uploading a configuration file by using FTP do these tasks Ensure that the switch has a route to the FTP server The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between su...

Page 1009: ...onfiguration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by ftp from 172 16 101 101 Uploading a Configuration File By Using FTP Beginning in privileged EXEC mode follow these steps to upload a configuration file by using...

Page 1010: ...es the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only need to have access to a server that supports the remote shell rsh Most UNIX systems support rsh Because you are copying a file from one ...

Page 1011: ...te to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current RCP username is the one that you want to use for the RCP downl...

Page 1012: ...55 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile store configured from host2 config by rcp from 172 16 101 101 Uploading a Configuration File By Using RCP Beginning in privileged EXEC mode follow these steps to uploa...

Page 1013: ... reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Clearing the Startup Configuration File To clear the contents of your startup configuration use the erase nvram or the erase startup config privileged EXEC command Caution You cannot restore the startup configuration file after it has been deleted Comman...

Page 1014: ...ed You can specify how many versions of the running configuration are kept in the archive After the maximum number of files are saved the oldest file is automatically deleted when the next most recent file is saved The show archive privileged EXEC command displays information for all the configuration files saved in the configuration archive The Cisco IOS configuration archive in which the configu...

Page 1015: ...ion commands Certain configuration commands such as those pertaining to physical components of a networking device for example physical interfaces cannot be added or removed from the running configuration A configuration replacement operation cannot remove the interface interface id command line from the running configuration if that interface is physically present on the device The interface inte...

Page 1016: ...ation and filename prefix for the files in the configuration archive 5 time period minutes Optional Sets the time increment for automatically saving an archive file of the running configuration in the configuration archive minutes Specifies how often in minutes to automatically save an archive file of the running configuration in the configuration archive 6 end Returns to privileged EXEC mode 7 sh...

Page 1017: ...ration file target url URL accessible by the file system of the saved configuration file that is to replace the running configuration such as the configuration file created in Step 2 by using the archive config privileged EXEC command list Displays a list of the command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes als...

Page 1018: ...f specifying complete paths with each tar file tar File Format of Images on a Server or Cisco com Software images located on a server or downloaded from Cisco com are provided in a tar file format which contains these files An info file which serves as a table of contents for the tar file One or more subdirectories containing other images and files such as Cisco IOS images and web management files...

Page 1019: ...r a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon see the documentation for your workstation Ensure that the switch has a route to the TFTP server The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the TFTP server by using the pin...

Page 1020: ...the image to the appropriate TFTP directory on the workstation Make sure that the TFTP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP page 1015 2 Log into the switch through the console port or a Telnet session 3 archive download sw overwrite reload tftp location directory image name tar Downloads the image file from the TFTP server to the switch ...

Page 1021: ...e archive upload sw privileged EXEC command builds an image file on the server by uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names Copying Image Files By Using FTP You can download a switch i...

Page 1022: ... username and ip ftp password commands to specify a username and password for all copies Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username only for that operation If the server has a directory structure the image file is written to or copied from the directory associated with the username on the server For example if the ...

Page 1023: ...ng image To keep the current image go to Step 7 Command Purpose 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP page 1004 2 Log into the switch through the console port or a Telnet session 3 configure terminal Enters global configuration mode This step is required only if you override the default remote usern...

Page 1024: ...te reload ftp username password location directory i mage name tar Downloads the image file from the FTP server to the switch and overwrite the current image The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password s...

Page 1025: ...d the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names Copying Image Files By Using RCP You can download a switch image from an RCP server or upload the image from the switch to an RCP server Command Purpose 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload...

Page 1026: ...rivileged EXEC command if a username is specified The username set by the ip rcmd remote username username global configuration command if the command is entered The remote username associated with the current TTY terminal process For example if the user is connected to the router through Telnet and was authenticated through the username command the switch software sends the Telnet username as the...

Page 1027: ... com Switch1 For more information see the documentation for your RCP server Downloading an Image File By Using RCP You can download a new image file and replace or keep the current image Beginning in privileged EXEC mode follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image To keep the current image go to Step 6 Command Purpose 1 Verify that the RCP s...

