manualshive.com logo in svg

Cisco ME 3400 Series, Software Configuration Manual

The Cisco ME 3400 Series is a cutting-edge networking device designed to empower businesses with seamless connectivity. Enhance your networking skills effortlessly with the comprehensive Software Configuration Manual, available for free download from our website. Maximize productivity with this user-friendly manual, exclusively for Cisco ME 3400 Series users.

Share
Download
background image

 

32-3

Cisco ME 3400 Ethernet Access Switch Software Configuration Guide

OL-9639-07

Chapter 32      Configuring Control-Plane Security

Understanding Control-Plane Security

The switch automatically allocates 27 control-plane security policers for CPU protection. At system 
bootup, it assigns a policer to each port numbered 0 to 26. The policer assigned to a port determines if 
the protocol packets arriving on the port are rate-limited or dropped. A policer of 26 means a drop policer 
and is a global policer; any traffic type shown as 26 on any port is dropped. A policer of a value of 0 to 

Table 32-1

Control-Plane Security Actions on Layer 2 Protocol Packets Received on a UNI or ENI 

Protocol

Default 

When Feature Is Enabled

When Layer 2 
Protocol Tunneling 
Is Enabled 

1

1.

Layer 2 protocol traffic is rate-limited when Layer 2 protocol tunneling is enabled for any protocol on any port.

STP

Dropped

Rate limited 

Note

STP can be enabled only on ENIs.

Rate-limited

RSVD_STP (reserved IEEE 
802.1D addresses)

Dropped

When the Ethernet Link Management Interface 
(ELMI) is enabled, globally or on a per-port basis 
whichever is configured last, a throttle policer is 
assigned to a port. When ELMI is disabled (globally or 
on a port, whichever is configured last), a drop policer 
is assigned to a port.

PVST+

Dropped

Rate limited

LACP

Dropped

Rate limited 

Note

LACP can be enabled only on ENIs.

Rate limited

PAgP

Dropped

Rate limited 

Note

PAgP can be enabled only on ENIs.

Rate limited

IEEE 802.1x

Dropped

Rate limited

CDP

Dropped

Rate limited 

Note

CDP can be enabled only on ENIs.

Rate limited

LLDP

Dropped

Rate limited 

Note

LLDP can be enabled only on ENIs.

Rate limited

DTP

Dropped

UDLD

Dropped

Rate limited

Rate limited

VTP

Dropped

Rate limited

CISCO_L2 (any other Cisco 
Layer 2 protocols with the MAC 
address 01:00:0c:cc:cc:cc)

Dropped

Rate limited if 
CDP, DTP, UDLD, 
PAGP, or VTP are 
Layer 2 tunneled

KEEPALIVE (MAC address, 
SNAP encapsulation, LLC, Org 
ID, or HDLC packets)

Rate-limited

Ethernet Connectivity Fault 
Management (CFM)

No policer 
assigned

When CFM is enabled globally, a throttle policer is 
assigned to all ports. When CFM is disabled globally, 
a NULL policer is assigned to all ports.

Summary of Contents for ME 3400 Series

Page 1: ...st Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide Cisco IOS Release 12 2 50 SE March 2009 Text Part Number OL 9639 07 ...

Page 2: ... LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco HealthPresence the Cisco logo Cisco Lumin Cisco Nexus Cisco StadiumVision Cisco TelePresence Cisco WebEx DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play an...

Page 3: ... Subscriber Security 1 6 Switch Security 1 7 Network Security 1 7 Quality of Service and Class of Service Features 1 8 Layer 2 Virtual Private Network Services 1 9 Layer 3 Features 1 9 Layer 3 VPN Services 1 10 Monitoring Features 1 10 Default Settings After Initial Switch Configuration 1 11 Network Configuration Examples 1 14 Multidwelling or Ethernet to the Subscriber Network 1 14 Layer 2 VPN Ap...

Page 4: ...Understanding the Boot Process 3 1 Assigning Switch Information 3 2 Default Switch Information 3 3 Understanding DHCP Based Autoconfiguration 3 3 DHCP Client Request Process 3 3 Understanding DHCP based Autoconfiguration and Image Update 3 4 DHCP Autoconfiguration 3 5 DHCP Auto Image Update 3 5 Limitations and Restrictions 3 5 Configuring DHCP Based Autoconfiguration 3 6 DHCP Server Configuration ...

Page 5: ...nding Cisco Configuration Engine Software 4 1 Configuration Service 4 2 Event Service 4 3 NameSpace Mapper 4 3 What You Should Know About the CNS IDs and Device Hostnames 4 3 ConfigID 4 3 DeviceID 4 4 Hostname and DeviceID 4 4 Using Hostname DeviceID and ConfigID 4 4 Understanding Cisco IOS Agents 4 5 Initial Configuration 4 5 Incremental Partial Configuration 4 6 Synchronized Configuration 4 6 Co...

Page 6: ...tion 5 12 Configuring the Time Zone 5 12 Configuring Summer Time Daylight Saving Time 5 13 Configuring a System Name and Prompt 5 14 Default System Name and Prompt Configuration 5 15 Configuring a System Name 5 15 Understanding DNS 5 15 Default DNS Configuration 5 16 Setting Up DNS 5 16 Displaying the DNS Configuration 5 17 Creating a Banner 5 17 Default Banner Configuration 5 17 Configuring a Mes...

Page 7: ...lt Password and Privilege Level Configuration 7 2 Setting or Changing a Static Enable Password 7 3 Protecting Enable and Enable Secret Passwords with Encryption 7 3 Disabling Password Recovery 7 5 Setting a Telnet Password for a Terminal Line 7 6 Configuring Username and Password Pairs 7 6 Configuring Multiple Privilege Levels 7 7 Setting the Privilege Level for a Command 7 8 Changing the Default ...

Page 8: ...he RADIUS Configuration 7 31 Controlling Switch Access with Kerberos 7 32 Understanding Kerberos 7 32 Kerberos Operation 7 34 Authenticating to a Boundary Switch 7 34 Obtaining a TGT from a KDC 7 35 Authenticating to Network Services 7 35 Configuring Kerberos 7 35 Configuring the Switch for Local Authentication and Authorization 7 36 Configuring the Switch for Secure Shell 7 37 Understanding SSH 7...

Page 9: ...EEE 802 1x Authentication 8 14 Configuring the Switch to RADIUS Server Communication 8 16 Configuring Periodic Re Authentication 8 17 Manually Re Authenticating a Client Connected to a Port 8 17 Changing the Quiet Period 8 18 Changing the Switch to Client Retransmission Time 8 18 Setting the Switch to Client Frame Retransmission Number 8 19 Setting the Re Authentication Number 8 20 Configuring the...

Page 10: ...9 18 Configuring IEEE 802 3x Flow Control 9 20 Configuring Auto MDIX on an Interface 9 21 Adding a Description for an Interface 9 22 Configuring Layer 3 Interfaces 9 22 Configuring the System MTU 9 24 Monitoring and Maintaining the Interfaces 9 26 Monitoring Interface Status 9 26 Clearing and Resetting Interfaces and Counters 9 27 Shutting Down and Restarting the Interface 9 28 C H A P T E R 10 Co...

Page 11: ...16 Configuring an Ethernet Interface as a Trunk Port 11 16 Interaction with Other Features 11 16 Configuring a Trunk Port 11 17 Defining the Allowed VLANs on a Trunk 11 17 Configuring the Native VLAN for Untagged Traffic 11 19 Configuring Trunk Ports for Load Sharing 11 19 Load Sharing Using STP Port Priorities 11 20 Load Sharing Using STP Path Cost 11 21 Configuring VMPS 11 23 Understanding VMPS ...

Page 12: ... Port 12 11 Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port 12 13 Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 12 14 Monitoring Private VLANs 12 15 C H A P T E R 13 Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling 13 1 Understanding 802 1Q Tunneling 13 1 Configuring 802 1Q Tunneling 13 4 Default 802 1Q Tunneling Configuration 13 4 802 1Q Tunne...

Page 13: ...Spanning Tree Modes and Protocols 14 9 Supported Spanning Tree Instances 14 10 Spanning Tree Interoperability and Backward Compatibility 14 10 STP and IEEE 802 1Q Trunks 14 11 Configuring Spanning Tree Features 14 11 Default Spanning Tree Configuration 14 11 Spanning Tree Configuration Guidelines 14 12 Enabling Spanning Tree on an ENI 14 13 Changing the Spanning Tree Mode 14 14 Disabling Spanning ...

Page 14: ... Roles 15 11 Bridge Protocol Data Unit Format and Processing 15 12 Processing Superior BPDU Information 15 13 Processing Inferior BPDU Information 15 13 Topology Changes 15 13 Configuring MSTP Features 15 14 Default MSTP Configuration 15 14 MSTP Configuration Guidelines 15 15 Specifying the MST Region Configuration and Enabling MSTP 15 16 Configuring the Root Switch 15 17 Configuring a Secondary R...

Page 15: ... 8 Enabling EtherChannel Guard 16 9 Enabling Root Guard 16 10 Enabling Loop Guard 16 10 Displaying the Spanning Tree Status 16 11 C H A P T E R 17 Configuring Resilient Ethernet Protocol 17 1 Understanding REP 17 1 Link Integrity 17 3 Fast Convergence 17 4 VLAN Load Balancing 17 4 Spanning Tree Interaction 17 6 REP Ports 17 6 Configuring REP 17 6 Default REP Configuration 17 7 REP Configuration Gu...

Page 16: ... 2 DHCP Snooping 19 2 Option 82 Data Insertion 19 3 Cisco IOS DHCP Server Database 19 6 DHCP Snooping Binding Database 19 6 Configuring DHCP Features 19 7 Default DHCP Configuration 19 8 DHCP Snooping Configuration Guidelines 19 8 Configuring the DHCP Server 19 10 Configuring the DHCP Relay Agent 19 10 Specifying the Packet Forwarding Address 19 10 Enabling DHCP Snooping and Option 82 19 11 Enabli...

Page 17: ... ARP Inspection 20 5 Default Dynamic ARP Inspection Configuration 20 5 Dynamic ARP Inspection Configuration Guidelines 20 5 Configuring Dynamic ARP Inspection in DHCP Environments 20 7 Configuring ARP ACLs for Non DHCP Environments 20 8 Limiting the Rate of Incoming ARP Packets 20 10 Performing Validation Checks 20 11 Configuring the Log Buffer 20 12 Displaying Dynamic ARP Inspection Information 2...

Page 18: ...21 20 Configuring MVR on Trunk Ports 21 22 Displaying MVR Information 21 23 Configuring IGMP Filtering and Throttling 21 23 Default IGMP Filtering and Throttling Configuration 21 24 Configuring IGMP Profiles 21 25 Applying IGMP Profiles 21 26 Setting the Maximum Number of IGMP Groups 21 26 Configuring the IGMP Throttling Action 21 27 Displaying IGMP Filtering and Throttling Configuration 21 28 C H...

Page 19: ...ring CDP 23 2 Default CDP Configuration 23 2 Configuring the CDP Characteristics 23 2 Disabling and Enabling CDP 23 3 Disabling and Enabling CDP on an Interface 23 4 Monitoring and Maintaining CDP 23 5 C H A P T E R 24 Configuring LLDP and LLDP MED 24 1 Understanding LLDP and LLDP MED 24 1 Understanding LLDP 24 1 Understanding LLDP MED 24 2 Configuring LLDP and LLDP MED 24 3 Default LLDP Configura...

Page 20: ...rce VLANs 26 6 VLAN Filtering 26 6 Destination Port 26 6 RSPAN VLAN 26 7 SPAN and RSPAN Interaction with Other Features 26 8 Configuring SPAN and RSPAN 26 9 Default SPAN and RSPAN Configuration 26 9 Configuring Local SPAN 26 10 SPAN Configuration Guidelines 26 10 Creating a Local SPAN Session 26 10 Creating a Local SPAN Session and Configuring Ingress Traffic 26 13 Specifying VLANs to Filter 26 14...

Page 21: ...he Message Display Destination Device 28 5 Synchronizing Log Messages 28 6 Enabling and Disabling Time Stamps on Log Messages 28 7 Enabling and Disabling Sequence Numbers in Log Messages 28 8 Defining the Message Severity Level 28 8 Limiting Syslog Messages Sent to the History Table and to SNMP 28 10 Enabling the Configuration Change Logger 28 10 Configuring UNIX Syslog Servers 28 12 Logging Messa...

Page 22: ...ed Event Manager 30 1 Understanding Embedded Event Manager 30 1 Event Detectors 30 2 Embedded Event Manager Actions 30 4 Embedded Event Manager Policies 30 4 Embedded Event Manager Environment Variables 30 4 Configuring Embedded Event Manager 30 5 Registering and Defining an Embedded Event Manager Applet 30 5 Registering and Defining an Embedded Event Manager TCL Script 30 6 Displaying Embedded Ev...

Page 23: ...ing a MAC ACL to a Layer 2 Interface 31 28 Configuring VLAN Maps 31 29 VLAN Map Configuration Guidelines 31 29 Creating a VLAN Map 31 30 Examples of ACLs and VLAN Maps 31 31 Applying a VLAN Map to a VLAN 31 33 Using VLAN Maps in Your Network 31 33 Wiring Closet Configuration 31 33 Denying Access to a Server on Another VLAN 31 34 Using VLAN Maps with Router ACLs 31 35 VLAN Maps and Router ACL Confi...

Page 24: ... 10 Classification Based on VLAN IDs 33 12 Table Maps 33 13 Policing 33 14 Individual Policing 33 15 Aggregate Policing 33 16 Unconditional Priority Policing 33 18 Marking 33 19 Marking and Queuing CPU Generated Traffic 33 20 Congestion Management and Scheduling 33 20 Traffic Shaping 33 21 Class Based Weighted Fair Queuing 33 23 Priority Queuing 33 25 Congestion Avoidance and Queuing 33 26 Configu...

Page 25: ...nfiguration Examples for Policy Maps 33 66 QoS Configuration for Customer A 33 66 QoS Configuration for Customer B 33 68 Modifying Output Policies and Adding or Deleting Classification Criteria 33 69 Modifying Output Policies and Changing Queuing or Scheduling Parameters 33 70 Modifying Output Policies and Adding or Deleting Configured Actions 33 70 Modifying Output Policies and Adding or Deleting...

Page 26: ...king 34 24 Displaying Link State Tracking Status 34 25 C H A P T E R 35 Configuring IP Unicast Routing 35 1 Understanding IP Routing 35 2 Types of Routing 35 2 Steps for Configuring Routing 35 3 Configuring IP Addressing 35 3 Default Addressing Configuration 35 4 Assigning IP Addresses to Network Interfaces 35 5 Use of Subnet Zero 35 5 Classless Routing 35 6 Configuring Address Resolution Methods ...

Page 27: ...ers 35 29 Configuring Other OSPF Parameters 35 31 Changing LSA Group Pacing 35 32 Configuring a Loopback Interface 35 33 Monitoring OSPF 35 34 Configuring EIGRP 35 34 Default EIGRP Configuration 35 36 Nonstop Forwarding Awareness 35 37 Configuring Basic EIGRP Parameters 35 37 Configuring EIGRP Interfaces 35 38 Configuring EIGRP Route Authentication 35 39 Configuring EIGRP Stub Routing 35 40 Monito...

Page 28: ...5 74 Default BFD Configuration Guidelines 35 74 Configuring BFD Session Parameters on an Interface 35 75 Enabling BFD Routing Protocol Clients 35 76 Configuring BFD for OSPF 35 76 Configuring BFD for IS IS 35 77 Configuring BFD for BGP 35 79 Configuring BFD for EIGRP 35 79 Configuring BFD for HSRP 35 80 Disabling BFD Echo Mode 35 81 Configuring Multi VRF CE 35 81 Understanding Multi VRF CE 35 82 D...

Page 29: ...Information 35 106 Setting Passive Interfaces 35 106 Controlling Advertising and Processing in Routing Updates 35 107 Filtering Sources of Routing Information 35 108 Managing Authentication Keys 35 108 Monitoring and Maintaining the IP Network 35 109 C H A P T E R 36 Configuring IPv6 Unicast Routing 36 1 Understanding IPv6 36 1 IPv6 Addresses 36 2 Supported IPv6 Unicast Routing Features 36 2 128 B...

Page 30: ...t Function 36 16 Configuring IPv6 ICMP Rate Limiting 36 16 Configuring CEF for IPv6 36 17 Configuring Static Routing for IPv6 36 17 Configuring RIP for IPv6 36 19 Configuring OSPF for IPv6 36 20 Configuring EIGRP for IPv6 36 22 Displaying IPv6 36 22 C H A P T E R 37 Configuring IPv6 ACLs 37 1 Understanding IPv6 ACLs 37 2 Supported ACL Features 37 2 IPv6 ACL Limitations 37 3 Configuring IPv6 ACLs 3...

Page 31: ...rvice Levels by Using the UDP Jitter Operation 39 8 Analyzing IP Service Levels by Using the ICMP Echo Operation 39 11 Monitoring IP SLAs Operations 39 13 C H A P T E R 40 Configuring Enhanced Object Tracking 40 1 Understanding Enhanced Object Tracking 40 1 Configuring Enhanced Object Tracking Features 40 2 Default Configuration 40 2 Tracking Interface Line Protocol or IP Routing State 40 2 Config...

Page 32: ... an IP SLAs Operation with Endpoint Discovery 41 12 Displaying Ethernet CFM Information 41 13 Understanding the Ethernet OAM Protocol 41 14 OAM Features 41 15 OAM Messages 41 15 Setting Up and Configuring Ethernet OAM 41 16 Default Ethernet OAM Configuration 41 16 Ethernet OAM Configuration Guidelines 41 16 Enabling Ethernet OAM on an Interface 41 16 Enabling Ethernet OAM Remote Loopback 41 17 Con...

Page 33: ...2 IGMP Version 1 42 3 IGMP Version 2 42 3 Understanding PIM 42 3 PIM Versions 42 3 PIM Modes 42 4 PIM Stub Routing 42 5 IGMP Helper 42 5 Auto RP 42 6 Bootstrap Router 42 6 Multicast Forwarding and Reverse Path Check 42 7 Configuring IP Multicast Routing 42 8 Default Multicast Routing Configuration 42 8 Multicast Routing Configuration Guidelines 42 9 PIMv1 and PIMv2 Interoperability 42 9 Auto RP an...

Page 34: ...PIM Shortest Path Tree 42 35 Modifying the PIM Router Query Message Interval 42 36 Configuring Optional IGMP Features 42 36 Default IGMP Configuration 42 37 Configuring the Switch as a Member of a Group 42 37 Controlling Access to IP Multicast Groups 42 38 Changing the IGMP Version 42 39 Modifying the IGMP Host Query Message Interval 42 40 Changing the IGMP Query Timeout for IGMPv2 42 41 Changing ...

Page 35: ... 43 12 Controlling Source Information that Your Switch Receives 43 12 Configuring an MSDP Mesh Group 43 14 Shutting Down an MSDP Peer 43 14 Including a Bordering PIM Dense Mode Region in MSDP 43 15 Configuring an Originating Address other than the RP Address 43 16 Monitoring and Maintaining MSDP 43 17 C H A P T E R 44 Troubleshooting 44 1 Recovering from Corrupted Software By Using the Xmodem Prot...

Page 36: ... crashinfo File 44 21 A P P E N D I X A Supported MIBs A 1 MIB List A 1 Using FTP to Access the MIB Files A 3 A P P E N D I X B Working with the Cisco IOS File System Configuration Files and Software Images B 1 Working with the Flash File System B 1 Displaying Available File Systems B 2 Setting the Default File System B 3 Displaying Information about Files on a File System B 3 Changing Directories...

Page 37: ...8 Clearing the Startup Configuration File B 19 Deleting a Stored Configuration File B 19 Replacing and Rolling Back Configurations B 19 Understanding Configuration Replacement and Rollback B 19 Configuration Replacement and Rollback Guidelines B 20 Configuring the Configuration Archive B 21 Performing a Configuration Replacement or Rollback Operation B 22 Working with Software Images B 23 Image Lo...

Page 38: ...ported Global Configuration Commands C 3 Unsupported Interface Configuration Commands C 3 IEEE 802 1x C 3 Unsupported Global Configuration Command C 3 Unsupported Interface Configuration Commands C 3 Unsupported Privileged EXEC Commands C 4 Unsupported Global Configuration Command C 4 Unsupported Interface Configuration Commands C 4 IGMP Snooping Commands C 4 Unsupported Global Configuration Comma...

Page 39: ...latform Commands C 10 MSDP C 10 Unsupported Privileged EXEC Commands C 10 Unsupported Global Configuration Commands C 10 NetFlow C 11 Unsupported Global Configuration Commands C 11 QoS C 11 Unsupported Global Configuration Command C 11 Unsupported Interface Configuration Command C 11 Unsupported policy map Class Police Configuration Mode Command C 11 RADIUS C 11 Unsupported Global Configuration Co...

Page 40: ...Contents xl Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 ...

Page 41: ...r 3 functionality such as IP routing support for Routing Information Protocol RIP Open Shortest Path First OSPF Protocol Border Gateway Protocol BGP and Enhanced Interior Gateway Routing Protocol EIGRP multiple VPN routing forwarding on customer edge multi VRF CE devices and IP multicast routing This guide provides procedures for using the commands that have been created or changed for use with th...

Page 42: ...e note Notes contain helpful suggestions or references to materials not contained in this manual Caution Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Related Publications These documents provide complete information about the switch and are available from this Cisco com site http www cisco com en US products ps6580 tsd_produ...

Page 43: ...Cisco 100 Megabit Ethernet SFP Modules Compatibility Matrix Cisco Small Form Factor Pluggable Modules Compatibility Matrix Compatibility Matrix for 1000BASE T Small Form Factor Pluggable Modules Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Pro...

Page 44: ...xliv Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Preface ...

Page 45: ... Intermediate System IS IS dynamic routing Bidirectional Forwarding Detection PFD protocol multiple VPN routing forwarding on customer edge devices multi VRF CE and IP multicast routing Protocol Independent Multicast PIM sparse mode SM and dense mode DM Note Unless otherwise noted all features described in this chapter and in this guide are supported on all images Some features noted in this chapt...

Page 46: ...uto MDIX capability on 10 100 and 10 100 1000 Mbps interfaces and on 10 100 1000 BASE T TX small form factor pluggable SFP module interfaces that enables the interface to automatically detect the required cable connection type straight through or crossover and to configure the connection appropriately Support for routed frames up to 1998 bytes for frames up to 9000 bytes that are bridged in hardwa...

Page 47: ...nt Options CLI The Cisco IOS software supports desktop and multilayer switching features You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station For more information about the CLI see Chapter 2 Using the Command Line Interface Cisco Configuration Engine The Cisco Configuration Engine is a network ma...

Page 48: ...IP access image or metro access image Support for the LLDP MED location TLV that provides location information from the switch to the endpoint device requires the metro IP access or metro access image Network Time Protocol NTP for providing a consistent time stamp to all switches from an external source Cisco IOS File System IFS for providing a single interface to all file systems that the switch ...

Page 49: ...VLANs Rapid PVST for balancing load across VLANs and providing rapid convergence of spanning tree instances IEEE 802 1s Multiple Spanning Tree Protocol MSTP on NNIs or ENIs for grouping VLANs into a spanning tree instance and for providing multiple forwarding paths for data traffic and load balancing and rapid per VLAN Spanning Tree plus rapid PVST based on the IEEE 802 1w Rapid Spanning Tree Prot...

Page 50: ...gement and control of broadcast and multicast traffic and network security by establishing VLAN groups for high security users and network resources VLAN 1 minimization for reducing the risk of spanning tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link With this feature enabled no user traffic is sent or received on the trunk The switch CPU continues to send ...

Page 51: ...covery Protocol and LLLDP MED Media Extensions Adds support for IEEE 802 1AB link layer discovery protocol for interoperability in multi vendor networks Switches exchange speed duplex and power settings with end devices such as IP Phones UNI and ENI default port state is disabled Automatic control plane protection to protect the CPU from accidental or malicious overload due to Layer 2 control traf...

Page 52: ...ode Point DSCP and IEEE 802 1p class of service CoS packet fields ACL lookup or assigning a QoS label for output classification Policing One rate policing based on average rate and burst rate for a policer Two color policing that allows different actions for packets that conform to or exceed the rate Aggregate policing for policers shared by multiple traffic classes Weighted tail drop WTD as the c...

Page 53: ... full Layer 3 routing between two or more VLANs allowing each VLAN to maintain its own autonomous data link domain Policy based routing PBR for configuring defined policies for traffic flows Static IP routing for manually building a routing table of network path information Equal cost routing for load balancing and redundancy Internet Control Message Protocol ICMP and ICMP Router Discovery Protoco...

Page 54: ... traffic monitoring on any port or VLAN SPAN and RSPAN support of Intrusion Detection Systems IDS to monitor repel and report network security violations Four groups history statistics alarms and events of embedded RMON agents for network monitoring and traffic analysis Syslog facility for logging system messages about authentication or authorization errors resource issues and time out events Laye...

Page 55: ...ings Note For information about assigning an IP address by using the CLI based setup program see the hardware installation guide If you do not configure the switch at all the Cisco ME 3400 switch operates with the default settings shown in Table 1 1 Table 1 1 Default Settings After Initial Switch Configuration Feature Default Setting More information in Switch IP address subnet mask and default ga...

Page 56: ... Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling Layer 2 protocol tunneling requires metro IP access or metro access image Disabled Spanning Tree Protocol STP Rapid PVST enabled on NNIs in VLAN 1 Chapter 14 Configuring STP MSTP Disabled not supported on UNIs can be configured on ENIs Chapter 15 Configuring MSTP Optional spanning tree features Disabled not supported on UNIs can be ...

Page 57: ...r 25 Configuring UDLD SPAN and RSPAN Disabled Chapter 26 Configuring SPAN and RSPAN RMON Disabled Chapter 27 Configuring RMON Syslog messages Enabled displayed on the console Chapter 28 Configuring System Message Logging SNMP Enabled Version 1 Chapter 29 Configuring SNMP ACLs None configured Chapter 31 Configuring Network Security with ACLs QoS Not configured Chapter 33 Configuring QoS EtherChanne...

Page 58: ...ts allows no local switching between the ports the subscribers are protected from each other UNIs also do not process control protocols from customers so denial of service attacks are avoided The Cisco ME switch also provides mechanisms such as port security and IP Source Guard to protect against MAC or IP spoofing By using advanced access control lists the service providers have granular control ...

Page 59: ... Network Address Translation NAT services voice over IP VoIP gateway services and WAN and Internet access Figure 1 1 Cisco ME Switches in a Multidwelling Configuration Layer 2 VPN Application Enterprise customers need not only high bandwidth but also the ability to extend their private network across the service provider s shared infrastructure With Ethernet in the WAN network service providers ca...

Page 60: ...ncapsulate each customer s control plane traffic and send it transparently across the service provider network See Chapter 13 Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling for more information on configuring these features Figure 1 2 Layer 2 VPN Configuration Multi VRF CE Application A VPN is a collection of sites sharing a common routing table A customer site is connected to th...

Page 61: ...between the CE and the PE The shared CE maintains separate VRF tables for each customer and switches or routes packets for each customer based on its own routing table Multi VRF CE extends limited PE functionality to a CE device giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office Figure 1 3 shows a configuration using Cisco ME 3400...

Page 62: ...1 18 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 1 Overview Where to Go Next ...

Page 63: ...n on the switch you begin in user mode often called user EXEC mode Only a limited subset of the commands are available in user EXEC mode For example most of the user EXEC commands are one time commands such as show commands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to...

Page 64: ...he entire switch VLAN configuration While in global configuration mode enter the vlan vlan id command Switch config vlan To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Use this mode to configure VLAN parameters Interface configuration While in global configuration mode enter the interface command with a specific interface Swi...

Page 65: ... configuration privileged EXEC command in an abbreviated form Switch show conf Table 2 2 Help Summary Command Purpose help Obtain a brief description of the help system in any command mode abbreviated command entry Obtain a list of commands that begin with a particular character string For example Switch di dir disable disconnect abbreviated command entry Tab Complete a partial command name For ex...

Page 66: ...tch Using Command History The software provides a history or record of commands that you have entered The command history feature is particularly useful for recalling long or complex commands or entries including access lists You can customize this feature to suit your needs as described in these sections Changing the Command History Buffer Size page 2 5 optional Recalling Commands page 2 5 option...

Page 67: ...optional Disabling the Command History Feature The command history feature is automatically enabled You can disable it for the current terminal session or for the command line These procedures are optional To disable the feature during the current terminal session enter the terminal no history privileged EXEC command To disable command history for the line enter the no history line configuration c...

Page 68: ...e Switch terminal editing To reconfigure a specific line to have enhanced editing mode enter this command in line configuration mode Switch config line editing Editing Commands through Keystrokes Table 2 5 shows the keystrokes that you need to edit command lines These keystrokes are optional Table 2 5 Editing Commands through Keystrokes Capability Keystroke1 Purpose Move around the command line to...

Page 69: ...ze or lowercase words or capitalize a set of letters Press Esc C Capitalize at the cursor Press Esc L Change the word at the cursor to lowercase Press Esc U Capitalize letters from the cursor to the end of the word Designate a particular keystroke as an executable command perhaps as a shortcut Press Ctrl V or Esc Q Scroll down a line or screen on displays that are longer than the terminal screen c...

Page 70: ...te the entry press Ctrl A to check the complete syntax before pressing the Return key to execute the command The dollar sign appears at the end of the line to show that the line has been scrolled to the right Switch config access list 101 permit tcp 131 108 2 5 255 255 255 0 131 108 1 The software assumes you have a terminal screen that is 80 columns wide If you have a width other than that use th...

Page 71: ... for a Terminal Line section on page 7 6 You can use one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem For information about connecting to the console port see the switch hardware installation guide Use any Telnet TCP IP or encrypted Secure Shell SSH package from a remote management station The switch must have n...

Page 72: ...2 10 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 2 Using the Command Line Interface Accessing the CLI ...

Page 73: ...ssigning Switch Information page 3 2 Checking and Saving the Running Configuration page 3 14 Modifying the Startup Configuration page 3 16 Scheduling a Reload of the Software Image page 3 21 Note Information in this chapter about configuring IP addresses and DHCP is specific to IP Version 4 IPv4 Understanding the Boot Process To start your switch you need to follow the procedures in the hardware i...

Page 74: ...more information see the Disabling Password Recovery section on page 7 5 Before you can assign switch information make sure you have connected a PC or terminal to the console port and configured the PC or terminal emulation software baud rate and character format to match these of the switch console port Baud rate default is 9600 Data bits default is 8 Note If the data bits option is set to 8 set ...

Page 75: ... associated with IP addresses If you are using DHCP to relay the configuration file location on the network you might also need to configure a Trivial File Transfer Protocol TFTP server and a Domain Name System DNS server The DHCP server for your switch can be on the same LAN or on a different LAN than the switch If the DHCP server is running on a different LAN you should configure a DHCP relay de...

Page 76: ...rs sent to the client in the DHCPOFFER unicast message are invalid a configuration error exists the client returns a DHCPDECLINE broadcast message to the DHCP server The DHCP server sends the client a DHCPNAK denial broadcast message which means that the offered configuration parameters have not been assigned that an error has occurred during the negotiation of the parameters or that the client ha...

Page 77: ...5 description of the file settings For procedures to configure the switch as a DHCP server see the Configuring DHCP Based Autoconfiguration section on page 3 6 and the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 2 After you install the switch in your network the auto image update feature starts The downloaded configuration f...

Page 78: ...s default gateway address to be used by the switch required If you want the switch to receive the configuration file from a TFTP server you must configure the DHCP server with these lease options TFTP server name required Boot filename the name of the configuration file that the client needs recommended Hostname optional Depending on the settings of the DHCP server the switch can receive IP addres...

Page 79: ...es not contain all the required information described previously a relay must be configured to forward the TFTP packets to the TFTP server For more information see the Configuring the Relay Device section on page 3 7 The preferred solution is to configure the DHCP server with all the required information Configuring the DNS The DHCP server uses the DNS server to resolve the TFTP server name to an ...

Page 80: ...the switch but the TFTP server address is not provided in the DHCP reply one file read method The switch receives its IP address subnet mask and the configuration filename from the DHCP server The switch sends a broadcast message to a TFTP server to retrieve the named configuration file from the base directory of the server and upon receipt it completes its boot up process Only the IP address is r...

Page 81: ... name cannot be resolved to an IP address Example Configuration Figure 3 3 shows a sample network for retrieving IP information by using DHCP based autoconfiguration Figure 3 3 DHCP Based Autoconfiguration Network Example Table 3 2 shows the configuration of the reserved leases on the DHCP server Switch 1 00e0 9f1e 2001 Cisco router 111394 Switch 2 00e0 9f1e 2002 Switch 3 00e0 9f1e 2003 DHCP serve...

Page 82: ...0 24 DHCP Client Configuration No configuration file is present on Switch A through Switch D Configuration Explanation In Figure 3 3 Switch A reads its configuration file as follows It obtains its IP address 10 0 0 21 from the DHCP server If no configuration filename is given in the DHCP server reply Switch A reads the network confg file from the base directory of the TFTP server It adds the conte...

Page 83: ...figuration mode Step 2 ip dhcp poolname Create a name for the DHCP Server address pool and enter DHCP pool configuration mode Step 3 bootfile filename Specify the name of the configuration file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that com...

Page 84: ...y the name of the file that is used as a boot image Step 4 network network number mask prefix length Specify the subnet network number and mask of the DHCP address pool Note The prefix length specifies the number of bits that comprise the address prefix The prefix is an alternative way of specifying the network mask of the client The prefix length must be preceded by a forward slash Step 5 default...

Page 85: ...onfig save C Caution Saving Configuration File to NVRAM May Cause You to Nolonger Automatically Download Configuration Files at Reboot C Switch config vlan 99 Switch config vlan interface vlan 99 Switch config if no shutdown Switch config if end Switch show boot BOOT path list Config file flash config text Private Config file flash private config text Enable Break no Manual Boot no HELPER path lis...

Page 86: ...Running Configuration You can check the configuration settings you entered or changes you made by entering this privileged EXEC command Switch show running config Building configuration Current configuration 2010 bytes Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface vlan vlan id Enter interface configuration mode and enter the VLAN to which the IP informa...

Page 87: ...t copy no file verify auto spanning tree mode rapid pvst spanning tree extend system id vlan internal allocation policy ascending vlan 2 10 class map match all test1 class map match all class2 class map match all class1 policy map test class class1 police cir percent 30 policy map test2 class class2 police cir 8500 bc 1500 policy map test3 interface FastEthernet0 1 interface FastEthernet0 2 shutdo...

Page 88: ...his privileged EXEC command Switch copy running config startup config Destination filename startup config Building configuration This command saves the configuration settings that you made If you fail to do this your configuration will be lost the next time you reload the system To display information stored in the NVRAM section of flash memory use the show startup config or more startup config pr...

Page 89: ...ileged EXEC mode follow these steps to specify a different configuration filename Table 3 3 Default Boot Configuration Feature Default Setting Operating system software image The switch attempts to automatically boot the system using information in the BOOT environment variable If the variable is not set the switch attempts to load and execute the first executable image it can by performing a recu...

Page 90: ...irectory is completely searched before continuing the search in the original directory However you can specify a specific image to boot Step 4 show boot Verify your entries The boot config file global configuration command changes the setting of the CONFIG_FILE environment variable Step 5 copy running config startup config Optional Save your entries in the configuration file Command Purpose Comman...

Page 91: ... terminal emulators that do not support the break keys To view this table see http www cisco com warp public 701 61 html how to When you enter the break key the boot loader switch prompt appears The switch boot loader software provides support for nonvolatile environment variables which can be used to control how the boot loader or any other software running on the system behaves Boot loader envir...

Page 92: ...riables Variable Boot Loader Command Cisco IOS Global Configuration Command BOOT set BOOT filesystem file url A semicolon separated list of executable files to try to load and execute when automatically booting If the BOOT environment variable is not set the system attempts to load and execute the first executable image it can find by using a recursive depth first search through the flash file sys...

Page 93: ...current day if the specified time is later than the current time or on the next day if the specified time is earlier than the current time Specifying 00 00 schedules the reload for midnight Note Use the at keyword only if the switch system clock has been set through Network Time Protocol NTP the hardware calendar or manually The time is relative to the configured time zone on the switch To schedul...

Page 94: ...TC Thu Jun 20 1996 in 344 hours and 53 minutes Proceed with reload confirm To cancel a previously scheduled reload use the reload cancel privileged EXEC command Displaying Scheduled Reload Information To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch use the show reload privileged EXEC command It displays reload information inclu...

Page 95: ... Software The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services see Figure 4 1 Each Configuration Engine manages a group of Cisco devices switches and routers and the services that they deliver storing their configurations and delivering them as needed The Configuration Engine ...

Page 96: ...ion Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications The configuration server is a web server that uses configuration templates and the device specific configuration information stored in the embedded standalone mode or remote server mode directory Configuration templates are text files containing static configuration ...

Page 97: ... unique group ID device ID and event the mapping service returns a set of events on which to publish What You Should Know About the CNS IDs and Device Hostnames The Configuration Engine assumes that a unique identifier is associated with each configured switch This unique identifier can take on multiple synonyms where each synonym is unique within a particular namespace The event service uses name...

Page 98: ...nnection to the event gateway and does not change even when the switch hostname is reconfigured When changing the switch hostname on the switch the only way to refresh the DeviceID is to break the connection between the switch and the event gateway Enter the no cns event global configuration command followed by the cns event global configuration command When the connection is re established the sw...

Page 99: ... the new switch and includes the TFTP server IP address the path to the bootstrap configuration file and the default gateway IP address in a unicast reply to the DHCP relay agent The DHCP relay agent forwards the reply to the switch The switch automatically configures the assigned IP address on interface VLAN 1 the default and downloads the bootstrap configuration file from the TFTP server Upon su...

Page 100: ...ration into its NVRAM The switch uses the updated configuration as its running configuration This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot Configuring Cisco IOS Agents The Cisco IOS agents embedded in the switch Cisco IOS software allow the switch to be connected and automatically configu...

Page 101: ...configuration agent DHCP server IP address assignment TFTP server IP address Path to bootstrap configuration file on the TFTP server Default gateway IP address TFTP server A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Configuration Engine The switch configured to use either the switch MAC address or the serial number inst...

Page 102: ... port number enter the port number for the event gateway The default port number is 11011 Optional Enter backup to show that this is the backup gateway If omitted this is the primary gateway Optional For failover time seconds enter how long the switch waits for the primary gateway route after the route to the backup gateway is established Optional For keepalive seconds enter how often the switch s...

Page 103: ...iguration mode and specify the name of the CNS connect template Step 3 cli config text Enter a command line for the CNS connect template Repeat this step for each command line in the template Step 4 Repeat Steps 2 to 3 to configure another CNS connect template Step 5 exit Return to global configuration mode Step 6 cns connect name retries number retry interval seconds sleep seconds timeout seconds...

Page 104: ...fy the point to point subinterface number that is used to search for active DLCIs For interface interface type enter the type of interface For line line type enter the line type Step 8 template name name Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration You can specify more than one template Step 9 Repeat Steps 7 to 8 to specify more int...

Page 105: ...paddress mac address enter dns reverse to retrieve the hostname and assign it as the unique ID enter ipaddress to use the IP address or enter mac address to use the MAC address as the unique ID Optional Enter event to set the ID to be the event id value used to identify the switch Optional Enter image to set the ID to be the image id value used to identify the switch Note If both the event and ima...

Page 106: ...ce ip address syntax check Enable the Cisco IOS agent and initiate an initial configuration For hostname ip address enter the hostname or the IP address of the configuration server Optional For port number enter the port number of the configuration server The default port number is 80 Optional Enable event for configuration success failure or warning messages when the configuration is finished Opt...

Page 107: ...ing a Partial Configuration Beginning in privileged EXEC mode follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch To disable the Cisco IOS agent use the no cns config partial ip address hostname global configuration command To cancel a partial configuration use the cns config cancel privileged EXEC command Command Purpose Step 1 configure terminal...

Page 108: ...using the HTTPS protocol Determine how to handle error messages generated by image agent operations Error messages can be sent to the CNS Event Bus or an HTTP or HTTPS URL Restrictions for the CNS Image Agent During automated image loading operations you must try to prevent the Cisco IOS device from losing connectivity with the file server that is providing the image Image reloading is subject to ...

Page 109: ...CNS Configuration You can use the privileged EXEC commands in Table 4 2 to display CNS configuration information Step 5 cns image retry number Specify the number of times to retry and download the image Step 6 cns image server ip address status ip address Download the image from the server to the switch Step 7 end Return to privileged EXEC mode Command Purpose Table 4 2 Displaying CNS Configuratio...

Page 110: ...4 16 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 4 Configuring Cisco IOS Configuration Engine Displaying CNS Configuration ...

Page 111: ...Switch page 5 19 Managing the MAC Address Table page 5 20 Managing the ARP Table page 5 29 Managing the System Time and Date You can manage the system time and date on your switch using automatic configuration such as the Network Time Protocol NTP or manual configuration methods Note For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fun...

Page 112: ...e packet per minute is necessary to synchronize two devices to within a millisecond of one another NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source A stratum 1 time server has a radio or atomic clock directly attached a stratum 2 time server receives its time through NTP from a stratum 1 time server and so on A device running NTP au...

Page 113: ...stream switches Switch B and Switch F Figure 5 1 Typical NTP Network Configuration If the network is isolated from the Internet Cisco s implementation of NTP allows a device to act as if it is synchronized through NTP when in fact it has learned the time by using other means Other devices then synchronize to that device through NTP When multiple sources of time are available NTP is always consider...

Page 114: ...ult NTP configuration NTP is enabled on all interfaces by default All interfaces receive NTP packets Configuring NTP Authentication This procedure must be coordinated with the administrator of the NTP server the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server Beginning in privileged EXEC mode follow these steps...

Page 115: ...ch synchronizes to the other device and not the other way around Step 3 ntp authentication key number md5 value Define the authentication keys By default none are defined For number specify a key number The range is 1 to 4294967295 md5 specifies that message authentication support is provided by using the message digest algorithm 5 MD5 For value enter an arbitrary string of up to eight characters ...

Page 116: ... simply be configured to send or receive broadcast messages However the information flow is one way only Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ntp peer ip address version number key keyid source interface prefer or ntp server ip address version number key keyid source interface prefer Configure the switch system clock to synchronize a peer or to be synchr...

Page 117: ... mode Step 2 interface interface id Specify the interface to send NTP broadcast packets and enter interface configuration mode Step 3 no shutdown Enable the port if necessary By default user network interfaces UNIs and enhanced network interfaces ENIs are disabled and network node interfaces NNIs are enabled Step 4 ntp broadcast version number key keyid destination address Enable the interface to ...

Page 118: ... client Enable the interface to receive NTP broadcast packets By default no interfaces receive NTP broadcast packets Step 5 exit Return to global configuration mode Step 6 ntp broadcastdelay microseconds Optional Change the estimated round trip delay between the switch and the NTP broadcast server The default is 3000 microseconds the range is 1 to 999999 Step 7 end Return to privileged EXEC mode S...

Page 119: ...ervices use the no ntp access group query only serve only serve peer global configuration command This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99 However the switch restricts access to allow only time requests from access list 42 Switch configure terminal Switch config ntp access group peer 99 Switch config ntp access group serve only 42 ...

Page 120: ... source address for all packets sent to all destinations If a source address is to be used for a specific association use the source keyword in the ntp peer or ntp server global configuration command as described in the Configuring NTP Associations section on page 5 5 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configurati...

Page 121: ...m clock These sections contain this configuration information Setting the System Clock page 5 11 Displaying the Time and Date Configuration page 5 12 Configuring the Time Zone page 5 12 Configuring Summer Time Daylight Saving Time page 5 13 Setting the System Clock If you have an outside source on the network that provides time services such as an NTP server you do not need to manually set the sys...