Page 1028: ...ation directory image nam e tar Downloads the image file from the RCP server to the switch and overwrite the current image The overwrite option overwrites the software image in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request...

Page 1029: ... uploading these files in order info the Cisco IOS image and the web management files After these files are uploaded the upload algorithm creates the tar file format Caution For the download and upload algorithms to operate properly do not rename image names Command Purpose 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload a Configuration File ...

Page 1030: ...1026 Working with the Cisco IOS File System Configuration Files and Software Images Working with Software Images ...

Page 1031: ... from the failed link to the remaining links in the channel without intervention This chapter also describes how to configure link state tracking EtherChannels An EtherChannel consists of individual Ethernet links bundled into a single logical link as shown in Figure 108 on page 1027 Figure 108 Typical EtherChannel Configuration The EtherChannel provides full duplex bandwidth up 2 Gb s Gigabit Eth...

Page 1032: ...ne link in an EtherChannel are blocked from returning on any other link of the EtherChannel Port Channel Interfaces When you create an EtherChannel a port channel logical interface is involved With Layer 2 ports use the channel group interface configuration command to dynamically create the port channel logical interface You also can use the interface port channel port channel number global config...

Page 1033: ...tches and on those switches licensed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports By using PAgP the switch learns the identity of partners capable of supporting PAgP and the capabilities of each port It then dynamically groups similarly configured ports into a single logical link channel or aggregate port Simi...

Page 1034: ...is an aggregate port learner if it learns addresses by aggregate logical ports The learn method must be configured the same at both ends of the link When a device and its partner are both aggregate port learners they learn the address on the logical port channel The device sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on ...

Page 1035: ... in sync If the active switch fails or resets the standby switch takes over as the active switch If the VSL goes down one core switch knows the status of the other and does not change state PAgP Interaction with Other Features The Dynamic Trunking Protocol DTP and the Cisco Discovery Protocol CDP send and receive packets over the physical ports in the EtherChannel Trunk ports send and receive PAgP...

Page 1036: ...om aggregating Determining which ports are active and which are hot standby is a two step procedure First the system with a numerically lower system priority and system id is placed in charge of the decision Next that system decides which ports are active and which are hot standby based on its values for port priority and port number The port priority and port number values for the other system ar...

Page 1037: ...r destination addresses or both source and destination addresses The selected mode applies to all EtherChannels configured on the switch You configure the load balancing and forwarding method by using the port channel load balance global configuration command With source MAC address forwarding when packets are forwarded to an EtherChannel they are distributed across the ports in the channel based ...

Page 1038: ...articular switch In this method packets sent from the IP address A to IP address B from IP address A to IP address C and from IP address C to IP address B could all use different ports in the channel Different load balancing methods have different advantages and the choice of a particular load balancing method should be based on the position of the switch in the network and the kind of traffic tha...

Page 1039: ...nation based forwarding enabled EtherChannel Switch with source based forwarding enabled Feature Default Setting Channel groups None assigned Port channel logical interface None defined PAgP mode No default PAgP learn method Aggregate port learning on all ports PAgP priority 128 on all ports LACP mode No default LACP learn method Aggregate port learning on all ports LACP port priority 32768 on all...

Page 1040: ...eroperate Do not configure a Switched Port Analyzer SPAN destination port as part of an EtherChannel Do not configure a secure port as part of an EtherChannel or the reverse Do not configure a private VLAN port as part of an EtherChannel Do not configure a port that is an active or a not yet active member of an EtherChannel as an IEEE 802 1x port If you try to enable IEEE 802 1x on an EtherChannel...

Page 1041: ...with the channel group interface configuration command This command automatically creates the port channel logical interface This required task explains how to configure a Layer 2 Ethernet port to a Layer 2 EtherChannel Command Purpose 1 configure terminal Enters global configuration mode 2 interface interface id Specifies a physical port and enter interface configuration mode Valid interfaces inc...

Page 1042: ...her ports by sending PAgP packets on Forces the port to channel without PAgP or LACP In the on mode an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do ...

Page 1043: ...ribution methods dst ip Specifies the destination host IP address dst mac Specifies the destination host MAC address of the incoming packet src dst ip Specifies the source and destination host IP address src dst mac Specifies the source and destination host MAC address src ip Specifies the source host IP address src mac Specifies the source MAC address of the incoming packet 3 end Returns to privi...

Page 1044: ... both ends of the link 4 pagp port priority priority Assigns a priority so that the selected port is chosen for packet transmission For priority the range is 0 to 255 The default is 128 The higher the priority the more likely that the port will be used for PAgP transmission 5 end Returns to privileged EXEC mode Command Purpose Command Purpose 1 configure terminal Enters global configuration mode 2...

Page 1045: ...1 17 2 Switch config if range switchport mode access Switch config if range switchport access vlan 10 Switch config if range channel group 5 mode active Switch config if range end Additional References The following sections provide references related to switch administration Command Purpose show etherchannel channel group number detail port port channel protocol summary detail load balance port p...

Page 1046: ...sco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Description Link The Cisco Technical Support website contains thousands of page...

Page 1047: ...e If a remote device does not autonegotiate configure the duplex settings on the two ports to match The speed parameter can adjust itself even if the connected port does not autonegotiate SFP Module Security and Identification Cisco small form factor pluggable SFP modules have a serial EEPROM that contains the module serial number the vendor name and ID a unique security code and cyclic redundancy...

Page 1048: ... and lets them time out The switch can only identify the path from the source device to the destination device It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host Layer 2 Traceroute Usage Guidelines Cisco Discovery Protocol CDP must be enabled on all the devices in the network For Layer 2 traceroute to functio...

Page 1049: ...eturn messages Traceroute starts by sending a User Datagram Protocol UDP datagram to the destination host with the TTL field set to 1 If a router finds a TTL value of 1 or 0 it drops the datagram and sends an Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute finds the address of the first hop by examining the source address field of the ICMP time to live...

Page 1050: ... existing sequence number so the file with the largest sequence number describes the most recent failure Version numbers are used instead of a timestamp because the switches do not include a real time clock You cannot change the name of the file that the system will use when it creates the file However after the file is created you can use the rename privileged EXEC command to rename it but the co...

Page 1051: ...es 8 PID Runtime ms Invoked uSecs 5Sec 1Min 5Min TTY Process 140 8820183 4942081 1784 0 63 0 37 0 30 0 HRPC qos request 100 3427318 16150534 212 0 47 0 14 0 11 0 HRPC pm counters 192 3093252 14081112 219 0 31 0 14 0 11 0 Spanning Tree 143 8 37 216 0 15 0 01 0 00 0 Exec output truncated This example shows normal CPU utilization The output shows that utilization for the last 5 seconds is 8 0 which h...

Page 1052: ... file by using the tar tvf image_filename tar UNIX command switch tar tvf image_filename tar Locate the bin file and extract it by using the tar xvf image_filename tar image_filename bin UNIX command switch tar xvf image_filename tar image_filename binx x image_name bin 3970586 bytes 7756 tape blocks Verify that the bin file was extracted by using the ls l image_filename bin UNIX command switch ls...

Page 1053: ...in make sure that You have physical access to the switch At least one switch port is enabled and is not connected to a device To delete the switch password and set a new one follow these steps 1 Press the Express Setup button until the SETUP LED blinks green and the LED of an available switch downlink port blinks green If no switch downlink port is available for your PC or laptop connection discon...

Page 1054: ...d Catalyst 1900 switch connected to the command switch through a secured port can lose connectivity if the port is disabled because of a security violation Executing Ping If you attempt to ping a host in a different IP subnetwork you must define a static route to the network or have IP routing configured to route between those subnets IP routing is disabled by default on all switches If you need t...

Page 1055: ...msec 8 msec 0 msec 3 171 9 16 6 4 msec 0 msec 0 msec 4 171 9 4 5 0 msec 4 msec 0 msec 5 171 9 121 34 0 msec 4 msec 4 msec 6 171 9 15 9 120 msec 132 msec 128 msec 7 171 9 15 10 132 msec 128 msec 128 msec Switch The display shows the hop count the IP address of the router and the round trip time in milliseconds for each of the three probes that are sent Table 73 on page 1052 lists the characters tha...