Page 122: ...configure the time zone The minutes offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC For example the time zone for some sections of Atlantic Canada AST is UTC 3 5 where the 3 means 3 hours and 5 means 50 percent In this case the necessary command is clock timezone AST 3 30 To set th...

Page 123: ...onfig clock summer time PDT recurring 1 Sunday April 2 00 last Sunday October 2 00 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 clock summer time zone recurring week day month hh mm week day month hh mm offset Configure summer time to start and end on the specified days every year Summer time is disabled by default If you specify clock summer time zone recurring...

Page 124: ...he first 20 characters of the system name are used as the system prompt A greater than symbol is appended The prompt is updated whenever the system name changes For complete syntax and usage information for the commands used in this section see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 and the Cisco IOS IP Command Reference Volume 2 of 3 Routing Protocols Release 12 2...

Page 125: ...aming scheme that allows a device to be identified by its location or domain Domain names are pieced together with periods as the delimiting characters For example Cisco Systems is a commercial organization that IP identifies by a com domain name so its domain name is cisco com A specific device in this domain for example the File Transfer Protocol FTP system is identified as ftp cisco com To keep...

Page 126: ...hat separates an unqualified name from the domain name At boot time no domain name is configured however if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol DHCP server then the default domain name might be set by the BOOTP or DHCP server if the servers were configured with this information Step 3 ip name server server address1 server address2 server address6 Spec...

Page 127: ...lobal configuration command Displaying the DNS Configuration To display the DNS configuration information use the show running config privileged EXEC command Creating a Banner You can configure a message of the day MOTD and a login banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users such as impending system shutdowns ...

Page 128: ...mple shows the banner that appears from the previous configuration Unix telnet 172 2 5 4 Trying 172 2 5 4 Connected to 172 2 5 4 Escape character is This is a secure site Only authorized users are allowed For access contact technical support User Access Verification Password Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 banner motd c message c Specify the message...

Page 129: ... not operating However the switch can also operate with a single power supply You can enter the no power supply dual global configuration command to suppress the alarm when the switch is using a single power supply Note The no power supply dual command is supported only on the Cisco ME 3400G 12CS switches When two power supplies are operating and you enter the no power supply dual command alarms a...

Page 130: ...ered unicast address that does not age and that is not lost when the switch resets The address table lists the destination MAC address the associated VLAN ID and port number associated with the address and the type static or dynamic Note For complete syntax and usage information for the commands used in this section see the command reference for this release These sections contain this configurati...

Page 131: ...es for example could be forwarded to port 1 in VLAN 1 and ports 1 9 and 10 in VLAN 5 Each VLAN maintains its own logical address table A known address in one VLAN is unknown in another until it is learned or statically associated with a port in the other VLAN When private VLANs are configured address learning depends on the type of MAC address Dynamic MAC addresses learned in one VLAN of a private...

Page 132: ...can impact switch performance Beginning in privileged EXEC mode follow these steps to configure the dynamic address table aging time To return to the default value use the no mac address table aging time global configuration command Table 5 3 Default MAC Address Table Configuration Feature Default Setting Aging time 300 seconds Dynamic addresses Automatically learned Static addresses None configur...

Page 133: ...tores the MAC address activity for each hardware port for which the trap is enabled MAC address notifications are generated for dynamic and secure MAC addresses events are not generated for self addresses multicast addresses or other static addresses Beginning in privileged EXEC mode follow these steps to configure the switch to send MAC address notification traps to an NMS host Command Purpose St...

Page 134: ...on added You can verify the previous commands by entering the show mac address table notification interface and the show mac address table notification privileged EXEC commands Step 5 mac address table notification interval value history size value Enter the trap interval time and the history table size Optional For interval value specify the notification trap interval in seconds between each set ...

Page 135: ...ssociated VLANs Static MAC addresses configured in a private VLAN primary or secondary VLAN are not replicated in the associated VLAN For more information about private VLANs see Chapter 12 Configuring Private VLANs Beginning in privileged EXEC mode follow these steps to add a static address To remove static entries from the address table use the no mac address table static mac addr vlan vlan id i...

Page 136: ...kets with that MAC address depending on which command was entered last The second command that you entered overrides the first command For example if you enter the mac address table static mac addr vlan vlan id interface interface id global configuration command followed by the mac address table static mac addr vlan vlan id drop command the switch drops packets with the specified MAC address as a ...

Page 137: ... IP packets in the Layer 2 domain You can disable MAC address learning on a single VLAN ID from 1 to 4094 for example no mac address table learning vlan 223 or a range of VLAN IDs separated by a hyphen or comma for example no mac address table learning vlan 1 10 15 We recommend that you disable MAC address learning only in VLANs with two ports If you disable MAC address learning on a VLAN with mor...

Page 138: ...address table learning vlan vlan id Disable MAC address learning on the specified VLAN or VLANs You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma Valid VLAN IDs 1 to 4094 It cannot be an internal VLAN Step 3 end Return to privileged EXEC mode Step 4 show mac address table learning vlan vlan id Verify the configuration Step 5 copy running config startup config O...

Page 139: ...dia or MAC addresses and the VLAN ID Using an IP address ARP finds the associated MAC address When a MAC address is found the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by ...

Page 140: ...5 30 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 5 Administering the Switch Managing the ARP Table ...

Page 141: ...e SDM templates for IP Version 4 IPv4 and select the default template to balance system resources or select the layer 2 template to support only Layer 2 features in hardware Note Switches running the metro base or metro access image support only the layer 2 template Layer 2 The layer 2 template maximizes system resources for Layer 2 functionality and does not support routing You should use this te...

Page 142: ...ents supporting both IPv4 and IPv6 Using the dual stack templates results in less TCAM capacity allowed for each resource Do not use them if you plan to forward only IPv4 traffic These SDM templates support IPv4 and IPv6 environments Dual IPv4 and IPv6 default template supports Layer 2 multicast routing QoS and ACLs for IPv4 and Layer 2 routing and ACLs for IPv6 on the switch Dual IPv4 and IPv6 ro...

Page 143: ...IP access image is the default template The default and only template supported on switches running the metro base or metro access image is the layer 2 template Table 6 2 Approximate Feature Resources Allowed by Dual IPv4 IPv6 Templates Resource IPv4 and IPv6 Default IPv4 and IPv6 Routing IPv4 and IPv6 VLAN Unicast MAC addresses 2 K 1 5 K 8 K IPv4 IGMP groups and multicast routes 1 K 1K 1 K Total ...

Page 144: ...each resource so do not use if you plan to forward only IPv4 traffic Setting the SDM Template Beginning in privileged EXEC mode follow these steps to use the SDM template to select a template on a switch running the metro IP access image After the system reboots you can use the show sdm prefer privileged EXEC command to verify the new template configuration If you enter the show sdm prefer command...

Page 145: ...global configuration command This example shows how to configure a switch with the layer 2 template Switch config sdm prefer layer 2 Switch config end Switch reload Proceed with reload confirm Displaying the SDM Templates Use the show sdm prefer privileged EXEC command with no parameters to display the active template Use the show sdm prefer default dual ipv4 and ipv6 default routing vlan layer 2 ...

Page 146: ...le of output from the show sdm prefer dual ipv4 and ipv6 routing command Switch show sdm prefer dual ipv4 and ipv6 routing desktop IPv4 and IPv6 routing template The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs number of unicast mac addresses 1 5K number of IPv4 IGMP groups multicast routes 1K number of IPv4 unicas...

Page 147: ...sers who dial from outside the network through an asynchronous port connect from outside the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords...

Page 148: ...nd usage information for the commands used in this section see the Cisco IOS Security Command Reference Release 12 2 These sections contain this configuration information Default Password and Privilege Level Configuration page 7 2 Setting or Changing a Static Enable Password page 7 3 Protecting Enable and Enable Secret Passwords with Encryption page 7 3 Disabling Password Recovery page 7 5 Setting...

Page 149: ...r any privilege level you specify We recommend that you use the enable secret command because it uses an improved encryption algorithm If you configure the enable secret command it takes precedence over the enable password command the two commands cannot be in effect simultaneously Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 enable password password Define a ne...

Page 150: ...lobal configuration mode Step 2 enable password level level password encryption type encrypted password or enable secret level level password encryption type encrypted password Define a new password or change an existing password for access to privileged EXEC mode or Define a secret password which is saved using a nonreversible encryption method Optional For level the range is from 0 to 15 Level 1...

Page 151: ...the end user interrupts the boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch We recommend that you also keep a backup copy of the VLAN database file on a secure server When the switch is returned to the default system configuration you can download the saved files to the switch by using the XMODEM protocol For more informatio...

Page 152: ...e that user can access the switch If you have defined privilege levels you can also assign a specific privilege level with associated rights and privileges to each username and password pair Command Purpose Step 1 Attach a PC or workstation with emulation software to the switch console port The default data characteristics of the console port are 9600 8 1 no parity You might need to press the Retu...

Page 153: ...information Setting the Privilege Level for a Command page 7 8 Changing the Default Privilege Level for Lines page 7 9 Logging into and Exiting a Privilege Level page 7 9 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 username name privilege level password encryption type password Enter the username privilege level and password for each user For name specify the u...

Page 154: ...mand Purpose Step 1 configure terminal Enter global configuration mode Step 2 privilege mode level level command Set the privilege level for a command For mode enter configure for global configuration mode exec for EXEC mode interface for interface configuration mode or line for line configuration mode For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges Level 15 is ...

Page 155: ...ng into and Exiting a Privilege Level Beginning in privileged EXEC mode follow these steps to log in to a specified privilege level and to exit to a specified privilege level Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 line vty line Select the virtual terminal line on which to restrict access Step 3 privilege level level Change the default privilege level for t...

Page 156: ...ACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS services are maintained in a database on a TACACS daemon typically running on a UNIX or Windows NT workstation You should have access to and should configure a TACACS server before the configuring TACACS features on your switch TACACS provides for separate and modular authe...

Page 157: ...control session duration or protocol support You can also enforce restrictions on what commands a user can execute with the TACACS authorization feature Accounting Collects and sends information used for billing auditing and reporting to the TACACS daemon Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing Accounti...

Page 158: ...user is prompted for additional authentication information After authentication the user undergoes an additional authorization phase if authorization has been enabled on the switch Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the TACACS daemon is again contacted and it returns an ACCEPT or REJECT author...

Page 159: ...CS Accounting page 7 17 Default TACACS Configuration TACACS and AAA are disabled by default To prevent a lapse in security you cannot configure TACACS through a network management application When enabled TACACS can authenticate users accessing the switch through the CLI Note Although TACACS configuration is performed through the CLI the TACACS server authenticates HTTP connections that have been ...

Page 160: ... used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 tacacs server host hostname port integer timeout integer key string Identify the IP host or hosts maintaining a TACACS server Enter this command multiple times to crea...

Page 161: ...ecify a character string to name the list you are creating For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods enable Use the enable password for authentication Before you can use this authentication method you must define an enable passwor...

Page 162: ...hese authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured Beginning in privileged EXEC mode follow these steps to specify TACACS ...

Page 163: ...lay TACACS server statistics use the show tacacs privileged EXEC command Controlling Switch Access with RADIUS This section describes how to enable and configure the RADIUS which provides detailed accounting information and flexible administrative control over authentication and authorization processes RADIUS is facilitated through AAA and can be enabled only through AAA commands Note For complete...

Page 164: ...rd access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco switch containing a RADIUS client to the network This might be the first step when you make a transition to a TACACS server See Figure 7 2 on page 7 19 Network in which the user must only access a single...

Page 165: ...REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied c CHALLENGE A challenge requires additional data from the user d CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization Users must first success...

Page 166: ...d have access to and should configure a RADIUS server before configuring RADIUS features on your switch These sections contain this configuration information Default RADIUS Configuration page 7 20 Identifying the RADIUS Server Host page 7 20 required Configuring RADIUS Login Authentication page 7 23 required Defining AAA Server Groups page 7 25 optional Configuring RADIUS Authorization for User Pr...

Page 167: ... order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RADIUS to use the AAA security commands you must specify the host running the RADIUS server daemon and a secret text key string that it shares with the switch The timeout retransmission and encryption key values can be configured globally for all R...

Page 168: ...n command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retransmit value is set with the radius server host command the setting of the radius ...

Page 169: ...ically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to aut...

Page 170: ...n use this authentication method you must define an enable password by using the enable password global configuration command group radius Use RADIUS authentication Before you can use this authentication method you must configure the RADIUS server For more information see the Identifying the RADIUS Server Host section on page 7 20 line Use the line password for authentication Before you can use th...

Page 171: ...ver if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same service for example accounting the second configured host entry acts as a fail over backup to the first one You use the ...

Page 172: ...ransmit value is set with the radius server host command the setting of the radius server retransmit global configuration command is used Optional For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server Note The key is a text string that must match the encryption key used on the RADIUS server Always configure the key a...

Page 173: ...er Privileged Access and Network Services AAA authorization limits the services available to a user When AAA authorization is enabled the switch uses information retrieved from the user s profile which is in the local user database or on the security server to configure the user s session The user is granted access to a requested service only if the information in the user profile allows it You ca...

Page 174: ...ices To disable accounting use the no aaa accounting network exec start stop method1 global configuration command Step 3 aaa authorization exec radius Configure the switch for user RADIUS authorization if the user has privileged EXEC access The exec keyword might return user profile information such as autocommand information Step 4 end Return to privileged EXEC mode Step 5 show running config Ver...

Page 175: ...attributes The full set of features available for TACACS authorization can then be used for RADIUS For example this AV pair activates Cisco s multiple named ip address pools feature during IP authorization during PPP IPCP address assignment cisco avpair ip addr pool first Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 radius server key string Specify the shared se...

Page 176: ...eged EXEC mode follow these steps to configure the switch to recognize and use VSAs For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Release 12 2 Configuring the Switch for Vendor Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies...

Page 177: ... be evenly across all RADIUS servers in a server group For more information see the RADIUS Server Load Balancing chapter of the Cisco IOS Security Configuration Guide Release 12 2 http www ciscosystems com en US docs ios 12_2sb feature guide sbrdldbl html Displaying the RADIUS Configuration To display the RADIUS configuration use the show running config privileged EXEC command Command Purpose Step...

Page 178: ...ps1835 products_command_reference_book09186a 0080087e33 html Note In the Kerberos configuration examples and in the Cisco IOS Security Command Reference Release 12 2 the trusted third party can be a Cisco ME switch that supports Kerberos that is configured as a network security server and that can authenticate users by using the Kerberos protocol Understanding Kerberos Kerberos is a secret key net...

Page 179: ...redentials have a default lifespan of eight hours Instance An authorization level label for Kerberos principals Most Kerberos principals are of the form user REALM for example smith EXAMPLE COM A Kerberos principal with a Kerberos instance has the form user instance REALM for example smith admin EXAMPLE COM The Kerberos instance can be used to specify the authorization level for the user if authen...

Page 180: ...e and password 3 The switch requests a TGT from the KDC for this user 4 The KDC sends an encrypted TGT that includes the user identity to the switch KEYTAB3 A password that a network service shares with the KDC In Kerberos 5 and later Kerberos versions the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it In Kerberos versions earlier than Kerberos 5 KE...

Page 181: ...this URL http www cisco com en US products sw iosswrel ps1835 products_configuration_guide_chapter0918 6a00800ca7ad html Authenticating to Network Services This section describes the third layer of security through which a remote user must pass The user with a TGT must now authenticate to the network services in a Kerberos realm For instructions about how to authenticate to a network service see t...

Page 182: ...tep 2 aaa new model Enable AAA Step 3 aaa authentication login default local Set the login authentication to use the local username database The default keyword applies the local user database authentication to all ports Step 4 aaa authorization exec local Configure user AAA authorization check the local database and allow the user to run an EXEC shell Step 5 aaa authorization network local Config...

Page 183: ...uide_chapter0918 6a00800ca7d5 html Note For complete syntax and usage information for the commands used in this section see the command reference for this release and the command reference for Cisco IOS Release 12 2 at this URL http www cisco com en US products sw iosswrel ps1835 products_command_reference_book09186a 0080087e33 html Understanding SSH SSH is a protocol that provides a secure remote...

Page 184: ...rts only the execution shell application The SSH server and the SSH client are supported only on DES 56 bit and 3DES 168 bit data encryption software The switch does not support the Advanced Encryption Standard AES symmetric encryption algorithm Configuring SSH This section has this configuration information Configuration Guidelines page 7 38 Setting Up the Switch to Run SSH page 7 39 required Con...

Page 185: ...ee the Configuring the Switch for Local Authentication and Authorization section on page 7 36 Beginning in privileged EXEC mode follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair This procedure is required if you are configuring the switch as an SSH server To delete the RSA key pair use the crypto key zeroize rsa global configuration command After the ...

Page 186: ...out seconds authentication retries number Configure the SSH control parameters Specify the time out value in seconds the default is 120 seconds The range is 0 to 120 seconds This parameter applies to the SSH negotiation phase After the connection is established the switch uses the default time out values of the CLI based sessions By default up to five simultaneous encrypted SSH connections for mul...

Page 187: ...ion is necessary Before enabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for its secure transport the router must have an Rivest Shamir and Adelman RSA key pair Note When using SCP you cannot enter the password into the copy command You must enter the password when prompted Information About Secure Copy To configure the Secure C...

Page 188: ...7 42 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 7 Configuring Switch Based Authentication Configuring the Switch for Secure Copy Protocol ...

Page 189: ...e 8 1 Configuring IEEE 802 1x Authentication page 8 10 Displaying IEEE 802 1x Statistics and Status page 8 24 Understanding IEEE 802 1x Port Based Authentication The IEEE 802 1x standard defines a client server based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated The aut...

Page 190: ...es Client the device workstation that requests access to the LAN and switch services and responds to requests from the switch The workstation must be running IEEE 802 1x compliant client software such as that offered in the Microsoft Windows XP operating system The client is the supplicant in the IEEE 802 1x specification Note To resolve Windows XP network connectivity and IEEE 802 1x authenticati...

Page 191: ...ation If you enable authentication on a port by using the dot1x port control auto interface configuration command the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated The switch sends an EAP request identity frame to the client to request its identity Upon receipt of the frame the client responds with an ...

Page 192: ...mes as if the port is in the authorized state You control the port authorization state by using the dot1x port control interface configuration command and these keywords force authorized disables IEEE 802 1x authentication and causes the port to change to the authorized state without any authentication exchange required The port sends and receives normal traffic without IEEE 802 1x based authentic...

Page 193: ... network access but does not keep track of network usage IEEE 802 1x accounting is disabled by default You can enable IEEE 802 1x accounting to monitor this activity on IEEE 802 1x enabled ports User successfully authenticates User logs off Link down occurs Re authentication successfully occurs Re authentication fails The switch does not log IEEE 802 1x accounting information Instead it sends this...

Page 194: ... replaced with another client the switch changes the port link state to down and the port returns to the unauthorized state In multiple hosts mode you can attach multiple hosts to a single IEEE 802 1x enabled port Figure 8 3 on page 8 7 shows IEEE 802 1x port based authentication in a wireless LAN In this mode only one of the attached clients must be authorized for all clients to be granted networ...

Page 195: ...n you enable port security and IEEE 802 1x on a port IEEE 802 1x authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limit the number or group of clients that can access the network through an IEEE 802 1x port These are some examples of the interaction between IEEE 802 1x and port security on the switch When a client is au...

Page 196: ...ed on the username of the client connected to the switch port You can use this feature to limit network access for certain users When configured on the switch and the RADIUS server IEEE 802 1x with VLAN assignment has these characteristics If no VLAN is supplied by the RADIUS server or if IEEE 802 1x authorization is disabled the port is configured in its access VLAN after successful authenticatio...

Page 197: ...e 7 29 802 1x Switch Supplicant with Network Edge Access Topology NEAT NEAT extends identity to areas outside the wiring closet such as conference rooms through the following 802 1x switch supplicant You can configure a switch to act as a supplicant to another switch by using the 802 1x supplicant feature This configuration is helpful in a scenario where for example a switch is outside a wiring cl...

Page 198: ...guring the Switch to RADIUS Server Communication page 8 16 required Configuring Periodic Re Authentication page 8 17 optional Manually Re Authenticating a Client Connected to a Port page 8 17 optional Changing the Quiet Period page 8 18 optional Changing the Switch to Client Retransmission Time page 8 18 optional Setting the Switch to Client Frame Retransmission Number page 8 19 optional Setting t...

Page 199: ...e port changes to the unauthorized state Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Maximum retransmission number 2 times number ...

Page 200: ...rror message appears and IEEE 802 1x is not enabled Switched Port Analyzer SPAN and Remote SPAN RSPAN destination ports You can enable IEEE 802 1x on a port that is a SPAN or RSPAN destination port However IEEE 802 1x is disabled until the port is removed as a SPAN or RSPAN destination port You can enable IEEE 802 1x on a SPAN or RSPAN source port You can configure any VLAN except an RSPAN VLAN or...

Page 201: ...thin the timeout period If the client does not respond to the query the client is not IEEE 802 1x capable No syslog message is generated The readiness check can be sent on a port that handles multiple hosts for example a PC that is connected to an IP phone A syslog message is generated for each of the clients that respond to the readiness check within the timer period Beginning in privileged EXEC ...

Page 202: ...configuration mode Step 2 aaa new model Enable AAA Step 3 aaa authentication dot1x default method1 Create an IEEE 802 1x authentication method list To create a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports...

Page 203: ...eate a default list that is used when a named list is not specified in the authentication command use the default keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Note Though other keywords are visible in the comma...

Page 204: ...transmission and encryption key values for all RADIUS servers by using the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server retransmit and the radius server key global configuration commands For more information see the Configuring Settings for All RADIUS Servers section on page 7 29 Command Pur...

Page 205: ... set the number of seconds between re authentication attempts to 4000 Switch config if dot1x reauthentication Switch config if dot1x timeout reauth period 4000 Manually Re Authenticating a Client Connected to a Port You can manually re authenticate the client connected to a specific port at any time by entering the dot1x re authenticate interface interface id privileged EXEC command This step is o...

Page 206: ...sion time and then resends the frame Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to change the amount of time that the switch waits for client notification This procedure is optional Comma...

Page 207: ...rvers Beginning in privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional To return to the default retransmission number use the no dot1x max req interface configuration command This example shows how to set 5 as the number of times that the switch sends an EAP request before restarting the authentication process Switch config if ...

Page 208: ...2 1x authorized port that has the dot1x port control interface configuration command set to auto This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the port to be configured and enter interface configuration mode Step 3 dot1x max reauth req count Set the number of times that the switch restarts the authenticati...

Page 209: ...al Configuring IEEE 802 1x Accounting Enabling AAA system accounting with IEEE 802 1x accounting allows system reload events to be sent to the accounting RADIUS server for logging The server can then infer that all active IEEE 802 1x sessions are closed Because RADIUS uses the unreliable UDP transport protocol accounting messages might be lost due to poor network conditions If the switch does not ...

Page 210: ... aaa accounting system default start stop group radius Configuring 802 1x Switch Supplicant with NEAT Configuring this feature requires that one switch outside a wiring closet is configured as supplicant and is connected to an authenticator switch Note You cannot enable MDA or multiauth mode on the authenticator switch interface that connects to one more supplicant switches For overview informatio...

Page 211: ... mode to auto Step 6 dot1x pae authenticator Configure the interface as a port access entity PAE authenticator Step 7 spanning tree portfast Enable Port Fast on an access port connected to a single workstation or server Step 8 end Return to privileged EXEC mode Step 9 show running config interface interface id Verify your configuration Step 10 copy running config startup config Optional Save your ...

Page 212: ...atistics and Status To display IEEE 802 1x statistics for all ports use the show dot1x all statistics privileged EXEC command To display IEEE 802 1x statistics for a specific port use the show dot1x statistics interface interface id privileged EXEC command To display the IEEE 802 1x administrative and operational status for the switch use the show dot1x all privileged EXEC command To display the I...

Page 213: ... and usage information for the commands used in this chapter see the switch command reference for this release and the online Cisco IOS Interface Command Reference Release 12 2 Understanding Interface Types This section describes the different types of interfaces supported by the switch with references to chapters that contain more detailed information about configuring these interface types The r...

Page 214: ...appropriate for two or more UNIs or ENIs to exchange traffic within the switch the UNIs and ENIs can be assigned to a community VLAN See Chapter 11 Configuring VLANs for instructions on how to configure community VLANs Note Even though the default state for a UNI or ENI is shutdown entering the default interface interface id command changes the port to the enabled state The default status for an N...

Page 215: ...LAN database VLAN configuration is saved in the switch running configuration and you can save it in the switch startup configuration file by entering the copy running config startup config privileged EXEC command Add ports to a VLAN by using the switchport interface configuration commands Identify the interface For a trunk port set trunk characteristics and if desired define the VLANs to which it ...

Page 216: ...atabase A trunk port supports simultaneous tagged and untagged traffic An IEEE 802 1Q trunk port is assigned a default Port VLAN ID PVID and all untagged traffic travels on the port default PVID All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the port default PVID A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged All other traffic...

Page 217: ...hen re enables it which might generate messages on the device to which the interface is connected When you put an interface that is in Layer 2 mode into Layer 3 mode the previous configuration information related to the affected interface might be lost The number of routed ports that you can configure is not limited by software However the interrelationship between this number and the number of ot...

Page 218: ...traffic load across the links in the channel If a link within the EtherChannel fails traffic previously carried over the failed link changes to the remaining links You can group multiple trunk ports into one logical trunk port group multiple access ports into one logical access port group multiple tunnel ports into one logical tunnel port or group multiple routed ports into one logical routed port...

Page 219: ...ave to exchange information through a router By default the Cisco ME switch provides VLAN isolation between UNIs or ENIs UNIs and ENIs cannot exchange traffic unless they are changed to NNIs or assigned to a UNI ENI community VLAN By using the switch with routing enabled when you configure both VLAN 20 and VLAN 30 with an SVI to which an IP address is assigned packets can be sent from Host A to Ho...

Page 220: ...more than one interface type for example 10 100 ports and SFP module ports the port numbers restart with the second interface type gigabitethernet 0 1 You can identify physical interfaces by physically checking the interface location on the switch You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch The remainder o...

Page 221: ...e configuration mode all command parameters that you enter are attributed to all interfaces within that range until you exit this mode Beginning in privileged EXEC mode follow these steps to configure a range of interfaces with the same parameters When using the interface range global configuration command note these guidelines Valid entries for port range vlan vlan ID vlan ID where the VLAN ID is...

Page 222: ...e range to enable Fast Ethernet ports 1 to 3 and Gigabit Ethernet ports 1 and 2 to receive IEEE 802 3x flow control pause frames Switch configure terminal Switch config interface range fastethernet0 1 3 gigabitethernet0 1 2 Switch config if range flowcontrol receive on If you enter multiple configuration commands while you are in interface range mode each command is executed as it is entered The c...

Page 223: ...isplays the configured VLAN interfaces VLAN interfaces not displayed by the show running config command cannot be used as interface ranges All interfaces defined as in a range must be the same type all Fast Ethernet ports all Gigabit Ethernet ports all EtherChannel ports or all VLANs but you can combine multiple interface types in a macro This example shows how to define an interface range named e...

Page 224: ... Default Ethernet Interface Configuration page 9 12 Configuring the Port Type page 9 14 Configuring Interface Speed and Duplex Mode page 9 15 Configuring a Dual Purpose Port page 9 18 Configuring IEEE 802 3x Flow Control page 9 20 Configuring Auto MDIX on an Interface page 9 21 Adding a Description for an Interface page 9 22 Default Ethernet Interface Configuration Table 9 1 shows the Ethernet int...

Page 225: ...nknown unicast traffic Disabled not blocked only Layer 2 interfaces See the Configuring Port Blocking section on page 22 7 Broadcast multicast and unicast storm control Disabled See the Default Storm Control Configuration section on page 22 3 Port security Disabled only Layer 2 interfaces See the Default Port Security Configuration section on page 22 11 Port Fast Disabled See the Default Optional ...

Page 226: ...nd the default for NNIs is enabled Note By default the switch sends keepalive messages on UNI s and ENIs and does not send keepalive messages on NNIs Changing the port type from UNI or ENI to NNI or from NNI to UNI or ENI has no effect on the keepalive status You can change the keepalive state from the default setting by entering the no keepalive interface configuration command If you enter the ke...

Page 227: ...nfiguration Guidelines page 9 15 Setting the Interface Speed and Duplex Parameters page 9 16 Speed and Duplex Configuration Guidelines When configuring an interface speed and duplex mode note these guidelines You can configure interface speed on Fast Ethernet 10 100 Mbps and Gigabit Ethernet 10 100 1000 Mbps ports You can configure Fast Ethernet ports to full duplex half duplex or to autonegotiate...

Page 228: ...on the supported side When STP is enabled and a port is reconfigured the switch can take up to 30 seconds to check for loops The port LED is amber while STP reconfigures On the Cisco ME switch STP is supported on NNIs by default and can be enabled on ENIs UNIs do not support STP Caution Changing the interface speed and duplex mode configuration might shut down and re enable the interface during th...

Page 229: ...gotiate speed with the connected device If you use the 10 100 or the 1000 keywords with the auto keyword the port autonegotiates only at the specified speeds The nonegotiate keyword is available only for SFP module ports SFP module ports operate only at 1000 Mbps but can be configured to not negotiate if connected to a device that does not support autonegotiation Note When a Cisco1000BASE T SFP mo...

Page 230: ...aces the switch activates only one connector of the pair By default the dual purpose ports are user network interfaces UNIs and the SFP only module ports are network node interfaces NNIs If the switch is running the metro IP access image you can configure any number of ports as NNIs If the switch is running the metro base or metro access image you can configure only four ports as NNIs When running...

Page 231: ... switch gives preference to the SFP module interface See the media type interface configuration command in the command reference for more information Step 3 media type auto select rj45 sfp Select the active interface and media type of a dual purpose port The keywords have these meanings auto select The switch dynamically selects the media type This is the default When a linkup is achieved the swit...

Page 232: ...rames the port can receive pause frames receive off IEEE 802 3x flow control does not operate in either direction In case of congestion no indication is given to the link partner and no pause frames are sent or received by either device Note For details on the command settings and the resulting IEEE 802 3x flow control resolution on local and remote ports see the flowcontrol interface configuratio...

Page 233: ...s not supported on 1000 BASE SX or LX SFP module interfaces Table 9 3 shows the link states that result from auto MDIX settings and correct and incorrect cabling Beginning in privileged EXEC mode follow these steps to configure auto MDIX on an interface To disable auto MDIX use the no mdix auto interface configuration command Table 9 3 Link Conditions and Auto MDIX Settings Local Side Auto MDIX Re...

Page 234: ...rface gigabitethernet0 2 Switch config if description Connects to Marketing Switch config if end Switch show interfaces gigabitethernet0 2 description Interface Status Protocol Description Gi 0 2 admin down down Connects to Marketing Configuring Layer 3 Interfaces The switch must be running the metro IP access image to support Layer 3 interfaces The Cisco ME switch supports these types of Layer 3 ...

Page 235: ... boot up with a configuration that has more VLANs and routed ports than hardware can support the VLANs are created but the routed ports are shut down and the switch sends a message that this was due to insufficient hardware resources All Layer 3 interfaces require an IP address to route traffic This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP addres...

Page 236: ...TU size automatically defaults to the new system MTU size Gigabit Ethernet ports are not affected by the system mtu command Fast Ethernet ports are not affected by the system mtu jumbo command because jumbo frames are not supported on 10 100 interfaces including 100BASE FX and 100BASE BX SFP modules If you do not configure the system mtu jumbo command the setting of the system mtu command applies ...

Page 237: ...encies and the MTU of the link For example the Open Shortest Path First OSPF protocol uses this MTU value before setting up an adjacency with a peer router To view the MTU value for routed packets for a specific VLAN use the show platform port asic mvid privileged EXEC command Note If Layer 2 Gigabit Ethernet interfaces are configured to accept frames greater than the 10 100 interfaces jumbo frame...

Page 238: ...ersions of the software and the hardware the configuration and statistics about the interfaces Table 9 4 lists some of these interface monitoring commands You can display the full list of show commands by using the show command at the privileged EXEC prompt These commands are fully described in the Cisco IOS Interface Command Reference Release 12 2 Table 9 4 Show Commands for Interfaces Command Pu...

Page 239: ...ical Monitoring DoM capable transceiver if one is installed in the switch dom supported list Optional List all supported DoM transceivers module number Optional Limit display to interfaces on module on the switch The range is 1 to 9 This option is not available if you entered a specific interface ID properties Optional Display speed duplex and inline power settings on an interface threshold table ...

Page 240: ...cated to other network servers through all dynamic routing protocols The interface is not mentioned in any routing updates Beginning in privileged EXEC mode follow these steps to shut down an interface Use the no shutdown interface configuration command to enable an interface To verify that an interface is disabled enter the show interfaces privileged EXEC command A disabled interface is shown as ...

Page 241: ...mmand macro is a set of command line interface CLI commands that you define Command macros do not contain new CLI commands they are simply a group of existing CLI commands When you apply a command macro on an interface the CLI commands within the macro are configured on the interface When the macro is applied to an interface the existing interface configurations are not lost The new commands are a...

Page 242: ...are invalid and are not applied When a macro is applied globally to a switch or to a switch interface all existing configuration on the interface is retained This is helpful when applying an incremental configuration If you modify a macro definition by adding or deleting commands the changes are not reflected on the interface where the original macro was applied You need to reapply the updated mac...

Page 243: ...r a macro name A macro definition can contain up to 3000 characters Enter the macro commands with one command per line Use the character to end the macro Use the character at the beginning of a line to enter comment text within the macro Optional You can define keywords within a macro by using a help string to specify the keywords Enter macro keywords word to define the keywords that are available...

Page 244: ...er interface configuration mode and specify the interface on which to apply the macro Step 5 no shutdown Enable the port if necessary By default UNIs and enhanced network interfaces ENIs are disabled and network node interfaces NNIs are enabled Step 6 default interface interface id Optional Clear all configuration from the specified interface Step 7 macro apply trace macro name parameter value par...

Page 245: ...g command snmp server enable traps linkup Applying command snmp server enable traps linkdown Applying command snmp server host Error Unknown error Applying command snmp server ip precedence 7 This example shows how to apply the user created macro called desktop config and to verify the configuration Switch config interface gigabitethernet0 2 Switch config if macro apply desktop config Switch confi...

Page 246: ...10 6 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 10 Configuring Command Macros Displaying Command Macros ...

Page 247: ...4 Configuring VLAN Trunks page 11 14 Configuring VMPS page 11 23 Understanding VLANs A VLAN is a switched network that is logically segmented by function project team or application without regard to the physical locations of the users VLANs have the same attributes as physical LANs but you can group end stations even if they are not physically located on the same LAN segment Any switch port can b...

Page 248: ...e based or static VLAN membership Note The switch does not support VLAN Trunking Protocol VTP Traffic between VLANs must be routed Switches that are running the metro IP access image can route traffic between VLANs by using switch virtual interfaces SVIs To route traffic between VLANs an SVI must be explicitly configured and assigned an IP address For more information see the Switch Virtual Interf...

Page 249: ...E 802 1Q trunking for sending VLAN traffic over Ethernet ports Normal Range VLANs Normal range VLANs are VLANs with VLAN IDs 1 to 1005 You can add modify or remove configurations for VLANs 2 to 1001 in the VLAN database VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed Configurations for VLAN IDs 1 to 1005 are written to the file vlan dat VLAN database and you can display...

Page 250: ...configuration details for most of these parameters For complete information on the commands and parameters that control VLAN configuration see the command reference for this release Extended Range VLANs You can create extended range VLANs in the range 1006 to 4094 to enable service providers to extend their infrastructure to a greater number of customers The extended range VLAN IDs are allowed for...

Page 251: ...AN list For information about configuring trunk ports see the Configuring an Ethernet Interface as a Trunk Port section on page 11 16 Dynamic access A dynamic access port can belong to one VLAN VLAN ID 1 to 4094 and is dynamically assigned by a VMPS The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch for example but never a Cisco ME 3400 Ethernet Access switch The Cisco ME 3400 switch i...

Page 252: ...orwarding state Network node interfaces NNIs are not affected by the type of UNI ENI VLAN to which they belong Switching can occur between NNIs and other NNIs or UNIs or ENIs on the switch or other switches that are part of the same VLAN regardless of VLAN type In the configuration in Figure 11 2 if VLAN 10 is a UNI ENI isolated VLAN and VLAN 20 is a UNI ENI community VLAN local switching does not...

Page 253: ...ines page 11 8 Creating or Modifying an Ethernet VLAN page 11 9 Assigning Static Access Ports to a VLAN page 11 11 Creating an Extended Range VLAN with an Internal VLAN ID page 11 11 Configuring UNI ENI VLANs page 11 12 If the switch is running the metro IP access or metro access image for more efficient management of the MAC address table space available on the switch you can control which VLANs ...

Page 254: ...ing VLANs If you have already used all available spanning tree instances on a switch adding another VLAN creates a VLAN on that switch that is not running spanning tree If you have the default allowed list on the trunk ports of that switch which is to allow all VLANs the new VLAN is carried on all trunk ports Depending on the topology of the network this could create a loop in the new VLAN that wo...

Page 255: ...not enough hardware resources available an error message is generated and the extended range VLAN is rejected Creating or Modifying an Ethernet VLAN To access VLAN configuration mode enter the vlan global configuration command with a VLAN ID Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN You can use the default VLAN configuration Table 11 2 or enter commands ...

Page 256: ... mode and save the new VLAN in the switch startup configuration file Switch config vlan 2000 Switch config vlan end Switch copy running config startup config Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 vlan vlan id Enter a VLAN ID and enter VLAN configuration mode Enter a new VLAN ID to create a VLAN or enter an existing VLAN ID to modify that VLAN The availabl...

Page 257: ...Range VLAN with an Internal VLAN ID If you enter an extended range VLAN ID that is already assigned to an internal VLAN an error message appears and the extended range VLAN is rejected To manually release an internal VLAN ID you must temporarily shut down the routed port that is using the internal VLAN ID Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface in...

Page 258: ...move the community VLAN type by entering the no uni vlan VLAN configuration command Then enter the private vlan VLAN configuration command To change a VLAN from a UNI ENI isolated VLAN to an RSPAN VLAN enter the rspan vlan VLAN configuration command Command Purpose Step 1 show vlan internal usage Display the VLAN IDs being used internally by the switch If the VLAN ID that you want to use is an int...

Page 259: ...n the ENIs and UNIs in the community VLAN and ENIs can support spanning tree while UNIs do not Configuring UNI ENI VLANs By default every VLAN created on the switch is a UNI ENI isolated VLAN You can change the configuration to UNI ENI community VLAN or to a private VLAN or RSPAN VLAN For procedures for configuring private VLANs or RSPAN VLANs see Chapter 12 Configuring Private VLANs and Chapter 2...

Page 260: ...release Configuring VLAN Trunks Trunking Overview page 11 14 Default Layer 2 Ethernet Interface VLAN Configuration page 11 16 Configuring an Ethernet Interface as a Trunk Port page 11 16 Configuring Trunk Ports for Load Sharing page 11 19 Trunking Overview A trunk is a point to point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch Ethe...

Page 261: ...arated by a cloud of non Cisco IEEE 802 1Q switches The non Cisco IEEE 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches Make sure that the native VLAN for an IEEE 802 1Q trunk is the same on both ends of the trunk link If the native VLAN on one end of the trunk is different from the native VLAN on the other end spanning tree loops might result Table...

Page 262: ...he Native VLAN for Untagged Traffic page 11 19 Interaction with Other Features Trunking interacts with other features in these ways A trunk port cannot be a secure port A trunk port cannot be a tunnel port Trunk ports can be grouped into EtherChannel port groups but all trunks in the group must have the same configuration When a group is first created all ports follow the parameters set for the fi...

Page 263: ...the Allowed VLANs on a Trunk By default a trunk port sends traffic to and receives traffic from all VLANs All VLAN IDs 1 to 4094 are allowed on each trunk However you can remove VLANs from the allowed list preventing traffic from those VLANs from passing over the trunk To restrict the traffic a trunk carries use the switchport trunk allowed vlan remove vlan list interface configuration command to ...

Page 264: ... EXEC mode follow these steps to modify the allowed list of an IEEE 802 1Q trunk To return to the default allowed VLAN list of all VLANs use the no switchport trunk allowed vlan interface configuration command This example shows how to remove VLAN 2 from the allowed VLAN list on a port Switch config interface fastethernet0 1 Switch config if switchport trunk allowed vlan remove 2 Switch config if ...

Page 265: ...s STP normally blocks all but one parallel link between switches Using load sharing you divide the traffic between the links according to the VLAN to which the traffic belongs You configure load sharing on trunk ports that have STP enabled by using STP port priorities or STP path costs For load sharing using STP port priorities both load sharing links must be connected to the same switch For load ...

Page 266: ...unk 2 carries traffic for VLANs 3 through 6 If the active trunk fails the trunk with the lower priority takes over and carries the traffic for all of the VLANs No duplication of traffic occurs over any trunk port Figure 11 3 Load Sharing by Using STP Port Priorities Beginning in privileged EXEC mode on Switch A follow these steps to configure the network shown in Figure 11 3 Note that you can use ...

Page 267: ...unk port 1 of 19 VLANs 8 through 10 are assigned a path cost of 30 on Trunk port 2 VLANs 2 through 4 retain the default 100Base T path cost on Trunk port 2 of 19 Step 15 show interfaces gigabitethernet 0 1 switchport Verify the port configuration Step 16 configure terminal Enter global configuration mode Step 17 interface gigabitethernet 0 2 Define the interface to be configured as the Trunk 2 int...

Page 268: ...et0 2 Define the interface to be configured as Trunk port 2 and enter interface configuration mode Step 7 port type nni eni Configure the interface as an NNI or ENI UNIs do not support STP If you configure the port as an ENI you must also enable STP on the port by entering the spanning tree interface configuration command Step 8 switchport mode trunk Configure the port as a trunk port Step 9 end R...

Page 269: ...S Client Configuration section on page 11 25 VMPS Configuration Guidelines section on page 11 25 Configuring the VMPS Client section on page 11 25 Monitoring the VMPS section on page 11 28 Troubleshooting Dynamic Access Port VLAN Membership section on page 11 28 VMPS Configuration Example section on page 11 28 Understanding VMPS Each time the client switch receives the MAC address of a new host it...

Page 270: ...from 1 to 4094 When the link comes up the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic access port and attempts to match the MAC address to a VLAN in the VMPS database Note Only UNIs or ENIs can be dynamic access ports If there is a match the VMP...

Page 271: ...ic access ports but you can enter the switchport access vlan dynamic interface configuration command for a trunk port In this case the switch retains the setting and applies it if the port is later configured as an access port You must turn off trunking on the port before the dynamic access setting takes effect Dynamic access ports cannot be monitor ports Secure ports cannot be dynamic access port...

Page 272: ...tch acting as the primary VMPS server Step 3 vmps server ipaddress Optional Enter the IP address of the switch acting as a secondary VMPS server You can enter up to three secondary server addresses Step 4 end Return to privileged EXEC mode Step 5 show vmps Verify your entries in the VMPS Domain Server field of the display Step 6 copy running config startup config Optional Save your entries in the ...

Page 273: ...se steps to change the number of times that the switch attempts to contact the VMPS before querying the next server To return the switch to its default setting use the no vmps retry global configuration command Command Purpose Step 1 vmps reconfirm Reconfirm dynamic access port VLAN membership Step 2 show vmps Verify the dynamic VLAN reconfirmation status Command Purpose Step 1 configure terminal ...

Page 274: ...expired or you can force it by entering the vmps reconfirm privileged EXEC command This is an example of output for the show vmps privileged EXEC command Switch show vmps VQP Client Status VMPS VQP Version 1 Reconfirm Interval 60 min Server Retry Count 3 VMPS domain server 172 20 128 86 primary current 172 20 128 87 Reconfirmation status VMPS Action other Troubleshooting Dynamic Access Port VLAN M...

Page 275: ...tion Primary VMPS Server 1 Catalyst 6500 series Secondary VMPS Server 2 Catalyst 6500 series Secondary VMPS Server 3 172 20 26 150 172 20 26 151 Catalyst 6500 series switch A 172 20 26 152 Switch C Ethernet segment Trunk link 172 20 26 153 172 20 26 154 172 20 26 155 172 20 26 156 172 20 26 157 172 20 26 158 172 20 26 159 Client switch I Client switch B End station 2 End station 1 TFTP server Dyna...

Page 276: ...11 30 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 11 Configuring VLANs Configuring VMPS ...

Page 277: ...s assigned a subnet address space or a block of addresses which can waste the unused IP addresses and cause IP address management problems Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers These sections describe how private VLANs work Types of Private VLANs and Private VLAN Ports page 12 1 IP ...

Page 278: ...ts that are one of these types Promiscuous A promiscuous port belongs to the primary VLAN and can communicate with all interfaces including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN Note Promiscuous ports must be network node interfaces NNIs UNIs or ENIs cannot be configured as promiscuous ports Isolated An isolated port is a host por...

Page 279: ...nd UNI ENI community VLANs When a VLAN is created it is by default a UNI ENI isolated VLAN Traffic is not switched among UNIs and ENIs on a switch that belong to a UNI ENI isolated VLAN For more information on UNI ENI VLANs see Chapter 11 Configuring VLANs A promiscuous port can serve only one primary VLAN one isolated VLAN and multiple community VLANs Layer 3 gateways are typically connected to t...

Page 280: ...When new devices are added the DHCP server assigns them the next available address from a large pool of subnet addresses Private VLANs across Multiple Switches As with regular VLANs private VLANs can span multiple switches A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch The trunk port treats the private VLAN as any other VLAN A feature of private VLANs across mult...

Page 281: ... In a Layer 3 switch a switch running the metro IP access image a switch virtual interface SVI represents the Layer 3 interface of a VLAN Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs Configure Layer 3 VLAN interfaces only for primary VLANs You cannot configure Layer 3 VLAN interfaces for secondary VLANs SVIs for secondary VLANs are i...

Page 282: ...condary VLANs to a Primary VLAN Layer 3 VLAN Interface section on page 12 14 Step 5 Verify private VLAN configuration Default Private VLAN Configuration No private VLANs are configured Newly created VLANs are UNI ENI isolated VLANs Private VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories Secondary and Primary VLAN Configuration page 12 7 Private VLA...

Page 283: ...al configuration command is supported only on SVIs belonging to private VLANs The ip sticky arp interface configuration command is only supported on Layer 3 interfaces SVIs belonging to normal VLANs SVIs belonging to private VLANs For more information about using the ip sticky arp global configuration and the ip sticky arp interface configuration commands see the command reference for this release...

Page 284: ...ature to all Port Fast configured Layer 2 LAN ports Do not enable Port Fast and BPDU guard on promiscuous ports If you delete a VLAN used in the private VLAN configuration the private VLAN ports associated with the VLAN become inactive Private VLAN ports can be on different network devices if the devices are trunk connected and the primary and secondary VLANs have not been removed from the trunk A...

Page 285: ...secondary VLAN is replicated in the primary VLAN When the original dynamic MAC address is deleted or aged out the replicated addresses are removed from the MAC address table Configure Layer 3 VLAN interfaces only for primary VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode follow these steps to configure a private VLAN Note The private vlan commands do no...

Page 286: ...sly been configured as UNI ENI community VLANs Switch configure terminal Switch config vlan 20 Switch config vlan private vlan primary Switch config vlan exit Switch config vlan 501 Switch config vlan private vlan isolated Switch config vlan exit Switch config vlan 502 Switch config vlan no uni vlan Switch config vlan private vlan community Switch config vlan exit Switch config vlan 503 Switch con...

Page 287: ... if no shutdown Switch config if switchport mode private vlan host Switch config if switchport private vlan host association 20 501 Switch config if end Switch show interfaces fastethernet0 22 switchport Name Fa0 22 Switchport Enabled Administrative Mode private vlan host Operational Mode private vlan host Administrative Trunking Encapsulation dot1q Operational Trunking Encapsulation native Negoti...

Page 288: ...ry_vlan_list parameter cannot contain spaces It can contain multiple comma separated items Each item can be a single private VLAN ID or a hyphenated range of private VLAN IDs Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the private VLAN promiscuous port Use the remove keyword with a secondary_vlan_list to clear the mapping between seco...

Page 289: ...ary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private VLAN traffic Note The private vlan mapping interface configuration command only affects private VLAN traffic that is switched through Layer 3 When you map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN note this syntax information The secondary_vlan_list parameter cannot contain spaces It can contain mult...

Page 290: ...ary VLAN Type vlan10 501 isolated vlan10 502 community Monitoring Private VLANs Table 12 1 shows the privileged EXEC commands for monitoring private VLAN activity This is an example of the output from the show vlan private vlan command Switch config show vlan private vlan Primary Secondary Type Ports 10 501 isolated Fa0 1 Gi0 1 Gi0 2 10 502 community Fa0 11 Fa0 12 Gi0 1 10 503 non operational Tabl...

Page 291: ...ling page 13 4 Understanding Layer 2 Protocol Tunneling page 13 7 Configuring Layer 2 Protocol Tunneling page 13 10 Monitoring and Maintaining Tunneling and Mapping Status page 13 18 Understanding 802 1Q Tunneling Business customers of service providers often have specific requirements for VLAN IDs and the number of VLANs to be supported The VLAN ranges required by different customers in the same ...

Page 292: ... For more information about UNI ENI VLANs see Chapter 11 Configuring VLANs Figure 13 1 802 1Q Tunnel Ports in a Service Provider Network Packets coming from the customer trunk port into the tunnel port on the service provider edge switch are normally 802 1Q tagged with the appropriate VLAN ID The the tagged packets remain intact inside the switch and when they exit the trunk port into the service ...

Page 293: ...ir networks the traffic remains segregated within the service provider network because the outer tag is different Each customer controls its own VLAN numbering space which is independent of the VLAN numbering space used by other customers and the VLAN numbering space used by the service provider network At the outbound tunnel port the original VLAN numbers on the customer s network are recovered I...

Page 294: ...nontrunking links When 802 1Q trunks are used in these core switches the native VLANs of the 802 1Q trunks must not match any native VLAN of the nontrunking tunneling port on the same switch because traffic on the native VLAN would not be tagged on the 802 1Q sending trunk port See Figure 13 3 VLAN 40 is configured as the native VLAN for the 802 1Q trunk port from Customer X at the ingress edge sw...

Page 295: ...o tag is added you must configure all switches in the service provider network to be able to process maximum frames by increasing the switch system MTU size to at least 1504 bytes The maximum allowable system MTU for Gigabit Ethernet interfaces is 9000 bytes the maximum system MTU for Fast Ethernet interfaces is 1998 bytes 802 1Q Tunneling and Other Features Although 802 1Q tunneling works well fo...

Page 296: ...ort is configured as an 802 1Q tunnel port spanning tree bridge protocol data unit BPDU filtering is automatically enabled on the interface and the Cisco Discovery Protocol CDP and the Layer Link Discovery Protocol LLDP are automatically disabled on the interface UNIs do not support BPDU filtering CDP or LLDP In a UNI ENI isolated VLAN 802 1Q tunneled access ports are isolated from each other but ...

Page 297: ... local sites STP must run properly and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service provider network Cisco Discovery Protocol CDP must discover neighboring Cisco devices from local and remote sites VLAN Trunking Protocol VTP must provide consistent VLAN configuration throughout all sites in the customer network that are partici...

Page 298: ... protocol tunneling is enabled on the trunk port the encapsulated tunnel MAC address is removed and the protocol packets have their normal MAC address Layer 2 protocol tunneling can be used independently or can enhance 802 1Q tunneling If protocol tunneling is not enabled on 802 1Q tunneling ports remote switches at the receiving end of the service provider network do not receive the PDUs and cann...

Page 299: ...n of EtherChannels by emulating a point to point network topology When you enable protocol tunneling PAgP or LACP on the SP switch remote customer switches receive the PDUs and can negotiate the automatic creation of EtherChannels Customer X Site 2 VLANs 1 to 100 Customer Y Site 2 VLANs 1 to 200 Customer Y Site 1 VLANs 1 to 200 Customer X Site 1 VLANs 1 to 100 VLAN 30 Trunk ports Switch A Trunk po...

Page 300: ... tunneling for LLDP Caution PAgP LACP and UDLD protocol tunneling is only intended to emulate a point to point topology An erroneous configuration that sends tunneled packets to many ports could lead to a network failure When the Layer 2 PDUs that entered the service provider inbound edge switch through a Layer 2 protocol enabled port exit through the trunk port into the service provider network t...

Page 301: ...Table 13 1 shows the default Layer 2 protocol tunneling configuration Layer 2 Protocol Tunneling Configuration Guidelines These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling The switch supports tunneling of CDP STP including multiple STP MSTP and VTP Protocol tunneling is disabled by default but can be enabled for the individual protocols on 802 1Q t...

Page 302: ...rk does not forward BPDUs to tunnel ports CDP packets are not forwarded from tunnel ports When protocol tunneling is enabled on an interface you can set a per protocol per port shutdown threshold for the PDUs generated by the customer network If the limit is exceeded the port shuts down You can also limit BPDU rate by using QoS ACLs and policy maps on a tunnel port When protocol tunneling is enabl...

Page 303: ...gured Note If you also set a drop threshold on this interface the shutdown threshold value must be greater than or equal to the drop threshold value Step 7 l2protocol tunnel drop threshold cdp stp vtp value Optional Configure the threshold for packets per second accepted for encapsulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the thr...

Page 304: ... configure Layer 2 point to point tunneling to facilitate the creation of EtherChannels you need to configure both the SP edge switch and the customer switch Configuring the SP Edge Switch Beginning in privileged EXEC mode follow these steps to configure a SP edge switch for Layer 2 protocol tunneling for EtherChannels Command Purpose Step 1 configure terminal Enter global configuration mode Step ...

Page 305: ...psulation The interface drops packets if the configured threshold is exceeded If no protocol option is specified the threshold applies to each of the tunneled Layer 2 protocol types The range is 1 to 4096 The default is to have no threshold configured Note If you also set a shutdown threshold on this interface the drop threshold value must be less than or equal to the shutdown threshold value Step...

Page 306: ... to point udld Switch config if l2protocol tunnel drop threshold point to point pagp 1000 Switch config if exit Switch config interface gigabitethernet0 2 Switch config if switchport access vlan 18 Switch config if switchport mode dot1q tunnel Switch config if l2protocol tunnel point to point pagp Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface ...

Page 307: ...Switch config if exit Switch config interface fastethernet0 3 Switch config if no shutdown Switch config if switchport mode trunk This example shows how to configure the customer switch at Site 1 Fast Ethernet interfaces 1 2 3 and 4 are set for 802 1Q trunking UDLD is enabled EtherChannel group 1 is enabled and the port channel is shut down and then enabled to activate the EtherChannel configurati...

Page 308: ...nneling Command Purpose clear l2protocol tunnel counters Clear the protocol counters on Layer 2 protocol tunneling ports show dot1q tunnel Display 802 1Q tunnel ports on the switch show dot1q tunnel interface interface id Verify if a specific interface is a tunnel port show l2protocol tunnel Display information about Layer 2 protocol tunneling ports show errdisable recovery Verify if the recovery ...

Page 309: ... about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 15 Configuring MSTP For information about other spanning tree features such as Port Fast root guard and so forth see Chapter 16 Configuring Optional Spanning Tree Features Note For complete syntax and usage information for the commands used in this chapter see the command re...

Page 310: ...t elected for every switched LAN segment Alternate A blocked port providing an alternate path to the root bridge in the spanning tree Backup A blocked port in a loopback configuration Note On the Cisco ME 3400 switch only NNIs and ENIs on which STP has been enabled participate in STP Active UNIs and ENIs on which STP is not enabled are always in the forwarding state In this overview STP ports can ...

Page 311: ... timers When a switch receives a configuration BPDU that contains superior information lower bridge ID lower path cost and so forth it stores the information for that port If this BPDU is received on the root port of the switch the switch also forwards it with an updated message to all attached LANs for which it is the designated switch If a switch receives a configuration BPDU that contains infer...

Page 312: ... bridge ID As shown in Table 14 1 the two bytes previously used for the switch priority are reallocated into a 4 bit priority value and a 12 bit extended system ID value equal to the VLAN ID Spanning tree uses the extended system ID the switch priority and the allocated spanning tree MAC address to make the bridge ID unique for each VLAN Support for the extended system ID affects how you manually ...

Page 313: ... ENIs in the default STP mode disabled are also in forwarding state but you can enable STP on an ENI A port participating in spanning tree moves through these states From initialization to blocking From blocking to listening or to disabled From listening to learning or to disabled From learning to forwarding or to disabled From forwarding to disabled Figure 14 1 illustrates how an interface moves ...

Page 314: ...d Blocking State A Layer 2 interface in the blocking state does not participate in frame forwarding After initialization a BPDU is sent to each switch interface or to each switch STP port A switch initially functions as the root until it exchanges BPDUs with other switches This exchange establishes which switch in the network is the root or root switch If there is only one switch in the network no...

Page 315: ...te A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree An interface in the disabled state is nonoperational A disabled interface performs these functions Discards frames received on the interface Discards frames switched from another interface for forwarding Does not learn addresses Does not receive BPDUs How a Switch or Port Becomes the Root ...

Page 316: ...port to a higher priority lower numerical value than the root port the Gigabit Ethernet port becomes the new root port Spanning Tree and Redundant Connectivity You can create a redundant backbone with spanning tree by connecting two switch interfaces that are participating in spanning tree to another device or to two different devices as shown in Figure 14 3 Spanning tree automatically disables on...

Page 317: ...N basis A spanning tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch Spanning Tree Modes and Protocols The switch NNIs and ENIs with STP enabled support these spanning tree modes and protocols PVST This spanning tr...

Page 318: ...witched network For more information see Chapter 15 Configuring MSTP For information about the number of supported spanning tree instances see the next section Supported Spanning Tree Instances In PVST or rapid PVST mode the switch supports up to 128 spanning tree instances In MSTP mode the switch supports up to 65 MST instances The number of VLANs that can be mapped to a particular MST instance i...

Page 319: ... all PVST or rapid PVST information is maintained by Cisco switches separated by a cloud of non Cisco 802 1Q switches The non Cisco 802 1Q cloud separating the Cisco switches is treated as a single trunk link between the switches PVST is automatically enabled on IEEE 802 1Q trunks and no user configuration is required The external spanning tree behavior on access ports is not affected by PVST For ...

Page 320: ...anning tree instance can break loops Therefore spanning tree must be running on enough switches to break all the loops in the network for example at least one switch on each loop in the VLAN must be running spanning tree It is not absolutely necessary to run spanning tree on all switches in the VLAN However if you are running spanning tree only on a minimal set of switches an incautious change to ...

Page 321: ...ce is created The switch supports PVST rapid PVST and MSTP but only one version can be active at any time For example all VLANs run PVST all VLANs run rapid PVST or all VLANs run MSTP For information about the different spanning tree modes and how they interoperate see the Spanning Tree Interoperability and Backward Compatibility section on page 14 10 Caution Loop guard works only on point to poin...

Page 322: ...cal interface is a UNI before attempting to configure it as a spanning tree link you must enter the port type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port See Enabling Spanning Tree on an ENI section on page 14 13 If the interface is a VLAN only ports with spanning tree enabled in the VLAN will run spanning tree If the interface is a port...

Page 323: ...ge ID consisting of the switch priority and the switch MAC address is associated with each instance For each VLAN the switch with the lowest bridge ID becomes the root switch for that VLAN To configure a switch to become the root for the specified VLAN use the spanning tree vlan vlan id root global configuration command to modify the switch priority from the default value 32768 to a significantly ...

Page 324: ...that you avoid manually configuring the hello time forward delay time and maximum age time through the spanning tree vlan vlan id hello time spanning tree vlan vlan id forward time and the spanning tree vlan vlan id max age global configuration commands Beginning in privileged EXEC mode follow these steps to configure a switch to become the root for the specified VLAN This procedure is optional To...

Page 325: ...rwarding state You can assign higher priority values lower numerical values to ports that you want selected first and lower priority values higher numerical values to ones that you want selected last If all spanning tree ports have the same priority value spanning tree puts the port with the lowest interface number in the forwarding state and blocks the other interfaces Command Purpose Step 1 conf...

Page 326: ...with spanning tree enabled in the VLAN will run spanning tree If the interface is a port channel all members of the port channel must be NNIs or ENIs with spanning tree enabled Step 3 spanning tree port priority priority Configure the port priority for the spanning tree port For priority the range is 0 to 240 in increments of 16 the default is 128 Valid values are 0 16 32 48 64 80 96 112 128 144 1...

Page 327: ... global configuration mode Step 2 interface interface id Specify an interface to configure and enter interface configuration mode Valid interfaces include physical NNIs or ENIs with STP enabled and port channel logical interfaces port channel port channel number that contain only NNIs or STP enabled ENIs Step 3 spanning tree cost cost Configure the cost for an interface If a loop occurs spanning t...

Page 328: ...g tree vlan vlan id root secondary global configuration commands to modify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority of a VLAN This procedure is optional To return to the default setting use the no spanning tree vlan vlan id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 329: ...nfiguration command Table 14 4 Spanning Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches Forward delay timer Controls how long each of the listening and learning states last before the STP port begins forwarding Maximum age timer Controls the amount of time the switch stores protocol information received on an STP port Command P...

Page 330: ... listening states to the forwarding state For vlan id you can specify a single VLAN identified by VLAN ID number a range of VLANs separated by a hyphen or a series of VLANs separated by a comma The range is 1 to 4094 For seconds the range is 4 to 30 the default is 15 Step 3 end Return to privileged EXEC mode Step 4 show spanning tree vlan vlan id Verify your entries Step 5 copy running config star...

Page 331: ...n about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 14 5 Commands for Displaying Spanning Tree Status Command Purpose show spanning tree active Displays spanning tree information only on active spanning tree interfaces show spanning tree detail Displays a detailed summary of interface information show spanning tree interface in...

Page 332: ...14 24 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 14 Configuring STP Displaying the Spanning Tree Status ...

Page 333: ...itial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network This deployment provides the highly available network required in a service provider environment When the switch is in the MST mode the Rapid Spanning Tree Protocol RSTP which is based on IEEE 802 1w is automatically enabled The RSTP provides rapid convergence of the spanning tree through explicit han...

Page 334: ...region by using the spanning tree mst configuration global configuration command after which the switch enters the MST configuration mode From this mode you can map VLANs to an MST instance by using the instance MST configuration command specify the region name by using the name MST configuration command and set the revision number by using the revision MST configuration command A region can have ...

Page 335: ...dge ID and path cost to the CST root The IST master also is the CST root if there is only one region within the network If the CST root is outside the region one of the MSTP switches at the boundary of the region is selected as the IST master When an MSTP switch initializes it sends BPDUs claiming itself as the root of the CST and the IST master with both of the path costs to the CST root and to t...

Page 336: ...ST instance sends and receives BPDUs and MST instances add their spanning tree information into the BPDUs to interact with neighboring switches and compute the final spanning tree topology Because of this the spanning tree parameters related to BPDU transmission for example hello time forward time max age and max hops are configured only on the CST instance but affect all MST instances Parameters ...

Page 337: ...vant to the IST instance 0 Table 15 1 compares the IEEE standard and the Cisco prestandard terminology Hop Count The IST and MST instances do not use the message age and maximum age information in the configuration BPDU to compute the spanning tree topology Instead they use the path cost to the root and a hop count mechanism similar to the IP time to live TTL mechanism By using the spanning tree m...

Page 338: ... as a boundary port This means a port cannot receive a mix of internal and external messages An MST region includes both switches and LANs A segment belongs to the region of its designated port Therefore a port in a different region than the designated port for a segment is a boundary port This definition allows two ports internal to a region to share a segment with a port belonging to a different...

Page 339: ...standard switches can fail you can use an interface configuration command to identify prestandard ports A region cannot be formed between a standard and a prestandard switch but they can interoperate by using the CIST Only the capability of load balancing over different instances is lost in that particular case The CLI displays different flags depending on the port configuration when a port receiv...

Page 340: ...ersion set to 0 it sends only IEEE 802 1D BPDUs on that port An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU an MSTP BPDU Version 3 associated with a different region or an RSTP BPDU Version 2 However the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802 1D BPDUs because it cannot detect whether the lega...

Page 341: ...ed switch is attached to the LAN is called the designated port Alternate port Offers an alternate path toward the root switch to that provided by the current root port Backup port Acts as a backup for the path provided by a designated port toward the leaves of the spanning tree A backup port can exist only when two ports are connected together in a loopback by a point to point link or when a switc...

Page 342: ...h a point to point link and all of the ports are in the blocking state Assume that the priority of Switch A is a smaller numerical value than the priority of Switch B Switch A sends a proposal message a configuration BPDU with the proposal flag set to Switch B proposing itself as the designated switch After receiving the proposal message Switch B selects as its new root port the port from which th...

Page 343: ...TP port is in the forwarding state and is not configured as an edge port it transitions to the blocking state when the RSTP forces it to synchronize with new root information In general when the RSTP forces a port to synchronize with root information and the port does not satisfy any of the above conditions its port state is set to blocking After ensuring all of the ports are synchronized the swit...

Page 344: ...ch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN The port role in the proposal message is always set to the designated port The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal The port role in the agreement message is always set to the root port 2 Block 9 Forward 1 Proposal 4 Agreement 6 Proposal Root port Des...

Page 345: ... path cost and so forth than currently stored for the port with a designated port role it immediately replies with its own information Topology Changes This section describes the differences between the RSTP and the IEEE 802 1D in handling spanning tree topology changes Detection Unlike IEEE 802 1D in which any transition between the blocking and the forwarding state causes a topology change only ...

Page 346: ... 14 MSTP Configuration Guidelines page 15 15 Specifying the MST Region Configuration and Enabling MSTP page 15 16 required Configuring the Root Switch page 15 17 optional Configuring a Secondary Root Switch page 15 18 optional Configuring Port Priority page 15 19 optional Configuring Path Cost page 15 21 optional Configuring the Switch Priority page 15 22 optional Configuring the Hello Time page 1...

Page 347: ...mmended trunk port configuration see the Interaction with Other Features section on page 11 16 You can manually configure the MST configuration region name revision number and VLAN to instance mapping on each switch within the MST region by using the command line interface CLI or through the SNMP support For load balancing across redundant paths in the network to work all VLAN to instance mapping ...

Page 348: ...range the range is 1 to 4094 When you map VLANs to an MST instance the mapping is incremental and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped To specify a VLAN range use a hyphen for example instance 1 vlan 1 63 maps VLANs 1 through 63 to MST instance 1 To specify a VLAN series use a comma for example instance 1 vlan 10 20 30 maps VLANs 10 ...

Page 349: ...es the root switch To configure a switch to become the root use the spanning tree mst instance id root global configuration command to modify the switch priority from the default value 32768 to a significantly lower value so that the switch becomes the root switch for the specified spanning tree instance When you enter this command the switch checks the switch priorities of the root switches Becau...

Page 350: ... switch fails This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch You can execute this command on more than one switch to configure multiple backup root switches Use the same network diameter and hello time values that you used when you configured the primary root switch with the spanning tree mst instance i...

Page 351: ... Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id root secondary diameter net diameter hello time seconds Configure a switch as the secondary root switch For instance id you can specify a single instance a range of instances separated by a hyphen or a series of instances separated by a comma The range is 0 to 4094 Optional For diameter net diameter spe...

Page 352: ...f a physical interface is a UNI before attempting to configure MST port priority you must enter the port type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port See Enabling Spanning Tree on an ENI section on page 14 13 If the interface is a VLAN only ports with spanning tree enabled in the VLAN will run spanning tree If the interface is a port...

Page 353: ...ort channel range is 1 to 48 Note If a physical interface is a UNI before attempting to configure MST port priority you must enter the port type nni interface configuration command or configure the port as an ENI and enable spanning tree on the port See Enabling Spanning Tree on an ENI section on page 14 13 If the interface is a VLAN only ports with spanning tree enabled in the VLAN will run spann...

Page 354: ...ify the switch priority Beginning in privileged EXEC mode follow these steps to configure the switch priority This procedure is optional To return the switch to its default setting use the no spanning tree mst instance id priority global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst instance id priority priority Configure t...

Page 355: ... This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst hello time seconds Configure the hello time for all MST instances The hello time is the interval between the generation of configuration messages by the root switch These messages mean that the switch is alive For seconds the range is 1 to 10 the default is 2 Step 3 end Re...

Page 356: ... Purpose Step 1 configure terminal Enter global configuration mode Step 2 spanning tree mst max age seconds Configure the maximum aging time for all MST instances The maximum aging time is the number of seconds a switch waits without receiving spanning tree configuration messages before attempting a reconfiguration For seconds the range is 6 to 40 the default is 20 Step 3 end Return to privileged ...

Page 357: ...estandard and IEEE 802 1s standard compliant devices By default ports can automatically detect prestandard devices but they can still receive both standard and prestandard BPDUs When there is a mismatch between a device and its neighbor only the CIST runs on the interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an interface to...

Page 358: ...the switch to which it is connected has joined the region To restart the protocol migration process force the renegotiation with neighboring switches on the switch use the clear spanning tree detected protocols privileged EXEC command To restart the protocol migration process on a specific interface use the clear spanning tree detected protocols interface interface id privileged EXEC command Comma...

Page 359: ...r keywords for the show spanning tree privileged EXEC command see the command reference for this release Table 15 5 Commands for Displaying MST Status Command Purpose show spanning tree mst configuration Displays the MST region configuration show spanning tree mst configuration digest Displays the MD5 digest included in the current MSTCI show spanning tree mst instance id Displays MST information ...

Page 360: ...15 28 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 15 Configuring MSTP Displaying the MST Configuration and Status ...

Page 361: ...he switch do not participate in STP UNIs and ENIs on which STP is not enabled immediately forward traffic when they are brought up For information on configuring the PVST and rapid PVST see Chapter 14 Configuring STP For information about the Multiple Spanning Tree Protocol MSTP and how to map multiple VLANs to the same spanning tree instance see Chapter 15 Configuring MSTP Note For complete synta...

Page 362: ...rotocol data units BPDUs An STP port with Port Fast enabled goes through the normal cycle of spanning tree status changes when the switch is restarted Note Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning tree to converge it is effective only when used on STP ports connected to end stations If you enable Port Fast on an interface connecting to another swit...

Page 363: ...ltering feature can be globally enabled on the switch or can be enabled per interface but the feature operates with some differences At the global level you can enable BPDU filtering on Port Fast enabled STP ports by using the spanning tree portfast bpdufilter default global configuration command This command prevents interfaces that are in a Port Fast operational state from sending or receiving B...

Page 364: ...o the root If a switch outside the SP network becomes the root switch the interface is blocked root inconsistent state and spanning tree selects a new root switch The customer s switch does not become the root switch and is not in the path to the root If the switch is operating in multiple spanning tree MST mode root guard forces the interface to be a designated port If a boundary port is blocked ...

Page 365: ...ent on nonboundary ports only if the interface is blocked by loop guard in all MST instances On a boundary port loop guard blocks the interface in all MST instances Configuring Optional Spanning Tree Features Default Optional Spanning Tree Configuration page 16 5 Optional Spanning Tree Configuration Guidelines page 16 6 Enabling Port Fast page 16 6 optional Enabling BPDU Guard page 16 7 optional E...

Page 366: ...STP Beginning in privileged EXEC mode follow these steps to enable Port Fast This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify an STP interface to configure and enter interface configuration mode If the interface is a UNI before you enable Port Fast you must change the port type to NNI or ENI to enable STP Ent...

Page 367: ...ack in service Use the BPDU guard feature in a service provider network to prevent an access port from participating in the spanning tree Caution Configure Port Fast only on STP ports that connect to end stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network operation You also can use the spanning tree bpduguard enable interface configuration c...

Page 368: ...stations otherwise an accidental topology loop could cause a data packet loop and disrupt switch and network operation You can also use the spanning tree bpdufilter enable interface configuration command to enable BPDU filtering on any STP port without also enabling the Port Fast feature This command prevents the STP port from sending or receiving BPDUs Caution Enabling BPDU filtering on an STP po...

Page 369: ...ltering By default BPDU filtering is disabled Note Globally enabling BPDU filtering enables it only on STP ports the command has no effect on UNIs or ENIs on which STP is not enabled Step 3 interface interface id Specify the interface connected to an end station and enter interface configuration mode If the interface is a UNI before you enable Port Fast you must change the port type to NNI or ENI ...

Page 370: ... an interface This procedure is optional To disable root guard use the no spanning tree guard interface configuration command Enabling Loop Guard You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link This feature is most effective when it is configured on the entire switched network Loop guard operates only...

Page 371: ...formation about other keywords for the show spanning tree privileged EXEC command see the command reference for this release Command Purpose Step 1 show spanning tree active or show spanning tree mst Verify which interfaces are alternate or root ports Step 2 configure terminal Enter global configuration mode Step 3 spanning tree loopguard default Enable loop guard By default loop guard is disabled...

Page 372: ...16 12 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 16 Configuring Optional Spanning Tree Features Displaying the Spanning Tree Status ...

Page 373: ...pter includes these sections Understanding REP page 17 1 Configuring REP page 17 6 Monitoring REP page 17 14 Understanding REP A REP segment is a chain of ports connected to each other and configured with a segment ID Each segment consists of standard nonedge segment ports and two user configured edge ports A switch can have only two ports belonging to the same segment and each segment port can ha...

Page 374: ... with both edge ports located on the same switch is a ring segment In this configuration there is connectivity between the edge ports through the segment With this configuration you can create a redundant connection between any two switches in the segment Figure 17 2 REP Ring Segment REP segments have these characteristics If all ports in the segment are operational one port referred to as the alt...

Page 375: ...iled port within the segment multiple port failures within the REP segment cause loss of network connectivity You should configure REP only in networks with redundancy Configuring REP in a network without redundancy causes loss of connectivity Link Integrity REP does not use an end to end polling mechanism between edge ports to verify link integrity It implements local link failure detection The R...

Page 376: ...gence recovery time on fiber interfaces is less than 200 ms for the local segment with 200 VLANs configured Convergence for VLAN load balancing is 300 ms or less VLAN Load Balancing One edge port in the REP segment acts as the primary edge port the other as the secondary edge port The primary edge port always participates in VLAN load balancing in the segment REP VLAN balancing is achieved by bloc...

Page 377: ...g is configured it does not start working until triggered by either manual intervention or a link failure and recovery When VLAN load balancing is triggered the primary edge port sends a message to alert all interfaces in the segment about the preemption When the secondary port receives the message it is reflected into the network to notify the alternate port to block the set of VLANs specified in...

Page 378: ...ng all VLANs A regular segment port converted to an edge port or an edge port converted to a regular segment port does not always result in a topology change If you convert an edge port into a regular segment port VLAN load balancing is not implemented unless it has been configured For VLAN load balancing you must configure two edge ports in the segment A segment port that is reconfigured as a spa...

Page 379: ...ort based on the alternate port election mechanism REP ports must be Layer 2 trunk ports Be careful when configuring REP through a Telnet connection Because REP blocks all VLANs until another REP interface sends a message to unblock the VLAN you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the REP interface You cannot run REP and STP ...

Page 380: ...iguring the REP Administrative VLAN To avoid the delay introduced by relaying messages in software for link failure or VLAN blocking notification during load balancing REP floods packets at the hardware flood layer HFL to a regular multicast address These messages are flooded to the whole network not just the REP segment You can control flooding of these messages by configuring an administrative V...

Page 381: ... PDU rx 3322 tx 1722 HFL PDU rx 32 tx 5 BPA TLV rx 16849 tx 508 BPA STCN LSL TLV rx 0 tx 0 BPA STCN HFL TLV rx 0 tx 0 EPA ELECTION TLV rx 118 tx 118 EPA COMMAND TLV rx 0 tx 0 EPA INFO TLV rx 4214 tx 4190 Configuring REP Interfaces For REP operation you need to enable it on each segment interface and to identify the segment ID This step is required and must be done before other REP configuration Yo...

Page 382: ...n configure VLAN load balancing Note Although each segment can have only one primary edge port if you configure edge ports on two different switches and enter the primary keyword on both switches the configuration is allowed However REP selects only one of these ports as the segment primary edge port You can identify the primary edge port for a segment by entering the show rep topology privileged ...

Page 383: ...4 on page 17 5 for an example of neighbor offset numbering Note Because you enter this command at the primary edge port offset number 1 you would never enter an offset value of 1 to identify an alternate port Enter preferred to select the regular segment port previously identified as the preferred alternate port for VLAN load balancing Enter vlan vlan list to block one VLAN or a range of VLANs Ent...

Page 384: ... conf if end This example shows how to configure the same configuration when the interface has no external REP neighbor Switch configure terminal Switch conf interface gigabitethernet0 1 Switch conf if rep segment 1 edge no neighbor primary Switch conf if rep stcn segment 2 5 Switch conf if rep block port 0009001818D68700 vlan all Switch conf if rep preempt delay 60 Switch conf if rep lsl age time...

Page 385: ...o send REP specific traps to notify the SNMP server of link operational status changes and port role changes Beginning in privileged EXEC mode follow these steps to configure REP traps To remove the trap enter the no snmp mib rep trap rate global configuration command This example configures the switch to send REP traps at a rate of 10 per second Switch config snmp mib rep trap rate 10 Command Pur...

Page 386: ...mmands in Table 17 1to monitor REP Table 17 1 REP Monitoring Commands Command Purpose show interface interface id rep detail Displays REP configuration and status for a specified interface or for all interfaces show rep topology segment segment_id archive detail Displays REP topology information for a segment or for all segments including the primary and secondary edge ports in the segment ...

Page 387: ...C Address Table Move Update page 18 1 Configuring Flex Links and MAC Address Table Move Update page 18 7 Monitoring Flex Links and the MAC Address Table Move Update page 18 14 Understanding Flex Links and the MAC Address Table Move Update Flex Links page 18 1 VLAN Flex Link Load Balancing and Support page 18 2 Flex Link Multicast Fast Convergence page 18 3 MAC Address Table Move Update page 18 6 F...

Page 388: ... up it goes into standby mode and does not forward traffic port 2 continues forwarding traffic You can also choose to configure a preemption mechanism specifying the preferred port for forwarding traffic In Figure 18 1 for example you can configure the Flex Link pair with preemption mode so that after port 1 comes back up in the scenario if it has greater bandwidth than port 2 port 1 begins forwar...

Page 389: ... ports are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port Both Flex Link ports are always part of multicast groups Though both Flex Link ports are part of the groups in normal operation mode all traffic on the backup port is blocked So the normal multicast data flow is not affected by the addition of the backup port as an mrouter port When the changeover hap...

Page 390: ...ast fast convergence command When this feature has been enabled at changeover the switch does not generate the proxy reports on the backup port which became the forwarding port Configuration Examples This configuration example shows learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet 0 11 and GigabitEthernet 0 12 The example shows the output for th...

Page 391: ... proxy reports for the groups 228 1 5 1 and 228 1 5 2 on behalf of the host The upstream router learns the groups and starts forwarding multicast data This is the default behavior of Flex Link This behavior changes when the user configures fast convergence using the switchport backup interface gigabitEthernet 0 12 multicast fast convergence command This example shows turning on this feature Switch...

Page 392: ...D through a Flex Link pair Port 1 is forwarding traffic and port 2 is in the backup state Traffic from the PC to the server is forwarded from port 1 to port 3 The MAC address of the PC has been learned on port 3 of switch C Traffic from the server to the PC is forwarded from port 3 to port 1 If the MAC address table move update feature is not configured and port 1 goes down port 2 starts forwardin...

Page 393: ... 7 Configuration Guidelines page 18 8 Configuring Flex Links page 18 8 Configuring VLAN Load Balancing on Flex Links page 18 10 Configuring the MAC Address Table Move Update Feature page 18 12 Default Configuration The Flex Links are not configured and there are no backup interfaces defined The preemption mode is off The preemption delay is 35 seconds Flex Link VLAN load balancing is not configure...

Page 394: ... standby link begins to forward traffic STP is disabled on Flex Link ports If STP is configured on the switch Flex Links do not participate in STP in all VLANs in which STP is configured With STP not running be sure that there are no loops in the configured topology Note STP is available only on NNIs or ENIs Follow these guidelines to configure VLAN load balancing on the Flex Links feature For Fle...

Page 395: ...her interface is in standby mode Step 5 end Return to privileged EXEC mode Step 6 show interface interface id switchport backup Verify the configuration Step 7 copy running config startup config Optional Save your entries in the switch startup configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the inter...

Page 396: ... these steps to configure VLAN load balancing on Flex Links Step 6 switchport backup interface interface id preemption delay delay time Configure the time delay until a port preempts another port Note Setting a delay time only works with forced and bandwidth modes Step 7 end Return to privileged EXEC mode Step 8 show interface interface id switchport backup Verify the configuration Step 9 copy run...

Page 397: ...Flex Link pair Switch show interfaces switchport backup Switch Backup Interface Pairs Active Interface Backup Interface State GigabitEthernet0 6 GigabitEthernet0 8 Active Down Backup Up Vlans Preferred on Active Interface 1 50 Vlans Preferred on Backup Interface 60 100 120 When a Flex Link interface comes up VLANs preferred on this interface are blocked on the peer interface and moved to the forwa...

Page 398: ...tion mode The interface can be a physical Layer 2 interface or a port channel logical interface The port channel range is 1 to 48 Step 3 no shutdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 switchport backup interface interface id or switchport backup interface interface id mmu primary vlan vlan id Configure a physical Layer 2 interface or port...

Page 399: ...face Po2 Rcv last src mac address 000b 462d c502 Rcv last switch ID 0403 fd6a 8700 Xmt packet count 0 Xmt packet count this min 0 Xmt threshold exceed count 0 Xmt pak buf unavail cnt 0 Xmt last interface None Beginning in privileged EXEC mode follow these steps to configure a switch to get and process MAC address table move update messages To disable the MAC address table move update feature use t...

Page 400: ...te Table 18 1 shows the privileged EXEC command for monitoring Flex Link configuration Table 18 1 Flex Link Monitoring Command Command Purpose show interface interface id switchport backup Displays the Flex Link backup interface configured for an interface or displays all Flex Links configured on the switch and the state of each active and backup interface up or standby mode show mac address table...

Page 401: ...Information page 19 15 Understanding DHCP Server Port Based Address Allocation page 19 15 Configuring DHCP Server Port Based Address Allocation page 19 15 Displaying DHCP Server Port Based Address Allocation page 19 18 Understanding IP Source Guard page 19 18 Configuring IP Source Guard page 19 19 Displaying IP Source Guard Information page 19 22 Understanding DHCP Features DHCP is widely used in ...

Page 402: ...CP Snooping Information section on page 19 15 DHCP snooping acts like a firewall between untrusted hosts and DHCP servers You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch Note For DHCP snooping to function properly all DHCP servers must be connected to the switch through trusted inter...

Page 403: ... ip dhcp snooping information option allowed trust global configuration command the aggregation switch accepts packets with option 82 information from the edge switch The aggregation switch learns the bindings for hosts connected through an untrusted switch interface The DHCP security features such as dynamic ARP inspection or IP source guard can still be enabled on the aggregation switch while th...

Page 404: ... server The DHCP server receives the packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the r...

Page 405: ...ts for user configured remote ID and circuit ID suboptions The switch uses these packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option format remote id global configuration command and the ip dhcp snooping vlan information option format type circuit id string interface configuration command The values for these fields in the packets change from the...

Page 406: ...e in hexadecimal format the interface to which the binding applies and the VLAN to which the interface belongs The database agent stores the bindings in a file at a configured location At the end of each entry is a checksum value that accounts for all the bytes associated with the entry Each entry is 72 bytes followed by a space and then the checksum value To keep the bindings when the switch relo...

Page 407: ...le of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 0003 47d8 c91f 2BB6488E Fa1 0 4 21ae5fbb 192 1 168 3 3 0003 44d6 c52f 2BB648EB Fa1 0 4 1bdb223f 192 1 168 2 3 0003 47d9 c8f1 2BB648AB Fa1 0 4 584a38f0 END When the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries from the binding file and adds the bindings to its ...

Page 408: ... switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client DHCP packet forwarding address None configured Checking the relay agent information Enabled invalid messages are dropped 2 DHCP relay agent forwarding policy Replace the existing relay agent information2 DHCP snooping enabled globally Disabled DHCP snooping information option Enabled D...

Page 409: ...t supported If a switch port is connected to a DHCP server configure a port as trusted by entering the ip dhcp snooping trust interface configuration command If a switch port is connected to a DHCP client configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command Follow these guidelines when configuring the DHCP snooping binding database Because both NV...

Page 410: ... clients are on different networks or subnets and the switch is running the metro IP access image you must configure the switch with the ip helper address address interface configuration command The general rule is to configure the command on the Layer 3 interface closest to the client The address used in the ip helper address command can be a specific DHCP server IP address or it can be the netwo...

Page 411: ...n to global configuration mode Step 6 interface range port range or interface interface id Configure multiple physical ports that are connected to the DHCP clients and enter interface range configuration mode or Configure a single physical port that is connected to the DHCP client and enter interface configuration mode Step 7 no shutdown Enable the interface s if necessary By default user network ...

Page 412: ...ing DHCP snooping packets with option 82 information from the edge switch The default is disabled Note You must enter this command only on aggregation switches that are connected to trusted devices Step 7 interface interface id Specify the interface to be configured and enter interface configuration mode Step 8 no shutdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs...

Page 413: ...If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN the configuration for the secondary VLAN does not take effect You must configure DHCP snooping on the primary VLAN If DHCP snooping is not configured on the primary VLAN this message appears when you are configuring DHCP snooping on the secondary VLAN such as VLAN ...

Page 414: ...st filename http username password hostna me host ip directory image name tar rcp user host filename tftp host filename Specify the URL for the database agent or the binding file by using one of these forms flash filename ftp user password host filename http username password hostname host ip directory image name tar rcp user host filename tftp host filename Step 3 ip dhcp snooping database timeou...

Page 415: ...t port The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet Clients that do not include the client identifier option are identified by the client hardware address When you configure this feature the port name of the interface overrides the client identifier or hardware address and the actual point of connection the switch port becomes the client identifier I...

Page 416: ...d EXEC mode follow these steps to globally enable port based address allocation and to automatically generate a subscriber identifier on an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip dhcp use subscriber id client id Configure the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages Step 3 ip ...

Page 417: ...HCP messages and uses the subscriber identifier instead The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10 1 1 7 switch show running config Building configuration Current configuration 4899 bytes version 12 2 hostname switch no aaa new model clock timezone EST 0 ip subnet zero ip dhcp relay information policy removal pad no ip dhcp use vr...

Page 418: ... allocation information use one or more of the privileged EXEC commands in Table 19 3 Understanding IP Source Guard IP source guard is a security feature that restricts IP traffic on nonrouted Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings You can use IP source guard to prevent traffic attacks caused when a host tri...

Page 419: ...n interface the switch modifies the port ACL using the IP source binding changes and re applies the port ACL to the interface If you enable IP source guard on an interface on which IP source bindings dynamically learned by DHCP snooping or manually configured are not configured the switch creates and applies a port ACL that denies all IP traffic on the interface If you disable IP source guard the ...

Page 420: ... and MAC address filtering is enabled DHCP snooping and port security must be enabled on the interface You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82 When IP source guard is enabled with MAC address filtering the DHCP host MAC address is not learned until the host is granted a lease When forwarding packets...

Page 421: ...ering Enable IP source guard with source IP and MAC address filtering Note When you enable both IP Source Guard and Port Security by using the ip verify source port security interface configuration command there are two caveats The DHCP server must support option 82 or the client is not assigned an IP address The MAC address in the DHCP packet is not learned as a secure address The MAC address of ...

Page 422: ...mation Displaying IP Source Guard Information To display the IP source guard information use one or more of the privileged EXEC commands in Table 19 4 Table 19 4 Commands for Displaying IP Source Guard Information Command Purpose show ip source binding Display the IP source bindings on a switch show ip verify source Display the IP source guard configuration on the switch ...

Page 423: ... For example Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A All hosts within the broadcast domain receive the ARP request and Host A responds with its MAC address However because ARP allows a gratu...

Page 424: ...pection ensures that only valid ARP requests and responses are relayed The switch performs these activities Intercepts all ARP requests and responses on untrusted ports Verifies that each of these intercepted packets has a valid IP to MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination Drops invalid ARP packets Dynamic ARP inspecti...

Page 425: ...r connected to Switch A only Switch A binds the IP to MAC address of Host 1 Therefore if the interface between Switch A and Switch B is untrusted the ARP packets from Host 1 are dropped by Switch B Connectivity between Host 1 and Host 2 is lost Figure 20 2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection Configuring interfaces to be trusted when they are actually untrusted leaves...

Page 426: ...ion information see the Limiting the Rate of Incoming ARP Packets section on page 20 10 Relative Priority of ARP ACLs and DHCP Snooping Entries Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP to MAC address bindings ARP ACLs take precedence over entries in the DHCP snooping binding database The switch uses ACLs only if you configure them by using the ip arp ...

Page 427: ...amic ARP Inspection Configuration Guidelines Dynamic ARP inspection is an ingress security feature it does not perform any egress checking Table 20 1 Default Dynamic ARP Inspection Configuration Feature Default Setting Dynamic ARP inspection Disabled on all VLANs Interface trust state All interfaces are untrusted Rate limit of incoming ARP packets The rate is 15 pps on untrusted interfaces assumin...

Page 428: ...quently the trust state of the first physical port need not match the trust state of the channel Conversely when you change the trust state on the port channel the switch configures a new trust state on all the physical ports that comprise the channel The operating rate for the port channel is cumulative across all the physical ports within the channel For example if you configure the port channel...

Page 429: ...see Chapter 19 Configuring DHCP Features and IP Source Guard For information on how to configure dynamic ARP inspection when only one switch supports the feature see the Configuring ARP ACLs for Non DHCP Environments section on page 20 8 Beginning in privileged EXEC mode follow these steps to configure dynamic ARP inspection You must perform this procedure on both switches This procedure is requir...

Page 430: ... 2 is not static it is impossible to apply the ACL configuration on Switch A you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them Step 6 ip arp inspection trust Configure the connection between the switches as trusted By default all interfaces are untrusted The switch does not check ARP packets that it receives from the other switch on the trusted inte...

Page 431: ...on page 20 12 Step 4 exit Return to global configuration mode Step 5 ip arp inspection filter arp acl name vlan vlan range static Apply the ARP ACL to the VLAN By default no defined ARP ACLs are applied to any VLAN For arp acl name specify the name of the ACL created in Step 2 For vlan range specify the VLAN that the switches and hosts are in You can specify a single VLAN identified by VLAN ID num...

Page 432: ...r disabled recovery so that ports automatically emerge from this state after a specified timeout period Note Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ...

Page 433: ...tdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 ip arp inspection limit rate pps burst interval seconds none Limit the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second The keywords have these meanings For rate pps spe...

Page 434: ...er global configuration mode Step 2 ip arp inspection validate src mac dst mac ip Perform a specific check on incoming ARP packets By default no checks are performed The keywords have these meanings For src mac check the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with diffe...

Page 435: ... ARP inspection logging buffer By default when dynamic ARP inspection is enabled denied or dropped ARP packets are logged The number of log entries is 32 The number of system messages is limited to 5 per second The logging rate interval is 1 second The keywords have these meanings For entries number specify the number of entries to be logged in the buffer The range is 0 to 1024 For logs number int...

Page 436: ...Ns separated by a comma The range is 1 to 4094 For acl match matchlog log packets based on the ACE logging configuration If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access list configuration command ARP packets permitted or denied by the ACL are logged For acl match none do not log packets that match ACLs For dhcp bindings all log all packets t...

Page 437: ...ivileged EXEC commands in Table 20 4 For more information about these commands see the command reference for this release Table 20 3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics Command Description clear ip arp inspection statistics Clears dynamic ARP inspection statistics show ip arp inspection statistics vlan vlan range Displays statistics for forwarded dropped MAC valid...

Page 438: ...20 16 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 20 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 439: ...5 Configuring MVR page 21 18 Displaying MVR Information page 21 23 Configuring IGMP Filtering and Throttling page 21 23 Displaying IGMP Filtering and Throttling Configuration page 21 28 Note You can either manage IP multicast group addresses through features such as IGMP snooping and MVR or you can use static IP addresses Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constr...

Page 440: ...ed and IGMP snooping learned settings You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed For more information about the IGMP snooping querier see the Configuring the IGMP Snooping Querier section on page 21 12 If a port spanning tree a port group or a VLAN ID change occurs the IGMP sno...

Page 441: ...r it forwards the query to all ports in the VLAN IGMP Version 1 or Version 2 hosts wanting to join the multicast group respond by sending a join message to the switch The switch CPU creates a multicast forwarding table entry for the group if it is not already present The CPU also adds the interface where the join message was received to the forwarding table entry The host associated with that inte...

Page 442: ...because the forwarding table directs IGMP messages to only the CPU the message is not flooded to other ports on the switch Any known multicast traffic is forwarded to the group and not to the CPU Figure 21 2 Second Host Joining a Multicast Group Multicast capable router ports are added to the forwarding table for every Layer 2 multicast entry The switch learns of such ports through one of these me...

Page 443: ...sion 2 hosts The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group specific queries to the interface The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message Immediate Leave ensures optimal bandwidth management for all hosts on a switched ...

Page 444: ... IGMP reports are forwarded to the multicast routers For configuration steps see the Disabling IGMP Report Suppression section on page 21 14 Configuring IGMP Snooping IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content Default IGMP Snooping Configuration page 21 6 Enabling or Disabling IGMP Snooping page 21 7 Configuring a Multicast Router Por...

Page 445: ...rface To disable IGMP snooping on a VLAN interface use the no ip igmp snooping vlan vlan id global configuration command for the specified VLAN number Configuring a Multicast Router Port To add a multicast router port add a static connection to a multicast router use the ip igmp snooping vlan mrouter global configuration command on the switch Note Static connections to multicast routers are suppor...

Page 446: ... Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip igmp snooping vlan vlan id mrouter interface interface id Specify the multicast router VLAN ID and the interface to the multicast router The VLAN ID range is 1 to 1001 and 1006 to 4094 The interface can be a physical interface or a port channel The port channel range is 1 to 48 Step 3 end Return to privileged EXEC...

Page 447: ...mediate Leave on VLAN 130 Switch configure terminal Switch config ip igmp snooping vlan 130 immediate leave Switch config end Configuring the IGMP Leave Timer Follow these guidelines when configuring the IGMP leave timer You can configure the leave time globally or on a per VLAN basis Configuring the leave time on a VLAN overrides the global setting The default leave time is 1000 milliseconds The ...

Page 448: ...ries for which multicast data traffic is flooded after a TCN event Some examples of TCN events are the client changed its location and the receiver is on same port that was blocked but is now forwarding and a port went down without sending a leave message If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command the flooding stops after receiving one gen...

Page 449: ...the no ip igmp snooping tcn query solicit global configuration command Disabling Multicast Flooding During a TCN Event When the switch receives a TCN multicast traffic is flooded to all the ports until two general queries are received If the switch has many ports with attached hosts that are subscribed to different multicast groups the flooding might exceed the capacity of the link and cause packe...

Page 450: ...w ip interface privileged EXEC command The IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch The IGMP snooping querier supports IGMP Versions 1 and 2 When administratively enabled the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network When it is administratively enab...

Page 451: ...querier Step 3 ip igmp snooping querier ip_address Optional Specify an IP address for the IGMP snooping querier If you do not specify an IP address the querier tries to use the global IP address configured for the IGMP querier Note The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch Step 4 ip igmp snooping querier query interval interval ...

Page 452: ... entries for a VLAN configured for IGMP snooping To display IGMP snooping information use one or more of the privileged EXEC commands in Table 21 4 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no ip igmp snooping report suppression Disable IGMP report suppression Step 3 end Return to privileged EXEC mode Step 4 show ip igmp snooping Verify that IGMP report suppr...

Page 453: ...led MVR reacts only to join and leave messages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping show ip igmp snooping groups vlan vlan id ip_address count dynamic count user count Display multicast table information for a multicast VLAN or about a specific parameter for the VLAN vlan id The VLAN ID range is 1 to 1001 an...

Page 454: ... data and client ports that the MVR hosts have joined either by IGMP reports or by MVR static configuration Any IGMP reports received from MVR hosts are also forwarded from all the MVR data ports in the switch This eliminates using unnecessary bandwidth on MVR data port links which occurs when the switch runs in compatible mode Only Layer 2 ports take part in MVR You must configure ports as MVR re...

Page 455: ...mbership reports If no reports are received in a configured time period the receiver port is removed from multicast group membership With Immediate Leave an IGMP query is not sent from the receiver port on which the IGMP leave was received As soon as the leave message is received the receiver port is removed from multicast group membership which speeds up leave latency Enable the Immediate Leave f...

Page 456: ...s page 21 18 Configuring MVR Global Parameters page 21 19 Configuring MVR on Access Ports page 21 20 Configuring MVR on Trunk Ports page 21 22 Default MVR Configuration Table 21 5 shows the default MVR configuration MVR Configuration Guidelines and Limitations Receiver ports on a switch can be in different VLANs but they should not belong to the multicast VLAN Trunk ports or access ports can be co...

Page 457: ...omplete syntax and usage information for the commands used in this section see the command reference for this release Beginning in privileged EXEC mode follow these steps to configure MVR parameters Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mvr Enable MVR on the switch Step 3 mvr group ip address count Configure an IP multicast address on the switch or use th...

Page 458: ...ivileged EXEC command to verify the MVR multicast group addresses on the switch Configuring MVR on Access Ports Note For more information about access and trunk ports see Chapter 9 Configuring Interfaces Beginning in privileged EXEC mode follow these steps to configure Layer 2 MVR interfaces on access ports Step 7 end Return to privileged EXEC mode Step 8 show mvr or show mvr members Verify the co...

Page 459: ... subscriber port and should only receive multicast data It does not receive data unless it becomes a member of the multicast group either statically or by using IGMP leave and join messages Receiver ports cannot belong to the multicast VLAN The default configuration is as a non MVR port If you attempt to configure a non MVR port with MVR characteristics the operation fails Step 6 mvr vlan vlan id ...

Page 460: ...guration mode Step 2 mvr Enable MVR on the switch Step 3 interface interface id Enter the Layer 2 port to configure and enter interface configuration mode Step 4 switchport mode trunk Set trunking mode to TRUNK unconditionally Note When you are configuring a trunk port as an MVR receiver port we recommend that the source port is configured as a network node interface NNI and the MVR trunk receiver...

Page 461: ...opped and the port is not allowed to receive IP multicast traffic from that group If the filtering action permits access to the multicast group the IGMP report from the port is forwarded for normal processing You can also set the maximum number of IGMP groups that a Layer 2 interface can join Table 21 6 Commands for Displaying MVR Information Command Purpose show mvr Displays MVR status and values...

Page 462: ...P join report you can configure an interface to drop the IGMP report or to replace the randomly selected multicast entry with the received IGMP report Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering These sections contain this configuration information Default IGMP Filtering and Throttling Configuration page 21 24 Configuring IGMP Profiles page 21 25 option...

Page 463: ...multicast address or range of IP multicast addresses use the no range ip multicast address IGMP profile configuration command This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and how to verify the configuration If the action was to deny the default it would not appear in the show ip igmp profile output display Switch config ip igmp profile 4 Switch...

Page 464: ... Maximum Number of IGMP Groups You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp max groups interface configuration command Use the no form of this command to set the maximum back to the default which is no limit This restriction can be applied to Layer 2 ports only you cannot set a maximum number of IGMP groups on routed ports or SVIs You can use...

Page 465: ...place command has no effect If you configure the throttling action and set the maximum group limitation after an interface has added multicast entries to the forwarding table the forwarding table entries are either aged out or removed depending on the throttling action If you configure the throttling action as deny the entries that were previously in the forwarding table are not removed but are ag...

Page 466: ...file characteristics and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the physical interf...

Page 467: ...1 8 Commands for Displaying IGMP Filtering and Throttling Configuration Command Purpose show ip igmp profile profile number Displays the specified IGMP profile or all the IGMP profiles defined on the switch show running config interface interface id Displays the configuration of the specified interface or the configuration of all interfaces on the switch including if configured the maximum number ...

Page 468: ...21 30 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 21 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration ...

Page 469: ... Default Storm Control Configuration page 22 3 Configuring Storm Control and Threshold Levels page 22 3 Configuring Small Frame Arrival Rate page 22 5 Understanding Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicast or unicast storm on one of the physical interfaces A LAN storm occurs when packets flood the LAN creating excessive traffic and degradi...

Page 470: ...multicast traffic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF and regular multicast data traffic so both types of traffic are blocked The graph in Figure 22 1 shows broadcast traffic patterns on an interface over a given period of time The example can...

Page 471: ...cause of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Note Storm control is supported on physical interfaces You can also configure storm control on an Ethe...

Page 472: ... The range is 0 0 to 10000000000 0 Optional For bps low specify the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops below this level The range is 0 0 to 10000000000 0 For pps pps specify the rising threshold level for broadcast multicast or unicast traffic in packets per secon...

Page 473: ...e small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled If the errdisable recovery cause small frame global configuration command is entered the port is re enabled after a specified time You specify the reco...

Page 474: ...ected port does not forward any traffic unicast multicast or broadcast to any other port that is also a protected port Data traffic cannot be forwarded between protected ports at Layer 2 only control traffic such as PIM packets is forwarded because these packets are processed by the CPU and forwarded in software All data traffic passing between protected ports must be forwarded through a Layer 3 d...

Page 475: ...icast and multicast traffic is forwarded to a protected port there could be security issues To prevent unknown unicast or multicast traffic from being forwarded from one port to another you can block a port protected or nonprotected from flooding unknown unicast or multicast packets to other ports These sections contain this configuration information Default Port Blocking Configuration page 22 7 B...

Page 476: ...n you assign secure MAC addresses to a secure port the port does not forward packets with source addresses outside the group of defined addresses If you limit the number of secure MAC addresses to one and assign a single secure MAC address the workstation attached to that port is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC ad...

Page 477: ...ically configured stored only in the address table and removed when the switch restarts Sticky secure MAC addresses These can be dynamically learned or manually configured stored in the address table and added to the running configuration If these addresses are saved in the configuration file when the switch restarts the interface does not need to dynamically reconfigure them You can configure an ...

Page 478: ...rt The protect mode disables learning when any VLAN reaches its maximum limit even if the port has not reached its maximum limit restrict when the number of secure MAC addresses reaches the maximum limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum...

Page 479: ...AN only the access VLAN is assigned an IP address When you enter a maximum secure address value for an interface and the new value is greater than the previous value the new value overwrites the previously configured value If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value the command is rejected The switch does not...

Page 480: ...ic Address Resolution Protocol ARP inspection Yes Flex Links Yes Table 22 3 Port Security Compatibility with Other Switch Features continued Type of Port or Feature on Port Compatible with Port Security Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 no shutd...

Page 481: ... when a security violation is detected as one of these protect When the number of port secure MAC addresses reaches the maximum limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses You are not notified that a security violation ha...

Page 482: ...icky secure MAC addresses and are added to the running configuration Optional vlan set a per VLAN maximum value Enter one of these options after you enter the vlan keyword vlan id On a trunk port you can specify the VLAN ID and the MAC address If you do not specify a VLAN ID the native VLAN is used access On an access port specify the VLAN as an access VLAN Step 9 switchport port security mac addr...

Page 483: ...xcept those that were manually configured are deleted You must specifically delete configured secure MAC addresses from the address table by using the no switchport port security mac address mac address interface configuration command This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50 The violation mode is the default no static secure M...

Page 484: ...ace configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration mode Step 3 no shutdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 switchport port security aging static time time type absolute inactivity Enabl...

Page 485: ... private vlan promiscuous Switch config if switchport port security maximum 288 Switch config if switchport port security Switch config if switchport port security violation restrict Note Ports that have both port security and private VLANs configured can be labeled secure PVLAN ports When a secure address is learned on a secure PVLAN port the same secure address cannot be learned on another secur...

Page 486: ...s of all switching nonrouting ports or the specified port including port blocking and port protection settings show storm control interface id broadcast multicast unicast Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show port security interface interface id Displays p...

Page 487: ...ent applications can learn the device type and the Simple Network Management Protocol SNMP agent address of neighboring devices running lower layer transparent protocols This feature enables applications to send SNMP queries to neighboring devices CDP runs on all media that support Subnetwork Access Protocol SNAP Because CDP runs over the data link layer only two systems that support different net...

Page 488: ...re all optional and can be performed in any order Table 23 1 Default CDP Configuration Feature Default Setting CDP global state Enabled CDP interface state Enabled only on NNIs disabled on ENIs Note CDP is not supported on UNIs CDP timer packet update frequency 60 seconds CDP holdtime before discarding 180 seconds CDP Version 2 advertisements Enabled Command Purpose Step 1 configure terminal Enter...

Page 489: ...th connected devices Disabling CDP can interrupt device connectivity Beginning in privileged EXEC mode follow these steps to globally disable the CDP device discovery capability Beginning in privileged EXEC mode follow these steps to globally enable CDP when it has been disabled This example shows how to globally enable CDP if it has been disabled Switch configure terminal Switch config cdp run Sw...

Page 490: ...terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are disabling CDP and enter interface configuration mode Note If the interface is a UNI you must enter the port type nni or port type eni interface configuration command before configuring CDP By default CDP is enabled on NNIs and disabled on ENIs Step 3 no cdp enable Disable CDP on the interf...

Page 491: ...erisk to display all CDP neighbors or you can enter the name of the neighbor about which you want information You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device show cdp interface interface id Display information about interfaces where CDP is enabled You can limit the display to the ...

Page 492: ...23 6 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 23 Configuring CDP Monitoring and Maintaining CDP ...

Page 493: ... protocol that runs over Layer 2 the data link layer on all Cisco manufactured devices routers bridges access servers and switches CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network To support non Cisco devices and to allow for interoperability between other devices the switch supports the IEEE 802 1AB Link Layer Discov...

Page 494: ...d provides additional TLVs for capabilities discovery network policy Power over Ethernet and inventory management LLDP MED supports these TLVs LLDP MED capabilities TLV Allows LLDP MED endpoints to determine the capabilities that the connected device supports and what capabilities the device has enabled Network policy TLV Allows both network connectivity devices and endpoints to advertise VLAN con...

Page 495: ...uring LLDP and LLDP MED Default LLDP Configuration page 24 3 Configuring LLDP Characteristics page 24 4 Disabling and Enabling LLDP Globally page 24 5 Disabling and Enabling LLDP on an Interface page 24 5 Configuring LLDP MED TLVs page 24 6 Default LLDP Configuration Table 24 1 shows the default LLDP configuration To change the default settings use the LLDP global configuration and LLDP interface ...

Page 496: ...ch config lldp timer 30 Switch config end For additional LLDP show commands see the Monitoring and Maintaining LLDP and LLDP MED section on page 24 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 lldp holdtime seconds Optional Specify the amount of time a receiving device should hold the information sent by your device before discarding it The range is 0 to 65535...

Page 497: ...n Interface LLDP is disabled by default on all NNIs to send and to receive LLDP information It is disabled by default on ENIs but it can be enabled by entering the lldp transmit and lldp receive interface configuration commands LLDP is not supported on UNIs Note If the interface is configured as a tunnel port LLDP is automatically disabled Beginning in privileged EXEC mode follow these steps to di...

Page 498: ...it No LLDP packets are sent on the interface Step 4 no lldp receive No LLDP packets are received on the interface Step 5 end Return to privileged EXEC mode Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on whic...

Page 499: ...LDP MED TLVs continued LLDP MED TLV Description Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface on which you are configuring a LLDP MED TLV and enter interface configuration mode Step 3 no lldp med tlv select tlv Specify the TLV to disable Step 4 end Return to privileged EXEC mode Step 5 copy running config startup confi...

Page 500: ...ialize on an interface show lldp entry entry name Display information about a specific neighbor You can enter an asterisk to display all neighbors or you can enter the name of the neighbor about which you want information show lldp interface interface id Display information about interfaces where LLDP is enabled You can limit the display to the interface about which you want information show lldp ...

Page 501: ...cause a variety of problems including spanning tree topology loops Modes of Operation UDLD supports two modes of operation normal the default and aggressive In normal mode UDLD can detect unidirectional links due to misconnected ports on fiber optic connections In aggressive mode UDLD can also detect unidirectional links due to one way traffic on fiber optic and twisted pair links and to misconnec...

Page 502: ...ly the loss of the heart beat means that the link must be shut down if it is not possible to re establish a bidirectional link If both fiber strands in a cable are working normally from a Layer 1 perspective UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors This check cannot be performed ...

Page 503: ...either in the advertisement or in the detection phase UDLD restarts the link up sequence to resynchronize with any potentially out of sync neighbor UDLD shuts down the port if after the fast train of messages the link state is still undetermined Figure 25 1 shows an example of a unidirectional link condition Figure 25 1 UDLD Detection of a Unidirectional Link Configuring UDLD Default UDLD Configur...

Page 504: ...figuring the mode normal or aggressive make sure that the same mode is configured on both sides of the link Caution Loop guard works only on point to point links We recommend that each end of the link has a directly connected device that is running STP Table 25 1 Default UDLD Configuration Feature Default Setting UDLD global enable state Globally disabled UDLD per port enable state for fiber optic...

Page 505: ...fiber optic ports on the switch UDLD is disabled by default An individual interface configuration overrides the setting of the udld enable global configuration command For more information about aggressive and normal modes see the Modes of Operation section on page 25 1 message time message timer interval Configures the period of time between UDLD probe messages on ports that are in the advertisem...

Page 506: ...tate and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error disabled state Displaying UDLD Status To display the UDLD status for the specified port or for all ports use the show udld interface id privileged EXEC command For detailed information about the fields in the command output see the command reference for this release Ste...

Page 507: ...ent or both on source ports or source VLANs to a destination port for analysis SPAN does not affect the switching of network traffic on the source ports or VLANs You must dedicate the destination port for SPAN use Except for traffic that is required for the SPAN or RSPAN session destination ports do not receive or forward traffic Only traffic that enters or leaves source ports or traffic that ente...

Page 508: ...0 receives all network traffic from port 5 without being physically attached to port 5 Figure 26 1 Example of Local SPAN Configuration on a Single Switch Remote SPAN RSPAN supports source ports source VLANs and destination ports on different switches enabling remote monitoring of multiple switches across your network Figure 26 2 shows source ports on Switch A and Switch B The traffic for each RSPA...

Page 509: ...ified by the user and form them into a stream of SPAN data which is directed to the destination port RSPAN consists of at least one RSPAN source session an RSPAN VLAN and at least one RSPAN destination session You separately configure RSPAN source sessions and RSPAN destination sessions on different network devices To configure an RSPAN source session on a device you associate a set of source port...

Page 510: ...ted ports can be configured as SPAN sources and destinations SPAN sessions do not interfere with the normal operation of the switch However an oversubscribed SPAN destination for example a 10 Mbps port monitoring a 100 Mbps port can result in dropped or lost packets When RSPAN is enabled each packet being monitored is transmitted twice once as normal traffic and once as a monitored packet Therefor...

Page 511: ...can have a mixture of untagged and IEEE 802 1Q tagged packets appear on the destination port Switch congestion can cause packets to be dropped at ingress source ports egress source ports or SPAN destination ports In general these characteristics are independent of one another For example A packet might be forwarded normally but dropped from monitoring due to an oversubscribed SPAN destination port...

Page 512: ...ination port belongs to a source VLAN it is excluded from the source list and is not monitored If ports are added to or removed from the source VLANs the traffic on the source VLAN received by those ports is added to or removed from the sources being monitored You cannot use filter VLANs in the same session with VLAN sources You can monitor only Ethernet VLANs VLAN Filtering When you monitor a tru...

Page 513: ...e incoming traffic is disabled The port does not send any traffic except that required for the SPAN session Incoming traffic is never learned or forwarded on a destination port If incoming traffic forwarding is enabled for a network security device the destination port forwards traffic at Layer 2 It does not participate in any of the Layer 2 protocols STP VTP CDP DTP PagP A destination port that b...

Page 514: ...at traffic is not monitored and is not received on the SPAN destination port STP A destination port does not participate in STP while its SPAN or RSPAN session is active The destination port can participate in STP after the SPAN or RSPAN session is disabled On a source port SPAN does not affect the STP status STP can be active on trunk ports carrying an RSPAN VLAN However only NNIs or ENIs can sup...

Page 515: ...ss forwarding is enabled on the destination port For RSPAN source sessions do not enable port security on any ports with monitored egress An IEEE 802 1x port can be a SPAN source port You can enable IEEE 802 1x on a port that is a SPAN destination port however IEEE 802 1x is disabled until the port is removed as a SPAN destination For SPAN sessions do not enable IEEE 802 1x on ports with monitored...

Page 516: ...l remote global configuration command to delete configured SPAN parameters For local SPAN outgoing packets through the SPAN destination port carry the original encapsulation headers untagged or IEEE 802 1Q if the encapsulation replicate or encapsulation dot1q keywords are specified If the keywords are not specified the packets are sent in native form For RSPAN destination ports outgoing packets ar...

Page 517: ...itors both sent and received traffic both Monitor both received and sent traffic This is the default rx Monitor received traffic tx Monitor sent traffic Note You can use the monitor session session_number source command multiple times to configure multiple source ports Step 4 monitor session session_number destination interface interface id encapsulation dot1q replicate Specify the SPAN session an...

Page 518: ...ation interface gigabitethernet0 2 encapsulation replicate Switch config end This example shows how to remove port 1 as a SPAN source for SPAN session 1 Switch config no monitor session 1 source interface gigabitethernet0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 s...

Page 519: ...t the packet encapsulation and the ingress VLAN and encapsulation For session_number specify the session number entered in Step 3 For interface id specify the destination port The destination interface must be a physical port it cannot be an EtherChannel and it cannot be a VLAN Optional Specify a series or range of interfaces Enter a space before and after the comma or hyphen Optional Enter encaps...

Page 520: ...t0 1 rx Switch config monitor session 2 destination interface gigabitethernet0 2 encapsulation replicate ingress dot1q vlan 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_number all local remo...

Page 521: ...s section on page 26 10 apply to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches Step 5 monitor session session_number destina...

Page 522: ...d that you configure an RSPAN VLAN before you configure an RSPAN source or a destination session Configuring a VLAN as an RSPAN VLAN Create a new VLAN to be the RSPAN VLAN for the RSPAN session You must create the RSPAN VLAN in all switches that will participate in RSPAN You must configure RSPAN VLAN on source and destination switches and any intermediate switches To get an efficient flow of RSPAN...

Page 523: ... is 1 to 66 Enter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can inclu...

Page 524: ...hich the source session was configured Beginning in privileged EXEC mode follow these steps to define the RSPAN VLAN on that switch to create an RSPAN destination session and to specify the source RSPAN VLAN and the destination port Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in th...

Page 525: ...ng an RSPAN Destination Session section on page 26 18 This procedure assumes that the RSPAN VLAN has been configured Step 7 monitor session session_number destination interface interface id Specify the RSPAN session and the destination interface For session_number enter the number defined in Step 6 Note In an RSPAN destination session you must use the same session number for the source RSPAN VLAN ...

Page 526: ...ss VLAN and encapsulation For session_number enter the number defined in Step 4 Note In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Note Though visible in the command line help string encapsulation replicate is not suppor...

Page 527: ...pecify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id Specify the characteristics of the source port monitored port and SPAN session For session_number the range is 1 to 66 For interface id specify the source port to monitor The interface specified must already be co...

Page 528: ...6 Configuring SPAN and RSPAN Displaying SPAN and RSPAN Status Displaying SPAN and RSPAN Status To display the current SPAN or RSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured SPAN or RSPAN sessions ...

Page 529: ...information Note For complete syntax and usage information for the commands used in this chapter see the System Management Commands section in the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Understanding RMON page 27 1 Configuring RMON page 27 2 Displaying RMON Status page 27 6 Understanding RMON RMON is an Internet Engineering Task Force IETF standard monitoring specifica...

Page 530: ...cified value rising threshold and resets the alarm at another value falling threshold Alarms can be used with events the alarm triggers an event which can generate a log entry or an SNMP trap Event RMON group 9 Specifies the action to take when an event is triggered by an alarm The action can be to generate a log entry or an SNMP trap Because switches supported by this software release use hardwar...

Page 531: ...red Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner string Set an alarm on a MIB object For number specify the alarm number The range is 1 to 65535 For variable specify the MIB object to monitor For interval specify the time in seconds t...

Page 532: ...and can be triggered again Switch config rmon alarm 10 ifEntry 20 1 20 delta rising threshold 15 1 falling threshold 0 owner jjohnson The following example creates RMON event number 1 by using the rmon event command The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm The user jjones owns the row that is created in the event table by this comm...

Page 533: ...network interfaces ENIs are disabled and network node interfaces NNIs are enabled Step 4 rmon collection history index buckets bucket number interval seconds owner ownername Enable history collection for the specified number of buckets and time period For index identify the RMON group of statistics The range is 1 to 65535 Optional For buckets bucket number specify the maximum number of buckets des...

Page 534: ...own Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 rmon collection stats index owner ownername Enable RMON statistic collection on the interface For index specify the RMON group of statistics The range is from 1 to 65535 Optional For owner ownername enter the name of the owner of the RMON group of statistics Step 5 end Return to privileged EXEC mode ...

Page 535: ...ut from system messages and debug privileged EXEC commands to a logging process The logging process controls the distribution of logging messages to various destinations such as the logging buffer terminal lines or a UNIX syslog server depending on your configuration The process also sends messages to the console Note The syslog format is compatible with 4 3 BSD UNIX When the logging process is di...

Page 536: ...onizing Log Messages page 28 6 optional Enabling and Disabling Time Stamps on Log Messages page 28 7 optional Enabling and Disabling Sequence Numbers in Log Messages page 28 8 optional Defining the Message Severity Level page 28 8 optional Limiting Syslog Messages Sent to the History Table and to SNMP page 28 10 optional Enabling the Configuration Change Logger page 28 10 optional Configuring UNIX...

Page 537: ...umber only if the service sequence numbers global configuration command is configured For more information see the Enabling and Disabling Sequence Numbers in Log Messages section on page 28 8 timestamp formats mm dd hh mm ss or hh mm ss short uptime or d h long uptime Date and time of the message or event This information appears only if the service timestamps log datetime log global configuration...

Page 538: ... the middle of command output The logging synchronous global configuration command also affects the display of messages to the console When this command is enabled messages appear only after you press Return For more information see the Synchronizing Log Messages section on page 28 6 To re enable message logging after it has been disabled use the logging on global configuration command Synchronous...

Page 539: ...be used as the syslog server To build a list of syslog servers that receive logging messages enter this command more than once For complete syslog server configuration steps see the Configuring UNIX Syslog Servers section on page 28 12 Step 4 logging file flash filename max file size min file size severity level number type Store log messages in a file in flash memory For filename enter the log me...

Page 540: ...When synchronous logging of unsolicited messages and debug command output is enabled unsolicited device output appears on the console or printed after solicited device output appears or is printed Unsolicited messages and debug command output appears on the console after the prompt for user input is returned Therefore unsolicited messages and debug command output are not interspersed with solicite...

Page 541: ... this value are printed asynchronously Low numbers mean greater severity and high numbers mean lesser severity The default is 2 Optional Specifying level all means that all messages are printed asynchronously regardless of the severity level Optional For limit number of buffers specify the number of buffers to be queued for the terminal after which new messages are dropped The range is 0 to 214748...

Page 542: ...uence numbers enabled 000019 SYS 5 CONFIG_I Configured from console by vty2 10 34 195 36 Defining the Message Severity Level You can limit messages displayed to the selected device by specifying the severity level of the message which are described in Table 28 3 Beginning in privileged EXEC mode follow these steps to define the message severity level This procedure is optional Command Purpose Step...

Page 543: ...utput from the debug commands displayed at the debugging level Debug commands are typically used only by the Technical Assistance Center Interface up or down transitions and system restart messages displayed at the notifications level This message is only for information switch functionality is not affected Step 4 logging trap level Limit messages logged to the syslog servers By default syslog ser...

Page 544: ...story table to the default value use the no logging history size global configuration command Enabling the Configuration Change Logger You can enable a configuration logger to keep track of configuration changes made with the command line interface CLI When you enter the logging enable configuration change logger configuration command the log records the session the user and the command that was e...

Page 545: ...ch config archive log cfg end This is an example of output for the configuration log Switch show archive log config all idx sess user line Logged command 38 11 unknown user vty3 no aaa authorization config commands 39 12 unknown user vty3 no aaa authorization network default group radius 40 12 unknown user vty3 no aaa accounting dot1x default start stop group radius 41 13 unknown user vty3 no aaa ...

Page 546: ...for information on the facilities The debug keyword specifies the syslog level see Table 28 3 on page 28 9 for information on the severity levels The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field The file must already exist and the syslog daemon must have permission to write to it Step 2 Create the log file by entering these commands a...

Page 547: ...is display see the Cisco IOS Configuration Fundamentals Command Reference Release 12 2 Step 3 logging trap level Limit messages logged to the syslog servers Be default syslog servers receive informational messages and lower See Table 28 3 on page 28 9 for level keywords Step 4 logging facility facility type Configure the syslog facility See Table 28 4 on page 28 13 for facility type keywords The d...

Page 548: ...28 14 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 28 Configuring System Message Logging Displaying the Logging Configuration ...

Page 549: ...ystem consists of an SNMP manager an SNMP agent and a MIB The SNMP manager can be part of a network management system NMS such as CiscoWorks The agent and MIB reside on the switch To configure SNMP on the switch you define the relationship between the manager and the agent The SNMP agent contains MIB variables whose values the SNMP manager can request or change A manager can get a value from an ag...

Page 550: ... defined in RFC 1901 SNMPv3 Version 3 of the SNMP is an interoperable standards based protocol defined in RFCs 2273 to 2275 SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network and includes these security features Message integrity ensuring that a packet was not tampered with in transit Authentication determining that the message is from a valid source...

Page 551: ...ing No Uses a community string match for authentication SNMPv2C noAuthNoPriv Community string No Uses a community string match for authentication SNMPv3 noAuthNoPriv Username No Uses a username match for authentication SNMPv3 authNoPriv MD5 or SHA No Provides authentication based on the HMAC MD5 or HMAC SHA algorithms SNMPv3 authPriv requires the cryptographic software image MD5 or SHA DES Provide...

Page 552: ...ead access to authorized management stations to all objects in the MIB except the community strings but does not allow write access Read write RW Gives read and write access to authorized management stations to all objects in the MIB but does not allow access to the community strings Using SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software CiscoWorks 20...

Page 553: ... soon as it is sent an inform request is held in memory until a response is received or the request times out Traps are sent only once but an inform might be re sent or retried several times The retries increase traffic and contribute to a higher overhead on the network Therefore traps and informs require a trade off between reliability and resources If it is important that the SNMP manager receiv...

Page 554: ...terval After you configure the data to be collected a single virtual bulk statistics file is created with all the collected data You can specify how the file is transferred to the NMS FTP RCP or TFTP how often the file is transferred the default is 30 minutes and a secondary destination if the primary NMS is not available The transfer interval time is also the collection interval time After the co...

Page 555: ...e used to compute the authentication and privacy digests If you do not configure the remote engine ID first the configuration command fails When configuring SNMP informs you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it If a local user is not associated with a remote host the switch does not send informs for the a...

Page 556: ...manager and the agent The community string acts like a password to permit access to the agent on the switch Optionally you can specify one or more of these characteristics associated with the string An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent A MIB view which defines the subset of all MIB objects accessible to the g...

Page 557: ...orized management stations to retrieve MIB objects or specify read write rw if you want authorized management stations to retrieve and modify MIB objects By default the community string permits read only access to all objects Optional For access list number enter an IP standard access list numbered from 1 to 99 and 1300 to 1999 Step 3 access list access list number deny permit source source wildca...

Page 558: ...low these steps to configure SNMP on the switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID local engineid string remote ip address udp port port number engineid string Configure a name for either the local or remote copy of SNMP The engineid string is a 24 character ID string with the name of the copy of SNMP You need not specify the entir...

Page 559: ...ket authentication noauth Enables the noAuthNoPriv security level This is the default if no keyword is specified priv Enables Data Encryption Standard DES packet encryption also called privacy Note The priv keyword is available only when the cryptographic software image is installed Optional Enter read readview with a string not to exceed 64 characters that is the name of the view in which you can...

Page 560: ...groupname is the name of the group to which the user is associated Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number The default is 162 Enter the SNMP version number v1 v2c or v3 If you enter v3 you have these additional options encrypted specifies that the password appears in encrypted format This...

Page 561: ...enable any or all of these traps invalid PIM messages neighbor changes and rendezvous point RP mapping changes port security Generates SNMP port security traps You can also set a maximum trap rate per second The range is from 0 to 1000 the default is 0 which means that there is no rate limit Note When you configure a trap by using the notification type port security configure the port security tra...

Page 562: ...ing in privileged EXEC mode follow these steps to configure the switch to send traps or informs to a host Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server engineID remote ip address engineid string Specify the engine ID for the remote host Step 3 snmp server user username groupname remote host udp port port v1 access access list v2c access access list v3...

Page 563: ...9 5 on page 29 12 If no type is specified all notifications are sent Step 6 snmp server enable traps notification types Enable the switch to send traps or informs and specify the type of notifications to be sent For a list of notification types see Table 29 5 on page 29 12 or enter snmp server enable traps To enable multiple types of traps you must enter a separate snmp server enable traps command...

Page 564: ...ation types and values Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 process cpu threshold type total process interrupt rising percentage interval seconds falling fall percentage interval seconds Set the CPU threshold notification types and values total set the notification type to total CPU utilization process set the notification type to CPU process utilization...

Page 565: ...Step 5 show running config Verify your entries Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 snmp server tftp server list access list number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list For access list number enter...

Page 566: ...p mib bulkstat object list list name Define an SNMP bulk statistics object list and enter bulk statistics object list configuration mode Step 3 add object name oid Add a MIB object to the bulk statistics object list For object name enter the name of the MIB object to add to the list You can enter only object names from the Interfaces MIB or the Cisco Committed Access Rate MIB For oid enter the Obj...

Page 567: ...cify an instance OID for the schema Step 8 poll interval interval Set the time interval in minutes for collection of data from the object instances specified in the schema The range is from 1 to 20000 minutes the default is 5 minutes Step 9 end Return to privileged EXEC mode Step 10 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purp...

Page 568: ...old Table You can use the CLI to configure the Cisco Process MIB CPU threshold table Note For commands for configuring the Cisco Process MIB CPU threshold table see the Cisco IOS Commands Master List Release 12 4 at this URL at this URL http www cisco com en US products ps6350 products_product_indices_list html Step 7 url primary URL Specify the NMS host that the bulk statistics file should be tra...

Page 569: ...mber size seconds Set the process entry limit and the size of the history table for CPU utilization statistics For entry percentage number enter the percentage 1 to 100 of CPU utilization that a process must use to become part of the history table Optional For size seconds set the duration of time in seconds for which CPU statistics are stored in the history table The range is from 5 to 86400 seco...

Page 570: ...and to send auth authNoPriv authentication level informs when the user enters global configuration mode Switch config snmp server engineID remote 192 180 1 27 00000063000100a1c0b4011b Switch config snmp server group authgroup v3 auth Switch config snmp server user authuser authgroup remote 192 180 1 27 v3 auth md5 mypassword Switch config snmp server user authuser authgroup v3 auth md5 mypassword ...

Page 571: ...MP engine and all remote engines that have been configured on the device show snmp group Displays information on each SNMP group on the network show snmp mib bulk transfer Displays transfer status of files generated by the Periodic MIB Data Collection and Transfer Mechanism bulk statistics feature show snmp pending Displays information on pending SNMP requests show snmp sessions Displays informati...

Page 572: ...29 24 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 29 Configuring SNMP Displaying SNMP Status ...

Page 573: ... events and then acts on them through a set policy This policy is a programmed script that you can use to customize a script to invoke an action based on a given set of events occurring The script generates actions such as generating custom syslog or Simple Network Management Protocol SNMP traps invoking CLI commands forcing a failover and so forth The event management capabilities of EEM are usef...

Page 574: ...gent being monitored for example SNMP and the EEM polices where an action can be implemented EEM allows these event detectors Application specific event detector Allows any EEM policy to publish an event IOS CLI event detector Generates policies based on the commands entered through the CLI Generic Online Diagnostics GOLD event detector Publishes an event when a GOLD failure event is detected on a...

Page 575: ...alues or crosses specified thresholds The SNMP delta value the difference between the monitored Object Identifier OID value at the beginning the period and the actual OID value when the event is published matches a specified value SNMP notification event detector Intercepts SNMP trap and inform messages received by the switch The event is generated when an incoming message matches a specified valu...

Page 576: ...f keyword extensions facilitate the development of EEM policies These keywords identify the detected event the subsequent action utility information counter values and system information For complete information on configuring EEM policies and scripts see the Cisco IOS Network Management Configuration Guide Release 12 4T Embedded Event Manager Environment Variables EEM uses environment variables i...

Page 577: ...ple shows the output for EEM when one of the fields specified by an SNMP object ID crosses a defined threshold Switch config applet event snmp oid 1 3 6 1 4 1 9 9 48 1 1 1 6 1 get type exact entry op lt entry val 5120000 poll interval 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 event manager applet applet name Register the applet with EEM and enter applet co...

Page 578: ...s example shows the sample EEM policy named tm_cli_cmd tcl registered as a system policy The system policies are part of the Cisco IOS image User defined TCL scripts must first be copied to flash memory Switch config event manager policy tm_cli_cmd tcl type system Displaying Embedded Event Manager Information To display information about EEM including EEM registered policies and EEM history data s...

Page 579: ...derstanding ACLs Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs An ACL is a sequential collection of permit and deny conditions that apply to packets When a packet is received on an interface the switch compares the fiel...

Page 580: ...interface Router ACLs access control routed traffic between VLANs and are applied to Layer 3 interfaces in a specific direction inbound or outbound The switch must be running the metro IP access image to support router ACLs VLAN ACLs or VLAN maps access control all packets forwarded and routed You can use VLAN maps to filter traffic between devices in the same VLAN VLAN maps are configured to prov...

Page 581: ...d VLAN maps For more information about IEEE 802 1Q tunneling refer to Chapter 13 Configuring IEEE 802 1Q Tunneling and Layer 2 Protocol Tunneling Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces and can be applied only on interfaces in the inbound direction These access lists are s...

Page 582: ...face the new ACL replaces the previously configured one Router ACLs If the switch is running the metro IP access image you can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces You apply router ACLs on interfaces for specific directions inbound or outbound You can apply one router ACL in e...

Page 583: ...ng MAC VLAN maps IP traffic is not access controlled by MAC VLAN maps You can enforce VLAN maps only on packets going through the switch you cannot enforce VLAN maps on traffic between hosts on a hub or on another switch connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map Figure 31 2 shows how a VLAN map is applied to preven...

Page 584: ... the second ACE a deny because all Layer 3 and Layer 4 information is present The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied However the later fragments that are permitted ...

Page 585: ...s a sequential collection of permit and deny conditions One by one the switch tests packets against the conditions in an access list The first match determines whether the switch accepts or rejects the packet Because the switch stops testing after the first match the order of the conditions is critical If no conditions match the switch denies the packet The software supports these types of ACLs or...

Page 586: ...d IP access list That is any packet that matches the ACL causes an informational logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Note Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containin...

Page 587: ...k from an associated IP host address ACL specification 0 0 0 0 is assumed to be the mask Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard log Define a standard IPv4 access list by using a source address and wildcard The access list number is a decimal number from 1 to 99 or 1300 to 1999 Enter deny or ...

Page 588: ...on for finer granularity of control When you are creating ACEs in numbered extended access lists remember that after you create the ACL any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Some protocols also have specific parameters and keywords that apply to that protocol These IP protocols are supported protocol keywo...

Page 589: ...ic parameters for TCP UDP ICMP and IGMP see steps 2b through 2e The source is the number of the network or host from which the packet is sent The source wildcard applies wildcard bits to the source The destination is the network or host number to which the packet is sent The destination wildcard applies wildcard bits to the destination Source source wildcard destination and destination wildcard ca...

Page 590: ... Control Protocol The parameters are the same as those described in Step 2a with these exceptions Optional Enter an operator and port to compare source if positioned after source source wildcard or destination if positioned after destination destination wildcard port Possible operators include eq equal gt greater than lt less than neq not equal and range inclusive range Operators require a port nu...

Page 591: ...agments log log input time range time range name dscp dscp Optional Define an extended ICMP access list and the access conditions Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 2a with the addition of the ICMP message type and code parameters These optional keywords have these meanings icmp type Enter to filter by ...

Page 592: ...nfigure more IPv4 access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list Note The name you give to a standard or extended ACL can also be a number in the supported range of access list numbe...

Page 593: ...rce and source wildcard of source 0 0 0 0 any A source and source wildcard of 0 0 0 0 255 255 255 255 Step 4 end Return to privileged EXEC mode Step 5 show access lists number name Show the access list configuration Step 6 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode...

Page 594: ...d IPv4 ACLs section on page 31 7 and the Creating Named Standard and Extended ACLs section on page 31 14 These are some of the many possible benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application identified by an IP address mask pair and a port number You can control logging messages ACL entries can be set to log traffic onl...

Page 595: ... deny tcp any any time range new_year_day_2006 Switch config access list 188 permit tcp any any time range workhours Switch config end Switch show access lists Extended IP access list 188 10 deny tcp any any time range new_year_day_2006 inactive 20 permit tcp any any time range workhours inactive This example uses named ACLs to permit and deny the same traffic Switch config ip access list extended...

Page 596: ...command To remove the remark use the no form of this command In this example the Jones subnet is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subnet to telnet out Switch config ext nacl deny tcp host 171 69 2 88 any eq telnet Applying an IPv4 ACL to a Terminal Line You can use numbered ACLs to control access to...

Page 597: ...ry and secondary VLAN Layer 3 traffic Note By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group These access group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message Beginning in privileged EXEC mode follow these steps to control access to an ...

Page 598: ...n be changed by using the ip icmp rate limit unreachable global configuration command When you apply an undefined ACL to an interface the switch acts as if the ACL has not been applied to the interface and permits all packets Remember this behavior if you use undefined ACLs for network security Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware but requ...

Page 599: ...hardware resources causes this problem Logical operation units are needed for a TCP flag match or a test other than eq ne gt lt or range on TCP UDP or SCTP port numbers Use one of these workarounds Modify the ACL configuration to use fewer resources Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers To determine the specialized hardware resources enter the...

Page 600: ...S Security Configuration Guide Release 12 2 and to the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide Release 12 2 Figure 31 3 shows a small networked office environment with routed Port 2 connected to Server A containing benefits and other information that all employees can access and routed Port 1 connected to Server B containing...

Page 601: ...e network 36 0 0 0 is a Class A network whose second octet specifies a subnet that is its subnet mask is 255 255 0 0 The third and fourth octets of a network 36 0 0 0 address specify a particular host Using access list 2 the switch accepts one address on subnet 48 and reject all others on that subnet The last line of the list shows that the switch accepts addresses on all other network 36 0 0 0 su...

Page 602: ...et_filter ACL allows all traffic from the source address 1 2 3 4 Switch config ip access list standard Internet_filter Switch config ext nacl permit 1 2 3 4 Switch config ext nacl exit The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171 69 0 0 0 0 255 255 and denies any other TCP traffic It permits ICMP traffic denies UDP traffic from any source to the...

Page 603: ...med ACL the Jones subnet is not allowed access Switch config ip access list standard prevention Switch config std nacl remark Do not allow Jones subnet through Switch config std nacl deny 171 69 0 0 0 0 255 255 In this example of a named ACL the Jones subnet is not allowed to use outbound Telnet Switch config ip access list extended telnetting Switch config ext nacl remark Do not allow Jones subne...

Page 604: ... ext1 permitted icmp 10 1 1 15 10 1 1 61 0 0 7 packets 01 26 12 SEC 6 IPACCESSLOGP list ext1 denied udp 0 0 0 0 0 255 255 255 255 0 1 packet 01 31 33 SEC 6 IPACCESSLOGP list ext1 denied udp 0 0 0 0 0 255 255 255 255 0 8 packets Note that all logging entries for IP ACLs start with SEC 6 IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been match...

Page 605: ...source MAC address mask any host destination MAC address destination MAC address mask type mask lsap lsap mask aarp amber dec spanning decnet iv diagnostic dsm etype 6000 etype 8042 lat lavc sca mop console mop dump msdos mumps netbios vines echo vines ip xns idp 0 65535 cos cos In extended MAC access list configuration mode specify to permit or deny any source MAC address a source MAC address wit...

Page 606: ...to apply MAC access list mac1 to a port to filter packets entering the port Switch config interface gigabitethernet0 2 Router config if mac access group mac1 in Note The mac access group interface configuration command is only valid when applied to a physical Layer 2 interface You cannot use the command on EtherChannel port channels After receiving a packet the switch checks it against the inbound...

Page 607: ...s map global configuration command to create a VLAN ACL map entry Step 3 In access map configuration mode optionally enter an action forward the default or drop and enter the match command to specify an IP packet or a non IP packet with only a known MAC address and to match the packet against one or more ACLs standard or extended Note If the VLAN map has a match clause for a type of packet IP or M...

Page 608: ... ingress side For frames going upstream from a host port to a promiscuous port the VLAN map configured on the secondary VLAN is applied For frames going downstream from a promiscuous port to a host port the VLAN map configured on the primary VLAN is applied To filter out specific IP traffic for a private VLAN you should apply the VLAN map to both the primary and secondary VLANs For more informatio...

Page 609: ...atch clauses Switch config ip access list extended ip1 Switch config ext nacl permit tcp any any Switch config ext nacl exit Switch config vlan access map map_1 10 Switch config access map match ip address ip1 Switch config access map action drop This example shows how to create a VLAN map to permit a packet ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this m...

Page 610: ...map action drop Switch config access map exit Switch config vlan access map drop ip default 30 Switch config access map match ip address tcp match Switch config access map action forward Example 3 In this example the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets Used with MAC extended access lists good hosts and good protocols the map will hav...

Page 611: ...uration command This example shows how to apply VLAN map 1 to VLANs 20 through 22 Switch config vlan filter map 1 vlan list 20 22 Using VLAN Maps in Your Network Wiring Closet Configuration page 31 33 Denying Access to a Server on Another VLAN page 31 34 Wiring Closet Configuration In a wiring closet configuration routing might not be enabled on the switch In this configuration the switch can stil...

Page 612: ... IP traffic is forwarded Switch config vlan access map map2 10 Switch config access map match ip address http Switch config access map action drop Switch config access map exit Switch config ip access list extended match_all Switch config ext nacl permit ip any any Switch config ext nacl exit Switch config vlan access map map2 20 Switch config access map match ip address match_all Switch config ac...

Page 613: ... that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL Switch config vlan access map SERVER1_MAP Switch config access map match ip address SERVER1_ACL Switch config access map action drop Switch config vlan access map SERVER1_MAP 20 Switch config access map action forward Switch config access map exit Step 3 Apply the VLAN map to VLAN 10 Switch config vl...

Page 614: ...g the router ACL with the VLAN map might significantly increase the number of ACEs If you must configure a router ACL and a VLAN map on the same VLAN use these guidelines for both router ACL and VLAN map configuration You can configure only one VLAN map and one router ACL in each direction input output on a VLAN interface Whenever possible try to write the ACL with all entries having a single acti...

Page 615: ...ble that the packet might be dropped rather than forwarded ACLs and Switched Packets Figure 31 6 shows how an ACL is applied on packets that are switched within a VLAN Packets switched within the VLAN without being routed or forwarded are only subject to the VLAN map of the input VLAN Figure 31 6 Applying ACLs on Switched Packets ACLs and Routed Packets Figure 31 7 shows how ACLs are applied on ro...

Page 616: ...t be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map VLAN 10 map in Figure 31 8 drops the packet no destinat...

Page 617: ... current IP and MAC address access lists or a specific access list numbered or named show ip access lists number name Displays the contents of all current IP access lists or a specific IP access list numbered or named show ip interface interface id Displays detailed configuration and status of an interface If IP is enabled on the interface and ACLs have been applied by using the ip access group in...

Page 618: ...31 40 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 31 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 619: ...nd the customer is not usually required Most Layer 2 protocols are not supported on UNIs To protect against accidental or intentional CPU overload the Cisco ME switch provides control plane security automatically by dropping or rate limiting a predefined set of Layer 2 control packets and some Layer 3 control packets for UNIs You can also configure a third port type an enhanced network interface E...

Page 620: ...an be enabled or tunneled such as CDP STP LLDP VLAN Trunking Protocol VTP UniDirectional Link Detection UDLD Protocol LACP and PAgP packets When enabled these protocol packets are rate limited and tunneled through the switch Control or management packets that are required by the switch such as keepalive packets These control packets are processed by the CPU but are rate limited to normal and safe ...

Page 621: ...02 1D addresses Dropped When the Ethernet Link Management Interface ELMI is enabled globally or on a per port basis whichever is configured last a throttle policer is assigned to a port When ELMI is disabled globally or on a port whichever is configured last a drop policer is assigned to a port PVST Dropped Rate limited LACP Dropped Rate limited Note LACP can be enabled only on ENIs Rate limited P...

Page 622: ...kets are dropped physical policer of 26 These protocols are disabled by default on ENIs as well but you can enable them When enabled on ENIs the control packets are rate limited and a rate limiting policer is assigned to the port for these protocols physical policer of 22 Switch show platform policer cpu interface fastethernet 0 3 Policers assigned for CPU protection Feature Policer Physical Asic ...

Page 623: ...ITCH_IGMP 17 255 0 SWITCH_L2PT 18 255 0 Configuring Control Plane Security CPU protection is enabled by default and CPU policers are pre allocated You can disable CPU protection by entering the no policer cpu uni all global configuration command or reenable it by entering the policer cpu uni all global configuration command When you disable or enable CPU protection you must reload the switch by en...

Page 624: ...return to the default threshold rate use the no policer cpu uni global configuration command To disable CPU protection enter the no policer cpu uni all global configuration command and reload the switch This example shows how to set the CPU protection threshold to 10000 b s and to verify the configuration Switch config t Enter configuration commands one per line End with CNTL Z Switch config polic...

Page 625: ...on or all statistics maintained by the control plane policer drop debug platform policer cpu uni eni Enable debugging of the control plane policer This command displays information messages when any changes are made to CPU protection show platform policer cpu classification interface interface id Display control plane policer information classification show classification statistics interface inte...

Page 626: ...32 8 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 32 Configuring Control Plane Security Monitoring Control Plane Security ...

Page 627: ...mmand Reference at this site http www cisco com en US products sw iosswrel ps1835 products_command_reference_book09186a 0080087f48 html For complete syntax and usage information for the platform specific commands used in this chapter see the command reference for this release Understanding QoS page 33 1 Configuring QoS page 33 29 Displaying QoS Information page 33 65 Configuration Examples for Pol...

Page 628: ... bandwidth requirements bits per second can be conditionally passed through dropped or reclassified For more information see the Marking section on page 33 19 Congestion management uses queuing and scheduling algorithms to queue and sort traffic that is leaving a port The switch supports these scheduling and traffic limiting features class based weighted fair queuing CBWFQ class based traffic shap...

Page 629: ... forwarded according to the QoS specifications set in the traffic policy Packets that fail to meet any of the matching criteria are classified as members of the default traffic class Step 2 Create a traffic policy to associate the traffic class with one or more QoS features You use the policy map policy map name global configuration command to create a traffic policy and to enter policy map config...

Page 630: ...maps perform scheduling and queuing on traffic as it leaves the switch Input policies and output policies have the same basic structure the difference is in the characteristics that they regulate Figure 33 2 shows the relationship of input and output policies You can configure a maximum of 256 policy maps You can apply one input policy map and one output policy map to an interface When CPU protect...

Page 631: ...ding class default because egress ports have a maximum of four queues An output policy map attached to an egress port can match only the packets that have already been matched by an input policy map attached to the ingress port for the packets You can attach an output policy map to any or all ports on the switch The switch supports configuration and attachment of a unique output policy map for eac...

Page 632: ...ps section on page 33 7 The match Command section on page 33 7 Classification Based on Layer 2 CoS section on page 33 8 Classification Based on IP Precedence section on page 33 8 Classification Based on IP DSCP section on page 33 8 Classification Comparisons section on page 33 9 Classification Based on QoS ACLs section on page 33 10 Classification Based on QoS Groups section on page 33 10 Classifi...

Page 633: ... The match Command To configure the type of content used to classify packets you use the match class map configuration command to specify the classification criteria If a packet matches the configured criteria it belongs to a specific class and is forwarded according to the specified policy For example you can use the match class map command with CoS IP DSCP and IP precedence values These values a...

Page 634: ... the binary representation of the DSCP value AF sets the relative probability that a specific class of packets is forwarded when congestion occurs and the traffic does not exceed the maximum permitted rate AF per hop behavior provides delivery of IP packets in four different AF classes AF11 13 the highest AF21 23 AF31 33 and AF41 43 the lowest Each AF class could be allocated a specific amount of ...

Page 635: ...ns Table 33 1 shows suggested IP DSCP IP precedence and CoS values for typical traffic types Table 33 1 Typical Traffic Classifications Traffic Type DSCP per hop DSCP decimal IP Precedence CoS Voice bearer traffic in a priority queue or the queue with the highest service weight and lowest drop priority EF 46 5 5 Voice control signalling traffic related to call setup from a voice gateway or a voice...

Page 636: ... effort IP fragments are denoted by fields in the IP header You can use only ACLs with a permit action in a match access group command ACLs with a deny action are never matched in a QoS policy Note Only one access group is supported per class for an input policy map Classification Based on QoS Groups A QoS group is an internal label used by the switch to identify packets as a members of a specific...

Page 637: ...n QoS group numbers at the ingress to any combination of interfaces VLANs traffic flows and aggregated traffic To assign QoS group numbers configure a QoS group marking in an input policy map along with any other marking or policing actions required in the input policy map for the same service class This allows the input marking and policing functions to be decoupled from the egress classification...

Page 638: ... QoS has these limitations You can apply a per port per VLAN hierarchical policy map only to trunk ports You can configure classification based on VLAN ID only in the parent level of a per port per VLAN hierarchical policy map When the child policy map attached to a VLAN or set of VLANs contains only Layer 3 classification match ip dscp match ip precedence match IP ACL you must be careful to ensur...

Page 639: ...1 ingress Switch config pmap c exit Note Each per port per VLAN parent policy class except class default can have a child policy association See the Configuring Per Port Per VLAN QoS with Hierarchical Input Policy Maps section on page 33 48 for configuration information including configuration guidelines and limitations Table Maps You can use table maps to manage a large number of traffic flows wi...

Page 640: ...th a set command in a policy map or with a conform action or exceed action command in a police function Table maps are not supported in output policy maps For more information set the Configuring Table Maps section on page 33 36 Policing After a packet is classified you can use policing as shown in Figure 33 5 to regulate the class of traffic The policing function limits the amount of bandwidth av...

Page 641: ...g the service policy input interface configuration command Policing is done only on received traffic so you can only attach a policer to an input service policy This is an example of basic policing for all traffic received with a CoS of 4 The first value following the police command limits the average traffic rate to 10 000 000 bits per second bps the second value represents the additional burst s...

Page 642: ...fig pmap c police conform action set dscp transmit dscp table conform dscp to dscp mutation Switch config pmap c police conform action set qos transmit 10 Switch config pmap c police exceed action set cos transmit 2 Switch config pmap c police exceed action set dscp transmit dscp table exceed dscp to dscp mutation Switch config pmap c police exceed action set qos transmit 20 Switch config pmap c p...

Page 643: ...r you configure the policy map and policing actions attach the policy to an ingress port by using the service policy interface configuration command The class maps in this example refer to access lists Switch config policer aggregate agg1 cir 23000 bc 10000 conform action set dscp transmit 46 exceed action drop Switch config class map testclass Switch config cmap match access group 1 Switch config...

Page 644: ...o output policy maps You can use the priority policy map class configuration command in an output policy map to designate a low latency path or class based priority queuing for a specific traffic class With strict priority queuing the packets in the priority queue are scheduled and sent until the queue is empty at the expense of other queues Excessive use of high priority queuing can create conges...

Page 645: ... marking function can use information from the policing function or directly from the classification function You can specify and mark traffic by using the set commands in a policy map for all supported QoS markings CoS IP DSCP IP precedence and QoS groups A set command unconditionally marks the packets that match a specific class You then attach the policy map to an interface as an input policy m...

Page 646: ...no output policy attached to the port the CPU generated traffic is sent through the first non priority queue defined in the output policy map You can also mark native VLAN traffic and tag it by entering the vlan dot1q tag native global configuration command When you configure the cpu traffic qos marking for Ethernet or IP traffic the control plane traffic that the CPU generates is marked with the ...

Page 647: ...onfigure the other traffic classes with bandwidth or shape average depending on requirements These sections contain additional information about scheduling Traffic Shaping page 33 21 Class Based Weighted Fair Queuing page 33 23 Priority Queuing page 33 25 Traffic Shaping Traffic shaping is a traffic control mechanism similar to traffic policing While traffic policing is used in input policy maps t...

Page 648: ...0 Mbps allocated according to the out policy policy map configured in the previous example The service policy policy map class command is used to create a child policy to the parent Switch config policy map out policy parent Switch config pmap class class default Switch config pmap c shape average 90000000 Switch config pmap c service policy out policy Switch config pmap c exit Switch config pmap ...

Page 649: ...for each queue of the policy cannot exceed the total speed of the parent When you use the bandwidth policy map class configuration command to configure a class of traffic as an absolute rate kilobits per second or a percentage of total bandwidth this represents the minimum bandwidth guarantee CIR for that traffic class This means that the traffic class gets at least the bandwidth indicated by the ...

Page 650: ...When you configure CIR bandwidth for a class as an absolute rate or percentage of the total bandwidth any excess bandwidth remaining after servicing the CIR of all the classes in the policy map is divided among the classes in the same proportion as the CIR rates If the CIR rate of a class is configured as 0 that class is also not eligible for any excess bandwidth and as a result receives no bandwi...

Page 651: ...the only form of policing that is supported in output policy maps Using this combination of commands configures a maximum rate on the priority queue and you can use the bandwidth and shape average policy map commands for other classes to allocate traffic rates on other queues Note When priority is configured in an output policy map without the police command you can only configure the other queues...

Page 652: ...estion avoidance uses algorithms such as tail drop to control the number of packets entering the queuing and scheduling stage to avoid congestion and network bottlenecks The switch uses weighted tail drop WTD to manage the queue sizes and provide a drop precedence for traffic classifications You set the queue size limits depending on the markings of the packets in the queue Each packet that travel...

Page 653: ...rage or priority The only exception to this is when you configure queue limit for the class default of an output policy map The switch supports up to three unique queue limit configurations across all output policy maps Within an output policy map only four queues classes are allowed including the class default Each queue has three thresholds defined Only three unique threshold value configuration...

Page 654: ...resholds for a class the WTD thresholds must be less than or equal to the queue maximum threshold A queue size configured with no qualifier must be larger than any queue sizes configured with qualifiers When you configure queue limit the range for the number of packets is from 16 to 544 in multiples of 16 where each packet is a fixed unit of 256 bytes Note For optimal performance we strongly recom...

Page 655: ...tput out policy Switch config if exit You can configure and attach as many output policy maps as there are switch ports but only three unique queue limit configurations are allowed When another output policy map uses the same queue limit and class configurations even if the bandwidth percentages are different it is considered to be the same queue limit configuration Configuring QoS Before configur...

Page 656: ...l ports in the EtherChannel Control traffic such as spanning tree bridge protocol data units BPDUs and routing update packets received by the switch are subject to all ingress QoS processing You are likely to lose data when you change queue settings therefore try to make changes when traffic is at a minimum When you try to attach a new policy to an interface and this brings the number of policer i...

Page 657: ...P standard ACL for IP traffic To delete an access list use the no access list access list number global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number permit source source wildcard Create an IP standard ACL repeating the command as many times as necessary For access list number enter the access list number The r...

Page 658: ...P protocol Use the question mark to see a list of available protocols To match any Internet protocol including ICMP TCP and UDP enter ip The source is the number of the network or host sending the packet The source wildcard applies wildcard bits to the source The destination is the network or host number receiving the packet The destination wildcard applies wildcard bits to the destination You can...

Page 659: ...t extended name Create a Layer 2 MAC ACL by specifying the name of the list and enter extended MAC ACL configuration mode Step 3 permit host src MAC addr mask any host dst MAC addr dst MAC addr mask type mask Always use the permit keyword for ACLs used as match criteria in QoS policies For src MAC addr enter the MAC address of the host from which the packet is being sent You can specify in hexadec...

Page 660: ...h statements entered in the class map configuration mode Follow these guidelines when configuring class maps A match all class map cannot have more than one classification criterion one match statement but a match any class map can contain multiple match statements The match cos and match vlan commands are supported only on Layer 2 802 1Q trunk ports You use a class map with the match vlan command...

Page 661: ...defined Only one match type per class map is supported and only one ACL per class map is supported For access group acl index or name specify the number or name of an ACL Matching access groups is supported only in input policy maps For cos cos list enter a list of up to four CoS values in a single line to match against incoming packets Separate each value with a space You can enter multiple cos l...

Page 662: ...lass3 Switch config cmap match ip precedence 5 6 7 Switch config cmap exit This example shows how to create a parent class map called parent class which matches incoming traffic with VLAN IDs in the range from 30 to 40 Switch config class map match any parent class Switch config cmap match vlan 30 40 Switch config cmap exit Configuring Table Maps You can configure table maps to manage a large numb...

Page 663: ... Create a table map by entering a table map name and entering table map configuration mode Step 3 map from from value to to value Enter the mapping values to be included in the table For example if the table map is a DSCP to CoS table map the from value would be the DSCP value and the to_value would be the CoS value Both ranges are from 0 to 63 Enter this command multiple times to include all the ...

Page 664: ...e steps to attach a policy map to a port To remove the policy map and port association use the no service policy input output policy map name interface configuration command Configuring Input Policy Maps Policy maps specify which traffic class to act on and what actions to take All traffic that fails to meet matching criteria of a traffic class belongs to the default class Input policy maps regula...

Page 665: ...eligible traffic On an 802 1Q tunnel port you can use only an input policy map with Layer 2 classification based on MAC ACLs to classify traffic Input policy maps with Layer 3 classification or with Layer 2 classification based on CoS or VLAN ID are not supported on tunnel ports Input policy maps support policing and marking not scheduling or queuing You cannot configure bandwidth priority queue l...

Page 666: ...y map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode By default no class maps are defined Step 3 class class map name class default Enter a class map name or class default to match all unclassified packets and enter policy map class configuration mode If you enter a class map name you must have already created the class map by using the ...

Page 667: ... 7 For ip dscp dscp_value enter a new DSCP value to be assigned to the classified traffic The range is 0 to 63 For ip precedence precedence_value enter a new IP precedence value to be assigned to the classified traffic The range is 0 to 7 Or you can configure a CoS DSCP or IP precedence table and optionally enter the table name If you do not enter table table map name the table map default behavio...

Page 668: ...fic The range is 0 to 63 For ip precedence precedence_value enter a new IP precedence value to be assigned to the classified traffic The range is 0 to 7 Or you can configure a CoS DSCP or IP precedence table and optionally enter the table name If you do not enter table table map name the table map default behavior is copy See the Configuring Table Maps section on page 33 36 For qos group value ide...

Page 669: ...ce configuration mode to set multiple conform actions and an exceed action The policy map sets a committed information rate of 23000 bits per second bps and a conform burst size of 10000 bytes The policy map includes multiple conform actions for DSCP and for Layer 2 CoS and an exceed action Switch config class map cos set 1 Switch config cmap match cos 3 Switch config cmap exit Switch config polic...

Page 670: ...ult You can enter the show policer cpu uni eni drop rate privileged EXEC command to see if CPU protection is enabled The maximum number of configured aggregate policers is 256 Only one policy map can use any specific aggregate policer Aggregate policing cannot be used to aggregate streams across multiple interfaces You can use aggregate policing only to aggregate streams across multiple classes in...

Page 671: ...o 1000000 bytes Optional For conform action specify the action to take on packets that conform to the CIR The default is to send the packet Optional For exceed action specify the action to take on packets that exceed the CIR The default is to drop the packet See the command reference for this release or the Configuring Input Policy Maps with Individual Policing section on page 33 39 for definition...

Page 672: ... Switch config interface fastethernet0 1 Switch config if service policy input testexample Switch config if exit Configuring Input Policy Maps with Marking You use the set policy map class configuration command to set or modify the attributes for traffic belonging to a specific class Follow these guidelines when configuring marking in policy maps You can configure a maximum of 100 QoS groups on th...

Page 673: ...os table table map name dscp table table map name precedence table table map name Mark traffic by setting a new value in the packet specifying a table map or specifying a QoS group For qos group value identify a QoS group to be used at egress to identify specific packets The range is from 0 to 99 For cos cos_value enter a new CoS value to be assigned to the classified traffic The range is 0 to 7 F...

Page 674: ...ciation it does not allow any actions to be configured For a parent level class map you cannot configure an action or a child policy association for the class class default You cannot configure a mixture of Layer 2 and Layer 3 class maps in a child policy map When you attempt to associate such a child policy map with a parent policy the configuration is rejected However you can associate Layer 2 c...

Page 675: ...n is defined Only one match type per class map is supported and only one ACL per class map is supported For access group acl index or name specify the number or name of an ACL Matching access groups is supported only in input policy maps For cos cos list enter a list of up to four CoS values in a single line to match against incoming packets Separate each value with a space You can enter multiple ...

Page 676: ...or a range of VLANs separated by a hyphen to be used in a parent policy map for per port per VLAN QoS on a trunk port The VLAN ID range is 1 to 4094 You can also enter the match vlan command multiple times to match multiple VLANs Step 4 end Return to privileged EXEC mode Step 5 show class map Verify your entries Step 6 copy running config startup config Optional Save your entries in the configurat...

Page 677: ... the parent class map name and enter policy map class configuration mode Step 4 service policy child policy map name Associate the child policy map with the parent policy map Step 5 end Return to privileged EXEC mode Step 6 show policy map parent policy map name class class map name Verify your entries Step 7 copy running config startup config Optional Save your entries in the configuration file C...

Page 678: ...ction drop Switch config pmap c police exit Switch config pmap c exit Switch config pmap class video Switch config pmap c police cir 40000000 Switch config pmap c police conform action set cos transmit 4 Switch config pmap c police exceed action set cos transmit 1 Switch config pmap c police exit Switch config pmap c exit Switch config pmap class class default Switch config pmap c set cos 0 Switch...

Page 679: ... receives a minimum bandwidth guarantee equal to the unconfigured bandwidth on the port After you have attached an output policy map to an interface by using the service policy interface configuration command you can change only the parameters of the configured actions rates percentages and so on or add or delete classification criteria of the class map while the policy map is attached to the inte...

Page 680: ... the total speed for the interface You cannot configure CBWFQ bandwidth and traffic shape average or priority queuing priority for the same class in an output policy map You cannot configure bandwidth as an absolute rate or a percentage of total bandwidth when strict priority priority without police is configured for another class map You can configure bandwidth as a percentage of remaining bandwi...

Page 681: ...fig if service policy output gold_policy Switch config if exit Step 4 bandwidth rate percent value remaining percent value Set output bandwidth limits for the policy map class Enter a rate to set bandwidth in kilobits per second The range is from 64 to 1000000 Enter percent value to set bandwidth as a percentage of the total bandwidth The range is 1 to 100 percent Enter remaining percent value to ...

Page 682: ...ximum permitted average rate for a class of traffic After you have created an output policy map you attach it to an egress port See the Attaching a Traffic Policy to an Interface section on page 33 38 Use the no form of the appropriate command to delete an existing policy map or class map or to delete a class based shaping configuration Command Purpose Step 1 configure terminal Enter global config...

Page 683: ...hical policy map format to specify class based actions for the queues on the shaped port The total of the minimum bandwidth guarantees CIR for each queue of the child policy cannot exceed the total port shape rate Beginning in privileged EXEC mode follow these steps to use port shaping to configure the maximum permitted average rate for a class of traffic Command Purpose Step 1 configure terminal ...

Page 684: ...e use of the priority queues can possibly delay packets in other queues and create unnecessary congestion You can configure strict priority queuing priority without police or you can configure an unconditional priority policer priority with police Follow these guidelines when configuring priority queuing You can associate the priority command with a single unique class for all attached output poli...

Page 685: ... class map name Create classes for three egress queues Enter match conditions classification for each class Step 3 policy map policy map name Create a policy map by entering the policy map name and enter policy map configuration mode Step 4 class class map name Enter the name of the priority class created by using the class map global configuration command and enter policy map class configuration ...

Page 686: ...ps even though the range that appears in the CLI help is 8000 to 1000000000 You cannot attach an output service policy with an out of range rate You cannot configure priority with policing for a traffic class when bandwidth remaining percent is configured for another class in the same output policy map Beginning in privileged EXEC mode follow these steps to configure priority with police Command P...

Page 687: ...he command string following the police command You can also enter a carriage return after the police command and enter policy map class police configuration mode to enter the conform action When the police command is configured with priority in an output policy map only the default conform action of transmit is supported Although visible in the command line help string the other police conform act...

Page 688: ...3 Switch config pmap c bandwidth percent 20 Switch config pmap c exit Switch config pmap exit Switch config interface gigabitethernet0 1 Switch config if service policy output policy1 Switch config if exit Configuring Output Policy Maps with Weighted Tail Drop Weighted tail drop WTD adjusts the queue size buffer size associated with a traffic class You configure WTD by using the queue limit policy...

Page 689: ...ique class all other output policy maps must use the same format of qualifier type and qualifier value Only queue limit threshold values can be different For example when you configure class A queue limit thresholds for dscp 30 and dscp 50 in policy map1 and you configure class A queue limits in policy map 2 you must use dscp 30 and dscp 50 as qualifiers You cannot use dscp 20 and dscp 40 The thre...

Page 690: ...multiples of 16 where each packet is a fixed unit of 256 bytes Note For optimal performance we strongly recommend that you configure the queue limit to 272 or less The value is specified in packets by default but the packets keyword is optional Note Multiple output policy maps can use the same queue limit configuration However these policy maps can have only three unique queue limit configurations...

Page 691: ...use one or more of the privileged EXEC commands in Table 33 2 For explanations about available keywords see the command reference for this release QoS Statistics There are several ways to display QoS input and output policy map statistics For input policy maps you can use the show policy map interface interface id privileged EXEC command to display per class per policer conform and exceed statisti...

Page 692: ...trictions The sections are broken into different configurations actions that a customer might do Each section provides the exact sequence of steps that you must follow for successful configuration or modification QoS Configuration for Customer A page 33 66 QoS Configuration for Customer B page 33 68 Modifying Output Policies and Adding or Deleting Classification Criteria page 33 69 Modifying Outpu...

Page 693: ...Switch config pmap class silver in Switch config pmap c police 50000000 Switch config pmap class bronze in Switch config pmap c police 20000000 Switch config pmap c exit This example configures classes for output service policies with three classes of service gold silver and bronze The gold class is configured to match the marked value in the input service policy Because a match all classification...

Page 694: ...1 8 Switch config if range service policy input input all Switch config if range service policy output output1 8 Switch config if range no shutdown Switch config if range exit QoS Configuration for Customer B This section provides examples for configuring and activating QoS policies on the switch for a new set of customers without affecting the current customers Input and output QoS service polici...

Page 695: ... due to a change in the service provisioning requirements or a change in the input service policy map You can make the change without shutting down any port In the initial configuration Fast Ethernet ports 1 through 12 are UNIs and are active Fast Ethernet ports 13 through 24 are UNIs and are shut down Gigabit Ethernet ports 1 and 2 are NNIs and are enabled by default This is the overall sequence ...

Page 696: ...ough 12 by providing minimum guaranteed bandwidth of 40 Mb s to the gold class changed from 50 Mb s 30 Mb s to the silver class changed from 20 Mb s and 20 Mb s to the bronze class changed from 10 Mbps Switch config policy map output9 12 Switch config pmap class gold out Switch config pmap c bandwidth 40000 Switch config pmap c exit Switch config pmap class silver out Switch config pmap c bandwidt...

Page 697: ...ercent to the bronze class the policy is modified to provide class based shaping to 100000 bps Switch config policy map output g1 2 Switch config pmap class bronze out Switch config pmap c no bandwidth percent 10 Switch config pmap c shape average 100000 Switch config pmap c exit These steps reattach the output policy to the Gigabit Ethernet ports Switch config interface range gigabitethernet0 1 2...

Page 698: ...licy output output9 12 Switch config if range exit Switch config interface range gigabitethernet0 1 2 Switch config if range no service policy output output g1 2 Switch config if range exit These steps delete a class from all output policy maps and input policy maps the input policy can be left attached or can be detached Switch config policy map output1 8 Switch config pmap no class bronze out Sw...

Page 699: ... we want to delete a class in the output policy Shut down two ports Switch config interface range fastethernet0 1 2 Switch config if range shutdown Switch config if range exit Detach the output policy from both ports Switch config interface range fastEthernet0 1 2 Switch config if no service policy output output1 2 Switch config if exit Delete a class in the output policy Switch config policy map ...

Page 700: ...33 74 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 33 Configuring QoS Configuration Examples for Policy Maps ...

Page 701: ...raffic from the failed link to the remaining links in the channel without intervention This chapter also describes how to configure link state tracking The switch must be running the metro IP access or metro access image to support link state tracking Note For complete syntax and usage information for the commands used in this chapter see the command reference for this release Understanding EtherC...

Page 702: ...CP or Port Aggregation Protocol PAgP Use the port type eni nni interface configuration command to configure a port as an ENI or NNI The switch must be running the metro IP access image to allow configuring of more than four ports as NNIs Each EtherChannel can consist of up to eight compatibly configured Ethernet ports All ports in each EtherChannel must be configured as either Layer 2 or Layer 3 p...

Page 703: ...broadcast and multicast packets on one link in an EtherChannel are blocked from returning on any other link of the EtherChannel Port Channel Interfaces When you create an EtherChannel a port channel logical interface is involved With Layer 2 ports use the channel group interface configuration command to dynamically create the port channel logical interface You also can use the interface port chann...

Page 704: ...ry protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports Note PAgP is only available on network node interfaces NNIs and enhanced network interfaces ENIs By using PAgP the switch learns the identity of partners capable of supporting PAgP and...

Page 705: ...is PAgP capable you can configure the switch port for nonsilent operation by using the non silent keyword If you do not specify non silent with the auto or desirable mode silent mode is assumed Use the silent mode when the switch is connected to a device that is not PAgP capable and seldom if ever sends packets An example of a silent partner is a file server or a packet analyzer that is not genera...

Page 706: ...ameter constraints For example LACP groups the ports with the same speed duplex mode native VLAN VLAN range and trunking status and type After grouping the links into an EtherChannel LACP adds the group to the spanning tree as a single switch port LACP Modes Table 34 2 shows the user configurable EtherChannel LACP modes for the channel group interface configuration command on an NNI or ENI Both th...

Page 707: ...figuration If the group is misconfigured packet loss or spanning tree loops can occur Load Balancing and Forwarding Methods EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel EtherChannel load balancing can use MAC addresses or IP address...

Page 708: ... source and destination IP address based forwarding when packets are forwarded to an EtherChannel they are distributed across the ports in the EtherChannel based on both the source and destination IP addresses of the incoming packet This forwarding method a combination of source IP and destination IP address based forwarding can be used if it is not clear whether source IP or destination IP addres...

Page 709: ...g page 34 17 optional Configuring the PAgP Learn Method and Priority page 34 18 optional Configuring LACP Hot Standby Ports page 34 19 optional Note Make sure that the ports are correctly configured For more information see the EtherChannel Configuration Guidelines section on page 34 10 Note After you configure an EtherChannel configuration changes applied to the port channel interface apply to al...

Page 710: ...that is disabled by using the shutdown interface configuration command is treated as a link failure and its traffic is transferred to one of the remaining ports in the EtherChannel UNIs and ENIs are disabled by default NNIs are enabled by default When a group is first created all ports follow the parameters set for the first port to be added to the group If you change the configuration of one of t...

Page 711: ...able 802 1x on an EtherChannel port an error message appears and 802 1x is not enabled If EtherChannels are configured on switch interfaces remove the EtherChannel configuration from the interfaces before globally enabling 802 1x on a switch by using the dot1x system auth control global configuration command For Layer 2 EtherChannels Assign all ports in the EtherChannel to the same VLAN or configu...

Page 712: ...nnel you can configure up to eight ports of the same type and speed for the same group For a LACP EtherChannel you can configure up to 16 Ethernet ports of the same type Up to eight ports can be active and up to eight ports can be in standby mode Note If the interface is a UNI you must enter the port type eni nni interface configuration command before configuring PAgP or LACP Step 3 no shutdown En...

Page 713: ...hannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to file servers or packet anal...

Page 714: ... put the Ethernet ports into the port channel as described in the next two sections Note The switch must be running the metro IP access image to support Layer 3 ports Creating Port Channel Logical Interfaces When configuring Layer 3 EtherChannels you should first manually create the port channel logical interface by using the interface port channel global configuration command Then you put the log...

Page 715: ...ile Step 8 Assign an Ethernet port to the Layer 3 EtherChannel For more information see the Configuring the Physical Interfaces section on page 34 15 Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify a physical port and enter interface configuration mode Valid interfaces include physical ports For a PAgP EtherChannel you...

Page 716: ... on mode a usable EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode non silent Optional If your switch is connected to a partner that is PAgP capable configure the switch port for nonsilent operation when the port is in the auto or desirable mode If you do not specify non silent silent is assumed The silent setting is for connections to fil...

Page 717: ...al To return EtherChannel load balancing to the default configuration use the no port channel load balance global configuration command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 port channel load balance dst ip dst mac src dst ip src dst mac src ip src mac Configure an EtherChannel load balancing method The default is src mac Select one of these load distribu...

Page 718: ...e selected single port loses hardware signal detection You can configure which port is always selected for packet transmission by changing its priority with the pagp port priority interface configuration command The higher the priority the more likely that the port will be selected Note The switch supports address learning only on aggregate ports even though the physical port keyword is provided i...

Page 719: ...which means the switch sends packets to the source by using any of the ports in the EtherChannel With aggregate port learning it is not important on which physical port the packet arrives Select physical port to connect with another switch that is a physical learner Make sure to configure the port channel load balance global configuration command to src mac as described in the Configuring EtherCha...

Page 720: ...how the software selects active and standby links For more information see the Configuring the LACP System Priority section on page 34 20 and the Configuring the LACP Port Priority section on page 34 21 Configuring the LACP System Priority You can configure the system priority for all of the EtherChannels that are enabled for LACP by using the lacp system priority global configuration command You ...

Page 721: ... that cannot be actively included in the EtherChannel are put in the hot standby state and are used only if one of the channeled ports fails Beginning in privileged EXEC mode follow these steps to configure the LACP port priority This procedure is optional To return the LACP port priority to the default value use the no lacp port priority interface configuration command Command Purpose Step 1 conf...

Page 722: ...d to a customer premises equipment CPE switch The UPE switches are connected to the provider edge PE switches in the service provider SP network Customer devices such as clients connected to the CPE switch have multiple connections to the SP network This configuration ensures that the traffic flow is balanced from the customer site to the SP and the reverse Ports connected to the CPE are referred ...

Page 723: ...terfaces can be bundled together and each downstream interface can be associated with a single group consisting of multiple upstream interfaces referred to as a link state group In a link state group the link state of the downstream interfaces is dependent on the link state of the upstream interfaces If all of the upstream interfaces in a link state group are in the link down state the associated ...

Page 724: ...ember of more than one link state group You can configure only two link state groups per switch Configuring Link State Tracking Beginning in privileged EXEC mode follow these steps to configure a link state group and to assign an interface to a group Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 link state track number Create a link state group and enable link st...

Page 725: ...d without keywords to display information about all link state groups Enter the group number to display information specific to the group Enter the detail keyword to display detailed information about the group This is an example of output from the show link state group 1 command Switch show link state group 1 Link State Group 1 Status Enabled Down This is an example of output from the show link s...

Page 726: ...34 26 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 34 Configuring EtherChannels and Link State Tracking Displaying Link State Tracking Status ...

Page 727: ...nd Reference Volume 2 of 3 Routing Protocols Release 12 2 Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding IP Routing page 35 2 Steps for Configuring Routing page 35 3 Configuring IP Addressing page 35 3 Enabling IPv4 Unicast Routing page 35 17 Configuring RIP page 35 17 Configuring OSPF page 35 22 Configuring EIGRP page 35 3...

Page 728: ...to the router When Host A sends a packet to Host C in VLAN 20 Switch A forwards the packet to the router which receives the traffic on the VLAN 10 interface The router checks the routing table finds the correct outgoing interface and forwards the packet on the VLAN 20 interface to Switch B Switch B receives the packet and forwards it to Host C Types of Routing Routers and Layer 3 switches can rout...

Page 729: ...dresses assigned to them See the Assigning IP Addresses to Network Interfaces section on page 35 5 Note A Layer 3 switch can have an IP address assigned to each routed port and SVI The number of routed ports and SVIs that you can configure is not limited by software However the interrelationship between this number and the number and volume of features being implemented might have an impact on CPU...

Page 730: ...RP Timeout 14400 seconds 4 hours IP broadcast address 255 255 255 255 all ones IP classless routing Enabled IP default gateway Disabled IP directed broadcast Disabled all IP directed broadcasts are dropped IP domain Domain list No domain names defined Domain lookup Enabled Domain name Enabled IP forward protocol If a helper address is defined or User Datagram Protocol UDP flooding is configured UD...

Page 731: ...ng in privileged EXEC mode follow these steps to enable subnet zero Use the no ip subnet zero global configuration command to restore the default and disable the use of subnet zero Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no shutdown Enable the int...

Page 732: ...In Figure 35 2 classless routing is enabled When the host sends a packet to 120 20 4 1 instead of discarding the packet the router forwards it to the best supernet route If you disable classless routing and a router receives packets destined for a subnet of a network with no network default route the router discards the packet Figure 35 2 IP Classless Routing In Figure 35 3 the router in network 1...

Page 733: ...che for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol SNAP Proxy ARP helps hosts with no routing tables learn the MAC addresses of hosts on other networks or subnets If the switch router receives an ...

Page 734: ...arp cache privileged EXEC command Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arp ip address hardware address type Globally associate an IP address with a MAC hardware address in the ARP cache and specify encapsulation type as one of these arpa ARP encapsulation for Ethernet interfaces snap Subnetwork Address Protocol encapsulation for Token Ring and FDDI inter...

Page 735: ... Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no shutdown Enable the interface if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 arp arpa snap Specify the ARP encapsulation method arpa Address Resolution Protocol snap Subnetwork Address Protocol Step 5 end Return to privileged EXEC mode Step 6 show interfaces interface id Ver...

Page 736: ...ARP works as long as other routers support it Default Gateway Another method for locating routes is to define a default router or default gateway All nonlocal packets are sent to this router which either routes them appropriately or sends an IP Control Message Protocol ICMP redirect message back defining which local router the host should use The switch caches the redirect messages and forwards ea...

Page 737: ...and ENIs are disabled and NNIs are enabled Step 4 ip irdp Enable IRDP processing on the interface Step 5 ip irdp multicast Optional Send IRDP advertisements to the multicast address 224 0 0 1 instead of IP broadcasts Note This command allows for compatibility with Sun Microsystems Solaris which requires IRDP packets to be sent out as multicasts Many implementations cannot receive these multicasts ...

Page 738: ... Layer 2 devices forward broadcasts to all network segments thus propagating broadcast storms The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network In most modern IP implementations you can set the address to be used as the broadcast address The switch supports several addressing schemes for forwarding broadcast messages Enabling Directed Broadca...

Page 739: ...er address has been defined for an interface The description for the ip forward protocol interface configuration command in the Cisco IOS IP Command Reference Volume 1 of 3 Addressing and Services Release 12 2 lists the ports that are forwarded by default if you do not specify any UDP ports If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts you are configuring ...

Page 740: ...ssary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 ip helper address address Enable forwarding and specify the destination address for forwarding UDP broadcast packets including BOOTP Step 5 exit Return to global configuration mode Step 6 ip forward protocol udp port nd sdns Specify which protocols the router forwards when forwarding broadcast packets Step 7 end Return to priv...

Page 741: ...me to live TTL value of the packet must be at least two A flooded UDP datagram is given the destination address specified with the ip broadcast address interface configuration command on the output interface The destination address can be set to any address so it might change as the datagram propagates through the network The source address is never changed The TTL value is decremented When a floo...

Page 742: ...erify your entry Step 5 copy running config startup config Optional Save your entry in the configuration file Table 35 2 Commands to Clear Caches Tables and Databases Command Purpose clear arp cache Clear the IP ARP cache and the fast switching cache clear host name Remove one or all entries from the hostname and the address cache clear ip route network mask Remove one or more routes from the IP r...

Page 743: ...Configuring BGP page 35 42 Configuring ISO CLNS Routing page 35 62 Configuring BFD for OSPF page 35 76 Configuring Protocol Independent Features page 35 95 optional Configuring RIP The Routing Information Protocol RIP is an interior gateway protocol IGP used in small homogeneous networks It is a distance vector routing protocol that uses broadcast User Datagram Protocol UDP data packets to exchang...

Page 744: ...he default network if a default was learned by RIP or if the router has a gateway of last resort and RIP is configured with a default metric RIP sends updates to the interfaces in specified networks If an interface s network is not specified it is not advertised in any RIP update These sections contain this configuration information Default RIP Configuration page 35 18 Configuring Basic RIP Parame...

Page 745: ...commands to take effect Step 5 neighbor ip address Optional Define a neighboring router with which to exchange routing information This step allows routing updates from RIP normally a broadcast protocol to reach nonbroadcast networks Step 6 offset list access list number name in out offset type number Optional Apply an offset list to routing metrics to increase incoming and outgoing metrics to rou...

Page 746: ... Version 2 only to advertise subnet and host routing information to classful network boundaries Step 10 no validate update source Optional Disable validation of the source IP address of incoming RIP routing updates By default the switch validates the source IP address of incoming RIP routing updates and discards the update if the source address is not valid Under normal circumstances disabling thi...

Page 747: ...echanism use the ip split horizon interface configuration command Configuring Summary Addresses To configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial up clients use the ip summary address rip interface configuration command Note If split horizon is enabled neither autosummary nor interface IP summary addresses are advertised Step ...

Page 748: ...if exit Switch config router rip Switch config router network 10 0 0 0 Switch config router neighbor 2 2 2 2 peer group mygroup Switch config router end Configuring OSPF Open Shortest Path First OSPF is an Interior Gateway Protocol IGP designed expressly for IP networks supporting IP subnetting and tagging of externally derived routing information OSPF also allows packet authentication and uses IP...

Page 749: ...figurable routing interface parameters include interface output cost retransmission interval interface transmit delay router priority router dead and hello intervals and authentication key Virtual links are supported Not so stubby areas NSSAs per RFC 1587are supported OSPF typically requires coordination among many internal routers area border routers ABRs connected to multiple areas and autonomou...

Page 750: ... is 10 and the external route type default is Type 2 Default metric Built in automatic metric translation as appropriate for each routing protocol Distance OSPF dist1 all routes within an area 110 dist2 all routes from one area to another 110 and dist3 routes from other routing domains 110 OSPF database filter Disabled All outgoing link state advertisements LSAs are flooded to the interface IP OSP...

Page 751: ...low these steps to enable OSPF Virtual link No area ID or router ID defined Hello interval 10 seconds Retransmit interval 5 seconds Transmit delay 1 second Dead interval 40 seconds Authentication key no key predefined Message digest key MD5 no key predefined 1 NSF Nonstop forwarding 2 OSPF NSF awareness is enabled for IPv4 on switches running the metro IP access image Table 35 5 Default OSPF Confi...

Page 752: ... disabled and NNIs are enabled Step 4 ip ospf cost Optional Explicitly specify the cost of sending a packet on the interface Step 5 ip ospf retransmit interval seconds Optional Specify the number of seconds between link state advertisement transmissions The range is 1 to 65535 seconds The default is 5 seconds Step 6 ip ospf transmit delay seconds Optional Set the estimated number of seconds to wai...

Page 753: ...lection requires special configuration parameters You need to configure these parameters only for devices that are eligible to become the designated router or backup designated router in other words routers with a nonzero router priority value Step 11 ip ospf message digest key keyid md5 key Optional Enable MDS authentication keyid An identifier from 1 to 255 key An alphanumeric password of up to ...

Page 754: ...an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router ospf process id Configure an OSPF routing process and enter router configuration mode Step 3 neighbor ip address priority number poll interval seconds Specify an OSPF neighbor with neighbor parameters as required ip address Enter the interface IP address of the OSPF neighbor Optional priority numbe...

Page 755: ...ther keyword the interface is point to multipoint for broadcast media point to multipoint non broadcast Specify an OSPF nonbroadcast point to multipoint network point to point Specify an OSPF point to point network Step 5 exit Return to global configuration mode Step 6 router ospf process id Optional for point to multipoint required for point to multipoint nonbroadcast Configure an OSPF routing pr...

Page 756: ...Enable MD5 authentication on the area Step 5 area area id stub no summary Optional Define an area as a stub area The no summary keyword prevents an ABR from sending summary link advertisements into the stub area Step 6 area area id nssa no redistribution default information originate no summary Optional Defines an area as a not so stubby area Every router within the same area must agree that the a...

Page 757: ... calculated as ref bw divided by bandwidth where ref is 10 by default and bandwidth bw is specified by the bandwidth interface configuration command For multiple links with high bandwidth you can specify a larger number to differentiate the cost on those links Administrative distance is a rating of the trustworthiness of a routing information source an integer between 0 and 255 with a higher value...

Page 758: ...F routing domain Parameters are all optional Step 6 ip ospf name lookup Optional Configure DNS name lookup The default is disabled Step 7 ip auto cost reference bandwidth ref bw Optional Specify an address range for which a single route will be advertised Use this command only with area border routers Step 8 distance ospf inter area dist1 inter area dist2 external dist3 Optional Change the OSPF di...

Page 759: ... over other interfaces and it chooses the highest IP address among all loopback interfaces Beginning in privileged EXEC mode follow these steps to configure a loopback interface Use the no interface loopback 0 global configuration command to disable the loopback interface Step 3 timers lsa group pacing seconds Change the group pacing of LSAs Step 4 end Return to privileged EXEC mode Step 5 show ru...

Page 760: ...ncreased network width With RIP the largest possible width of your network is 15 hops Because the EIGRP metric is large enough to support thousands of hops the only barrier to expanding the network is the transport layer hop counter EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP Table 35 6 S...

Page 761: ...packets quickly when there are unacknowledged packets pending The DUAL finite state machine handles the decision process for all route computations It tracks all routes advertised by all neighbors and uses the distance information known as a metric to select efficient loop free paths DUAL selects routes to be inserted into a routing table based on feasible successors A successor is a neighboring r...

Page 762: ...sion unit size of the route in bytes 0 or any positive integer Distance Internal distance 90 External distance 170 EIGRP log neighbor changes Disabled No adjacency changes logged IP authentication key chain No authentication provided IP authentication mode No authentication provided IP bandwidth percent 50 percent IP hello interval For low speed nonbroadcast multiaccess NBMA networks 60 seconds al...

Page 763: ...d other steps are optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router eigrp autonomous system Enable an EIGRP routing process and enter router configuration mode The AS number identifies the routes to other EIGRP routers and is used to tag routing information Step 3 network network number Associate networks with an EIGRP routing process EIGRP sends upda...

Page 764: ...p bandwidth percent eigrp percent Optional Configure the percentage of bandwidth that can be used by EIGRP on an interface The default is 50 percent Step 5 ip summary address eigrp autonomous system number address mask Optional Configure a summary aggregate address for a specified interface not usually necessary if auto summary is enabled Step 6 ip hello interval eigrp autonomous system number sec...

Page 765: ... eigrp autonomous system md5 Enable MD5 authentication in IP EIGRP packets Step 5 ip authentication key chain eigrp autonomous system key chain Enable authentication of IP EIGRP packets Step 6 exit Return to global configuration mode Step 7 key chain name of chain Identify a key chain and enter key chain configuration mode Match the name configured in Step 4 Step 8 key number In key chain configur...

Page 766: ...uting at the access layer to eliminate the need for other types of routing advertisements If you try to configure multi VRF CE and EIGRP stub routing at the same time the configuration is not allowed Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes and a router that has a stub peer does not query that peer The stub router depends on ...

Page 767: ...p 4 eigrp stub receive only connected static summary Configure a remote router as an EIGRP stub router The keywords have these meanings Enter receive only to set the router as a receive only neighbor Enter connected to advertise connected routes Enter static to advertise static routes Enter summary to advertise summary routes Step 5 end Return to privileged EXEC mode Step 6 show ip eigrp neighbor ...

Page 768: ...pdates run internal BGP IBGP and routers that belong to different autonomous systems and that exchange BGP updates run external BGP EBGP Most configuration commands are the same for configuring EBGP and IBGP The difference is that the routing updates are exchanged either between autonomous systems EBGP or within an AS IBGP Figure 35 5 shows a network that is running both EBGP and IBGP Figure 35 5 ...

Page 769: ...tion including information about the list of AS paths with other BGP systems This information can be used to determine AS connectivity to prune routing loops and to enforce AS level policy decisions A router or switch running Cisco IOS does not select or use an IBGP route unless it has a route available to the next hop router and it has received synchronization from an IGP unless IGP synchronizati...

Page 770: ...erything else that has not been permitted Format Cisco default format 32 bit number BGP confederation identifier peers Identifier None configured Peers None identified BGP Fast external fallover Enabled BGP local preference 100 The range is 0 to 4294967295 with the higher value preferred BGP network None specified no backdoor route advertised BGP route dampening Disabled by default When enabled Ha...

Page 771: ...for BGP neighbor Disabled Password Disabled Peer group None defined no members assigned Prefix list None specified Remote AS add entry to neighbor BGP table No peers defined Private AS number removal Disabled Route maps None applied to a peer Send community attributes None sent to neighbors Shutdown or soft reconfiguration Not enabled Timers keepalive 60 seconds holdtime 180 seconds Update source ...

Page 772: ...l neighbors The private AS numbers are from 64512 to 65535 You can configure external neighbors to remove private AS numbers from the AS path by using the neighbor remove private as router configuration command Then when an update is passed to an external neighbor if the AS path includes private AS numbers these numbers are dropped If your AS must pass traffic through it from another AS to a third...

Page 773: ... connection For IBGP the IP address can be the address of any of the router interfaces Step 6 neighbor ip address peer group name remove private as Optional Remove private AS numbers from the AS path in outbound routing updates Step 7 no synchronization Optional Disable synchronization between BGP and an IGP Step 8 no auto summary Optional Disable automatic network summarization By default when a ...

Page 774: ...ter ID is the highest IP address on that router or the highest loopback interface Each time the table is updated with new information the table version number increments A table version number that continually increments means that a route is flapping causing continual routing updates For exterior protocols a reference to an IP network from the network router configuration command controls only wh...

Page 775: ...ft Resets Type of Reset Advantages Disadvantages Hard reset No memory overhead The prefixes in the BGP IP and FIB tables provided by the neighbor are lost Not recommended Outbound soft reset No configuration no storing of routing table updates Does not reset inbound routing table updates Dynamic inbound soft reset Does not clear the BGP session and cache Does not require storing of routing table u...

Page 776: ...ated in routing updates By default the weight attribute is 32768 for paths that the router originates and zero for other paths You can use access lists route maps or the neighbor weight router configuration command to set weights 3 Prefer the route with the highest local preference Local preference is part of the routing update and exchanged among routers in the same AS The default value of the lo...

Page 777: ...294967295 The lowest value is the most desirable Step 7 bgp bestpath med missing as worst Optional Configure the switch to consider a missing MED as having a value of infinity making the path without a MED value the least desirable path Step 8 bgp always compare med Optional Configure the switch to compare MEDs for paths from neighbors in different autonomous systems By default MED comparison is o...

Page 778: ... 107 for information about the distribute list command You can use route maps on a per neighbor basis to filter updates and to modify various attributes A route map can be applied to either inbound or outbound updates Only the routes that pass the route map are sent or accepted in updates On both inbound and outbound updates matching is supported based on AS path community and network numbers Auto...

Page 779: ... an AS number and enter router configuration mode Step 3 neighbor ip address peer group name distribute list access list number name in out Optional Filter BGP routing updates to or from neighbors as specified in an access list Note You can also use the neighbor prefix list router configuration command to filter updates but you cannot use both commands to configure the same BGP peer Step 4 neighbo...

Page 780: ... list Beginning in privileged EXEC mode follow these steps to create a prefix list or to add an entry to a prefix list To delete a prefix list and all of its entries use the no ip prefix list list name global configuration command To delete an entry from a prefix list use the no ip prefix list seq seq value global configuration command To disable automatic generation of sequence numbers use the no...

Page 781: ...oups of communities to use in a match clause of a route map As with an access list a series of community lists can be created Statements are checked until a match is found As soon as one statement is satisfied the test is concluded To set the COMMUNITIES attribute and match clauses based on communities see the match community list and set community route map configuration commands in the Using Rou...

Page 782: ...neighbor shutdown router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 7 ip bgp community new format Optional Display and parse BGP communities in the format AA NN A BGP community is displayed in a two part format 2 bytes long The Cisco default community format is in the format NNAA In the most recent RFC for BGP a community takes the form A...

Page 783: ... to a BGP peer The same password must be configured on both BGP peers or the connection between them is not made Step 16 neighbor ip address peer group name route map map name in out Optional Apply a route map to incoming or outgoing routes Step 17 neighbor ip address peer group name send community Optional Specify that the COMMUNITIES attribute be sent to the neighbor at this IP address Step 18 n...

Page 784: ...nd Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter BGP router configuration mode Step 3 aggregate address address mask Create an aggregate entry in the BGP routing table The aggregate route is advertised as coming from the AS and the atomic aggregate attribute is set to indicate that information might be missing Step 4 agg...

Page 785: ...because another method is used to pass learned routes to neighbors When you configure an internal BGP peer to be a route reflector it is responsible for passing IBGP learned routes to a set of IBGP neighbors The internal peers of the route reflector are divided into two groups client peers and nonclient peers all the other routers in the autonomous system A route reflector reflects routes between ...

Page 786: ...ssed route that is up is advertised again Dampening is not applied to routes that are learned by IBGP This policy prevents the IBGP peers from having a higher penalty for routes external to the AS Beginning in privileged EXEC mode use these commands to configure BGP route dampening Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enter B...

Page 787: ...flapping The statistics are deleted when the route is not suppressed and is stable Step 7 show ip bgp dampened paths Optional Display the dampened routes including the time remaining before they are suppressed Step 8 clear ip bgp flap statistics regexp regexp filter list list address mask longer prefix Optional Clear BGP flap statistics to make it less likely that a route will be dampened Step 9 c...

Page 788: ...sing schemes is in the definition of area addresses Both use the system ID for Level 1 routing routing within an area However they differ in the way addresses are specified for area routing An ISO IGRP NSAP address includes three separate fields for routing the domain area and system ID An IS IS address includes two fields a single continuous area field comprising the domain and area fields and th...

Page 789: ...vel 2 routing You can configure additional router instances which are automatically treated as Level 1 areas You must configure the parameters for each instance of the IS IS routing process individually For IS IS multiarea routing you can configure only one process to perform Level 2 routing although you can define up to 29 Level 1 areas for each Cisco unit If Level 2 routing is configured on any ...

Page 790: ...tion throttling timers Maximum interval between two consecutive occurrences 5 seconds Initial LSP generation delay 50 ms Hold time between the first and second LSP generation 5000 ms LSP maximum lifetime without a refresh 1200 seconds 20 minutes before t he LSP packet is deleted LSP refresh interval Send LSP refreshes every 900 seconds 15 minutes Maximum LSP packet size 1497 bytes NSF1 Awareness E...

Page 791: ...cify a name for a NET and for an address Step 5 is type level 1 level 1 2 level 2 only Optional You can configure the router to act as a Level 1 station router a Level 2 area router for multi area routing or both the default level 1 act as a station router only level 1 2 act as both a station router and an area router level 2 act as an area router only Step 6 exit Return to global configuration mo...

Page 792: ...if clns router isis Switch config router exit Router C Switch config clns routing Switch config router isis Switch config router net 49 0001 0000 0000 000c 00 Switch config router exit Switch config interface gigabitethernet0 1 Switch config if ip router isis Switch config if clns router isis Switch config interface gigabitethernet0 2 Switch config if ip router isis Switch config if clns router is...

Page 793: ... ignore lsp errors Optional Configure the router to ignore LSPs with internal checksum errors instead of purging the LSPs This command is enabled by default corrupted LSPs are dropped To purge the corrupted LSPs enter the no ignore lsp errors router configuration command Step 6 area password password Optional Configure the area authentication password which is inserted in Level 1 station router le...

Page 794: ...itial SFP calculation after a topology change in milliseconds The range is 1 to 10000 the default is 5500 spf second wait the holdtime between the first and second SFP calculation in milliseconds The range is 1 to 10000 the default is 5500 Step 14 prc interval prc max wait prc initial wait prc second wait Optional Sets IS IS partial route computation PRC throttling timers prc max wait the maximum ...

Page 795: ...etermine the hold time sent in IS IS hello packets The hold time determines how long a neighbor waits for another hello packet before declaring the neighbor down This determines how quickly a failed link or neighbor is detected so that routes can be recalculated Change the hello multiplier in circumstances where hello packets are lost frequently and IS IS adjacencies are failing unnecessarily You ...

Page 796: ...pute the hello interval based on the hello multiplier so that the resulting hold time is 1 second seconds the range is from 1 to 65535 The default is 10 seconds Step 6 isis hello multiplier multiplier level 1 level 2 Optional Specify the number of IS IS hello packets a neighbor must miss before the router should declare the adjacency as down The range is from 3 to 1000 The default is 3 Using a sma...

Page 797: ... at least one area in common If there is no area in common a Level 2 adjacency is established This is the default level 2 a Level 2 adjacency is established If the neighbor router is a Level 1 router no adjacency is established Step 12 isis password password level 1 level 2 Optional Configure the authentication password for an interface By default authentication is disabled Specifying Level 1 or L...

Page 798: ...ntervals If the neighbor is not directly connected BFD neighbor registration is rejected Figure 35 6 shows a simple network with two routers running OSPF and BFD When OSPF discovers a neighbor 1 it sends a request to the BFD process to initiate a BFD neighbor session with the neighbor OSPF router 2 establishing the BFD neighbor session 3 show clns filter set Display filter sets show clns interface...

Page 799: ...to 3000 ms Failure rate detection can be faster in BFD echo mode which is enabled by default when you configure BFD session In this mode the switch sends echo packets from the BFD software layer and the BFD neighbor responds to the echo packets through its fast switching layer The echo packets do not reach the BFD neighbor software layer but are reflected back over the forwarding path for failure ...

Page 800: ... for HSRP is enabled by default Asynchronous BFD echo mode is enabled when a BFD session is configured Default BFD Configuration Guidelines The switch supports a maximum of 28 BFD sessions at one time To run BFD on a switch Configure basic BFD interval parameters on each interface over which you want to run BFD sessions Enable routing on the switch You can configure BFD without enabling routing bu...

Page 801: ...nterface for a BFD session and enter interface configuration mode Only physical interfaces support BFD Step 3 no shutdown Enable the interface if necessary User network interfaces UNIs and enhanced network interfaces ENIs are disabled by default network node interfaces NNIs are enabled by default Step 4 no switchport Remove the interface from Layer 2 configuration mode Step 5 ip address ip address...

Page 802: ... interfaces To disable OSPF BFD on all interfaces enter the no bfd all interfaces router configuration command To disable it on an interface enter the no ip osfp bfd or the ip ospf bfd disable interface configuration command on the interface If you want to run OSPF BFD on only one or a few interfaces you can enter the ip ospf bfd interface configuration command on those interfaces instead of enabl...

Page 803: ...t be running on all devices participating in BFD You can enable BFD support for IS IS by enabling it globally on all IS IS interfaces or by enabling it on one or more interfaces Configuring BFD for IS IS Globally Beginning in privileged EXEC mode follow these steps to configure IS IS BFD globally and to optionally disable it on specific interfaces Command Purpose Step 1 configure terminal Enter gl...

Page 804: ...BFD globally on all interfaces associated with the IS IS routing process Step 4 exit Optional Return to global configuration mode if you want to disable BFD on one or more IS IS interfaces Step 5 interface interface id Optional Specify an interface and enter interface configuration mode Step 6 ip router isis Optional Enable IPv4 IS IS routing on the interface Step 7 isis bfd disable Optional Disab...

Page 805: ...erfaces Beginning in privileged EXEC mode follow these steps follow these to configure EIGRP BFD Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp as tag Specify a BGP autonomous system and enter router configuration mode Step 3 neighbor ip address fall over bfd Enable BFD support for fallover on the BFD neighbor Step 4 end Return to privileged EXEC mode S...

Page 806: ...e BFD sessions on other interfaces you must disable and reenable it globally by entering the no standby bfd all interfaces global configuration command followed by the standby bfd all interfaces global configuration command Step 5 end Return to privileged EXEC mode Step 6 show bfd neighbors detail Verify the configuration Step 7 copy running config startup config Optional Save your entries in the ...

Page 807: ...h supports multiple VPN routing forwarding multi VRF instances in customer edge CE devices multi VRF CE With Multi VRF CE a service provider can support two or more VPNs with overlapping IP addresses Note The switch does not use Multiprotocol Label Switching MPLS to support VPNs For information about MPLS VRF refer to the Cisco IOS Switching Services Configuration Guide Release 12 2 Understanding ...

Page 808: ... required to maintain VPN routes for those VPNs to which it is directly attached eliminating the need for the PE to maintain all of the service provider VPN routes Each PE router maintains a VRF for each of its directly connected sites Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN Each VPN is mapped to a specified VRF After...

Page 809: ... network When the switch receives a packet from a VPN the switch looks up the routing table based on the input policy label number When a route is found the switch forwards the packet to the PE When the ingress PE receives a packet from the CE it performs a VRF lookup When a route is found the router adds a corresponding MPLS label to the packet and sends it to the MPLS network When an egress PE r...

Page 810: ...35 8 multiple virtual Layer 3 interfaces are connected to the multi VRF CE device The switch supports configuring VRF by using physical ports VLAN SVIs or a combination of both The SVIs can be connected through an access port or a trunk port A customer can use multiple VLANs as long as they do not overlap with those of other customers A customer s VLANs are mapped to a specific routing table ID th...

Page 811: ...l Enter global configuration mode Step 2 ip routing Enable IP routing Step 3 ip vrf vrf name Name the VRF and enter VRF configuration mode Step 4 rd route distinguisher Create a VRF table by specifying a route distinguisher Enter either an AS number and an arbitrary number xxx y or an IP address and arbitrary number A B C D y Step 5 route target export import both route target ext community Create...

Page 812: ...ess Resolution Protocol ARP entries for specific VRFs These services are VRF Aware ARP Ping Simple Network Management Protocol SNMP Hot Standby Router Protocol HSRP Unicast Reverse Path Forwarding uRPF Syslog Traceroute FTP and TFTP User Interface for ARP Beginning in privileged EXEC mode follow these steps to configure VRF aware services for ARP For complete syntax and usage information for the c...

Page 813: ...tep 3 snmp server engineID remote host vrf vpn instance engine id string Configure a name for the remote SNMP engine on a switch Step 4 snmp server host host vrf vpn instance traps community Specify the recipient of an SNMP trap operation and specify the VRF table to be used for sending SNMP traps Step 5 snmp server host host vrf vpn instance informs community Specify the recipient of an SNMP info...

Page 814: ...terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and specify the Layer 3 interface to configure Step 3 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 4 ip vrf forwarding vrf name Configure VRF on the interface Step 5 ip address ip address Enter the IP address for the interface Step 6 ip ...

Page 815: ...that interface To specify the source IP address for FTP connections use the ip ftp source interface show mode command To use the address of the interface where the connection is made use the no form of this command To specify the IP address of an interface as the source address for TFTP connections use the ip tftp source interface show mode command To return to the default use the no form of this ...

Page 816: ...ibute information from the BGP network to the OSPF network Step 5 network network number area area id Define a network address and mask on which OSPF runs and the area ID for that network address Step 6 end Return to privileged EXEC mode Step 7 show ip ospf process id Verify the configuration of the OSPF network Step 8 copy running config startup config Optional Save your entries in the configurat...

Page 817: ...ther customer switches are not included but would be similar The example also includes commands for configuring traffic to Switch A for a Catalyst 6000 or Catalyst 6500 switch acting as a PE router Figure 35 9 Multi VRF CE Configuration Example Configuring Switch A On Switch A enable routing and configure VRF Switch configure terminal Enter configuration commands one per line End with CNTL Z Switc...

Page 818: ...if no ip address Switch config if exit Switch config interface fastethernet0 8 Switch config if no shutdown Switch config if switchport access vlan 208 Switch config if no ip address Switch config if exit Switch config interface fastethernet0 11 Switch config if no shutdown Switch config if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if no ip address S...

Page 819: ...uter af neighbor 38 0 0 3 remote as 100 Switch config router af neighbor 38 0 0 3 activate Switch config router af network 8 8 1 0 mask 255 255 255 0 Switch config router af end Configuring Switch D Switch D belongs to VPN 1 Configure the connection to Switch A by using these commands Switch configure terminal Enter configuration commands one per line End with CNTL Z Switch config ip routing Switc...

Page 820: ...if ip address 3 3 1 3 255 255 255 0 Router config if exit Router config interface Loopback2 Router config if ip vrf forwarding v2 Router config if ip address 3 3 2 3 255 255 255 0 Router config if exit Router config interface gigabitthernet0 10 Router config if encapsulation dot1q 10 Router config if ip vrf forwarding v1 Router config if ip address 38 0 0 3 255 255 255 0 Router config if exit Rout...

Page 821: ...ting Information page 35 99 Configuring Policy Based Routing page 35 103 Filtering Routing Information page 35 106 Managing Authentication Keys page 35 108 Configuring Cisco Express Forwarding Cisco Express Forwarding CEF is a Layer 3 IP switching technology used to optimize network performance CEF implements an advanced IP look up and forwarding algorithm to deliver maximum Layer 3 switching perf...

Page 822: ... 3 interfaces Entering the no ip route cache cef interface configuration command disables CEF for traffic that is being forwarded by software This command does not affect the hardware forwarding path Disabling CEF and using the debug ip packet detail privileged EXEC command can be useful to debug software forwarded traffic To enable CEF on an interface for the software forwarding path use the ip r...

Page 823: ...r defined routes that cause packets moving between a source and a destination to take a specified path Static routes can be important if the router cannot build a route to a particular destination and are useful for specifying a gateway of last resort to which all unroutable packets are sent Beginning in privileged EXEC mode follow these steps to configure a static route Use the no ip route prefix...

Page 824: ...e are removed from the IP routing table When the software can no longer find a valid next hop for the address specified as the forwarding router s address in a static route the static route is also removed from the IP routing table Specifying Default Routes and Networks A router might not be able to learn the routes to all other networks To provide complete routing capability you can use some rout...

Page 825: ... multiple routing protocols simultaneously and it can redistribute information from one routing protocol to another Redistributing information from one routing protocol to another applies to all supported IP based routing protocols You can also conditionally control the redistribution of routes between routing domains by defining enhanced packet filters or route maps between the two domains The ma...

Page 826: ...ow these steps to configure a route map for redistribution Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 route map map tag permit deny sequence number Define any route maps used to control redistribution and enter route map configuration mode map tag A meaningful name for the route map The redistribute router configuration command uses this name to reference this...

Page 827: ...el 1 2 stub area backbone Set the level for routes that are advertised into the specified area of the routing domain The stub area and backbone are OSPF NSSA and backbone areas Step 17 set metric metric value Set the metric value to give the redistributed routes for EIGRP only The metric value is an integer from 294967295 to 294967295 Step 18 set metric bandwidth delay reliability loading mtu Set ...

Page 828: ...ode is in effect Step 21 set weight Set the BGP weight for the routing table The value can be from 1 to 65535 Step 22 end Return to privileged EXEC mode Step 23 show route map Display all route maps configured or only the one specified to verify configuration Step 24 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 confi...

Page 829: ...on based routing is performed For PBR route map statements marked as deny are not supported For more information about configuring route maps see the Using Route Maps to Redistribute Routing Information section on page 35 99 You can use standard IP ACLs to specify match criteria for a source address or extended IP ACLs to specify match criteria based on an application a protocol type or an end sta...

Page 830: ... enabled on an interface The number of TCAM entries used by PBR depends on the route map itself the ACLs used and the order of the ACLs and route map entries Policy based routing based on packet length IP precedence and TOS set interface set default next hop or set default interface are not supported Policy maps with no valid set actions or with set action set to Don t Fragment are not supported E...

Page 831: ...he source and destination IP address that is permitted by one or more standard or extended access lists Note Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address If you do not specify a match command the route map applies to all packets Step 4 set ip next hop ip address ip address Specify the action to take on the packets that match the criteria Set next...

Page 832: ...ormation is neither sent nor received through the specified router interface In networks with many interfaces to avoid having to manually set them as passive you can set all interfaces to be passive by default by using the passive interface default router configuration command and manually setting interfaces where adjacencies are desired Beginning in privileged EXEC mode follow these steps to conf...

Page 833: ...list router configuration command to avoid processing certain routes listed in incoming updates This feature does not apply to OSPF Beginning in privileged EXEC mode follow these steps to control the advertising or processing of routing updates Use the no distribute list in router configuration command to change or cancel a filter To cancel suppression of network advertisements in updates use the ...

Page 834: ...rotocol section to see how to enable authentication for that protocol To manage authentication keys define a key chain identify the keys that belong to the key chain and specify how long each key is valid Each key has its own key identifier specified with the key number key chain configuration command which is stored locally The combination of the key identifier and the interface associated with t...

Page 835: ...the key can be received The start time and end time syntax can be either hh mm ss Month date year or hh mm ss date Month year The default is forever with the default start time and the earliest acceptable date as January 1 1993 The default end time and duration is infinite Step 6 send lifetime start time infinite end time duration seconds Optional Specify the time period during which the key can b...

Page 836: ...Monitoring and Maintaining the IP Network show ip route supernets only Display supernets show ip cache Display the routing table used to switch IP traffic show route map map name Display all route maps configured or only the one specified Table 35 17 Commands to Clear IP Routes or Display Route Status continued Command Purpose ...

Page 837: ...he procedures Understanding IPv6 section on page 36 1 Configuring IPv6 section on page 36 8 Displaying IPv6 section on page 36 22 Understanding IPv6 IPv4 users can move to IPv6 and receive services such as end to end security quality of service QoS and globally unique addresses The IPv6 address space reduces the need for private addresses and Network Address Translation NAT processing by border ro...

Page 838: ...ersion only once in each address 2031 0 130F 09C0 080F 130B For more information about IPv6 address formats address types and the IPv6 packet header see the Implementing IPv6 Addressing and Basic Connectivity chapter of Cisco IOS IPv6 Configuration Library on Cisco com In the Information About Implementing Basic Connectivity for IPv6 chapter these sections apply to the switch IPv6 Address Formats ...

Page 839: ...y a global routing prefix a subnet ID and an interface ID Current global unicast address allocation uses the range of addresses that start with binary value 001 2000 3 Addresses with a prefix of 2000 3 001 through E000 3 111 must have 64 bit interface identifiers in the extended unique identifier EUI 64 format Link local unicast addresses can be automatically configured on any interface by using t...

Page 840: ...he switch CPU is not unnecessarily burdened while it is in the process of obtaining the next hop forwarding information to route an IPv6 packet The switch drops any additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve This drop avoids further load on the CPU Default Router Preference The switch supports IPv6 default router preference DRP an exte...

Page 841: ... com Dual IPv4 and IPv6 Protocol Stacks You must use the dual IPv4 and IPv6 template to allocate hardware memory usage to both IPv4 and IPv6 protocols Figure 36 1 shows a router forwarding both IPv4 and IPv6 traffic through the same interface based on the IP packet and destination addresses Figure 36 1 Dual IPv4 and IPv6 Support on an Interface Use the dual IPv4 and IPv6 switch database management...

Page 842: ...e manually configured and define an explicit route between two networking devices Static routes are useful for smaller networks with only one path to an outside network or to provide security for certain types of traffic in a larger network For more information about static routes see the Implementing Static Routes for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com RIP for I...

Page 843: ...nnections can be made For more information see the Managing Cisco IOS Applications over IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Unsupported IPv6 Unicast Routing Features IPv6 policy based routing IPv6 virtual private network VPN routing and forwarding VRF table support Support for IPv6 routing protocols multiprotocol Border Gateway Protocol BGP and Intermediate System...

Page 844: ...n headers are forwarded in software In IPv4 these packets are routed in software but bridged in hardware In addition to the normal SPAN and RSPAN limitations defined in the software configuration guide these limitations are specific to IPv6 packets When you send RSPAN IPv6 routed packets the source MAC address in the SPAN output packet might be incorrect When you send RSPAN IPv6 routed packets the...

Page 845: ...e the prefix the network portion of the address To forward IPv6 traffic on an interface you must configure a global IPv6 address on that interface Configuring an IPv6 address on an interface automatically configures a link local address and activates IPv6 for the interface The configured interface automatically joins these required multicast groups for that link solicited node multicast group FF02...

Page 846: ...guration mode and specify the Layer 3 interface to configure The interface can be a physical interface a switch virtual interface SVI or a Layer 3 EtherChannel Step 7 no switchport Remove the interface from Layer 2 configuration mode if it is a physical interface Step 8 ipv6 address ipv6 prefix prefix length eui 64 or ipv6 address ipv6 address link local or ipv6 enable Specify a global IPv6 addres...

Page 847: ...ss es FF02 1 FF02 2 FF02 1 FF2F D940 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements l...

Page 848: ...hat the template takes effect Beginning in privileged EXEC mode follow these steps to configure a Layer 3 interface to support both IPv4 and IPv6 and to enable IPv6 routing Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 sdm prefer dual ipv4 and ipv6 default routing vlan Select an SDM template that supports IPv4 and IPv6 default Set the switch to the default templa...

Page 849: ...92 168 99 1 244 244 244 0 Switch config if ipv6 address 2001 0DB8 c18 1 64 eui 64 Switch config if end Configuring DHCP for IPv6 Address Assignment Default DHCPv6 Address Assignment Configuration page 36 13 DHCPv6 Address Assignment Configuration Guidelines page 36 14 Enabling the DHCPv6 Server Function page 36 14 Enabling the DHCPv6 Client Function page 36 16 Default DHCPv6 Address Assignment Con...

Page 850: ...ode and define the name for the IPv6 DHCP pool The pool name can be a symbolic string such as Engineering or an integer such as 0 Step 3 address prefix IPv6 prefix lifetime t1 t1 infinite Optional Specify an address prefix for address assignment This address must be in hexadecimal using 16 bit values between colons lifetime t1 t1 Specify a time interval in seconds that an IPv6 address prefix remai...

Page 851: ...hows how to configure a pool called 350 with vendor specific options Switch configure terminal Step 9 interface interface id Enter interface configuration mode and specify the interface to configure Step 10 ipv6 dhcp server poolname automatic rapid commit preference value allow hint Enable the DHCPv6 server function on an interface poolname Optional User defined name for the IPv6 DHCP pool The poo...

Page 852: ...v6 address dhcp rapid commit This document describes only the DHCPv6 address assignment For more information about configuring the DHCPv6 client server or relay agent functions see the Implementing DHCP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Configuring IPv6 ICMP Rate Limiting ICMP rate limiting is enabled by default with a default interval between error messages...

Page 853: ...pv6 cef global configuration command To reenable IPv6 CEF use the ipv6 cef global configuration command You can verify the IPv6 state by entering the show ipv6 cef privileged EXEC command For more information about configuring CEF see the Implementing IPv6 Addressing and Basic Connectivity chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Configuring Static Routing for IPv6 Before c...

Page 854: ...lways specify the IPv6 address of the next hop or ensure that the specified prefix is assigned to the link specifying a link local address as the next hop You can optionally specify the IPv6 address of the next hop to which packets are sent Note You must specify an interface id when using a link local address as the next hop The link local next hop must be an adjacent router administrative distanc...

Page 855: ...optional steps to configure IPv6 RIP Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ipv6 router rip name Configure an IPv6 RIP routing process and enter router configuration mode for the process Step 3 maximum paths number paths Optional Define the maximum number of equal cost routes that IPv6 RIP can support The range is from 1 to 64 and the default is 4 routes S...

Page 856: ...ollow these guidelines Be careful when changing the defaults for IPv6 commands Doing so might adversely affect OSPF for the IPv6 network Before you enable IPv6 OSPF on an interface you must Enable routing by using the ip routing global configuration command Enable the forwarding of IPv6 packets by using the ipv6 unicast routing global configuration command Enable IPv6 on Layer 3 interfaces on whic...

Page 857: ... status to advertise and to generate a Type 3 summary link state advertisement LSA not advertise Optional Set the address range status to DoNotAdvertise The Type 3 summary LSA is suppressed and component networks remain hidden from other networks cost cost Optional Metric or cost for this summary route which is used during OSPF SPF calculation to determine the shortest paths to the destination The...

Page 858: ...on selected interfaces to make them active EIGRP IPv6 does not need to be configured on a passive interface For more configuration procedures see the Implementing EIGRP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco com Displaying IPv6 For complete syntax and usage information on these commands see the Cisco IOS command reference publications Table 36 2 Commands for Monitori...

Page 859: ...77 Vlan7 3FFE C000 0 1 64 attached to Vlan1 3FFE C000 0 1 20B 46FF FE2F D940 128 receive 3FFE C000 0 7 64 attached to Vlan7 Table 36 3 Commands for Displaying EIGRP IPv6 Information Command Purpose show ipv6 eigrp as number interface Display information about interfaces configured for EIGRP IPv6 show ipv6 eigrp as number neighbor Display the neighbors discovered by EIGRP IPv6 show ipv6 eigrp as nu...

Page 860: ...11 GigabitEthernet0 12 Redistribution None This is an example of the output from the show ipv6 rip privileged EXEC command Switch show ipv6 rip RIP process fer port 521 multicast group FF02 9 pid 190 Administrative distance is 120 Maximum paths is 16 Updates every 30 seconds expire after 180 Holddown lasts 0 seconds garbage collect after 120 Split horizon is on poison reverse is off Default routes...

Page 861: ... 46FF FE2F D900 128 0 0 via Loopback10 output truncated This is an example of the output from the show ipv6 traffic privileged EXEC command Switch show ipv6 traffic IPv6 statistics Rcvd 1 total 1 local destination 0 source routed 0 truncated 0 format errors 0 hop count exceeded 0 bad header 0 unknown option 0 bad source 0 unknown protocol 0 not a router 0 fragments 0 total reassembled 0 reassembly...

Page 862: ...IPv6 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 router solicit 9944 router advert 0 redirects 84 neighbor solicit 84 neighbor advert UDP statistics Rcvd 0 input 0 checksum errors 0 length errors 0 no port 0 dropped Sent 26749 output TCP statistics Rcvd 0 input 0 checksum errors Sent 0 output 0 retransmitted ...

Page 863: ... template on the switch You select the template by entering the sdm prefer dual ipv4 and ipv6 default routing vlan global configuration command For related information see these chapters For more information about SDM templates see Chapter 6 Configuring SDM Templates For information about IPv6 on the switch seeChapter 36 Configuring IPv6 Unicast Routing For information about ACLs on the switch see...

Page 864: ...eived on ports to which a port ACL is applied are filtered by the port ACL Routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SVI packets received on the ports to which a port ACL is applied are filtered by the port ACL Outgoing routed IPv6 packets are filtered by the router ACL Other pack...

Page 865: ...rted on the platform When you apply the ACL to an interface that requires hardware forwarding physical ports or SVIs the switch determines whether or not the ACL can be supported on the interface If not the ACL attachment is rejected If an ACL is applied to an interface and you attempt to add an access control entry ACE with an unsupported keyword the switch does not allow the ACE to be added to t...

Page 866: ... Each ACL must have a unique name an error message appears if you try to use a name that is already configured You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface If you use the wrong command to attach an ACL for example an IPv4 command to attach an IPv6 ACL you receive an error message You cannot use MAC ACLs to filter I...

Page 867: ...d using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the operator follows the source ipv6 prefix prefix length argument it must match the source port If the operator follows the destination ipv6 prefix prefix length argument ...

Page 868: ...routing sequence value time range name Optional Define a UDP access list and the access conditions Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the operator port port number or name must be a UDP port number or name and the established parameter is not valid for UDP Step 3d deny permit icmp source ipv6 prefix prefix length any host...

Page 869: ...ginning in privileged EXEC mode follow these steps to control access to an interface Use the no ipv6 traffic filter access list name interface configuration command to remove an access list from an interface This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface Switch config interface gigabitethernet 0 3 Switch config if no switchport Switch config if ipv...

Page 870: ...ny any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the output from the show ipv6 access lists privileged EXEC command The output shows only IPv6 access lists configured on the switch or switch stack Switch show ipv6 access list IPv6 access list inbound permit tcp any any eq bgp 8 matches sequence 10 permit tcp any any eq telnet 15 matches sequence 20 permit udp any ...

Page 871: ...r IP hosts on an IEEE 802 LAN configured with a default gateway IP address HSRP routes IP traffic without relying on the availability of any single router It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN When HSRP is configured on a network or segment it provides a virtual Media Access Control MAC a...

Page 872: ...ntrol Message Protocol ICMP redirect messages are disabled by default for the interface You can configure multiple Hot Standby groups among switches that are operating in Layer 3 to make more use of the redundant routers To do so specify a group number for each Hot Standby command group you configure for an interface For example you might configure an interface on switch 1 as an active router and ...

Page 873: ...tually exclusive HSRPv2 Version 2 of the HSRP has these features To match the HSRP group number to the VLAN ID of a subinterface HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000 0C9F F000 to 0000 0C9F FFFF HSRPv2 uses the multicast address 224 0 0 102 to send hello packets HSRPv2 and CGMP leave processing are no longer mutually exclusive and both can be enabled at the same ...

Page 874: ...ents are configured for Router B Together the configuration for Routers A and B establishes two HSRP groups For group 1 Router A is the default active router because it has the assigned highest priority and Router B is the standby router For group 2 Router B is the default active router because it has the assigned highest priority and Router A is the standby router During normal operation the two ...

Page 875: ...hport interface configuration command SVI a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface Etherchannel port channel in Layer 3 mode a port channel logical interface created by using the interface port channel port channel number global configuration command and binding the Ethernet interface into the channel group For mor...

Page 876: ...gnated address currently in use When the standby ip command is enabled on an interface and proxy ARP is enabled if the interface s Hot Standby state is active proxy ARP requests are answered using the Hot Standby group MAC address If the interface is in a different state proxy ARP responses are suppressed Beginning in privileged EXEC mode follow these steps to create or enable HSRP on a Layer 3 in...

Page 877: ...hest priority becomes the active router If priorities are equal the current active router does not change The highest number 1 to 255 represents the highest priority most likely to become the active router Step 6 standby group number ip ip address secondary Create or enable the HSRP group using its number and virtual IP address Optional group number The group number on the interface for which HSRP...

Page 878: ...rfaces that were not configured with priority values fail the default decrement is 10 and it is noncumulative When routing is first enabled for the interface it does not have a complete routing table If it is configured to preempt it becomes the active router even though it is unable to provide adequate routing services To solve this problem configure a delay time to allow the router to update its...

Page 879: ...tive router Optional group number The group number to which the command applies Optional priority Enter to set or change the group priority The range is 1 to 255 the default is 100 Optional delay Set to cause the local router to postpone taking over the active role for the number of seconds shown The range is 0 to 3600 1 hour the default is 0 no delay before taking over Use the no form of the comm...

Page 880: ...iority 110 Switch config if standby 1 preempt Switch config if standby 2 ip 10 0 0 4 Switch config if standby 2 preempt Switch config if end Router B Configuration Switch configure terminal Switch config interface gigabitethernet0 1 Switch config if no switchport Switch config if ip address 10 0 0 2 255 255 255 0 Switch config if standby 1 ip 10 0 0 3 Switch config if standby 1 preempt Switch conf...

Page 881: ... if standby 1 timers 5 15 Switch config if end Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Enter interface configuration mode and enter the HSRP interface on which you want to set authentication Step 3 no shutdown Enable the port if necessary By default UNIs and ENIs are disabled and NNIs are enabled Step 4 standby group number authentica...

Page 882: ...leged EXEC mode use this command to display HSRP settings show standby interface id group brief detail You can display HSRP information for the whole switch for a specific interface for an HSRP group or for an HSRP group on an interface You can also specify whether to display a concise overview of HSRP information or detailed HSRP information The default display is detail If there are a large numb...

Page 883: ...ing the metro base image such as the ME 2400 support only IP SLAs responder functionality and must be configured with another device that supports full IP SLAs functionality For more information about IP SLAs see the Cisco IOS IP SLAs Configuration Guide Release 12 4T at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html For command syntax information se...

Page 884: ...ring applications like CiscoWorks Internetwork Performance Monitor IPM and other third party Cisco partner performance management products You can find more details about network management products that use Cisco IOS IP SLAs at this URL http www cisco com go ipsla Using IP SLAs can provide these benefits Service level agreement monitoring measurement and verification Network performance monitorin...

Page 885: ...esponder if required 2 Configure the required IP SLAs operation type 3 Configure any options available for the specified operation type 4 Configure threshold conditions if required 5 Schedule the operation to run then let the operation run for a period of time to gather statistics 6 Display and interpret the results of the operation using the Cisco IOS CLI or a network management system NMS system...

Page 886: ... IP SLAs operations For example a responder is not required for services that are already provided by the destination router such as Telnet or HTTP You cannot configure the IP SLAs responder on non Cisco devices and Cisco IOS IP SLAs can send operational packets only to services native to those devices Response Time Computation for IP SLAs Switches and routers can take tens of milliseconds to proc...

Page 887: ...at is visible through SNMP The pending state is also used when an operation is a reaction threshold operation waiting to be triggered You can schedule a single IP SLAs operation or a group of operations at one time You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO RTTMON MIB Scheduling the operations to run at evenly distributed times allo...

Page 888: ...not require a responder For details about configuring other operations see he Cisco IOS IP SLAs Configuration Guide at this URL http www cisco com en US docs ios ipsla configuration guide 12_4t sla_12_4t_book html This section includes this information Default Configuration page 39 6 Configuration Guidelines page 39 6 Configuring the IP SLAs Responder page 39 7 Analyzing IP Service Levels by Using...

Page 889: ...jitter Type of Operation to Perform pathEcho Type of Operation to Perform pathJitter Type of Operation to Perform tcpConnect Type of Operation to Perform udpEcho IP SLAs low memory water mark 21741224 Configuring the IP SLAs Responder The IP SLAs responder is available only on Cisco IOS software based devices including some Layer 2 switches that do not support full IP SLAs functionality such as th...

Page 890: ...r operations measure this data Per direction jitter source to destination and destination to source Per direction packet loss Per direction delay one way delay Round trip delay average round trip time Because the paths for the sending and receiving of data can be different asymmetric you can use the per direction data to more readily identify where congestion or other problems are occurring in the...

Page 891: ...ge from 1 to 65535 Optional source ip ip address hostname Specify the source IP address or hostname When a source IP address or hostname is not specified IP SLAs chooses the IP address nearest to the destination Optional source port port number Specify the source port number in the range from 1 to 65535 When a port number is not specified IP SLAs chooses an available port Optional control Enable o...

Page 892: ... Configure the scheduling parameters for an individual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter...

Page 893: ...e The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing and the two methods result in the same response times Note This operation does not require the IP SLAs responder to be enabled Beginning in privileged EXEC mode follow these steps to configure an ICMP echo operation on the source device Command Purpose Step 1 configure terminal Enter global configuration mod...

Page 894: ...dividual IP SLAs operation operation number Enter the RTR entry number Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notation an...

Page 895: ...ues including all defaults for all IP SLAs operations or a specific operation show ip sla enhanced history collection statistics distribution statistics entry number Display enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation show ip sla ethernet monitor configuration entry number Display IP SLAs automatic Ethernet...

Page 896: ...39 14 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 39 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations ...

Page 897: ...or metro access image is running on the switch For more information about enhanced object tracking and the commands used to configure it see this URL http www cisco com en US products sw iosswrel ps1839 products_feature_guide09186a00801541be html The chapter includes these sections Understanding Enhanced Object Tracking page 40 1 Configuring Enhanced Object Tracking Features page 40 2 Monitoring E...

Page 898: ... are not met the IP routing state is down Beginning in privileged EXEC mode follow these steps to track the line protocol state or IP routing state of an interface Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number interface interface id line protocol Optional Create a tracking list to track the line protocol state of an interface and enter trackin...

Page 899: ...her AND or OR operators When you measure the tracked list state by a weight threshold you assign a weight number to each object in the tracked list The state of the tracked list is determined by whether or not the threshold was met The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object When you measure the tracked list by a pe...

Page 900: ...it Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list boolean and or Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 boolean Specify the state of the tracked list based on a Boolean calculation and Specify that the list is up if all objects are up or down if one or more objects are dow...

Page 901: ... two small bandwidth connections and object 3 represents one large bandwidth connection The configured down 10 value means that once the tracked object is up it will not go down until the threshold value is equal to or lower than 10 which in this example means that all connections are down Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list thre...

Page 902: ...percentage up 51 down 10 Switch config track exit Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track track number list threshold percentage Configure a tracked list object and enter tracking configuration mode The track number can be from 1 to 500 threshold Specify the state of the tracked list based on a threshold percentage Specify that the threshold is based ...

Page 903: ...up threshold is 254 and the default down threshold is 255 Enter list to track objects grouped in a list Configure the list as described on the previous pages For boolean see the Configuring a Tracked List with a Boolean Expression section on page 40 4 For threshold weight see the Configuring a Tracked List with a Weight Threshold section on page 40 5 For threshold percentage see the Configuring a ...

Page 904: ... network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance Cisco IP SLAs operations collects real time metrics that you can use for network troubleshooting design and analysis For more information about Cisco IP SLAs on the switch see Chapter 39 Configuring Cisco IOS IP SLAs Operations For IP SLAs command information see t...

Page 905: ...0 00 47 Latest operation return code over threshold Latest RTT millisecs 4 Tracked by HSRP Ethernet0 1 3 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 track object number rtr operation number state Enter tracking configuration mode to track the state of an IP SLAs operation The object number range is from 1 to 500 The operation number range is from 1 to 214748364...

Page 906: ...tion about Cisco IP SLAs support on the switch see Chapter 39 Configuring Cisco IOS IP SLAs Operations For more information about static route object tracking see this URL http www cisco com en US docs ios 12_3 12_3x 12_3xe feature guide dbackupx html You use this process to configure static route object tracking Step 1 Configure a primary interface for static routing or for DHCP Step 2 Configure ...

Page 907: ...isco IP SLAs operation and enter IP SLA configuration mode Step 3 icmp echo destination ip address destination hostname source ipaddr ip address hostname source interface interface id Configure a Cisco IP SLAs end to end ICMP echo response time operation and enter IP SLAs ICMP echo configuration mode Step 4 timeout milliseconds Set the amount of time for which the operation waits for a response fr...

Page 908: ...umber address that is permitted by a standard or extended access list or performs policy routing on packets You can enter multiple numbers or names Step 5 set ip next hop dynamic dhcp For DHCP networks only Set the next hop to the gateway that was most recently learned by the DHCP client Step 6 set interface interface id For static routing networks only Indicate where to send output packets that p...

Page 909: ... track interface brief Display information about tracked interface objects show track ip object number brief route Display information about tracked IP route objects show track resolution Display the resolution of tracked parameters show track timers Display tracked polling interval timers Table 40 1 Commands for Displaying Tracking Information continued Command Purpose ...

Page 910: ...40 14 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 40 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...

Page 911: ... command and configuration information for CFM see the Cisco IOS feature module at this URL http www cisco com en US products ps6922 products_feature_guide09186a008066fcb8 html For E LMI configuration and commands see this URL http www cisco com en US products ps6441 products_feature_guide09186a0080690f2d html For complete syntax of the Ethernet OAM manager commands used in this chapter to configu...

Page 912: ...al information about Ethernet CFM CFM Domain page 41 2 Maintenance Points page 41 3 CFM Messages page 41 4 Crosscheck Function page 41 4 SNMP Traps page 41 4 IP SLAs Support for CFM page 41 5 CFM Domain A CFM maintenance domain is a management space on a network that is owned and operated by a single entity and defined by a set of ports internal to it but at its boundary You assign a unique mainte...

Page 913: ...municate through the relay function side not the wire side connected to the port A MEP sends and receives CFM frames through the relay function It drops all CFM frames of its level or lower that come from the wire side For CFM frames from the relay side it processes the frames at its level and drops frames at a lower level The MEP transparently forwards all CFM frames at a higher level regardless ...

Page 914: ...rted Continuity Check CC messages multicast heartbeat messages exchanged periodically between MEPs that allow MEPs to discover other MEPs within a domain and allow MIPs to discover MEPs CC messages are configured to a domain or VLAN Loopback messages unicast frames transmitted by a MEP at administrator request to verify connectivity to a particular maintenance point indicating if a destination is ...

Page 915: ...r Layer 2 You can manually configure individual Ethernet ping or jitter operations You can also configure an IP SLAs automatic Ethernet operation that queries the CFM database for all MEPs in a given maintenance domain and VLAN The operation then automatically creates individual Ethernet ping or jitter operations based on the discovered MEPs For more information about IP SLAs operation with CFM se...

Page 916: ... a maximum cache size or hold time Optional For size enter the cache size in number of entry lines The range is from 1 to 4095 the default is 100 lines Optional For hold time enter the maximum cache hold time in minutes The range is from 1 to 65535 the default is 100 minutes Step 3 ethernet cfm domain domain name level level id Define a CFM domain set the domain level and enter ethernet cfm config...

Page 917: ...Step 11 show ethernet cfm domain brief show ethernet cfm maintenance points local show ethernet cfm traceroute cache Verify the configuration Step 12 show running config Verify your entries Step 13 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ethernet cfm doma...

Page 918: ...ervice provider VLAN ID or IDs as a VLAN ID 1 to 4095 a range of VLAN IDs separated by a hyphen or a series of VLAN IDs separated by comma Note Repeat the command for different level IDs Step 9 exit Return to global configuration mode Step 10 snmp server enable traps ethernet cfm cc mep up mep down config loop cross connect Optional Enable Ethernet CFM continuity check traps Step 11 snmp server en...

Page 919: ...ee the command reference at this URL http www cisco com en US products ps6441 products_command_reference_book09186a008049739b html Step 4 mep crosscheck mpid identifier vlan vlan id mac remote MAC address Define a remote maintenance end point MEP within a maintenance domain For mpid identifier enter a maintenance end point identifier The identifier must be unique for each VLAN service instance The...

Page 920: ...guration mode Enter echo for a ping operation or jitter for a jitter operation For mpid identifier enter a maintenance endpoint identifier The identifier must be unique for each VLAN service instance The range is 1 to 8191 For domain domain name enter the CFM domain name For vlan vlan id the VLAN range is from 1 to 4095 Optional for jitter only Enter the interval between sending of jitter packets ...

Page 921: ...er Enter the IP SLAs operation number Optional ageout seconds Enter the number of seconds to keep the operation in memory when it is not actively collecting information The range is 0 to 2073600 seconds The default is 0 seconds Optional life Set the operation to run indefinitely forever or for a specific number of seconds The range is from 0 to 2147483647 The default is 3600 seconds 1 hour Optiona...

Page 922: ...r enter a maintenance endpoint identifier The range is 1 to 8191 For domain domain name enter the CFM domain name For vlan vlan id the VLAN range is from 1 to 4095 Optional Enter exclude mpids mp ids to exclude the specified maintenance endpoint identifiers Optional for jitter only Enter the interval between sending of jitter packets Optional for jitter only Enter the num frames and the number of ...

Page 923: ...y Optional start time Enter the time for the operation to begin collecting information To start at a specific time enter the hour minute second in 24 hour notation and day of the month Enter pending to select no information collection until a start time is selected Enter now to start the operation immediately Enter after hh mm ss to show that the operation should start after the entered time has e...

Page 924: ...e the CPU must poll error counters frequently the number of required CPU cycles is proportional to the number of interfaces that must be polled Ethernet OAM has two major components The OAM client establishes and manages Ethernet OAM on a link and enables and configures the OAM sublayer During the OAM discovery phase the OAM client monitors OAM PDUs received from the remote peer and enables OAM fu...

Page 925: ... event notification OAM PDU to notify the remote OAM device when it detects problems on the link Error events include when the number of symbol errors the number of frame errors the number of frame errors within a specified number of frames or the number of error seconds within a specified period exceed a configured threshold Remote failure indication conveys a slowly deteriorating quality of an O...

Page 926: ... monitor transmit crc interface configuration or template configuration commands are visible but are not supported on the switch The commands are accepted but are not applied to an interface For a remote failure indication the switch does not generate Link Fault or Critical Event OAM PDUs However if these PDUs are received from a link partner they are processed The switch supports generating and r...

Page 927: ... on an interface Step 4 ethernet oam max rate oampdus min rate seconds mode active passive timeout seconds You can configure these optional OAM parameters Optional Enter max rate oampdus to configure the maximum number of OAM PDUs sent per second The range is from 1 to 10 Optional Enter min rate seconds to configure the minimum transmission rate in seconds when one OAM PDU is sent per second The r...

Page 928: ...e Ethernet remote loopback on the interface or set a loopback timeout period Enter supported to enable remote loopback Enter timeout seconds to set a remote loopback timeout period The range is from 1 to 10 seconds Step 4 end Return to privileged EXEC mode Step 5 ethernet oam remote loopback start stop interface interface id Turn on or turn off Ethernet OAM remote loopback on an interface Step 6 s...

Page 929: ...ames that trigger an error frame link event Enter threshold high high frames to set a high threshold in number of frames The range is 1 to 65535 The default is none Enter threshold high none to disable the high threshold if it was set This is the default Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window milliseconds to s...

Page 930: ...ize in number of milliseconds The range is 100 to 9000 each value is a multiple of 100 milliseconds The default is 1000 Step 8 ethernet oam link monitor receive crc threshold high high frames none low low frames window milliseconds Note Repeat this step to configure both high and low thresholds Optional Configure thresholds for monitoring ingress frames received with cyclic redundancy code CRC err...

Page 931: ...create a template for configuring a common set of options on multiple Ethernet OAM interfaces The template can be configured to monitor frame errors frame period errors frame second errors received CRS errors and symbol period errors and thresholds You can also set the template to put the interface in error disabled state if any high thresholds are exceeded These steps are optional and can be perf...

Page 932: ...es Enter threshold high none to disable the high threshold Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window milliseconds to set the a window and period of time during which frames with CRC errors are counted The range is 10 to 1800 and represents the number of milliseconds in multiples of 100 The default is 100 Step 4 e...

Page 933: ...s for the error frame period that triggers an error frame period link event Enter threshold high high frames to set a high threshold in number of frames The range is 1 to 65535 You must enter a high threshold Enter threshold high none to disable the high threshold Enter threshold low low frames to set a low threshold in number of frames The range is 0 to 65535 The default is 1 Enter window frames ...

Page 934: ...ith inward facing MEPs at the UNI E LMI relies on the OAM Ethernet Infrastructure to interwork with CFM for end to end status of Ethernet virtual connections EVCs across CFM domains Step 8 ethernet oam link monitor high threshold action error disable interface Optional Configure the switch to put an interface in an error disabled state when a high threshold for an error is exceeded Step 9 exit Ret...

Page 935: ...ide On the UPE side OAM manager defines an abstraction layer that relays data collected from OAM protocols in this case CFM running within the metro network to the E LMI switch The information flow is unidirectional from OAM manager to the E LMI but is triggered in one of two ways Synchronous data flow triggered by a request from the E LMI Asynchronous data flow triggered by OAM manager when it re...

Page 936: ... the ethernet lmi global global configuration command it is automatically enabled on all interfaces You can also enable or disable E LMI per interface to override the global configuration The E LMI command that is given last is the command that has precedence There are no EVCs EFP service instances or UNIs defined UNI bundling service is bundling with multiplexing E LMI and OAM Manager Configurati...

Page 937: ...ngth Step 6 oam protocol cfm svlan vlan id domain domain name Configure the EVC OAM protocol as CFM and identify the service provider VLAN ID S VLAN ID for the CFM domain maintenance level as configured in Steps 2 and 3 Note If the CFM domain does not exist the command is rejected and an error message appears Step 7 uni count value Optional Set the UNI count for the EVC The range is 2 to 1024 the ...

Page 938: ...ni id name Configure an Ethernet UNI ID The name should be unique for all the UNIs that are part of a given customer service instance and can be up to 64 characters in length When a UNI id is configured on a port that ID is used as the default name for all MEPs configured on the port unless a name is explicitly configured for a given MEP Note This command is required on all ports that are directly...

Page 939: ...in privileged EXEC mode follow these steps to enable for E LMI on the switch or on an interface Note that the order of the global and interface commands determines the configuration The command that is entered last has precedence Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ethernet lmi global Globally enable E LMI on all interfaces By default the switch is a PE...

Page 940: ...cfm mep crosscheck mpid 404 vlan 101 Switch config ether cfm exit Switch config ethernet cfm domain Operator_level 2 Switch config ether cfm service operator_1 vlan 101 Step 6 ethernet lmi n391 value n393 value t391 value t392 value Configure E LMI parameters for the UNI The keywords have these meanings n391 value Set the event counter on the customer equipment The counter polls the status of the ...

Page 941: ... interface However if you do not enter the ethernet lmi ce global configuration command the interface will be in PE mode by default Switch config t Switch config ethernet lmi global Switch config ethernet lmi ce Switch config exit Note For E LMI to work any VLANs used on the PE device must also be created on the CE device Create a VLAN by entering the vlan vlan id global configuration command on t...

Page 942: ...al port is set into loopback mode CFM responds by sending a port status of Test in the Port Status TLV The remote port is set into loopback mode CFM responds by sending a port status of Test in the Port Status TLV This section includes this information Configuring Ethernet OAM Interaction with CFM page 41 33 Ethernet OAM and CFM Configuration Example page 41 34 For more information about CFM and i...

Page 943: ...ep 2 ethernet cfm domain domain name level level id Define a CFM domain set the domain level and enter ethernet cfm configuration mode for the domain The maintenance level number range is 0 to 7 Step 3 service csi id vlan vlan id Define a universally unique customer service instance CSI and VLAN ID within the maintenance domain csi id String of no more than 100 characters that identifies the CSI v...

Page 944: ...onfig if switchport trunk encapsulation dot1q Switch config if switchport mode trunk Switch config if ethernet cfm mip level 7 Switch config if ethernet cfm mep level 4 mpid 100 vlan 10 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Define an interface to configure as an Ethernet OAM interface and enter interface configuration mode Step 3 et...

Page 945: ...tchport trunk allowed vlan 10 Switch config if switchport mode trunk Switch config if ethernet oam remote loopback supported Switch config if ethernet oam Switch config if exit These are examples of the output showing provider edge switch port status of the configuration Port status shows as UP at both switches Switch PE1 Switch show ethernet cfm maintenance points remote MPID Level Mac Address Vl...

Page 946: ...FM and Ethernet OAM Interaction Switch PE2 Switch show ethernet cfm maintenance points remote MPID Level Mac Address Vlan PortState InGressPort Age sec Service ID 100 4 0012 00a3 3780 10 TEST Gi1 1 1 8 blue Total Remote MEPs 1 In addition if you shut down the CE1 interface that connects to PE1 the remote PE2 port will show a PortState of Down ...

Page 947: ...he switch must be running the metro IP access image Note For complete syntax and usage information for the commands used in this chapter see the Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 This chapter consists of these sections Understanding Cisco s Implementation of IP Multicast Routing page 42 1 Configuring IP Multicast Routing page 42 8 Configuring Advanced PIM Features...

Page 948: ...to join and leave multicast groups Any host regardless of whether it is a member of a group can send to a group However only the members of a group receive the message Membership in a multicast group is dynamic hosts can join and leave at any time There is no restriction on the location or number of members in a multicast group A host can be a member of more than one multicast group at a time How ...

Page 949: ...his information to perform multicast forwarding instead of maintaining a separate multicast routing table PIM is defined in RFC 2362 Protocol Independent Multicast Sparse Mode PIM SM Protocol Specification PIM is defined in these Internet Engineering Task Force IETF Internet drafts Protocol Independent Multicast PIM Motivation and Architecture Protocol Independent Multicast PIM Dense Mode Protocol...

Page 950: ...he distribution tree leaving only branches that contain receivers When a new receiver on a previously pruned branch of the tree joins a multicast group the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source When the upstream PIM DM device receives the graft message it immediately puts the interface on which the graft was received...

Page 951: ...IGRP Stub Routing section on page 35 40 The redundant PIM stub router topology is not supported The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain PIM messages are blocked and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces Only the nonredundant access router topology i...

Page 952: ...P mapping information expires it switches to a statically configured RP that was defined with the ip pim rp address global configuration command If no statically configured RP exists the router or switch changes the group to dense mode operation Multiple RPs serve different group ranges or serve as hot backups of each other Bootstrap Router PIMv2 BSR is another method to distribute group to RP map...

Page 953: ...g RPF check on the packet as follows and shown in Figure 42 2 1 The router or multilayer switch examines the source address of the arriving multicast packet to decide whether the packet arrived on an interface that is on the reverse path back to the source 2 If the packet arrives on the interface leading back to the source the RPF check is successful and the packet is forwarded to all interfaces i...

Page 954: ...rce G joins which are shared tree states are sent toward the RP Dense mode PIM uses only source trees and use RPF as previously described Configuring IP Multicast Routing Default Multicast Routing Configuration page 42 8 Multicast Routing Configuration Guidelines page 42 9 Configuring Basic Multicast Routing page 42 10 required Configuring PIM Stub Routing page 42 12 optional Configuring Source Sp...

Page 955: ...a standards track protocol in the IETF We recommend that you use PIMv2 The BSR mechanism interoperates with Auto RP on Cisco routers and multilayer switches For more information see the Auto RP and BSR Configuration Guidelines section on page 42 10 When PIMv2 devices interoperate with PIMv1 devices Auto RP should have already been deployed A PIMv2 BSR that is also an Auto RP mapping agent automati...

Page 956: ...ultilayer switch Ensure that no PIMv1 device is on the path between the BSR and a non Cisco PIMv2 router If you have non Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches both Auto RP and a BSR are required We recommend that a Cisco PIMv2 device be both the Auto RP mapping agent and the BSR For more information see the Using Auto RP and a BSR section on...

Page 957: ...the no switchport interface configuration command An SVI a VLAN interface created by using the interface vlan vlan id global configuration command These interfaces must have IP addresses assigned to them For more information see the Configuring Layer 3 Interfaces section on page 9 22 Step 4 no shutdown Enable the port if necessary By default user network interfaces UNIs and enhanced network interf...

Page 958: ...ters Unicast EIGRP stub routing enforces this behavior You must configure unicast stub routing to assist the PIM stub router behavior For more information see the Configuring EIGRP Stub Routing section on page 35 40 Only directly connected multicast IGMP receivers and sources are allowed in the Layer 2 access domains The PIM protocol is not supported in access domains The redundant PIM stub router...

Page 959: ...led for each interface use the show ip pim interface privileged EXEC command Switch show ip pim interface Address Interface Ver Nbr Query DR DR Mode Count Intvl Prior 3 1 1 2 GigabitEthernet0 25 v2 SD 1 30 1 3 1 1 2 100 1 1 1 Vlan100 v2 P 0 30 1 100 1 1 1 10 1 1 1 GigabitEthernet0 20 v2 P 0 30 1 10 1 1 1 Use these privileged EXEC commands to display information about PIM stub configuration and sta...

Page 960: ...onsists of datagrams with an arbitrary IP unicast source address S and the multicast group address G as the IP destination address Systems receive this traffic by becoming members of the host group Membership in a host group simply requires signalling the host group through IGMP version 1 2 or 3 In SSM delivery of datagrams is based on S G channels In both SSM and ISM no signalling is required to ...

Page 961: ...ering capabilities with respect to sources A host can either signal that it wants to receive traffic from all sources sending to a group except for some specific sources called exclude mode or that it wants to receive traffic only from some specific sources sending to the group called include mode IGMPv3 can operate with both ISM and SSM In ISM both exclude and include mode reports are applicable ...

Page 962: ...M where S G state is maintained only if the source is sending traffic and receivers are joining the group If a source stops sending traffic for more than 3 minutes in PIM SM the S G state is deleted and only re established after packets from the source arrive again through the RPT Because no mechanism in PIM SSM notifies a receiver that a source is active the network must maintain the S G state in...

Page 963: ...o not already have a DNS server running you need to install one You can use a product such as Cisco Network Registrar Go to this URL for more information http www cisco com warp public cc pd nemnsw nerr index shtml SSM mapping restrictions The SSM mapping feature does not have all the benefits of full SSM Because SSM mapping takes a group join from a host and identifies this group with an applicat...

Page 964: ...ng http www cisco com en US products sw iosswrel ps5207 products_feature_guide09186a00801a6d6f html Static SSM Mapping With static SSM mapping you can configure the last hop router to use a static map to determine the sources that are sending to groups Static SSM mapping requires that you configure ACLs to define group ranges Then you can map the groups permitted by those ACLs to sources by using ...

Page 965: ...c for the TV channel Thus the server side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel To look up one or more source addresses for a group that includes G1 G2 G3 and G4 you must configure these DNS records on the DNS server G4 G3 G2 G1 multicast domain timeout IN A source address 1 IN A source address 2 IN A source address n Refer t...

Page 966: ...the configured SSM range Note By default this command enables DNS based SSM mapping Step 3 no ip igmp ssm map query dns Optional Disable DNS based SSM mapping Note Disable DNS based SSM mapping if you only want to rely on static SSM mapping By default the ip igmp ssm map global configuration command enables DNS based SSM mapping Step 4 ip igmp ssm map static access list source address Configure st...

Page 967: ...s6 Specify the address of one or more name servers to use for name and address resolution Step 6 Repeat Step 5 to configure additional DNS servers for redundancy if required Step 7 end Return to privileged EXEC mode Step 8 show running config Verify your entries Step 9 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 con...

Page 968: ...how to manually configure an RP If the RP for a group is learned through a dynamic mechanism such as Auto RP or BSR you need not perform this task for that RP Senders of multicast traffic announce their existence through register messages received from the source s first hop router designated router and forwarded to the RP Receivers of multicast packets use RPs to join a multicast group by using e...

Page 969: ... The access list conditions specify for which groups the device is an RP For ip address enter the unicast address of the RP in dotted decimal notation Optional For access list number enter an IP standard access list number from 1 to 99 If no access list is configured the RP is used for all groups Optional The override keyword means that if there is a conflict between the RP configured with this co...

Page 970: ... interfaces are configured in sparse mode Auto RP can still be used if all devices are configured with a manual RP address for the Auto RP groups These sections describe how to configure Auto RP Setting up Auto RP in a New Internetwork page 42 24 optional Adding Auto RP to an Existing Sparse Mode Cloud page 42 24 optional Preventing Join Messages to False RPs page 42 26 optional Filtering Incoming...

Page 971: ...the candidate RP for local groups For interface id enter the interface type and number that identifies the RP address Valid interfaces include physical ports port channels and VLANs For scope ttl specify the time to live value in hops Enter a hop count that is high enough so that the RP announce messages reach all mapping agents in the network There is no default setting The range is 1 to 255 For ...

Page 972: ... use the ip pim accept rp auto rp global configuration command This procedure is optional If all interfaces are in sparse mode use a default configured RP to support the two well known groups 224 0 1 39 and 224 0 1 40 Auto RP uses these two well known groups to collect and distribute RP mapping information When this is the case and the ip pim accept rp auto rp command is configured another ip pim ...

Page 973: ...er variable If this variable is omitted the filter applies to all multicast groups If more than one mapping agent is used the filters must be consistent across all mapping agents to ensure that no conflicts occur in the Group to RP mapping information Step 3 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necess...

Page 974: ...page 42 28 optional Defining the IP Multicast Boundary page 42 29 optional Configuring Candidate BSRs page 42 30 optional Configuring Candidate RPs page 42 31 optional For overview information see the Bootstrap Router section on page 42 6 Defining the PIM Domain Border As IP multicast becomes more widespread the chance of one PIMv2 domain bordering another PIMv2 domain is increasing Because these ...

Page 975: ...eighboring PIMv2 domain Configure the ip pim bsr border command on this interface Configure the ip pim bsr border command on this interface BSR messages Layer 3 switch Layer 3 switch Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny source source wildcard Create a standard access list repeating the command as many times as necessar...

Page 976: ... 6 end Return to privileged EXEC mode Step 7 show running config Verify your entries Step 8 copy running config startup config Optional Save your entries in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim bsr candidate interface id hash mask length priority Configure your switch to be a candidate BSR For interface id en...

Page 977: ...rs configure only Cisco PIMv2 routers and multilayer switches as RPs Beginning in privileged EXEC mode follow these steps to configure your switch to advertise itself as a PIMv2 candidate RP to the BSR This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip pim rp candidate interface id group list access list number Configure your switch to be...

Page 978: ...ng agents for Auto RP For more information see the Configuring Auto RP section on page 42 24 and the Configuring Candidate BSRs section on page 42 30 For group prefixes advertised through Auto RP the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs In a mixed PIMv1 and PIMv2 domain have backup RPs serve the same group prefixes This preven...

Page 979: ...n 1 Verify RP mapping with the show ip pim rp hash privileged EXEC command making sure that all systems agree on the same RP for the same group 2 Verify interoperability between different versions of DRs and RPs Make sure the RPs are interacting with the DRs properly by responding with register stops and forwarding decapsulated data packets from registers Configuring Advanced PIM Features Understa...

Page 980: ... source At this point data might arrive twice at Router C once encapsulated and once natively 5 When data arrives natively unencapsulated at the RP it sends a register stop message to Router A 6 By default reception of the first data packet prompts Router C to send a join message toward the source 7 When Router C receives data on S G it sends a prune message for the source up the shared tree 8 The...

Page 981: ...all groups Beginning in privileged EXEC mode follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest path tree This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard a...

Page 982: ...w these steps to modify the router query message interval This procedure is optional To return to the default setting use the no ip pim query interval seconds interface configuration command Configuring Optional IGMP Features Default IGMP Configuration page 42 37 Configuring the Switch as a Member of a Group page 42 37 optional Controlling Access to IP Multicast Groups page 42 38 optional Step 4 e...

Page 983: ... a group of which they are members Another example is the multicast trace route tools provided in the software Caution Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address Beginning in privileged EXEC mode follow these steps to configure the switch to be a member of a group This procedure is optional Table 42 5 Default IGMP ...

Page 984: ...t groups allowed on an interface This procedure is optional Step 4 ip igmp join group group address Configure the switch to join a multicast group By default no group memberships are defined For group address specify the multicast IP address in dotted decimal notation Step 5 end Return to privileged EXEC mode Step 6 show ip igmp interface interface id Verify your entries Step 7 copy running config...

Page 985: ...eged EXEC mode follow these steps to change the IGMP version This procedure is optional Step 6 access list access list number deny permit source source wildcard Create a standard access list For access list number specify the access list created in Step 3 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For source specify ...

Page 986: ...gister and PIM join messages toward the RP router Beginning in privileged EXEC mode follow these steps to modify the host query interval This procedure is optional To return to the default setting use the no ip igmp query interval interface configuration command Step 4 ip igmp version 1 2 Specify the IGMP version that the switch uses Note If you change to Version 1 you cannot configure the ip igmp...

Page 987: ...tly connected group members on a LAN Decreasing the value enables the switch to prune groups faster Beginning in privileged EXEC mode follow these steps to change the maximum query response time This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 interface interface id Specify the interface to be configured and enter interface configuration m...

Page 988: ...ch itself is not a member as evidenced by lack of an L local flag in the multicast route entry Beginning in privileged EXEC mode follow these steps to configure the switch itself to be a statically connected member of a group and enable fast switching This procedure is optional To remove the switch as a member of the group use the no ip igmp static group group address interface configuration comma...

Page 989: ...multicast group address and port for Session Announcement Protocol SAP multicast packets from SAP clients which announce their conference sessions These SAP packets contain a session description the time the session is active its IP multicast group addresses media format contact person and other information about the advertised multimedia session The information in the SAP packet is displayed in t...

Page 990: ... can not enter or exit this interface thereby providing a firewall for multicast traffic in this address range Note Multicast boundaries and TTL thresholds control the scoping of multicast domains however TTL thresholds are not supported by the switch You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain Figure...

Page 991: ... is optional 45154 Company XYZ Engineering Marketing 239 128 0 0 16 239 0 0 0 8 Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 access list access list number deny permit source source wildcard Create a standard access list repeating the command as many times as necessary For access list number the range is 1 to 99 The deny keyword denies access if the conditions a...

Page 992: ...ure are or suspected to be invalid You can use any of the privileged EXEC commands in Table 42 6 to clear IP multicast caches tables and databases Displaying System and Network Statistics You can display specific statistics such as the contents of IP routing tables caches and databases Note This release does not support per route statistics You can display information to learn resource utilization...

Page 993: ...e detail Display the contents of the circular cache header buffer show ip mroute group name group address source summary count active kbps Display the contents of the IP multicast routing table show ip pim interface type number count Display information about interfaces configured for PIM show ip pim neighbor type number List the PIM neighbors discovered by the switch show ip pim rp group name gro...

Page 994: ...42 48 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 42 Configuring IP Multicast Routing Monitoring and Maintaining IP Multicast Routing ...

Page 995: ... a group to be known to all rendezvous points RPs in different domains Each PIM SM domain uses its own RPs and does not depend on RPs in other domains An RP runs MSDP over the Transmission Control Protocol TCP to discover multicast sources in other domains An RP in a PIM SM domain has an MSDP peering relationship with MSDP enabled devices in another domain The peering relationship occurs over a TC...

Page 996: ...e originating RP to achieve peer reverse path flooding RPF The MSDP device examines the BGP or MBGP routing table to discover which peer is the next hop toward the originating RP of the SA message Such a peer is called an RPF peer reverse path forwarding peer The MSDP device forwards the message to all MSDP peers other than the RPF peer For information on how to configure an MSDP peer when BGP and...

Page 997: ... 43 3 required Caching Source Active State page 43 6 optional Requesting Source Information from an MSDP Peer page 43 7 optional Controlling Source Information that Your Switch Originates page 43 8 optional Controlling Source Information that Your Switch Forwards page 43 10 optional Controlling Source Information that Your Switch Receives page 43 12 optional Configuring an MSDP Mesh Group page 43 ...

Page 998: ...f Router A is not running only then does Switch B accept SA messages from Router C This is the default behavior without a prefix list If you specify a prefix list the peer is a default peer only for the prefixes in the list You can have multiple active default peers when you have a prefix list associated with each When you do not have any prefix lists you can configure multiple default peers but o...

Page 999: ...p default peer commands with the prefix list keyword you use all the default peers at the same time for different RP prefixes This syntax is typically used in a service provider cloud that connects stub site clouds When you enter multiple ip msdp default peer commands without the prefix list keyword a single active peer accepts all SA messages If that peer fails the next configured default peer ac...

Page 1000: ...Enter global configuration mode Step 2 ip msdp cache sa state list access list number Enable the caching of source group pairs create an SA state Those pairs that pass the access list are cached For list access list number the range is 100 to 199 Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Create an IP extended access list repe...

Page 1001: ...ces in a connected PIM sparse mode domain that are sending to a group configure the switch to send SA request messages to the specified MSDP peer when a new member joins a group The peer replies with the information in its SA cache If the peer does not have a cache configured this command has no result Configuring this feature reduces join latency but sacrifices memory Beginning in privileged EXEC...

Page 1002: ...is filtered Beginning in privileged EXEC mode follow these steps to further restrict which registered sources are advertised This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp redistribute list access list name asn aspath access list number route map map Configure which S G entries from the multicast routing table are advertised in S...

Page 1003: ...command as many times as necessary or Create an IP extended access list repeating the command as many times as necessary For access list number the range is 1 to 99 for standard access lists and 100 to 199 for extended lists Enter the same number created in Step 2 The deny keyword denies access if the conditions are matched The permit keyword permits access if the conditions are matched For protoc...

Page 1004: ...global configuration mode Step 2 ip msdp filter sa request ip address name or ip msdp filter sa request ip address name list access list number Filter all SA request messages from the specified MSDP peer or Filter SA request messages from the specified MSDP peer for groups that pass the standard access list The access list describes a multicast group address The range for the access list number is...

Page 1005: ...nly those SA messages that meet the match criteria in the route map map tag If all match criteria are true a permit from the route map passes routes through the filter A deny filters routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For...

Page 1006: ...llow these steps to establish a TTL threshold This procedure is optional To return to the default setting use the no ip msdp ttl threshold ip address name global configuration command Controlling Source Information that Your Switch Receives By default the switch receives all SA messages that its MSDP RPF peers send to it However you can control the source information that you receive from MSDP pee...

Page 1007: ... match criteria are true a permit from the route map passes routes through the filter A deny will filter routes Step 3 access list access list number deny permit protocol source source wildcard destination destination wildcard Optional Create an IP extended access list repeating the command as many times as necessary For access list number enter the number specified in Step 2 The deny keyword deni...

Page 1008: ...eginning in privileged EXEC mode follow these steps to create a mesh group This procedure is optional To remove an MSDP peer from a mesh group use the no ip msdp mesh group name ip address name global configuration command Shutting Down an MSDP Peer If you want to configure many MSDP commands for the same peer and you do not want the peer to become active you can shut down the peer configure it an...

Page 1009: ...ers This procedure is optional Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 ip msdp shutdown peer name peer address Administratively shut down the specified MSDP peer without losing configuration information For peer name peer address enter the IP address or name of the MSDP peer to shut down Step 3 end Return to privileged EXEC mode Step 4 show running config V...

Page 1010: ...ode sources to be known to the outside world Because this switch is not an RP it would not have an RP address to use in an SA message Therefore this command provides the RP address by specifying the address of the interface Beginning in privileged EXEC mode follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA m...

Page 1011: ...ous system The ip msdp cache sa state command must be configured for this command to produce any output show ip msdp peer peer address name Displays detailed information about an MSDP peer show ip msdp sa cache group address source address group name source name autonomous system number Displays S G state learned from MSDP peers show ip msdp summary Displays MSDP peer status and SA message counts ...

Page 1012: ...43 18 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 43 Configuring MSDP Monitoring and Maintaining MSDP ...

Page 1013: ...mmands used in this chapter see the command reference for this release and the Cisco IOS Command Summary Release 12 2 Recovering from Corrupted Software By Using the Xmodem Protocol page 2 Recovering from a Lost or Forgotten Password page 3 Note Recovery procedures require that you have physical access to the switch Preventing Autonegotiation Mismatches page 8 SFP Module Security and Identificatio...

Page 1014: ...rnative break key sequence for those terminal emulators that do not support the break keys For that list see http www cisco com warp public 701 61 html how to Step 1 From your PC download the software image tar file image_filename tar from Cisco com The Cisco IOS image is stored as a bin file in a directory in the tar file For information about locating the software image files on Cisco com see th...

Page 1015: ...fter the Xmodem request appears use the appropriate command on the terminal emulation software to start the transfer and to copy the software image into flash memory Step 12 Boot the newly downloaded Cisco IOS image switch boot flash image_filename bin Step 13 Use the archive download sw privileged EXEC command to download the software image to the switch Step 14 Use the reload privileged EXEC com...

Page 1016: ...tep 1 Connect a terminal or PC with terminal emulation software to the switch console port Step 2 Set the line speed on the emulation software to 9600 baud Step 3 Power off the switch Reconnect the power cord to the switch Step 4 After the switch performs POST the switch begins the autoboot process The boot loader prompts the user for a break key character during the boot up sequence as shown in t...

Page 1017: ...the operating system software flash_init load_helper boot Step 1 Initialize the flash file system switch flash_init Step 2 If you had set the console port speed to anything other than 9600 it has been reset to that particular speed Change the emulation software line speed to match that of the switch console port Step 3 Load any helper files switch load_helper Step 4 Display the contents of flash m...

Page 1018: ... Step 11 Change the password Switch config enable secret password The secret password can be from 1 to 25 alphanumeric characters can start with a number is case sensitive and allows spaces but ignores leading spaces Step 12 Return to privileged EXEC mode Switch config exit Switch Step 13 Write the running configuration to the startup configuration file Switch copy running config startup config Th...

Page 1019: ...guration file security by preventing unauthorized users from accessing the configuration file If you enter n no the normal boot process continues as if the break key had not been pressed you cannot access the boot loader prompt and you cannot enter a new password You see the message Press Enter to continue If you enter y yes the configuration file in flash memory and the VLAN database file are del...

Page 1020: ...iguration mode enter the no shutdown command Step 10 You must now reconfigure the switch If the system administrator has the backup switch and VLAN configuration files available you should use those Preventing Autonegotiation Mismatches The IEEE 802 3ab autonegotiation protocol manages the switch settings for speed 10 100 and 1000 Mbps excluding SFP module ports and duplex half or full There are s...

Page 1021: ...the operation For more information about the errdisable recovery command see the command reference for this release If the module is identified as a Cisco SFP module but the system is unable to read vendor data information to verify its accuracy an SFP module error message is generated In this case you should remove and re insert the SFP module If it continues to fail the SFP module might be defec...

Page 1022: ...es not drop ping response packets to or from network node interfaces NNIs and no special configuration is required to enable pings to or from hosts connected to NNIs Using Ping Beginning in privileged EXEC mode use the ping command to ping another device on the network from the switch Note Ping is not supported on a UNI or ENI configured as an IEEE 802 1Q tunnel port Ping is supported on NNIs on a...

Page 1023: ... 2 switch config if no shut switch config if exit switch config int vlan 2 switch config if ip address 192 168 1 1 255 255 255 0 switch config if end switch ping 192 168 1 2 Metro IP Access Image When your switch is running the metro IP access image you can use any of these methods Apply a Layer 3 service policy to a UNI or ENI Enable IP routing globally and ping from a switch virtual interface SV...

Page 1024: ...ts in this message Switch ping 72 20 52 3 Type escape sequence to abort Sending 5 100 byte ICMP Echoes to 172 20 52 3 timeout is 2 seconds Success rate is 0 percent 0 5 Summary Keep these guidelines in mind while pinging IP routing is available only with the metro IP access image and is disabled by default To ping a host in a different IP subnetwork from the switch you must have IP routing configu...

Page 1025: ...NIs The switch can only identify the path from the source device to the destination device It cannot identify the path that a packet takes from source host to the source device or from the destination device to the destination host Layer 2 Traceroute Usage Guidelines Cisco Discovery Protocol CDP must be enabled on all the devices in the network For Layer 2 traceroute to function properly do not di...

Page 1026: ...and the VLAN IDs If an ARP entry exists for the specified IP address the switch uses the associated MAC address and identifies the physical path If an ARP entry does not exist the switch sends an ARP query and tries to resolve the IP address If the IP address is not resolved the path is not identified and an error message appears When multiple devices are attached to one port through hubs for exam...

Page 1027: ...Internet Control Message Protocol ICMP time to live exceeded message to the sender Traceroute finds the address of the first hop by examining the source address field of this message To identify the next hop traceroute sends a UDP packet with a TTL value of 2 The first router decrements the TTL field by 1 and sends the datagram to the next router The second router sees a TTL value of 1 discards th...

Page 1028: ...nter the escape sequence Ctrl X by default Simultaneously press and release the Ctrl Shift and 6 keys and then press the X key Using TDR Understanding TDR page 16 Running TDR and Displaying the Results page 17 Understanding TDR You can use the Time Domain Reflector TDR feature to diagnose and resolve cabling problems When running TDR a local device sends a signal through a cable and compares the r...

Page 1029: ...agnostics tdr interface interface id privileged EXEC command To display the results enter the show cable diagnostics tdr interface interface id privileged EXEC command For a description of the fields in the display see the command reference for this release Note TDR is supported only on the copper Ethernet 10 100 ports or on dual purpose ports configured as 10 100 100 ports by using the RJ 45 conn...

Page 1030: ...rivileged EXEC mode you can enter the undebug form of the command Switch undebug span session To display the state of each debugging option enter this command in privileged EXEC mode Switch show debugging Enabling All System Diagnostics Beginning in privileged EXEC mode enter this command to enable all system diagnostics Switch debug all Caution Because debugging output takes priority over other n...

Page 1031: ...switch command reference for this release Most of the information in the output from the command is useful mainly for technical support personnel who have access to detailed information about the switch ASICs However packet forwarding information can also be helpful in troubleshooting This is an example of the output from the show platform forward command on Gigabit Ethernet port 1 in VLAN 5 when ...

Page 1032: ...9_43A80145 00_00000000_00000000 00086 02010197 Station Descriptor F0050003 DestIndex F005 RewriteIndex 0003 Egress Asic 3 switch 1 Output Packets Packet 1 Lookup Key Used Index Hit A Data OutptACL 50_0D020202_0D010101 00_40000014_000A0000 01FFE 03000000 Port Vlan SrcMac DstMac Cos Dscpv Gi0 2 0005 0001 0001 0001 0009 43A8 0145 This is an example of the output when the packet coming in on Gigabit E...

Page 1033: ... information to the console at the time of the failure and the file is created the next time you boot the Cisco IOS image after the failure instead of while the system is failing The information in the file includes the Cisco IOS image name and version that failed a list of the processor registers and a stack trace You can provide this information to the Cisco technical support representative by u...

Page 1034: ...44 22 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 Chapter 44 Troubleshooting Using the crashinfo File ...

Page 1035: ... SNMP messages using the configured community string always provide information for VLAN 1 To obtain the BRIDGE MIB information for other VLANs for example VLAN x use this community string in the SNMP message configured community string x CISCO CABLE DIAG MIB CISCO CDP MIB CISCO CONFIG COPY MIB CISCO CONFIG MAN MIB CISCO DHCP SNOOPING MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY SENSOR MIB CISCO ...

Page 1036: ...LAG MIB CISCO MAC NOTIFICATION MIB CISCO MEMORY POOL MIB CISCO NAC NAD MIB CISCO PAE MIB CISCO PAGP MIB CISCO PING MIB CISCO PORT QOS MIB the cportQosStats Table returns the values from the octets and packet counters depending on switch configuration CISCO PRODUCTS MIB CISCO PROCESS MIB CISCO RTTMON MIB CISCO SMI MIB CISCO STACKMAKER MIB CISCO STP EXTENSIONS MIB CISCO SYSLOG MIB CISCO TC MIB CISCO...

Page 1037: ...MON MIB RMON2 MIB SNMP FRAMEWORK MIB SNMP MPD MIB SNMP NOTIFICATION MIB SNMP TARGET MIB SNMPv2 MIB TCP MIB UDP MIB Note You can use this URL for a list of supported MIBs for Cisco products http www cisco com public sw center netmgmt cmtk mibs shtml You can access other information about MIBs and Cisco products on the Cisco web site ftp nm tac cisco com pub mib_repo Using FTP to Access the MIB File...

Page 1038: ...9 07 Appendix A Supported MIBs Using FTP to Access the MIB Files Step 4 Enter your e mail username when prompted for the password Step 5 At the ftp prompt change directories to pub mibs v1 and pub mibs v2 Step 6 Use the get MIB_filename command to obtain a copy of the MIB file ...

Page 1039: ...ndix consists of these sections Working with the Flash File System page B 1 Working with Configuration Files page B 8 Working with Software Images page B 23 Working with the Flash File System The flash file system is a single flash device on which you can store files It also provides several commands to help you manage software image and configuration files The default flash file system on the swi...

Page 1040: ...y in the file system in bytes Free b Amount of free memory in the file system in bytes Type Type of file system flash The file system is for a flash memory device nvram The file system is for a NVRAM device opaque The file system is a locally generated pseudo file system for example the system or a download interface such as brimux unknown The file system is an unknown type Flags Permission for fi...

Page 1041: ...configuration file with the same name Similarly before copying a flash configuration file to another location you might want to verify its filename for use in another command To display information about files on a file system use one of the privileged EXEC commands in Table B 2 Changing Directories and Displaying the Working Directory Beginning in privileged EXEC mode follow these steps to change...

Page 1042: ...their contents cannot be recovered Copying Files To copy a file from a source to a destination use the copy source url destination url privileged EXEC command For the source and destination URLs you can use running config and startup config keyword shortcuts For example the copy running config startup config command saves the currently running configuration file to the NVRAM section of flash memor...

Page 1043: ... see the Working with Configuration Files section on page B 8 To copy software images either by downloading a new version or by uploading the existing one use the archive download sw or the archive upload sw privileged EXEC command For more information see the Working with Software Images section on page B 23 Deleting Files When you no longer need a file on a flash memory device you can permanentl...

Page 1044: ...password location directory tar filename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filename tar is the tar file to be created For flash file url specify the location on the local flash file system from which the new tar file is created You can also specify an optional list of files or d...

Page 1045: ...ir file For source url specify the source URL alias for the local file system These options are supported For the local flash file system the syntax is flash For the FTP the syntax is ftp username password location directory tar filename tar For the RCP the syntax is rcp username location directory tar filename tar For the TFTP the syntax is tftp location directory tar filename tar The tar filenam...

Page 1046: ... the switch You might want to perform this for one of these reasons To restore a backed up configuration file To use the configuration file for another switch For example you might add another switch to your network and want it to have a configuration similar to the original switch By copying the file to the new switch you can change the relevant parts rather than recreating the whole file To load...

Page 1047: ...s if you were entering the commands at the command line The switch does not erase the existing running configuration before adding the commands If a command in the copied configuration file replaces a command in the existing configuration file the existing command is erased For example if the copied configuration file contains a different IP address in a particular command than the existing config...

Page 1048: ...tch by using configuration files you create download from another switch or download from a TFTP server You can copy upload configuration files to a TFTP server for storage These sections contain this configuration information Preparing to Download or Upload a Configuration File By Using TFTP page B 10 Downloading the Configuration File By Using TFTP page B 11 Uploading the Configuration File By U...

Page 1049: ...ion File By Using TFTP section on page B 10 Step 3 Log into the switch through the console port or a Telnet session Step 4 Download the configuration file from the TFTP server to configure the switch Specify the IP address or hostname of the TFTP server and the name of the file to download Use one of these privileged EXEC commands copy tftp location directory filename system running config copy tf...

Page 1050: ... is specified The password set by the ip ftp password password global configuration command if the command is configured The switch forms a password named username switchname domain The variable username is the username associated with the current session switchname is the configured hostname and domain is the domain of the switch The username and password must be associated with an account on the...

Page 1051: ...u do not need to set the FTP username Include the username in the copy command if you want to specify a username for only that copy operation When you upload a configuration file to the FTP server it must be properly configured to accept the write request from the user on the switch For more information see the documentation for your FTP server Downloading a Configuration File By Using FTP Beginni...

Page 1052: ...l Switch config ip ftp username netadmin1 Switch config ip ftp password mypass Switch config end Switch copy ftp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile s...

Page 1053: ... UDP a connectionless protocol RCP uses TCP which is connection oriented To use RCP to copy files the server from or to which you will be copying files must support RCP The RCP copy commands rely on the rsh server or daemon on the remote system To copy files by using RCP you do not need to create a server for file distribution as you do with TFTP You only need to have access to a server that suppo...

Page 1054: ...rsh Ensure that the switch has a route to the RCP server The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets Check connectivity to the RCP server by using the ping command If you are accessing the switch through the console or a Telnet session and you do not have a valid username make sure that the current RCP username is the one th...

Page 1055: ...ration Switch configure terminal Switch config ip rcmd remote username netadmin1 Switch config end Switch copy rcp nvram startup config Address of remote host 255 255 255 255 172 16 101 101 Name of configuration file rtr2 confg host2 confg Configure using host2 confg from 172 16 101 101 confirm Connected to 172 16 101 101 Loading 1112 byte file host2 confg OK OK Switch SYS 5 CONFIG_NV Non volatile...

Page 1056: ... of configuration file to write switch2 confg Write file switch2 confg on host 172 16 101 101 confirm OK Clearing Configuration Information You can clear the configuration information from the startup configuration If you reboot the switch with no startup configuration the switch enters the setup program so that you can reconfigure the switch with all new settings Command Purpose Step 1 Verify tha...

Page 1057: ...ack to a previous configuration These sections contain this information Understanding Configuration Replacement and Rollback page B 19 Configuration Replacement and Rollback Guidelines page B 20 Configuring the Configuration Archive page B 21 Performing a Configuration Replacement or Rollback Operation page B 22 Understanding Configuration Replacement and Rollback Archiving a Configuration page B ...

Page 1058: ...s from both the source file and the running configuration This command does not remove commands from the running configuration that are not present in the source file In contrast the configure replace target url command removes commands from the running configuration that are not present in the replacement file and adds commands to the running configuration that are not present You can use a parti...

Page 1059: ...guration archive and with the archive config command is optional but offers significant benefit for configuration rollback scenarios Before using the archive config command you must first configure the configuration archive Starting in privileged EXEC mode follow these steps to configure the configuration archive Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 arch...

Page 1060: ...he command entries applied by the software parser during each pass of the configuration replacement operation The total number of passes also appears force Replace the running configuration file with the specified saved configuration file without prompting you for confirmation time seconds Specify the time in seconds within which you must enter the configure confirm command to confirm replacement ...

Page 1061: ... that you use depends on which type of server you are using The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP These improvements are possible because FTP and RCP are built on and use the TCP IP stack which is connection oriented These sections contain this configuration information Image Location on the Switch page B 23 tar File Format of ...

Page 1062: ...erver or upload the image from the switch to a TFTP server You download a switch image file from a server to upgrade the switch software You can overwrite the current image with the new one or keep the current image after a download You upload a switch image file to a server for backup purposes this uploaded image can be used for future downloads to the same or another switch of the same type Tabl...

Page 1063: ... must restart the inetd daemon after modifying the etc inetd conf and etc services files To restart the daemon either stop the inetd process and restart it or enter a fastboot command on the SunOS 4 x or a reboot command on Solaris 2 x or SunOS 5 x For more information on the TFTP daemon see the documentation for your workstation Ensure that the switch has a route to the TFTP server The switch and...

Page 1064: ...sure the TFTP server is properly configured see the Preparing to Download or Upload an Image File By Using TFTP section on page B 25 Step 2 Log into the switch through the console port or a Telnet session Step 3 archive download sw overwrite reload tftp location directory image name tar Download the image file from the TFTP server to the switch and overwrite the current image The overwrite option ...

Page 1065: ...You can upload an image from the switch to a TFTP server You can later download this image to the switch or to another switch of the same type Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to a TFTP server The archive upload sw pr...

Page 1066: ...server The FTP protocol requires a client to send a remote username and password on each FTP request to a server When you copy an image file from the switch to a server by using FTP the Cisco IOS software sends the first valid username in this list The username specified in the archive download sw or archive upload sw privileged EXEC command if a username is specified The username set by the ip ft...

Page 1067: ...chive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used and you do not need to set the FTP username Include the username in the archive download sw or archive upload sw privileged EXEC command if you want to specify a username for that operation only When you upload an image file to the FTP se...

Page 1068: ... in flash memory with the downloaded image The reload option reloads the system after downloading the image unless the configuration has been changed and not been saved For username password specify the username and password these must be associated with an account on the FTP server For more information see the Preparing to Download or Upload an Image File By Using FTP section on page B 28 For loc...

Page 1069: ...e manager have been installed with the existing image Beginning in privileged EXEC mode follow these steps to upload an image to an FTP server Command Purpose Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page B 13 Step 2 Log into the switch through the console port or a Telnet session Step ...

Page 1070: ... Preparing to Download or Upload an Image File By Using RCP page B 32 Downloading an Image File By Using RCP page B 33 Uploading an Image File By Using RCP page B 35 Preparing to Download or Upload an Image File By Using RCP RCP provides another method of downloading and uploading image files between remote hosts and the switch Unlike TFTP which uses User Datagram Protocol UDP a connectionless pro...

Page 1071: ...nter the show users privileged EXEC command to view the valid username If you do not want to use this username create a new RCP username by using the ip rcmd remote username username global configuration command to be used during all archive operations The new username is stored in NVRAM If you are accessing the switch through a Telnet session and you have a valid username this username is used an...

Page 1072: ...oading the image unless the configuration has been changed and not been saved For username specify the username For the RCP copy request to execute successfully an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image File By Using RCP section on page B 32 For location specify the IP address of the RCP server For...

Page 1073: ...l privileged EXEC command For filesystem use flash for the system board flash device For file url enter the directory name of the old software image All the files in the directory and the directory are removed Caution For the download and upload algorithms to operate properly do not rename image names Uploading an Image File By Using RCP You can upload an image from the switch to an RCP server You...

Page 1074: ...ge names Step 5 end Return to privileged EXEC mode Step 6 archive upload sw rcp username location directory image na me tar Upload the currently running switch image to the RCP server For username specify the username for the RCP copy request to execute an account must be defined on the network server for the remote username For more information see the Preparing to Download or Upload an Image Fil...

Page 1075: ...is not a complete list The unsupported commands are listed by software feature and command mode Access Control Lists Unsupported Privileged EXEC Commands access enable host timeout minutes access template access list number name dynamic name source destination timeout minutes clear access template access list number name dynamic name source destination Unsupported Global Configuration Commands acc...

Page 1076: ...ommand boot buffersize Debug Commands debug dot1x feature debug platform cli redirection main debug platform configuration debug qos Embedded Event Manager Unsupported Privileged EXEC Commands event manager update user policy policy filename group group name expression repository url location Parameters are not supported for this command event manager run policy name paramater1 paramater15 Unsuppo...

Page 1077: ...exit op gt ge eq ne lt le exit type increment rate value average factor average factor value no trigger tag HSRP Unsupported Global Configuration Commands interface Async interface BVI interface Dialer interface Group Async interface Lex interface Multilink interface Virtual Template interface Virtual Tokenring Unsupported Interface Configuration Commands mtu standby mac refresh seconds standby us...

Page 1078: ...vileged EXEC Commands clear dot1x clear eap sessions show eap Unsupported Global Configuration Command dot1x critical eapol recovery delay ms Unsupported Interface Configuration Commands dot1x auth fail max attempts number vlan vlan id dot1x control direction both in dot1x critical recovery action reinitialize vlan vlan id dot1x control direction both in dot1x mac auth bypass dot1x mac reauth req ...

Page 1079: ...itch CPU It does not display packets that are hardware switched The debug ip mpacket detail access list number group name or address command affects only packets received by the switch CPU Because most multicast packets are hardware switched use this command only when you know that the route will forward the packet to the CPU debug ip pim atm show frame relay ip rtp header compression interface ty...

Page 1080: ...e All ip dvmrp commands ip igmp helper address ip address ip multicast helper map group address broadcast broadcast address multicast address extended access list number ip multicast rate limit in out video whiteboard group list access list source list access list kbps ip multicast ttl threshold ttl value instead use the ip multicast boundary access list number interface configuration command ip m...

Page 1081: ...list ip address wildcard ip as path access list ip accounting transits count ip cef accounting per prefix non recursive ip cef traffic statistics load interval seconds update rate seconds ip flow aggregation ip flow cache ip flow export ip gratuitous arps ip local ip prefix list ip reflexive list router egp router isis router iso igrp router mobile router odr router static Unsupported Interface Co...

Page 1082: ...ion Commands All Unsupported Route Map Commands match route type for policy based routing PBR set as path tag prepend as path string set automatic tag set dampening half life reuse suppress max suppress time set default interface interface id interface id set interface interface id interface id set ip default next hop ip address ip address set ip destination ip address mask set ip precedence value...

Page 1083: ...ble static show mac address table vlan show mac address table multicast Note Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address table entries for a VLAN Unsupported Global Configuration Commands mac address table aging time mac address table notification mac address table static Miscellaneous Unsupported User EXEC Commands verify Unsupported Privilege...

Page 1084: ...e consumption default wattage service compress config stack mac persistent timer track object number rtr Unsupported show platform Commands show platform ip unicast vrf compaction tcam label show platform ipv6 unicast show platform tb MSDP Unsupported Privileged EXEC Commands show access expression show exception show location show pm LINE show smf interface id show subscriber policy policy number...

Page 1085: ...QoS Unsupported Global Configuration Command priority list Unsupported Interface Configuration Command priority group Unsupported policy map Class Police Configuration Mode Command conform color class map police configuration RADIUS Unsupported Global Configuration Commands aaa authentication feature default enable aaa authentication feature default line aaa nas port extended radius server attribu...

Page 1086: ...nable informs snmp server ifindex persist Spanning Tree Unsupported Global Configuration Command spanning tree pathcost method long short spanning tree transmit hold count Unsupported Interface Configuration Command spanning tree stack port VLAN Unsupported Global Configuration Command vlan internal allocation policy ascending descending Unsupported User EXEC Commands show running config vlan show...

Page 1087: ...ation QoS 33 10 ACLs ACEs 31 2 any keyword 31 12 33 32 ACLs continued applying on multicast packets 31 38 on routed packets 31 37 on switched packets 31 37 time ranges to 31 16 to an interface 31 19 37 7 to IPv6 interfaces 37 7 to QoS 33 10 classifying traffic for QoS 33 31 comments in 31 18 compiling 31 22 defined 31 1 31 7 examples of 31 22 extended IPv4 creating 31 10 matching criteria 31 7 har...

Page 1088: ...ware 31 20 time ranges 31 16 types supported 31 2 unsupported features IPv6 37 3 unsupported features IPv4 31 6 using router ACLs with VLAN maps 31 35 ACLs continued VLAN maps configuration guidelines 31 29 configuring 31 29 active link 18 4 18 5 18 6 active links 18 2 active router 38 1 active traffic monitoring IP SLAs 39 1 address aliasing 21 2 addresses displaying the MAC address table 5 28 dy...

Page 1089: ...ation 35 8 table address resolution 5 29 managing 5 29 ASBRs 35 23 AS path filters BGP 35 52 assured forwarding DSCP 33 8 asymmetrical links and IEEE 802 1Q tunneling 13 4 attributes RADIUS vendor proprietary 7 30 vendor specific 7 29 authentication EIGRP 35 39 HSRP 38 10 local mode with AAA 7 36 NTP associations 5 4 RADIUS key 7 21 login 7 23 TACACS defined 7 11 key 7 13 login 7 14 See also port ...

Page 1090: ...onitoring 35 61 multipath support 35 50 neighbors types of 35 46 path selection 35 50 peers configuring 35 56 prefix filtering 35 54 resetting sessions 35 49 route dampening 35 60 BGP continued route maps 35 52 route reflectors 35 59 routing domain confederation 35 59 routing session with multi VRF CE 35 90 show commands 35 61 supernets 35 58 support for 1 9 Version 4 35 43 binding database DHCP s...

Page 1091: ... 23 2 defined with LLDP 24 1 described 23 1 CDP continued disabling for routing device 23 3 to 23 4 enabling and disabling on an interface 23 4 on a switch 23 3 Layer 2 protocol tunneling 13 8 monitoring 23 5 overview 23 1 support for 1 4 transmission timer and holdtime setting 23 2 updates 23 2 CEF defined 35 95 enabling 35 96 IPv6 36 17 CFM and Ethernet OAM configuring 41 33 and Ethernet OAM int...

Page 1092: ...omparisons 33 9 QoS group 33 10 classless interdomain routing See CIDR classless routing 35 6 class map match all option 33 7 match any option 33 7 class map command 33 3 class maps QoS configuring 33 34 33 35 described 33 7 class of service See CoS class selectors DSCP 33 8 clearing interfaces 9 27 CLI abbreviating commands 2 3 command modes 2 1 described 1 3 editing features enabling and disabli...

Page 1093: ...12 configuration initial defaults 1 11 configuration examples network 1 14 policy maps 33 66 QoS adding customers 33 68 adding or deleting a class 33 71 adding or deleting classification criteria 33 68 33 69 adding or deleting configured actions 33 70 changing queuing or scheduling parameters 33 70 initial 33 66 configuration files archiving B 19 clearing the startup configuration B 19 creating us...

Page 1094: ... rollback B 19 configuration settings saving 3 14 configure terminal command 9 8 configuring marking in input policy maps 33 46 configuring port based authentication violation modes 8 14 configuring small frame arrival rate 22 5 congestion avoidance QoS 33 2 33 26 congestion management QoS 33 2 33 20 connections secure remote 7 37 Connectivity Fault Management See CFM connectivity problems 44 10 4...

Page 1095: ...9 8 DNS 5 16 dynamic ARP inspection 20 5 EIGRP 35 36 E LMI and OAM 41 26 EtherChannel 34 10 Ethernet OAM 41 16 Flex Links 18 7 HSRP 38 5 IEEE 802 1Q tunneling 13 4 default configuration continued IEEE 802 1x 8 11 IGMP 42 37 IGMP filtering 21 24 IGMP snooping 21 6 IGMP throttling 21 24 initial switch information 3 3 IP addressing IP routing 35 4 IP multicast routing 42 8 IP SLAs 39 6 IP source guar...

Page 1096: ...iguration client request message exchange 3 4 configuring client side 3 3 DNS 3 7 relay device 3 7 server side 3 6 TFTP server 3 6 example 3 9 DHCP based autoconfiguration continued lease options for IP address information 3 6 for receiving the configuration file 3 6 overview 3 3 relationship to BOOTP 3 3 relay support 1 4 1 9 support for 1 3 DHCP based autoconfiguration and image update configuri...

Page 1097: ...ics 19 15 enabling 19 14 entry 19 6 renewing database 19 14 resetting delay value 19 14 timeout value 19 14 DHCP snooping binding table See DHCP snooping binding database DHCPv6 configuration guidelines 36 14 default configuration 36 13 described 36 6 enabling client function 36 16 enabling DHCPv6 server function 36 14 Differentiated Services Code Point See DSCP Diffusing Update Algorithm DUAL 35 ...

Page 1098: ...fault port type 9 7 defaults 9 18 defined 9 6 frame size 9 18 LEDs 9 7 dual purpose ports continued setting the type 9 18 duplex mode configuring 9 15 dynamic access ports characteristics 11 5 configuring 11 26 defined 9 4 dynamic addresses See addresses dynamic ARP inspection ARP cache poisoning 20 1 ARP requests described 20 1 ARP spoofing attack 20 1 clearing log buffer 20 15 statistics 20 15 c...

Page 1099: ...bling 2 6 keystrokes used 2 6 wrapped lines 2 8 EIGRP authentication 35 39 components 35 35 configuring 35 37 default configuration 35 36 definition 35 34 interface parameters configuring 35 38 EIGRP continued monitoring 35 41 stub routing 35 40 support for 1 9 EIGRP IPv6 36 6 ELIN location 24 3 E LMI and OAM Manager 41 25 CE device configuration 41 31 configuration guidelines 41 26 configuring a ...

Page 1100: ...rfaces 34 15 Layer 3 port channel logical interfaces 34 14 default configuration 34 10 described 34 2 displaying status 34 22 forwarding methods 34 7 34 17 interaction with STP 34 10 with VLANs 34 11 EtherChannel continued LACP described 34 6 displaying status 34 22 hot standby ports 34 19 interaction with other features 34 7 modes 34 6 port priority 34 21 system priority 34 20 Layer 3 interface 3...

Page 1101: ...ing with an internal VLAN ID 11 11 defined 11 1 extended system ID MSTP 15 17 STP 14 4 14 15 extended universal identifier See EUI Extensible Authentication Protocol over LAN 8 1 external BGP See EBGP external neighbors BGP 35 46 F Fast Convergence 18 3 features incompatible 22 11 FIB 35 95 fiber optic detecting unidirectional links 25 1 files copying B 4 crashinfo description 44 21 displaying the...

Page 1102: ... 18 3 get bulk request operation 29 3 get next request operation 29 3 29 4 get request operation 29 3 29 4 get response operation 29 3 global configuration mode 2 2 global leave IGMP 21 11 H hardware limitations and Layer 3 interfaces 9 23 hello time MSTP 15 23 STP 14 21 help for the command line 2 3 history changing the buffer size 2 5 described 2 4 disabling 2 5 recalling commands 2 5 history ta...

Page 1103: ... 13 6 IEEE 802 1s See MSTP IEEE 802 1w See RSTP IEEE 802 1x See port based authentication IEEE 802 3ad See EtherChannel IEEE 802 3ah Ethernet OAM discovery 41 1 IEEE 802 3z flow control 9 20 ifIndex values SNMP 29 5 IFS 1 4 IGMP configurable leave timer described 21 5 configurable leave timer procedures 21 9 configuring the switch as a member of a group 42 37 statically connected member 42 42 cont...

Page 1104: ...ling and disabling 21 7 global configuration 21 7 Immediate Leave 21 5 monitoring 21 14 querier configuration guidelines 21 12 configuring 21 12 IGMP snooping continued supported versions 21 2 support for 1 2 VLAN configuration 21 7 IGMP throttling configuring 21 27 default configuration 21 24 described 21 24 displaying action 21 28 IGP 35 22 Immediate Leave IGMP configuration guidelines 21 9 desc...

Page 1105: ...y management TLV 24 6 IP ACLs for QoS classification 33 10 implicit deny 31 9 31 13 implicit masks 31 9 IP ACLs continued named 31 14 undefined 31 20 IP addresses 128 bit 36 2 classes of 35 5 default configuration 35 4 discovering 5 29 for IP routing 35 3 IPv6 36 2 MAC address association 35 7 monitoring 35 16 IP broadcast address 35 14 ip cef distributed command 35 96 IP directed broadcasts 35 12...

Page 1106: ...n announcement 42 43 Session Directory sdr tool described 42 43 monitoring packet rate loss 42 47 peering devices 42 47 tracing a path 42 47 multicast forwarding described 42 7 PIMv1 and PIMv2 interoperability 42 9 IP multicast routing continued reverse path check RPF 42 7 routing table deleting 42 46 displaying 42 47 RP assigning manually 42 22 configuring Auto RP 42 24 configuring PIMv2 BSR 42 2...

Page 1107: ...ual 19 19 binding table 19 19 configuration guidelines 19 20 default configuration 19 19 disabling 19 21 displaying bindings 19 22 configuration 19 22 enabling 19 20 IP source guard continued filtering source IP address 19 19 source IP and MAC address 19 19 source IP address filtering 19 19 source IP and MAC address filtering 19 19 static bindings adding 19 20 deleting 19 21 IP traceroute executin...

Page 1108: ...s 37 3 matching criteria 37 3 port 37 2 precedence 37 2 router 37 2 supported 37 2 IPv6 continued ACLs continued addresses 36 2 address formats 36 2 applications 36 5 assigning address 36 9 autoconfiguration 36 4 CEFv6 36 17 default configuration 36 9 default router preference DRP 36 4 defined 36 1 Enhanced Interior Gateway Routing Protocol EIGRP IPv6 36 6 Router ID 36 6 feature limitations 36 7 f...

Page 1109: ...e 7 32 described 7 32 KDC 7 32 operation 7 34 Kerberos continued realm 7 33 server 7 33 support for 1 7 switch as trusted third party 7 32 terms 7 33 TGT 7 34 tickets 7 32 key distribution center See KDC L l2protocol tunnel command 13 13 LACP Layer 2 protocol tunneling 13 9 See EtherChannel Layer 2 interfaces default configuration 9 12 Layer 2 packets classification 33 5 Layer 2 protocol packets a...

Page 1110: ...34 24 described 34 22 LLDP configuring 24 3 characteristics 24 4 default configuration 24 3 disabling and enabling globally 24 5 on an interface 24 5 monitoring and maintaining 24 8 overview 24 1 supported TLVs 24 2 transmission timer and holdtime setting 24 4 LLDP MED configuring 24 3 configuring TLVs 24 6 monitoring and maintaining 24 8 overview 24 1 24 2 supported TLVs 24 2 LLDP Media Endpoint ...

Page 1111: ...4 SNMP 1 4 out of band console port connection 1 4 management options CLI 2 1 CNS 4 1 overview 1 3 manual preemption REP configuring 17 13 marking action with aggregate policers 33 44 described 33 2 33 14 match command QoS for classification 33 3 33 7 guidelines 33 34 matching IPv4 ACLs 31 7 matching classifications QoS 33 7 maximum aging time MSTP 15 24 STP 14 22 maximum hop count MSTP 15 24 maxi...

Page 1112: ...yer 2 protocol tunneling 13 18 MAC address table move update 18 14 MSDP peers 43 17 multicast router interfaces 21 15 multi VRF CE 35 95 MVR 21 23 network traffic for analysis with probe 26 2 monitoring continued OAM manager 41 31 object tracking 40 12 OSPF 35 34 port blocking 22 18 protection 22 18 private VLANs 12 15 QoS 33 65 REP 17 14 RP mapping information 42 33 SFPs status 9 27 SFP status 1 ...

Page 1113: ...miting data with TTL 43 12 monitoring 43 17 restricting advertised sources 43 8 support for 1 9 MSTP boundary ports configuration guidelines 15 15 described 15 6 MSTP continued BPDU filtering described 16 3 enabling 16 8 BPDU guard described 16 3 enabling 16 7 CIST described 15 3 CIST regional root CIST root 15 5 configuration guidelines 15 15 16 6 configuring forward delay time 15 23 hello time 1...

Page 1114: ...cribed 16 4 enabling 16 10 root switch configuring 15 17 effects of extended system ID 15 17 unexpected behavior 15 17 MSTP continued shutdown Port Fast enabled port 16 3 status displaying 15 27 multicast groups Immediate Leave 21 5 leaving 21 5 static joins 21 8 multicast packets ACLs on 31 38 blocking 22 8 multicast router interfaces monitoring 21 15 multicast router ports adding 21 7 Multicast ...

Page 1115: ...ing 8 22 overview 8 9 neighbor discovery IPv6 36 4 neighbor discovery recovery EIGRP 35 35 neighbor offset numbers REP 17 4 neighbors BGP 35 56 Network Edge Access Toplogy See NEAT network management CDP 23 1 RMON 27 1 SNMP 29 1 network node interface See NNI network performance measuring with IP SLAs 39 3 network policy TLV 24 7 Network Time Protocol See NTP NNI configuring 9 14 described 9 2 pro...

Page 1116: ... purpose of 41 25 with CFM 41 25 with CFM and Ethernet OAM 41 32 OAM PDUs 41 16 OAM protocol data units 41 14 object tracking HSRP 40 7 IP SLAs 40 9 IP SLAs configuring 40 9 monitoring 40 12 Open Shortest Path First See OSPF optimizing system resources 6 1 options management 1 3 OSPF area parameters configuring 35 29 configuring 35 25 default configuration metrics 35 31 route 35 31 settings 35 24 ...

Page 1117: ...odic data collection and transfer mechanism 29 6 per port per VLAN policy maps configuration guidelines 33 48 per port per VLAN policing 33 12 33 48 per VLAN spanning tree plus See PVST PE to CE routing configuring 35 90 physical ports 9 3 PIM default configuration 42 8 dense mode overview 42 4 rendezvous point RP described 42 4 RPF lookups 42 8 displaying neighbors 42 47 enabling a mode 42 11 ove...

Page 1118: ...2 client defined 8 2 configuration guidelines 8 12 port based authentication continued configuring 802 1x authentication 8 14 host mode 8 20 manual re authentication of a client 8 17 periodic re authentication 8 17 quiet period 8 18 RADIUS server 8 17 RADIUS server parameters on the switch 8 16 switch to client frame retransmission number 8 19 8 20 switch to client retransmission time 8 18 violati...

Page 1119: ... assignments 11 11 port security aging 22 16 and private VLANs 22 17 configuration guidelines 22 11 configuring 22 12 default configuration 22 11 described 22 8 displaying 22 18 enabling 22 17 on trunk ports 22 13 sticky learning 22 9 violations 22 10 with other features 22 11 port shaping configuring 33 57 described 33 22 port shutdown response VMPS 11 24 port types 9 2 power 24 7 power managemen...

Page 1120: ...ddressing 12 4 isolated port 12 2 isolated VLANs 12 2 12 3 mapping 12 14 monitoring 12 15 ports community 12 3 configuration guidelines 12 8 configuring host ports 12 11 configuring promiscuous ports 12 13 described 11 5 isolated 12 2 promiscuous 12 2 private VLANs continued primary VLANs 12 1 12 3 promiscuous ports 12 2 secondary VLANs 12 2 subdomains 12 1 traffic in 12 5 privileged EXEC mode 2 2...

Page 1121: ...gregate policers 33 44 CBWFQ 33 54 class based shaping 33 56 class maps 33 34 general 33 30 QoS continued individual policers 33 39 input policy maps 33 38 marking 33 46 output policy maps 33 53 unconditional priority policing 33 60 WTD 33 63 configuring aggregate policers 33 44 class based shaping 33 56 classification with IP ACLs 33 31 class maps 33 34 33 35 individual policers 33 40 individual ...

Page 1122: ... 22 preconfiguration 33 29 priority policing described 33 18 priority with police 33 25 queue size 33 27 QoS continued scheduling 33 20 CBWFQ 33 21 priority queuing 33 21 traffic shaping 33 20 strict priority queuing 33 25 supported table maps 33 14 support for 1 8 table maps 33 13 traffic shaping described 33 21 unconditional priority policing 33 25 WTD 33 27 QoS groups classification 33 10 33 12...

Page 1123: ...downloading B 33 preparing the server B 32 uploading B 35 reachability tracking IP SLAs IP host 40 9 readiness check port based authentication configuring 8 13 described 8 7 8 13 reconfirmation interval VMPS changing 11 27 reconfirming dynamic VLAN membership 11 27 recovery procedures 44 1 redundancy EtherChannel 34 3 HSRP 38 1 STP backbone 14 8 path cost 11 21 port priority 11 20 reliable transpo...

Page 1124: ...9 4 restricting access NTP services 5 8 overview 7 1 passwords and privilege levels 7 2 RADIUS 7 17 TACACS 7 10 retry count VMPS changing 11 27 reverse address resolution 35 7 Reverse Address Resolution Protocol See RARP RFC 1112 IP multicast and IGMP 21 2 1157 SNMPv1 29 2 1305 NTP 5 2 1587 NSSAs 35 23 1757 RMON 27 2 1901 SNMPv2C 29 2 1902 to 1907 SNMPv2 29 2 2236 IP multicast and IGMP 21 2 2273 2...

Page 1125: ...cs 26 7 configuration guidelines 26 15 default configuration 26 9 defined 26 2 destination ports 26 6 displaying status 26 22 RSPAN continued interaction with other features 26 8 monitored ports 26 5 monitoring ports 26 6 overview 1 10 26 1 received traffic 26 4 session limits 26 10 sessions creating 26 16 defined 26 3 limiting source traffic to specific VLANs 26 21 specifying monitored ports 26 1...

Page 1126: ...essages 28 8 service policy command attaching policy maps 33 3 guidelines 33 53 using 33 38 service provider network MSTP and RSTP 15 1 service provider networks and customer VLANs 13 2 and IEEE 802 1Q tunneling 13 1 Layer 2 protocols across 13 8 Layer 2 protocol tunneling for EtherChannels 13 9 set command for QoS marking 33 19 guidelines 33 46 set request operation 29 4 severity levels defining ...

Page 1127: ...3 29 3 MIBs location of A 3 supported A 1 notifications 29 5 overview 29 1 29 4 security levels 29 3 SNMP continued setting CPU threshold notification 29 16 status displaying 29 22 system contact and location 29 17 trap manager configuring 29 14 traps described 29 3 29 5 differences from informs 29 5 disabling 29 16 enabling 29 12 enabling MAC address notification 5 23 overview 29 1 29 4 types of ...

Page 1128: ...support for 1 8 SSH configuring 7 38 cryptographic software image 7 37 described 1 4 7 37 encryption methods 7 38 user authentication methods supported 7 38 SSM address management restrictions 42 15 CGMP limitations 42 16 components 42 14 configuration guidelines 42 15 configuring 42 13 42 16 differs from Internet standard multicast 42 14 IGMP snooping 42 16 IGMPv3 42 14 IGMPv3 Host Signalling 42 ...

Page 1129: ...g 22 5 displaying 22 18 support for 1 2 thresholds 22 1 STP and REP 17 6 STP continued BPDU filtering described 16 3 disabling 16 9 enabling 16 8 BPDU guard described 16 3 disabling 16 8 enabling 16 7 BPDU message exchange 14 3 configuration guidelines 14 12 16 6 configuring forward delay time 14 22 hello time 14 21 maximum aging time 14 22 path cost 14 19 port priority 14 17 root switch 14 15 sec...

Page 1130: ...th costs 11 21 11 22 Port Fast described 16 2 enabling 16 6 port priorities 11 20 preventing root switch selection 16 4 protocols supported 14 9 redundant connectivity 14 8 STP continued root guard described 16 4 enabling 16 10 root port defined 14 3 root switch configuring 14 15 effects of extended system ID 14 4 14 15 election 14 3 unexpected behavior 14 16 status displaying 14 23 superior BPDU ...

Page 1131: ...onfiguration 28 13 enabling 28 4 facility keywords described 28 13 level keywords described 28 9 limiting messages 28 10 message format 28 2 overview 28 1 sequence numbers enabling and disabling 28 8 system message logging continued setting the display destination device 28 5 synchronizing log messages 28 6 syslog facility 1 10 time stamps enabling and disabling 28 7 UNIX syslog servers configurin...

Page 1132: ...setting a password 7 6 templates Ethernet OAM 41 21 SDM 6 2 Terminal Access Controller Access Control System Plus See TACACS terminal lines setting a password 7 6 TFTP configuration files downloading B 11 preparing the server B 10 uploading B 11 configuration files in base directory 3 7 configuring for autoconfiguration 3 6 image files deleting B 27 downloading B 26 preparing the server B 25 uploa...

Page 1133: ...ism 3 2 traps configuring MAC address notification 5 23 configuring managers 29 12 defined 29 3 enabling 5 23 29 12 notification types 29 12 overview 29 1 29 4 troubleshooting connectivity problems 44 10 44 13 44 14 detecting unidirectional links 25 1 displaying crash information 44 21 PIMv1 and PIMv2 interoperability problems 42 33 setting packet forwarding 44 19 SFP security and identification 4...

Page 1134: ...33 25 UN ENI VLANs defined 11 5 UNI configuring 9 14 described 9 2 protocol control packets on 32 1 unicast MAC address filtering and adding static addresses 5 26 and broadcast MAC addresses 5 26 and CPU packets 5 26 and multicast addresses 5 26 and router MAC addresses 5 26 configuration guidelines 5 26 described 5 26 unicast storm 22 1 unicast storm control command 22 4 unicast traffic blocking ...

Page 1135: ...lan global configuration command 11 7 11 9 VLAN ID discovering 5 29 VLAN load balancing configuration guidelines on flex links 18 8 on flex links 18 2 REP 17 4 triggering 17 5 VLAN Management Policy Server See VMPS VLAN map entries order of 31 29 VLAN maps applying 31 33 common uses for 31 33 configuration guidelines 31 29 configuring 31 29 creating 31 30 defined 31 2 31 5 denying access to a serv...

Page 1136: ...AN Trunking Protocol See VTP VLAN trunks 11 14 VMPS administering 11 28 configuration example 11 28 configuration guidelines 11 25 default configuration 11 25 description 11 23 dynamic port membership described 11 24 reconfirming 11 27 troubleshooting 11 28 mapping MAC addresses to VLANs 11 23 monitoring 11 28 VMPS continued reconfirmation interval changing 11 27 reconfirming membership 11 27 retr...

Page 1137: ...Access Switch Software Configuration Guide OL 9639 07 W weighted tail drop See WTD weight thresholds in tracked lists 40 5 WTD configuration guidelines 33 63 configuring 33 62 33 63 described 33 26 support for 1 8 X Xmodem protocol 44 2 ...

Page 1138: ...Index IN 52 Cisco ME 3400 Ethernet Access Switch Software Configuration Guide OL 9639 07 ...

Reviews:

No comments

Related manuals for ME 3400 Series

NEC Express5800/E120d-M Getting Started preview
Express5800/E120d-M
Brand: NEC Pages: 2
C&H Technologies EM405-8 Manual preview
EM405-8
Brand: C&H Technologies Pages: 46
Parkside POF 1200 A1 Operation Manual preview
POF 1200 A1
Brand: Parkside Pages: 55
Parkside POF 1200 A1 Operation And Safety Notes preview
POF 1200 A1
Brand: Parkside Pages: 34
Tandberg Data RDX QuikStation 4 Quick Start Manuals preview
RDX QuikStation 4
Brand: Tandberg Data Pages: 2
Garland INT40G2SR44 User Manual preview
INT40G2SR44
Brand: Garland Pages: 43
ZyXEL Communications PK5000Z How To Configure preview
PK5000Z
Brand: ZyXEL Communications Pages: 3
ADTRAN 239 T1 HDSL4 Installation And Maintenance Manual preview
239 T1 HDSL4
Brand: ADTRAN Pages: 20
FOR-A USF-105PS Operation Manuals preview
USF-105PS
Brand: FOR-A Pages: 37
Extreme Networks ExtremeCloud Appliance E1120 User Manual preview
ExtremeCloud Appliance E1120
Brand: Extreme Networks Pages: 219
DELTA GROUP LOYTEC LIP‑3ECTC Installation Instructions preview
LOYTEC LIP‑3ECTC
Brand: DELTA GROUP Pages: 4
Hornington WHR-HP-G300N Quick Start Manual preview
WHR-HP-G300N
Brand: Hornington Pages: 8
Aethra AF3400 Technical Specifications preview
AF3400
Brand: Aethra Pages: 2
LevelOne FEU-2410 Technical Specifications preview
FEU-2410
Brand: LevelOne Pages: 2
Muratec OFFICEBRIDGE ONLINE User Manual preview
OFFICEBRIDGE ONLINE
Brand: Muratec Pages: 220
MikroTik RBM33G Quick Manual preview
RBM33G
Brand: MikroTik Pages: 9
Asus GX-D1051 Quick Start Manual preview
GX-D1051
Brand: Asus Pages: 8
Asus GIGAX 1005B Quick Installation Manual preview
GIGAX 1005B
Brand: Asus Pages: 46

Brands by name

Popular brands

Load more brands