Page 1056: ...ter this command to enable the debugging for Switched Port Analyzer SPAN Switch debug span session The switch continues to generate output until you enter the no form of the command If you enable a debug command and no output appears consider these possibilities The switch might not be properly configured to generate the type of traffic you want to monitor Use the show running config command to ch...

Page 1057: ...g format is compatible with 4 3 Berkeley Standard Distribution BSD UNIX and its derivatives Note Be aware that the debugging destination you use affects system overhead Logging messages to the console produces very high overhead whereas logging messages to a virtual terminal produces less overhead Logging messages to a syslog server produces even less and logging to an internal buffer produces the...

Page 1058: ...umber 5 Src Real Vlan Id 5 Mapped Vlan Id 5 Ingress Lookup Key Used Index Hit A Data InptACL 40_0D020202_0D010101 00_40000014_000A0000 01FFA 03000000 L2Local 80_00050002_00020002 00_00000000_00000000 00C71 0000002B Station Descriptor 02340000 DestIndex 0239 RewriteIndex F005 Egress Asic 2 switch 1 Output Packets Packet 1 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_00...

Page 1059: ...0014_000A0000 01FFA 03000000 L3Local 00_00000000_00000000 90_00001400_0D020202 010F0 01880290 L3Scndr 12_0D020202_0D010101 00_40000014_000A0000 034E0 000C001D_00000000 Lookup Used Secondary Station Descriptor 02260000 DestIndex 0226 RewriteIndex 0000 This is an example of the output when the packet coming in on port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 ...

Page 1060: ...tandards has not been modified by this feature MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu http cisco com public sw center netmgmt cmtk mibs shtml RFCs Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modifi...

Page 1061: ... SDHC cards Attempting to operate the switch with a non supported card causes the following message to be displayed WARNING Non IT SD flash detected Use of this card during normal operation can impact and severely degrade performance of the system Please use supported SD flash cards only If the write protect switch on the SD card is in the lock position the switch can read data on the card and boo...

Page 1062: ...m an SD card The SD card takes precedence over internal flash memory If an SD card is installed in the switch the switch attempts to boot in the following order 1 From the IOS image that is specified in the SD card system boot path 2 From the first IOS image in the SD card 3 From the IOS image that is specified in the internal flash memory system boot path 4 From the first IOS image in the interna...

Page 1063: ...is warning message is displayed only once If the system boots from the internal flash memory and you then insert an SD card and run the boot command the following behavior applies If the system boot path or configuration file path points to the internal flash memory the system boot path or configuration file path is saved to the internal flash memory If the system boot path or configuration file p...

Page 1064: ...rsalk9 mz 150 2 EA1 bin Switch sync flash sdflash skip config text vlan dat Sync only IOS image directory from internal flash memory to SD card Switch sync sdflash flash skip config text vlan dat Sync only IOS image directory from SD card to internal flash memory Switch sync flash sdflash skip ios image Sync only IOS configuration files from internal flash memory to SD card Switch sync sdflash fla...

Page 1065: ...g alarm facility sd card sysm Switch config alarm facility sd card syslog Switch config alarm facility sd card relay major Clearing an SD Card Alarm To clear the last SD card alarm warning state enter the following command Switch clear facility alarm ...

Page 1066: ...1062 Using an SD Card SD Card Alarms ...

Reviews:

No comments

Related manuals for IE 4000

ShareCenter DNS-320L

Brand: D-Link Pages: 4

Brand: CSS Pages: 2

Brand: APARIAN Pages: 2

Brand: Billion Pages: 120

NVRx-7300 series

Brand: Swann Pages: 9

Brand: Fluke Pages: 102

Brand: Doro Pages: 50

OmniStor 4900F Series

Brand: Rackable Systems Pages: 196

Brand: Chaparral Pages: 96

Brand: XtendLan Pages: 17

Brand: Intellinet Pages: 12

CNGE28FX4TX24MS2

Brand: Comnet Pages: 154

VAR-SOM-MX6 HEAT PLATE KIT

Brand: Variscite Pages: 3

Bipac 74 Series

Brand: Billion Pages: 8

Brand: Juniper Pages: 12

Brand: Magnescale Pages: 73

Brand: Craftsman Pages: 28

UC-CAM-UPGRD-300

Brand: Crestron Pages: 2

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands