Cisco AIM-VPN - DES/3DES VPN Data Encryption AIM Module Скачать руководство пользователя страница 83 | Manualshive

Страница: 83 / 246

background image

16- and 36-Port Ethernet Switch Module for Cisco 2600 Series, Cisco 3600 Series, and Cisco 3700 Series

Configuration Tasks

83

Cisco IOS Release 12.2(2)XT, 12.2(8)T, and 12.2(15)ZJ

Use the no access-list access-list-number global configuration command to delete the entire access list.
You cannot delete individual ACEs from numbered access lists.

After an ACL is created, any additions (possibly entered from the terminal) are placed at the end of the
list. You can add ACEs to an ACL, but deleting any ACE deletes the entire ACL.

Note

When creating an ACL, remember that, by default, the end of the access list contains an implicit deny
statement for all packets if it did not find a match before reaching the end.

After creating an ACL, you must apply it to an interface, as described in the

“Applying the ACL to an

Interface” section on page 85

.

Creating Named Standard and Extended ACLs

You can identify IP ACLs with an alphanumeric string (a name) rather than a number. You can use named
ACLs to configure more IP access lists on a switch than if you use numbered access lists. If you identify
your access list with a name rather than a number, the mode and command syntax are slightly different.
However, not all commands that use IP access lists accept a named ACL.

Note

The name you give to a standard ACL or extended ACL can also be a number in the supported range
of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended
IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you
can delete individual entries from a named list.

Consider these guidelines and limitations before configuring named ACLs:

•

A standard ACL and an extended ACL cannot have the same name.

•

Numbered ACLs are also available, as described in the

“Creating Standard and Extended IP ACLs”

section on page 78

.

«
...
81
82
83
84
85
...
»

Содержание AIM-VPN - DES/3DES VPN Data Encryption AIM Module

Страница 1: ... Feature Overview page 2 Supported Platforms page 45 Supported Standards MIBs and RFCs page 45 Prerequisites page 46 Configuration Tasks page 46 Configuration Examples for the 16 and 36 Port Ethernet Switch Module page 130 Command Reference page 157 Glossary page 242 Release Modification 12 2 2 XT This feature was introduced on the Cisco 2600 series Cisco 3600 series and Cisco 3700 series routers ...

Страница 2: ...network module requires a double wide slot An optional power module can also be added to provide inline power for IP telephones The 16 and 36 port Ethernet switch network modules support the following Layer 2 Ethernet Interfaces page 2 Switch Virtual Interfaces page 5 Routed Ports page 5 VLAN Trunk Protocol page 5 EtherChannel page 7 802 1x Port Based Authentication page 8 Spanning Tree Protocol p...

Страница 3: ...need to communicate the switch forwards frames from one interface to the other at wire speed to ensure that each session receives full bandwidth To switch frames between interfaces efficiently the switch maintains an address table When a frame enters the switch it associates the MAC address of the sending station with the interface on which it was received Building the Address Table The Ethernet s...

Страница 4: ...ree loops might result Inconsistencies detected by a Cisco switch mark the line as broken and block traffic for the specific VLAN Disabling spanning tree on the VLAN of an 802 1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning tree loops Cisco recommends that you leave spanning tree enabled on the VLAN of an 802 1Q trunk or that you disable spannin...

Страница 5: ...ports by putting the interface into Layer 3 mode with the no switchport interface configuration command Then assign an IP address to the port enable routing and assign routing protocol characteristics by using the ip routing and router protocol global configuration commands Caution Entering a no switchport interface configuration command shuts the interface down and then reenables it which might g...

Страница 6: ...E 802 1Q encapsulation VTP maps VLANs dynamically across multiple LAN types with unique names and internal index associations Mapping eliminates excessive device administration required from network administrators VTP Modes You can configure a switch to operate in any one of these VTP modes Server In VTP server mode you can create modify and delete VLANs and specify other configuration parameters ...

Страница 7: ...etwork All switches in a VTP domain must run the same VTP version You must configure a password on each switch in the management domain when in secure mode A VTP version 2 capable switch can operate in the same VTP domain as a switch running VTP version 1 provided that VTP version 2 is disabled on the VTP version 2 capable switch VTP version 2 is disabled by default Do not enable VTP version 2 on ...

Страница 8: ...Channel to the same VLAN or configure them as trunks An EtherChannel supports the same allowed range of VLANs on all interfaces in a trunking Layer 2 EtherChannel If the allowed range of VLANs is not the same the interfaces do not form an EtherChannel Interfaces with different Spanning Tree Protocol STP port path costs can form an EtherChannel as long they are otherwise compatibly configured Setti...

Страница 9: ... Access Control Server version 3 0 RADIUS operates in a client server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients Switch edge switch or wireless access point controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authen...

Страница 10: ...lient are dropped If the client does not receive an EAP request identity frame after three attempts to start authentication the client transmits frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated For more information see the Ports in Authorized and Unauthorized States section on page 11 When the clie...

Страница 11: ... by the client to authenticate The switch cannot provide authentication services to the client through the interface auto enables 802 1x and causes the port to begin in the unauthorized state allowing only EAPOL frames to be sent and received through the port The authentication process begins when the link state of the port changes from down to up or when an EAPOL start frame is received The switc...

Страница 12: ...instance of STP runs on each configured VLAN provided that you do not manually disable STP You can enable and disable STP on a per VLAN basis When you create fault tolerant internetworks you must have a loop free path between all nodes in a network The spanning tree algorithm calculates the best loop free path throughout a switched Layer 2 network Switches send and receive spanning tree frames at ...

Страница 13: ...orward the frame but instead uses the information in the frame to calculate a BPDU and if the topology changes initiate a BPDU transmission A BPDU exchange results in the following One switch is elected as the root switch The shortest distance to the root switch is calculated for each switch based on the path cost A designated bridge for each LAN segment is selected This is the switch closest to t...

Страница 14: ...witch using spanning tree exists in one of the following five states Blocking The Layer 2 interface does not participate in frame forwarding Listening First transitional state after the blocking state when spanning tree determines that the Layer 2 interface should participate in frame forwarding Learning The Layer 2 interface prepares to participate in frame forwarding Forwarding The Layer 2 inter...

Страница 15: ...warding state the following process occurs 1 The Layer 2 interface is put into the listening state while it waits for protocol information that suggests that it should go to the blocking state 2 The Layer 2 interface waits for the forward delay timer to expire moves the Layer 2 interface to the learning state and resets the forward delay timer 3 In the learning state the Layer 2 interface continue...

Страница 16: ...the listening state A port always enters the blocking state following switch initialization Figure 5 Interface 2 in Blocking State A Layer 2 interface in the blocking state performs as follows Discards frames received from the attached segment Discards frames switched from another interface for forwarding Does not incorporate end station location into its address database There is no learning on a...

Страница 17: ... the listening state performs as follows Discards frames received from the attached segment Discards frames switched from another interface for forwarding Does not incorporate end station location into its address database There is no learning at this point so there is no address database update Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs received fr...

Страница 18: ... learning state performs as follows Discards frames received from the attached segment Discards frames switched from another interface for forwarding Incorporates end station location into its address database Receives BPDUs and directs them to the system module Receives processes and transmits BPDUs received from the system module Receives and responds to network management messages Filtering dat...

Страница 19: ...g state performs as follows Forwards frames received from the attached segment Forwards frames switched from another Layer 2 interface for forwarding Incorporates end station location information into its address database Receives BPDUs and directs them to the system module Processes BPDUs received from the system module Receives and responds to network management messages Filtering database Frame...

Страница 20: ...ncorporate end station location into its address database There is no learning so there is no address database update Does not receive BPDUs Does not receive BPDUs for transmission from the system module MAC Address Allocation The MAC address allocation manager has a pool of MAC addresses that are used as the bridge IDs for the VLAN spanning trees In Table 3 you can view the number of VLANs allowe...

Страница 21: ...e possible priority range is 0 to 255 configurable in increments of 4 the default is 128 Cisco IOS software uses the port priority value when the interface is configured as an access port and uses VLAN port priority values when the interface is configured as a trunk port Spanning Tree Port Cost The spanning tree port path cost default value is derived from the media speed of an interface In the ev...

Страница 22: ...lternate paths to the root switch If the inferior BPDU arrives on the root port all blocked ports become alternate paths to the root switch If the inferior BPDU arrives on the root port and there are no blocked ports the switch assumes that it has lost connectivity to the root switch causes the maximum aging time on the root to expire and becomes the root switch according to normal STP rules If th...

Страница 23: ...ding a path from Switch B to Switch A This switchover takes approximately 30 seconds twice the Forward Delay time if the default Forward Delay time of 15 seconds is set Figure 11 shows how BackboneFast reconfigures the topology to account for the failure of link L1 Figure 11 BackboneFast Example After Indirect Link Failure If a new switch is introduced into a shared medium topology as shown in Fig...

Страница 24: ...verlapping sets of SPAN source interfaces or VLANs Only switched interfaces can be configured as SPAN sources or destinations on the same network module SPAN sessions do not interfere with the normal operation of the switch You can enable or disable SPAN sessions with command line interface CLI or SNMP commands When enabled a SPAN session might become active or inactive based on various events or ...

Страница 25: ...ite had occurred in which case the packets would be different Note Monitoring of VLANs is not supported SPAN Configuration Guidelines and Restrictions Follow these guidelines and restrictions when configuring SPAN Enter the no monitor session session number command with no other parameters to clear the SPAN session number EtherChannel interfaces can be SPAN source interfaces they cannot be SPAN de...

Страница 26: ...ts can access different parts of a network or to decide which types of traffic are forwarded or blocked at switch interfaces For example you can allow e mail traffic to be forwarded but not Telnet traffic ACLs can be configured to block inbound traffic An ACL contains an ordered list of access control entries ACEs Each ACE specifies permit or deny and a set of conditions the packet must satisfy in...

Страница 27: ...o on are considered to match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information Consider access list 102 configured with these commands applied to three fragmented packets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Switch config acces...

Страница 28: ...g Access Control Parameters Before configuring ACLs on the Ethernet switch network module you must have a thorough understanding of the Access Control Parameters ACPs ACPs are referred to as masks in the switch CLI commands and output Each ACE has a mask and a rule The Classification Field or mask is the field of interest on which you want to perform an action The specific values associated with a...

Страница 29: ...eters section on page 28 The following example shows the same mask in an ACL Switch config ip access list extended acl2 Switch config ext nacl permit tcp 10 1 1 1 0 0 0 0 any eq 80 Switch config ext nacl permit tcp 20 1 1 1 0 0 0 0 any eq 23 In this example the first ACE permits all the TCP packets coming from the host 10 1 1 1 with a destination TCP port number of 80 The second ACE permits all TC...

Страница 30: ...r using 6 bits from the deprecated IP type of service ToS field to carry the classification class information Classification can also be carried in the Layer 2 frame These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 14 Prioritization values in Layer 2 frames Layer 2 802 1Q frame headers have a 2 byte Tag Control Information field that carries the Co...

Страница 31: ...Ethernet switch network module can function as a Layer 2 switch connected to a Layer 3 router When a packet enters the Layer 2 engine directly from a switch port it is placed into one of four queues in the dynamic 32 MB shared memory buffer The queue assignment is based on the dot1p value in the packet Any voice bearer packets that come in from the Cisco IP phones on the voice VLAN are automatical...

Страница 32: ...interface basis No support exists for classifying packets at the VLAN or the switched virtual interface level You specify which fields in the frame or packet that you want to use to classify incoming traffic Classification Based on QoS ACLs You can use IP standard or IP extended ACLs to define a group of packets with the same characteristics class In the QoS context the permit and deny actions in ...

Страница 33: ...raffic The class map defines the criteria used to match against a specific traffic flow to further classify it the criteria can include matching the access group defined by the ACL If you have more than one type of traffic that you want to classify you can create another class map and use a different name After a packet is matched against the class map criteria you further classify it through the ...

Страница 34: ...ort to trust CoS Layer 2 802 1Q frame headers carry the CoS value in the three most significant bits of the Tag Control Information field CoS values range from 0 for low priority to 7 for high priority The trust DSCP configuration is meaningless for non IP traffic If you configure a port with this option and non IP traffic is received the switch assigns the default port CoS value and classifies tr...

Страница 35: ...S uses the configurable DSCP to CoS map to derive a CoS value from the internal DSCP value The CoS to DSCP and DSCP to CoS map have default values that might or might not be appropriate for your network For configuration information see the Configuring CoS Maps section on page 96 Maximum Number of VLAN and Multicast Groups The maximum number is less than or equal to 242 The number of VLANs is dete...

Страница 36: ... change occurs the IGMP snooping learned multicast groups from this port on the VLAN are deleted In the IP multicast source only environment the switch learns the IP multicast group from the IP multicast data stream and only forwards traffic to the multicast router ports Immediate Leave Processing IGMP snooping Immediate Leave processing allows the switch to remove an interface that sends a leave ...

Страница 37: ...e entry as shown in Table 7 that includes the port numbers of Host 1 and the router Figure 16 Initial IGMP Join Message Note that the switch architecture allows the CPU to distinguish IGMP information packets from other packets for the multicast group The switch recognizes the IGMP packets through its filter engine This prevents the CPU from becoming overloaded with multicast frames The entry in t...

Страница 38: ...t by the router or they can send a leave message When the switch receives a leave message from a host it sends out a group specific query to determine if any devices behind that interface are interested in traffic for the specific multicast group If after a number of queries the router processor receives no reports from a VLAN it removes the group for the VLAN from its multicast forwarding table G...

Страница 39: ...ample When global storm control is enabled the switch monitors packets passing from an interface to the switching bus and determines if the packet is unicast multicast or broadcast The switch monitors the number of broadcast multicast or unicast packets received within the 1 second time interval and when a threshold for one type of traffic is reached that type of traffic is dropped This threshold ...

Страница 40: ...tion attempting to access the port is different from any of the MAC addresses specified for that port Alternatively you can use port security to filter traffic destined to or received from a specific host based on the host MAC address Ethernet Switching in Cisco AVVID Architecture This section describes the Ethernet switching capabilities of the Ethernet switch network module which is designed to ...

Страница 41: ...ns out of space the port transmits a special packet that requests remote ports to delay sending packets for a period of time This special packet is called a pause frame Using Flow Control Keywords Table 9 describes guidelines for using different configurations of the send and receive keywords with the set port flowcontrol command Table 9 Gigabit Ethernet Flow Control Keyword Functions Configuratio...

Страница 42: ...of network interfaces on a switch Bridge groups cannot be used to identify traffic switched within the bridge group outside the switch on which they are defined Bridge groups on the same switch function as distinct bridges that is bridged traffic and bridge protocol data units BPDUs cannot be exchanged between different bridge groups on a switch An interface can be a member of only one bridge grou...

Страница 43: ...ace Range Specification feature makes configuration easier for these reasons Identical commands can be entered once for a range of interfaces rather than being entered separately for each interface Interface ranges can be saved as macros Restrictions The following functions are not supported in this release CGMP client CGMP fast leave Dynamic ports Dynamic access ports Secure ports Dynamic trunk p...

Страница 44: ...es and Cisco 3700 series routers refer to these documents Cisco 2600 Series Modular Routers Quick Start Guide Cisco 2600 Series Hardware Installation Guide Quick Start Guides for Cisco 3600 series routers Cisco 3600 Series Hardware Installation Guide Quick start guides for Cisco 3700 series routers Hardware installation documents for Cisco 3700 series WAN Interface Card Hardware Installation Guide...

Страница 45: ...e Navigator at http www cisco com go fn You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear Supported Standards MIBs and RFCs Standards 802 1d 802 1p 802 1q 802 1x MIBs RFC 1213 IF MIB RFC 2037 ENTITY MIB CISCO CDP MIB CISCO IMAGE MIB CISCO FLASH MIB OLD CISCO CH...

Страница 46: ...ion complete the following tasks before configuring this feature Configure IP routing For more information on IP routing refer to the Cisco IOS IP Configuration Guide Release 12 2 Set up the call agents For more information on setting up call agents refer to the documentation that accompanies the call agents used in your network configuration Configuration Tasks See the following sections for conf...

Страница 47: ...tures optional Configuring an Ethernet Interface as a Layer 2 Trunk optional Configuring an Ethernet Interface as a Layer 2 Access optional Configuring a Range of Interfaces To configure a range of interfaces use the interface range command in global configuration mode Command Purpose Step 1 Router config interface range vlan vlan id vlan id ethernet fastethernet macro macro name slot interface in...

Страница 48: ...nterface as a Layer 2 Trunk page 50 Configuring an Ethernet Interface as a Layer 2 Access page 52 Interface Speed and Duplex Configuration Guidelines When configuring an interface speed and duplex mode note these guidelines If both ends of the line support autonegotiation Cisco highly recommends the default autonegotiation settings If one interface supports autonegotiation and the other end does n...

Страница 49: ...ifying Interface Speed and Duplex Mode Configuration Step 1 Use the show interfaces command to verify the interface speed and duplex mode configuration for an interface Router show interfaces fastethernet 1 4 FastEthernet1 4 is up line protocol is down Hardware is Fast Ethernet address is 0000 0000 0c89 bia 0000 0000 0c89 MTU 1500 bytes BW 100000 Kbit DLY 100 usec reliability 255 255 txload 1 255 ...

Страница 50: ...Trunk To configure an Ethernet interface as a Layer 2 trunk use the following commands beginning in global configuration mode Note Ports do not support Dynamic Trunk Protocol DTP Ensure that the neighboring switch is set to a mode that will not send DTP Command Purpose Step 1 Router config if description string Adds a description for an interface Command Purpose Step 1 Router config interface ethe...

Страница 51: ...abled Administrative Mode static access Operational Mode static access Administrative Trunking Encapsulation dot1q Operational Trunking Encapsulation native Negotiation of Trunking Disabled Access Mode VLAN 1 default Trunking Native Mode VLAN 1 default Trunking VLANs Enabled ALL Pruning VLANs Enabled 2 1001 Protected false Unknown unicast blocked false Unknown multicast blocked false Broadcast Sup...

Страница 52: ... interfaces ethernet fastethernet slot port switchport Configuring VLANs This section describes how to configure the VLANs on the Ethernet switch network modules and it contains the following sections Configuring VLANs optional Deleting a VLAN from the Database optional Command Purpose Step 1 Router config interface ethernet fastethernet slot port Selects the interface to configure Step 2 Router c...

Страница 53: ... Trans1 Trans2 1 enet 100001 1500 1002 1003 1002 fddi 101002 1500 1 1003 1003 tr 101003 1500 1005 0 srb 1 1002 1004 fdnet 101004 1500 1 ibm 0 0 1005 trnet 101005 1500 1 ibm 0 0 Router Deleting a VLAN from the Database When you delete a VLAN from a switch that is in VTP server mode the VLAN is removed from all switches in the VTP domain When you delete a VLAN from a switch that is in VTP transparen...

Страница 54: ... 1005 trnet default active Router Configuring VLAN Trunking Protocol This section describes how to configure the VLAN Trunking Protocol VTP on the Ethernet switch network module and contains the following sections Configuring the VTP Server page 54 Configuring a VTP Client page 55 Disabling VTP VTP Transparent Mode page 55 Configuring VTP version 2 page 55 Configuring the VTP Server When a switch ...

Страница 55: ...uring VTP version 2 To enable VTP version 2 use the following commands beginning in privileged EXEC mode Command Purpose Step 1 Router vlan database Enters VLAN configuration mode Step 2 Router vlan vtp server Configures the switch as a VTP server Step 3 Router vlan vtp domain domain name Defines the VTP domain name which can be up to 32 characters long Step 4 Router vlan vtp password password val...

Страница 56: ...ng Removing an EtherChannel page 59 Configuring Layer 2 EtherChannels Port Channel Logical Interfaces To configure Layer 2 EtherChannels configure the Ethernet interfaces with the channel group command which creates the port channel logical interface Note Cisco IOS software creates port channel interfaces for Layer 2 EtherChannels when you configure Layer 2 Ethernet interfaces with the channel gro...

Страница 57: ... Port channel Po2 GC 0x00020001 Port indx 1 Load 0x55 Flags S Device is sending Slow hello C Device is in Consistent state A Device is in Auto mode P Device learns on physical port Timers H Hello timer is running Q Quit timer is running S Switching timer is running I Interface timer is running Local information Hello Partner PAgP Learning Group Port Flags State Timers Interval Count Priority Metho...

Страница 58: ...annel Load Balancing To configure EtherChannel load balancing use the following commands in global configuration mode Note For new load balancing to take affect the EtherChannel must be first configured to the default configuration Verifying EtherChannel Load Balancing Step 1 Use the show etherchannel load balance command to verify Layer 2 EtherChannel load balancing Router show etherchannel load ...

Страница 59: ...orts Router Configuring 802 1x Authentication This section describes how to configure 802 1x port based authentication on the Ethernet switch network module Understanding the Default 802 1x Configuration page 60 Enabling 802 1x Authentication page 61 Configuring the Switch to RADIUS Server Communication page 62 Enabling Periodic Reauthentication page 63 Changing the Quiet Period page 64 Changing t...

Страница 60: ... attempts 3600 seconds Quiet period 60 seconds number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Retransmission time 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before retransmitting the request Maximum retransmission number 2 times number of times that...

Страница 61: ...thentication To enable 802 1x port based authentication you must enable AAA and specify the authentication method list A method list describes the sequence and authentication methods to be queried to authenticate a user The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process ...

Страница 62: ...host entries on the same RADIUS server are configured for the same service for example authentication the second host entry configured acts as the fail over backup to the first one The RADIUS host entries are tried in the order that they were configured Beginning in privileged EXEC mode follow these steps to configure the RADIUS server parameters on the switch This procedure is required Step 4 int...

Страница 63: ...cted to individual ports Beginning in privileged EXEC mode follow these steps to enable periodic reauthentication of the client and to configure the number of seconds between reauthentication attempts Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 radius server host hostname ip address auth port port number key string Configures the RADIUS server parameters on th...

Страница 64: ...ty frame from the switch with an EAP response identity frame If the switch does not receive this response it waits a set period of time known as the retransmission time and then retransmits the frame Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 dot1x re authentication Enables periodic reauthentication of the client which is disabled by default Step 3 dot1x time...

Страница 65: ...ks or specific behavioral problems with certain clients and authentication servers Beginning in privileged EXEC mode follow these steps to set the switch to client frame retransmission number To return to the default retransmission number use the no dot1x max req global configuration command Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 dot1x timeout tx period s...

Страница 66: ...show dot1x statistics privileged EXEC command To display 802 1x statistics for a specific interface use the show dot1x statistics interface interface id privileged EXEC command To display the 802 1x administrative and operational status for the switch use the show dot1x privileged EXEC command To display the 802 1x administrative and operational status for a specific interface use the show dot1x i...

Страница 67: ...verify spanning tree configuration Router show spanning tree vlan 200 VLAN200 is executing the ieee compatible Spanning Tree protocol Bridge Identifier has priority 32768 address 0050 3e8d 6401 Configured hello time 2 max age 20 forward delay 15 Current root has priority 16384 address 0060 704c 7000 Root port is 264 FastEthernet5 8 cost of root path is 38 Topology change flag not set detected flag...

Страница 68: ...gure the spanning tree port cost of an interface use the following commands beginning in global configuration mode Command Purpose Step 1 Router config interface ethernet fastethernet slot port port channel port channel number Selects an interface to configure Step 2 Router config if no spanning tree port priority port priority Configures the port priority for an interface The of port priority val...

Страница 69: ...outer Configuring the Bridge Priority of a VLAN Caution Exercise care when using this command For most situations spanning tree vlan vlan id root primary and the spanning tree vlan vlan id root secondary are the preferred commands to modify the bridge priority To configure the spanning tree bridge priority of a VLAN use the following commands in global configuration mode Step 3 Router config if no...

Страница 70: ...a VLAN To configure the maximum age interval for the spanning tree use the following commands in global configuration mode Command Purpose Step 1 Router config no spanning tree vlan vlan id hello time hello time Configures the hello time of a VLAN The hello time value can be from 1 to 10 seconds Use the no form of this command to restore the defaults Step 2 Router config end Exits configuration mo...

Страница 71: ... command on a switch will set the bridge priority for VLAN 100 to 8192 causing the switch to become the root bridge for VLAN 100 Note The root switch for each instance of spanning tree should be a backbone or distribution switch Do not configure an access switch as the spanning tree primary root Use the diameter keyword to specify the Layer 2 network diameter that is the maximum number of bridge h...

Страница 72: ... for VLAN 200 does not exist Router Configuring MAC Table Manipulation Port Security Port security is implemented by providing the user with the option to make a port secure by allowing only well known MAC addresses to send in data traffic Enabling Known MAC Address Traffic page 73 Creating a Static or Dynamic Entry in the MAC Address Table page 73 Configuring Aging Timer timer page 74 Command Pur...

Страница 73: ...s Table To create a static or dynamic entry in the mac address table use the following commands beginning in privileged EXEC mode Note Only the port where the link is up will see the dynamic entry validated in the Ethernet switch network module Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router mac address table secure mac address fastethernet slot port...

Страница 74: ... timer To configure the aging timer use the following commands beginning in privileged EXEC mode Caution Cisco advises that you not change the aging timer because the Ethernet switch network module could go out of synchronization Verifying the Aging Timer Step 1 Use the show mac address table aging time command to verify the aging timer Router show mac address table aging time Mac address aging ti...

Страница 75: ... advertisements is enabled Router Enabling CDP on an Interface To enable CDP on an interface use the following command in interface configuration mode The following example shows how to enable CDP on Fast Ethernet interface 5 1 Router config interface fastethernet 5 1 Router config if cdp enable Verifying the CDP Interface Configuration Step 1 Use the show cdp interface command to verify the CDP c...

Страница 76: ...wing commands in privileged EXEC mode Configuring Switched Port Analyzer Specifying the Switched Port Analyzer Session page 77 Configuring SPAN Destinations page 77 Removing Sources or Destinations from a SPAN Session page 77 Command Purpose Router clear cdp counters Resets the traffic counters to zero Router clear cdp table Deletes the CDP table of information about neighbors Router show cdp Veri...

Страница 77: ...onfiguring SPAN Destinations To configure the destination for a SPAN session use the following command in global configuration mode Removing Sources or Destinations from a SPAN Session To remove sources or destinations from a SPAN session use the following command in global configuration mode Command Purpose Step 1 Router config monitor session session number source interface slot port vlan vlan i...

Страница 78: ...outbound rate limiting except with QoS ACLs IP packets with a header length of less than five are not be access controlled Reflexive ACLs Dynamic ACLs ICMP based filtering IGMP based filtering Creating Standard and Extended IP ACLs This section describes how to create switch IP ACLs An ACL is a sequential collection of permit and deny conditions The switch tests packets against the conditions in a...

Страница 79: ...he name of an extended IP ACL can be 100 to 199 The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list Note An attempt to apply an unsupported ACL feature to an interface produces an error message Table 11 Access List Numbers ACL Number Type Supported 1 99 IP standard access list Yes 100 199 IP extended access list Yes 200 299 Protoc...

Страница 80: ...tocol These IP protocols are supported protocol keywords are in parentheses in bold Internet Protocol ip Transmission Control Protocol tcp or User Datagram Protocol udp Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 access list access list number deny permit remark source source wildcard host source any Defines a standard IP ACL by using a source address and wild...

Страница 81: ... filtering based on the minimize monetary cost type of service TOS bit When creating ACEs in numbered extended access lists remember that after you create the list any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list Table 12 Filtering Parameter ACEs Supported by Different IP Protocols Filtering Parameter TCP UDP Layer 3...

Страница 82: ...e The destination is the network or host number to which the packet is sent Defines a destination or source port The operator can be only eq equal If operator is after source source wildcard conditions match when the source port matches the defined port If operator is after destination destination wildcard conditions match when the destination port matches the defined port The port is a decimal nu...

Страница 83: ... on page 85 Creating Named Standard and Extended ACLs You can identify IP ACLs with an alphanumeric string a name rather than a number You can use named ACLs to configure more IP access lists on a switch than if you use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP acce...

Страница 84: ...s to privileged EXEC mode Step 5 show access lists number name Displays the access list configuration Step 6 copy running config startup config Optional Saves your entries in the configuration file Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 ip access list extended name access list number Defines an extended IP access list by using a name and enter access list...

Страница 85: ...ut where you put the remark so that it is clear which remark describes which permit or deny statement For example it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements For IP numbered standard or extended ACLs use the access list access list number remark remark global configuration command to include a comment a...

Страница 86: ...steps to display access lists Configuring Quality of Service QoS Before configuring QoS you must have a thorough understanding of these items The types of applications used and the traffic patterns on your network Traffic characteristics and needs of your network Is the traffic bursty Do you need to reserve bandwidth for voice and video streams Bandwidth requirements and speed of the network Locat...

Страница 87: ...ess QoS processing Only one ACL per class map and only one match command per class map are supported The ACL can have multiple access control entries which are commands that match fields against the contents of the packet Policy maps with ACL classification in the egress direction are not supported and cannot be attached to an interface by using the service policy input policy map name interface c...

Страница 88: ...se steps to configure the port to trust the classification of the traffic that it receives 88855 Cisco router with Ethernet switch network module Trunk Trusted interface Classification of traffic performed here Catalyst 2950 wiring closet Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface id Enters interface configuration mode and specify the inte...

Страница 89: ...thernet LANs and if you are familiar with sophisticated QoS features and implementations Enter the cos keyword if you want ingress packets to be classified with the packet CoS values For tagged IP packets the DSCP value of the packet is modified based on the CoS to DSCP map The egress queue assigned to the packet is based on the packet CoS value Enter the dscp keyword if you want ingress packets t...

Страница 90: ...override Configures the default CoS value for the port For default cos specify a default CoS value to be assigned to a port If the port is CoS trusted and packets are untagged the default CoS value becomes the CoS value for the packet The CoS range is 0 to 7 The default is 0 Use the override keyword to override the previously configured trust state of the incoming packets and to apply the default ...

Страница 91: ...t number enter the ACL number The range is 1 to 99 and 1300 to 1999 Enter deny or permit to specify whether to deny or permit access if The source is the source address of the network or host from which the packet is being sent specified in one of three ways The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard of 0 0 0 0 255 255 255 255 You...

Страница 92: ... 0 source wildcard 255 255 255 255 or by using the host keyword for source 0 0 0 0 For source wildcard enter the wildcard bits by placing ones in the bit positions that you want to ignore You specify the wildcard by using dotted decimal notation by using the any keyword as an abbreviation for source 0 0 0 0 source wildcard 255 255 255 255 or by using the host keyword for source 0 0 0 0 For destina...

Страница 93: ...mand Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 access list access list number deny permit source source wildcard host source any or access list access list number deny permit remark protocol source source wildcard host source any operator port destination destination wildcard host destination any operator port Creates an IP standard or extended ACL for IP tr...

Страница 94: ...ion wildcard host destination any operator port Creates an IP standard or extended ACL for IP traffic repeating the command as many times as necessary For more information see the Classifying Traffic by Using ACLs section on page 91 Note Deny statements are not supported for QoS ACLS See the Classification Based on QoS ACLs section on page 32 for more details Step 3 policy map policy map name Crea...

Страница 95: ...ate in bits per second bps The range is 1 Mbps to 100 Mbps for 10 100 Ethernet ports and 8 Mbps to 1000 Mbps for the Gigabit capable Ethernet ports For burst byte specify the normal burst size or burst count in bytes Optional Specify the action to take when the rates are exceeded Use the exceed action drop keywords to drop the packet Use the exceed action dscp dscp value keywords to mark down the ...

Страница 96: ...eginning in privileged EXEC mode follow these steps to modify the CoS to DSCP map To return to the default map use the no mls qos map cos dscp global configuration command Configuring the DSCP to CoS Map You use the DSCP to CoS map to map DSCP values in incoming packets to a CoS value which is used to select one of the four egress queues The Ethernet switch network modules support these DSCP value...

Страница 97: ...n enter the to keyword For cos enter the CoS value to which the DSCP values correspond The supported DSCP values are 0 8 10 16 18 24 26 32 34 40 46 48 and 56 The CoS range is 0 to 7 Step 3 end Returns to privileged EXEC mode Step 4 show mls qos maps dscp to cos Verifies your entries Step 5 copy running config startup config Optional Saves your entries in the configuration file Table 15 Commands fo...

Страница 98: ...0 000 Watts FastEthernet1 7 auto unknown off 0 000 Watts FastEthernet1 8 auto unknown off 0 000 Watts FastEthernet1 9 auto unknown off 0 000 Watts FastEthernet1 10 auto unknown off 0 000 Watts FastEthernet1 11 auto yes on 6 400 Watts FastEthernet1 12 auto yes on 6 400 Watts FastEthernet1 13 auto no off 0 000 Watts FastEthernet1 14 auto unknown off 0 000 Watts FastEthernet1 15 auto unknown off 0 00...

Страница 99: ...Cisco IOS IP Command Reference Volume 3 of 3 Multicast Release 12 2 at this URL http www cisco com univercd cc td doc product software ios122 122cgcr fiprmc_r index htm To enable IP multicast routing globally Use the following command in global configuration mode Enabling IP PIM on Layer 3 Interfaces You must enable PIM on the Layer 3 interfaces before IP multicast Layer 3 switching functions on t...

Страница 100: ...22 33 44 FastEthernet6 47 H 514 68 Step 2 Router show ip mroute count IP Multicast Statistics 56 routes using 28552 bytes of memory 13 groups 3 30 average sources per group Forwarding Counts Pkt Count Pkts per second Avg Pkt Size Kilobits per second Other counts Total RPF failed Other drops OIF null rate limit etc Group 224 2 136 89 Source count 1 Group pkt count 29051 Source 132 206 72 28 32 Forw...

Страница 101: ...ute command to verify the IP multicast routing table Router show ip mroute 230 13 13 1 IP Multicast Routing Table Flags D Dense S Sparse s SSM Group C Connected L Local P Pruned R RP bit set F Register flag T SPT bit set J Join SPT M MSDP created entry X Proxy Join Timer Running A Advertised via MSDP U URD I Received Source Specific Host Report Outgoing interface flags H Hardware switched Timers U...

Страница 102: ...VLANs but it can be enabled and disabled on a per VLAN basis Global IGMP snooping overrides the per VLAN IGMP snooping capability If global snooping is disabled you cannot enable VLAN snooping If global snooping is enabled you can enable or disable snooping on a VLAN basis Beginning in privileged EXEC mode follow these steps to globally enable IGMP snooping on the Ethernet switch network module To...

Страница 103: ...enter interface configuration mode and use the no ip igmp snooping vlan vlan id immediate leave global configuration command Statically Configuring an Interface to Join a Group Ports normally join multicast groups through the IGMP report message but you can also statically configure a host on an interface Beginning in privileged EXEC mode follow these steps to add a port as a member of a multicast...

Страница 104: ...ulticast group VLAN ID user displays only the user configured multicast entries igmp snooping displays entries learned via IGMP snooping count displays only the total number of entries for the selected criteria not the actual entries Step 5 copy running config startup config Optional Saves your configuration to the startup configuration Command Purpose Command Purpose Step 1 configure terminal Ent...

Страница 105: ...roadcast level level Specifies the broadcast suppression level for an interface as a percentage of total bandwidth A threshold value of 100 percent means that no limit is placed on broadcast traffic Use the no keyword to restore the defaults Step 3 Router config no storm control multicast level level Specifies the multicast suppression level for an interface as a percentage of total bandwidth Use ...

Страница 106: ...Port Storm Control Beginning in privileged EXEC mode follow these steps to enable per port storm control Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 interface interface Enters interface configuration mode and enter the port to configure Step 3 storm control broadcast multicast unicast level level level low Configures broadcast multicast or unicast per port sto...

Страница 107: ...y traffic with the appropriate priority levels QoS policies are enforced using Layer 2 and 3 information such as 802 1p IP precedence and DSCP Note Refer to the Cisco AVVID QoS Design Guide for more information on how to implement end to end QoS as you deploy Cisco AVVID solutions To automatically configure Cisco IP phones to send voice traffic on the voice VLAN ID VVID on a per port basis see the...

Страница 108: ...still prioritize voice above data at both Layer 2 and Layer 3 Layer 3 classification is already handled because the phone sets the Type of Service ToS bits in all media streams to an IP Precedence value of 5 With Cisco CallManager Release 3 0 5 this marking changed to a Differentiated Services Code Point DSCP value of EF However to ensure that there is Layer 2 classification for admission to the m...

Страница 109: ...that need Uninterruptible Power Supply UPS power IP Addressing The recommended configuration for using multiple cables to connect IP phones to the Cisco AVVID network is to use a separate IP subnet and separate VLANs for IP telephony Managing the Ethernet Switch Network Module This section describes how to perform basic management tasks on the Ethernet switch network module with the Cisco IOS CLI ...

Страница 110: ... section describes how to assign IP information on the Ethernet switch network module The following topics are included Assigning IP Information to the Switch page 110 Specifying a Domain Name and Configuring the DNS page 111 Assigning IP Information to the Switch You can use a BOOTP server to automatically assign IP information to the switch however the BOOTP server must be set up in advance with...

Страница 111: ...r connection to the switch will be lost Specifying a Domain Name and Configuring the DNS Each unique IP address can have a host name associated with it The Cisco IOS software maintains a EC mode and related Telnet support operations This cache speeds the process of converting names to addresses Command Purpose Step 1 Router configure terminal Enters global configuration mode Step 2 Router config i...

Страница 112: ...can function as a name server to supply name information for the DNS Enabling the DNS If your network devices require connectivity with devices in networks for which you do not control name assignment you can assign device names that uniquely identify your devices within the entire internetwork The Internet s global naming scheme the DNS accomplishes this task This service is enabled by default Co...

Страница 113: ...t switch network module can forward IP voice traffic to and from the phone A detection mechanism on the Ethernet switch network module determines whether it is connected to a Cisco 7960 IP phone If the switch senses that there is no power on the circuit the switch supplies the power If there is power on the circuit the switch does not supply it You can configure the switch to never supply power to...

Страница 114: ...ion The Address Resolution Protocol ARP associates a host IP address with the corresponding media or MAC addresses and VLAN ID Taking an IP address as input ARP determines the associated MAC address Once a MAC address is determined the IP MAC address association is stored in an ARP cache for rapid retrieval Then the IP datagram is encapsulated in a link layer frame and sent over the network Encaps...

Страница 115: ...VLAN ID module and port number associated with the address The following shows an example of a list of addresses as they would appear in the dynamic secure or static address table Router show mac 4d01h SYS 5 CONFIG_I Configured from console by consolec Slot 0 Destination Address Address Type VLAN Destination Port 0004 272f 49de Dynamic 1 FastEthernet0 8 0004 2762 3235 Dynamic 1 FastEthernet0 3 000...

Страница 116: ... moved to a new port To configure the dynamic address table aging time use the following commands beginning in global configuration mode Verifying Aging Time Configuration Step 1 Use the show mac address table aging time command to verify configuration Router show mac address table aging time Removing Dynamic Addresses To remove a dynamic address entry follow these steps beginning in privileged EX...

Страница 117: ...rded to the port To add a secure address use the following commands beginning in privileged EXEC mode To remove a secure address use the following commands beginning in privileged EXEC mode You can remove all secure addresses by using the clear mac address table secure command in privileged EXEC mode Verifying Secure Addresses Step 1 Use the show mac address table secure command to verify configur...

Страница 118: ...ar mac address table static command in privileged EXEC mode Verifying Static Addresses Step 1 Use the show mac address table static command to verify configuration Router show mac address table static 4d01h SYS 5 CONFIG_I Configured from console by consolec Slot 0 Destination Address Address Type VLAN Destination Port 0004 272f 49de Dynamic 1 FastEthernet0 8 0004 2762 3235 Dynamic 1 FastEthernet0 ...

Страница 119: ...guring Flow Control on Gigabit Ethernet Ports To configure flow control on a Gigabit Ethernet port use the following commands in privileged mode Command Purpose Step 1 Router clear mac address table Enters to clear all MAC address tables Step 2 Router end Returns to privileged EXEC mode Command Purpose Step 1 Router config interface Gigabit slot port Enters the current Gigabit Ethernet interface b...

Страница 120: ...y CEF switching IP fast switching is not supported Note If the physical port is in Layer 2 mode the default you must enter the no switchport interface configuration command to put the interface into Layer 3 mode Entering a no switchport command disables and then reenables the interface which might generate messages on the device to which the interface is connected When you use this command to put ...

Страница 121: ...able 16 shows the default fallback bridging configuration Creating a Bridge Group To configure fallback bridging for a set of SVIs or routed ports these interfaces must be assigned to bridge groups All interfaces in the same group belong to the same bridge domain Each SVI or routed port can be assigned to only one bridge group A maximum of 31 bridge groups can be configured on the switch Table 16 ...

Страница 122: ... terminal Enters global configuration mode Step 2 bridge bridge group protocol vlan bridge Assigns a bridge group number and specify the VLAN bridge spanning tree protocol to run in the bridge group The ibm and dec keywords are not supported For bridge group specify the bridge group number The range is 1 to 255 You can create up to 31 bridge groups Frames are bridged only among interfaces in the s...

Страница 123: ...ileged EXEC mode follow these steps to configure the aging time Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 no bridge bridge group acquire Enables the switch to stop forwarding any frames for stations that it has dynamically learned through the discovery process and to limit frame forwarding to statically configured stations The switch filters all frames excep...

Страница 124: ...ault values are not suitable for your switch configuration Parameters affecting the entire spanning tree are configured with variations of the bridge global configuration command Interface specific parameters are configured with variations of the bridge group interface configuration command You can adjust spanning tree parameters by performing any of the tasks in these sections Changing the Switch...

Страница 125: ...p priority number global configuration command and set the priority to the default value To change the priority on an interface use the bridge group priority interface configuration command described in the next section Changing the Interface Priority You can change the priority for an interface When two switches tie for position as the root switch you configure an interface priority to break the ...

Страница 126: ...e range is 1 to 255 For number enter a number from 0 to 255 The lower the number the more likely that the interface on the switch will be chosen as the root The default is 128 Step 4 end Returns to privileged EXEC mode Step 5 show running config Verifies your entry Step 6 copy running config startup config Optional Saves your entry in the configuration file Command Purpose Command Purpose Step 1 c...

Страница 127: ... in privileged EXEC mode follow these steps to change the forward delay interval To return to the default setting use the no bridge bridge group forward time seconds global configuration command Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 bridge bridge group hello time seconds Specifies the interval between hello BPDUs For bridge group specify the bridge group...

Страница 128: ...ps to disable spanning tree on an interface To reenable spanning tree on the interface use the no bridge group bridge group spanning disabled interface configuration command Command Purpose Step 1 configure terminal Enters global configuration mode Step 2 bridge bridge group max age seconds Specifies the interval the switch waits to hear BPDUs from the root switch For bridge group specify the brid...

Страница 129: ...vileged EXEC commands in Table 17 Table 17 Fallback Bridging Commands for Monitoring and Maintaining the Network Command Purpose clear bridge bridge group Removes any learned entries from the forwarding database and clears the transmit and receive counts for any statically configured entries show bridge bridge group Displays details about the bridge group show bridge bridge group interface id addr...

Страница 130: ...s page 144 IGMP Snooping Example page 145 Storm Control Example page 147 Ethernet Switching Examples page 148 Intrachassis Stacking Example page 150 Flow Control on Gigabit Ethernet Ports Example page 151 Configuring Layer 3 Interfaces Example page 153 Fallback Bridging Example page 155 Range of Interface Examples Single Range Configuration Example page 130 Multiple Range Configuration Example pag...

Страница 131: ...hanged state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 4 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface FastEthernet5 5 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface GigabitEthernet1 1 changed state to up Oct 6 08 29 28 LINK 3 UPDOWN Interface GigabitEthernet1 2 changed state to up Oct 6 08 29 29 LINEPROTO 5 UPDOWN Line protocol on Interface FastEthernet5 ...

Страница 132: ...le shows how to add a description on Fast Ethernet interface 5 5 Router config interface fastethernet 5 5 Router config if description Channel group to Marketing Configuring an Ethernet Interface as a Layer 2 Trunk Example The following example shows how to configure the Fast Ethernet interface 5 8 as an 802 1Q trunk This example assumes that the neighbor interface is configured to support 802 1Q ...

Страница 133: ...ng VTP domain name to Lab_Network Router vlan vtp password WATER Setting device VLAN database password to WATER Router vlan exit APPLY completed Exiting Router VTP Client Example The following example shows how to configure the switch as a VTP client Router vlan database Router vlan vtp client Setting device to VTP CLIENT mode Router vlan exit In CLIENT state no apply attempted Exiting Router Disa...

Страница 134: ...nnel group 2 mode desirable Router config if end EtherChannel Load Balancing Example The following example shows EtherChannel being configured to use source and destination IP addresses Router configure terminal Router config port channel load balance src dst ip Router config end Router config Removing an EtherChannel Example The following example shows port channel 1 being removed Router configur...

Страница 135: ... radius server host 172 l20 39 46 auth port 1612 key rad123 Enabling Periodic Re Authentication Example The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 Switch config dot1x re authentication Switch config dot1x timeout re authperiod 4000 Changing the Quiet Period Example The following example shows how to se...

Страница 136: ...ity of an interface being configured Router configure terminal Router config interface fastethernet 5 8 Router config if spanning tree vlan 200 port priority 64 Router config if end Router The following example shows how to verify the configuration of VLAN 200 on the interface when it is configured as a trunk port Router show spanning tree vlan 200 Port 264 FastEthernet5 8 of VLAN200 is forwarding...

Страница 137: ...t of a Fast Ethernet interface Router configure terminal Router config interface fastethernet 5 8 Router config if spanning tree vlan 200 cost 17 Router config if exit Router config exit Router Bridge Priority of a VLAN The following example shows the bridge priority of VLAN 200 being configured to 33792 Router configure terminal Router config spanning tree vlan 200 priority 33792 Router config en...

Страница 138: ... tree The following example shows spanning tree being disabled on VLAN 200 Router configure terminal Router config no spanning tree vlan 200 Router config end Router Spanning Tree Root Example The following example shows the switch being configured as the root bridge for VLAN 10 with a network diameter of 4 Router configure terminal Router config spanning tree vlan 10 root primary diameter 4 Route...

Страница 139: ...thernet 5 48 Removing Sources or Destinations from a SPAN Session Example The following example shows interface Fast Ethernet 5 2 being removed as a SPAN source for SPAN session 1 Router config no monitor session 1 source interface fastethernet 5 2 Network Security and ACL Configuration Examples Creating Numbered Standard and Extended ACLs Example page 139 Creating Named Standard and Extended ACLs...

Страница 140: ...able to form TCP Telnet and SMTP connections to any host on the Internet Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 eq 23 Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 eq 25 Switch config interface gigabitethernet0 1 Switch config if ip access group 102 in SMTP uses TCP port 25 on one end of the connection and a random port number on the other end The...

Страница 141: ... eq telnet In this example of a numbered ACL the workstation belonging to Jones is allowed access and the workstation belonging to Smith is not allowed access Switch config access list 1 remark Permit only Jones workstation through Switch config access list 1 permit 171 69 2 88 Switch config access list 1 remark Do not allow Smith workstation through Switch config access list 1 deny 171 69 3 13 In...

Страница 142: ... access lists are not shown The following example shows how to view all access groups configured for VLAN 1 and for Gigabit Ethernet interface 0 2 Switch show ip interface vlan 1 GigabitEthernet0 2 is up line protocol is down Internet address is 10 20 30 1 16 Broadcast address is 255 255 255 255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forw...

Страница 143: ... network module installed A host is connected to the network through the Internet using a WAN link Use switch ACLs to do these Create a standard ACL and filter traffic from a specific Internet host with an address 172 20 128 64 Create an extended ACL and filter traffic to deny HTTP access to all Internet hosts but allow all other types of access Figure 21 Using Switch ACLs to Control Traffic The f...

Страница 144: ...address that does not match the ACL statements is rejected Switch config access list 1 permit 192 5 255 0 0 0 0 255 Switch config access list 1 permit 36 0 0 0 0 0 0 255 Classifying Traffic by Using Class Maps Example The following example shows how to configure the class map called class1 The class1 has one match criterion which is an ACL called 103 Switch config access list 103 permit any any tc...

Страница 145: ... values the DSCP to CoS mapping is the default Switch config mls qos map dscp cos 26 48 to 7 Switch config exit Switch show mls qos maps dscp cos Dscp cos map dscp 0 8 10 16 18 24 26 32 34 40 46 48 56 cos 0 1 1 2 2 3 7 4 4 5 5 7 7 Displaying QoS Information Example The following example shows how to display the DSCP to CoS maps Switch show mls qos maps dscp cos Dscp cos map dscp 0 8 10 16 18 24 26...

Страница 146: ...command for VLAN 1 Router show running config interface vlan 1 Building configuration Current configuration 82 bytes interface Vlan1 ip address 192 168 4 90 255 255 255 0 ip pim sparse mode end The following example shows output from the show running config interface privileged EXEC command for VLAN 2 Router show running config interface vlan 2 Building configuration Current configuration 82 bytes...

Страница 147: ...0 0 Outgoing interface list Vlan2 Forward Sparse 01 07 53 00 02 14 224 5 5 5 01 07 43 00 02 22 RP 0 0 0 0 flags DC Incoming interface Null RPF nbr 0 0 0 0 Outgoing interface list Vlan1 Forward Sparse 01 06 40 00 02 22 Vlan2 Forward Sparse 01 07 44 00 02 17 224 6 6 6 01 06 43 00 02 18 RP 0 0 0 0 flags DC Incoming interface Null RPF nbr 0 0 0 0 Outgoing interface list Vlan1 Forward Sparse 01 06 40 0...

Страница 148: ... 20 73 14 See Note below interface Vlan 50 description data vlan ip address 10 50 1 1 255 255 255 0 This configuration instructs the IP phone to generate a packet with an 802 1Q VLAN ID of 150 with an 802 1p value of 5 default for voice bearer traffic Note In a centralized CallManager deployment model the DHCP server might be located across the WAN link If so an ip helper address command pointing ...

Страница 149: ...02 1p only option when configuring the voice VLAN Using this option allows the IP phone to tag VoIP packets with a CoS of 5 on the native VLAN while all PC data traffic is sent untagged The following example shows a single subnet configuration for the Ethernet switch network module switch Router FastEthernet 5 2 description Port to IP Phone in single subnet switchport access vlan 40 switchport voi...

Страница 150: ...GigabitEthernet2 0 is up line protocol is down Internal Stacking Link Active Gi2 0 is stacked with Gi3 0 Hardware is Gigabit Ethernet address is 001b 3f2b 2c24 bia 001b 3f2b 2c24 MTU 1500 bytes BW 1000000 Kbit DLY 10 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 sec Full duplex mode link type is force up media type is unknown 0 output flow ...

Страница 151: ...87 c08b 4824 MTU 1500 bytes BW 1000000 Kbit DLY 10 usec reliability 255 255 txload 1 255 rxload 1 255 Encapsulation ARPA loopback not set Keepalive set 10 sec output flow control is off input flow control is on 0 pause input 0 pause output Full duplex 1000Mb s ARP type ARPA ARP Timeout 04 00 00 Last input 00 00 01 output never output hang never Last clearing of show interface counters never Input ...

Страница 152: ...t packets with dribble condition detected 60665 packets output 6029820 bytes 0 underruns 0 output errors 0 collisions 16 interface resets 0 babbles 0 late collision 0 deferred 0 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out The following is sample output from the show ip interface privileged EXEC command for Gigabit Ethernet interface 0 2 Switch show ip interface ...

Страница 153: ...e gigabitethernet0 10 Switch config if no switchport Switch config if ip address 10 1 2 3 255 255 0 0 Switch config if no shutdown Switch config if end The following is sample output from the show interfaces privileged EXEC command for Gigabit Ethernet interface 0 2 Switch config show interfaces gigabitethernet0 2 GigabitEthernet0 2 is up line protocol is up Hardware is Gigabit Ethernet address is...

Страница 154: ...izon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP CEF Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route cache flags ...

Страница 155: ... gigabitethernet0 1 Switch config if no switchport Switch config if bridge group 10 Preventing the Forwarding of Dynamically Learned Stations Example The following example shows how to prevent the switch from forwarding frames for stations that it has dynamically learned in bridge group 10 Switch config no bridge 10 acquire Configuring the Bridge Table Aging Time Example The following example show...

Страница 156: ...g BPDU Intervals Example You can adjust BPDU intervals as described in these sections Adjusting the Interval between Hello BPDUs Example page 156 Changing the Forward Delay Interval Example page 156 Changing the Maximum Idle Interval Example page 156 Adjusting the Interval between Hello BPDUs Example The following example shows how to change the hello interval to 5 seconds in bridge group 10 Switc...

Страница 157: ...entication dot1x class class map debug dot1x debug eswilp debug ip igmp snooping debug spanning tree deny access list configuration dot1x default dot1x max req dot1x multiple hosts dot1x port control dot1x re authenticate dot1x re authentication dot1x timeout quiet period dot1x timeout re authperiod dot1x timeout tx period ip access group ip access list ip igmp snooping ip igmp snooping vlan ip ig...

Страница 158: ...e 158 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ show class map show dot1x show ip access lists show ip igmp snooping show ip igmp snooping mrouter show mls masks show mls qos interface show mls qos maps show policy map show spanning tree show storm control spanning tree backbonefast storm control switchport ...

Страница 159: ...ethods enable AAA to authenticate the client by using locally configured data For example the local and local case methods use the username and password that are saved in the Cisco IOS configuration file The enable and line methods use the enable and line passwords for authentication default Uses the listed authentication methods that follow this argument as the default list of methods when a user...

Страница 160: ...assword to provide access to the switch Use the show running config privileged EXEC command to display the configured lists of authentication methods Examples The following example shows how to enable AAA and how to create an authentication list for 802 1x This authentication first tries to contact a RADIUS server If this action returns an error the user is allowed access with no authentication Sw...

Страница 161: ... you specify in the policy map ties the characteristics for that class to the class map and its match criteria as configured by using the class map global configuration command The class command performs the same function as the class map global configuration command Use the class command when a new classification which is not shared with any other ports is needed Use the class map command when th...

Страница 162: ...ration Guide Release 12 2 Examples The following example shows how to create a policy map named policy1 When attached to the ingress port it matches all the incoming traffic defined in class1 and polices the traffic at an average rate of 1 Mbps and bursts at 131072 bytes Traffic exceeding the profile is dropped Switch config policy map policy1 Switch config pmap class class1 Switch config pmap c p...

Страница 163: ...ap command and its subcommands are used to define packet classification and marking as part of a globally named service policy applied on a per interface basis In quality of service QoS class map configuration mode these configuration commands are available exit exits from QoS class map configuration mode no removes a match statement from a class map match configures classification criteria For mo...

Страница 164: ...h is a numbered ACL Switch config access list 103 permit tcp any any eq 80 Switch config class map class1 Switch config cmap match access group 103 Switch config cmap exit You can verify your settings by entering the show class map privileged EXEC command Related Commands Command Description class Defines a traffic classification for the policy to act on by using the class map name or access group...

Страница 165: ... 1x enabled ports backend Enables debugging of the interaction between the 802 1x process and the switch Remote Authentication Dial In User Service RADIUS client besm Enables debugging of the backend state machine which is responsible for relaying authentication request between the client and the authentication server core Enables debugging of the 802 1x process which includes 802 1x initializatio...

Страница 166: ... debugging messages for the IGMP snooping services on the Ethernet switch network module being displayed Router debug eswilp igmp Related Commands dot1x Displays ESWILP 802 1x debugging messages filtermgr Displays ESWILP filter manager debugging messages fltdrv Displays ESWILP filter driver debugging messages igmp Displays ESWILP IGMP debugging messages port driver Displays ESWILP port driver debu...

Страница 167: ...d History Usage Guidelines Use the debug ip igmp snooping command to troubleshoot the IGMP snooping feature Examples The following example shows debugging messages for the IGMP snooping services being displayed Router debug ip igmp snooping IGMP snooping enabled Related Commands group Displays debugging messages related to multicast groups management Displays debugging messages related to IGMP man...

Страница 168: ...bonefast Displays debugging messages for BackboneFast events bpdu Displays debugging messages for spanning tree Bridge Protocol Data Units BPDUs bpdu opt Displays debugging messages for optimized BPDU handling config Displays debugging messages for spanning tree configuration changes etherchannel Displays debugging messages for EtherChannel support events Displays debugging messages for spanning t...

Страница 169: ...s and Cisco 3700 Series debug spanning tree 169 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ Related Commands Command Description show debugging Displays information about the types of debugging that are enabled show spanning tree Displays spanning tree state information ...

Страница 170: ... source address of the network or host from which the packet is being sent specified in one of these ways The 32 bit quantity in dotted decimal format The source wildcard applies wildcard bits to the source The keyword host followed by the 32 bit quantity in dotted decimal format as an abbreviation for source and source wildcard of source 0 0 0 0 The keyword any as an abbreviation for source and s...

Страница 171: ... IP ACL and to configure deny conditions for it Switch config ip access list extended Internetfilter Switch config ext nacl deny tcp host 190 5 88 10 any Switch config ext nacl deny tcp host 192 1 10 10 any The following is an example of a standard ACL that sets a deny conditions ip access list standard Acclist1 deny 192 5 34 0 0 0 0 255 deny 128 88 10 0 0 0 0 255 deny 36 1 1 0 0 0 0 255 operator ...

Страница 172: ... implicitly denied You can verify your settings by entering the show ip access lists or show access lists privileged EXEC command Related Commands Command Description dot1x re authenticate Controls access to an interface ip access list Defines an IP ACL permit access list configuration Sets conditions for an IP ACL show access lists Displays ACLs configured on a switch show ip access lists Display...

Страница 173: ...mand was introduced 12 2 15 ZJ This command was implemented on the following platforms Cisco 2600 series Cisco 3600 series and Cisco 3700 series routers Command Description dot1x max req Sets the maximum number of times that the switch sends an EAP request identity frame before restarting the authentication process dot1x re authentication Enables periodic reauthentication of the client dot1x timeo...

Страница 174: ... problems with certain clients and authentication servers Examples The following example shows how to set the number of times that the switch sends an EAP request identity frame to 5 before restarting the authentication process Switch config dot1x max req 5 You can verify your settings by entering the show dot1x privileged EXEC command Related Commands count Number of times that the switch sends a...

Страница 175: ...sfully authorized for all hosts to be granted network access If the port becomes unauthorized reauthentication fails or an Extensible Authentication Protocol over LAN EAPOL logoff message is received all attached clients are denied access to the network Examples The following example shows how to enable 802 1x on Fast Ethernet interface 0 1 and to allow multiple hosts Switch config interface faste...

Страница 176: ...ears and 802 1x is not enabled If you enable 802 1x on a not yet active port of an EtherChannel the port does not join the EtherChannel Switch Port Analyzer SPAN destination port You can enable 802 1x on a port that is a SPAN destination port however 802 1x is disabled until the port is removed as a SPAN destination You can enable 802 1x on a SPAN source port To globally disable 802 1x on the swit...

Страница 177: ...interface fastethernet0 1 Switch config if dot1x port control auto You can verify your settings by entering the show dot1x privileged EXEC command and checking the Status column in the 802 1x Port Summary section of the display An enabled status means the port control value is set to auto or to force unauthorized Related Commands Command Description show dot1x Displays 802 1x statistics administra...

Страница 178: ... command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts reauthperiod and automatic reauthentication Examples The following example shows how to manually reauthenticate the device connected to Fast Ethernet interface 0 1 Switch dot1x re authenticate interface fastethernet 0 1 Starting reauthentication on FastEthernet0 1 You can veri...

Страница 179: ...eriod global configuration command Examples The following example shows how to disable periodic reauthentication of the client Switch config no dot1x re authentication The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds Switch config dot1x re authentication Switch config dot1x timeout re authperiod 4000...

Страница 180: ...the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers If you want to provide a faster response time to the user enter a smaller number than the default Examples The following example shows how to set the quiet time on the switch to 30 seconds Switch config dot1x timeout qui...

Страница 181: ... change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients or authentication servers Examples The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds Switch config dot1x re authentication Switch config dot1...

Страница 182: ...ms with certain clients or authentication servers Examples The following example shows how to set 60 as the number of seconds that the switch waits for a response to an EAP request identity frame from the client before retransmitting the request Switch config dot1x timeout tx period 60 You can verify your settings by entering the show dot1x privileged EXEC command Related Commands seconds Time in ...

Страница 183: ...dress the switch forwards the packet For extended ACLs after receiving the packet the switch checks the match conditions in the ACL If the conditions are matched the switch forwards the packet If the specified ACL does not exist the switch forwards all packets IP access groups can be separated on Layer 2 and Layer 3 interfaces Note For more information about configuring IP ACLs refer to the Config...

Страница 184: ... entering the show access lists or show ip access lists privileged EXEC command Related Commands Command Description deny access list configuration Configures conditions for an IP ACL ip access list Defines an IP ACL permit access list configuration Configures conditions for an IP ACL show ip access lists Displays IP ACLs configured on the switch show access lists Displays ACLs configured on the s...

Страница 185: ...he permit and deny commands to configure the permit and deny access conditions for this list The ip access list command and its subcommands are used to define packet classification and marking as part of a globally named service policy applied on a per interface basis or as an IP access group applied on a per interface basis Specifying standard or extended with the ip access list command determine...

Страница 186: ...extended Internetfilter2 Switch config ext nacl permit any 128 8 10 0 0 0 0 255 eq 80 Switch config ext nacl permit any 128 5 8 0 0 0 0 255 eq 80 Switch config ext nacl exit Note In these examples all other IP access is implicitly denied You can verify your settings by entering the show access lists or show ip access lists privileged EXEC command Related Commands Command Description deny access li...

Страница 187: ... IGMP snooping is globally disabled it disables IGMP snooping on all the existing VLAN interfaces The configuration is saved in nonvolatile RAM NVRAM Examples The following example shows how to globally enable IGMP snooping Switch config ip igmp snooping The following example shows how to globally disable IGMP snooping Switch config no ip igmp snooping You can verify your settings by entering the ...

Страница 188: ...3600 Series and Cisco 3700 Series ip igmp snooping 188 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ ip igmp snooping vlan static Configures a Layer 2 port as a member of a group show ip igmp snooping Displays the IGMP snooping configuration Command Description ...

Страница 189: ...how to enable IGMP snooping on VLAN 2 Switch config ip igmp snooping vlan 2 The following example shows how to disable IGMP snooping on VLAN 2 Switch config no ip igmp snooping vlan 2 You can verify your settings by entering the show ip igmp snooping vlan privileged EXEC command Related Commands vlan id VLAN ID value The range is from 1 to 1001 Do not enter leading zeroes Release Modification 12 0...

Страница 190: ...in the VLAN The Immediate Leave configuration is saved in nonvolatile RAM NVRAM The Immediate Leave feature is supported only with IGMP version 2 hosts Examples The following example shows how to enable IGMP Immediate Leave processing on VLAN 1 Switch config ip igmp snooping vlan 1 immediate leave The following example shows how to disable IGMP Immediate Leave processing on VLAN 1 Switch config no...

Страница 191: ...nd Cisco 3700 Series ip igmp snooping vlan immediate leave 191 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ show ip igmp snooping Displays the IGMP snooping configuration show mac address table multicast Displays the Layer 2 multicast entries for a VLAN Command Description ...

Страница 192: ...earning method is saved in nonvolatile RAM NVRAM Static connections to multicast routers are supported only on switch ports Examples The following example shows how to configure Fast Ethernet interface 0 6 as a multicast router port Switch config ip igmp snooping vlan 1 mrouter interface fastethernet0 6 You can verify your settings by entering the show ip igmp snooping mrouter privileged EXEC comm...

Страница 193: ...3 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ ip igmp snooping vlan immediate leave Configures IGMP Immediate Leave processing ip igmp snooping vlan static Configures a Layer 2 port as a member of a group show ip igmp snooping mrouter Displays the statically and dynamically learned multicast router ports Command Description ...

Страница 194: ...ections to multicast routers are supported only on switch ports Examples The following example shows how to statically configure a host on an interface Switch config ip igmp snooping vlan 1 static 0100 5e02 0203 interface fastethernet0 6 Configuring port FastEthernet 0 6 on group 0100 5e02 0203 You can verify your settings by entering the show mac address table multicast privileged EXEC command Re...

Страница 195: ...sco 3700 Series ip igmp snooping vlan static 195 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ ip igmp snooping vlan mrouter Configures a Layer 2 port as a multicast router port show mac address table multicast Displays the Layer 2 multicast entries for a VLAN Command Description ...

Страница 196: ... Only one match command per class map is supported Note For more information about configuring IP ACLs refer to the Configuring IP Services chapter in the Cisco IOS IP Configuration Guide Release 12 2 Examples The following example shows how to classify traffic on an interface by using the access group named acl2 Switch config class map class2 Switch config cmap match access group acl2 Switch conf...

Страница 197: ...2 15 ZJ Related Commands Command Description class Defines a traffic classification for a policy to act on using the class map name or access group class map Creates a class map to be used for matching packets to the class whose name you specify dot1x re authenticate Controls access to an interface show class map Displays QoS class maps show policy map Displays QoS policy maps ...

Страница 198: ... ports Even if a port was previously set to trust DSCP or CoS this command overrides that trust state and all the incoming CoS values are assigned the default CoS value configured with the mls qos cos command If an incoming packet is tagged the CoS value of the packet is modified with the default CoS of the port at the ingress port Examples The following example shows how to configure the default ...

Страница 199: ...lue of 4 Switch config interface gigabitethernet0 1 Switch config if mls qos cos 4 Switch config if mls qos cos override You can verify your settings by entering the show mls qos interface privileged EXEC command Related Commands Command Description mls qos map Defines the CoS to DSCP map or the DSCP to CoS map mls qos trust Configures the port trust state show interface fax y switchport Displays ...

Страница 200: ...S to DSCP map For dscp1 dscp8 enter eight DSCP values that correspond to CoS values 0 to 7 Separate each DSCP value with a space The supported DSCP values are 0 8 10 16 18 24 26 32 34 40 46 48 and 56 dscp cos dscp list to cos Defines the DSCP to CoS map For dscp list enter up to 13 DSCP values separated by spaces Then enter the to keyword The supported DSCP values are 0 8 10 16 18 24 26 32 34 40 4...

Страница 201: ... value is at an ingress port the packet CoS value is set to 0 Examples The following example shows how to define the DSCP to CoS map DSCP values 16 18 24 and 26 are mapped to CoS 1 DSCP values 0 8 and 10 are mapped to CoS 0 Switch configure terminal Switch config mls qos map dscp cos 16 18 24 26 to 1 Switch config mls qos map dscp cos 0 8 10 to 0 The following example shows how to define the CoS t...

Страница 202: ... specify whether the port is trusted and which fields of the packet to use to classify traffic When a port is configured with trust DSCP and the incoming packet is a non IP packet the CoS value for the packet is set to 0 and the DSCP to CoS map is not applied If DSCP is trusted the DSCP field of the IP packet is not modified However it is still possible that the CoS value of the packet is modified...

Страница 203: ... with the configured VLAN ID of 60 egressing from the CPU to the physical port Switch config interface vlan 60 Switch config if mls qos trust dscp You can verify your settings by entering the show mls qos interface privileged EXEC command Related Commands Command Description mls qos cos Defines the default CoS value of a port or assigns the default CoS to all incoming packets on the port mls qos m...

Страница 204: ...e is the source address of the network or host from which the packet is being sent specified in one of these ways The 32 bit quantity in dotted decimal format The source wildcard applies wildcard bits to the source The keyword host followed by the 32 bit quantity in dotted decimal format as an abbreviation for source and source wildcard of source 0 0 0 0 The keyword any as an abbreviation for sour...

Страница 205: ...ended IP ACL and configure permit conditions for it Switch config ip access list extended Internetfilter2 Switch config ext nacl permit host 36 10 10 5 any Switch config ext nacl permit host 192 1 10 8 any The following is an example of a standard ACL that sets permit conditions ip access list standard Acclist1 permit 192 5 34 0 0 0 0 255 permit 128 88 10 0 0 0 0 255 permit 36 1 1 0 0 0 0 255 oper...

Страница 206: ...implicitly denied You can verify your settings by entering the show ip access lists or show access lists privileged EXEC command Related Commands Command Description deny access list configuration Sets deny conditions for an IP ACL dot1x re authenticate Controls access to an interface ip access list Defines an IP ACL show access lists Displays ACLs configured on a switch show ip access lists Displ...

Страница 207: ...igabit capable Ethernet ports To return to policy map configuration mode use the exit command To return to privileged EXEC mode use the end command bps cir bps Average traffic rate or committed information rate in bits per second bps For 10 100 ports the range is 1000000 to 100000000 and the granularity is 1 Mbps For Gigabit capable Ethernet ports the range is 8000000 to 1016000000 and the granula...

Страница 208: ...t sets the DSCP value to 46 if traffic does not exceed a 1 Mbps average rate with a burst size of 65536 bytes and drops packets if traffic exceeds these conditions Switch config policy map policy1 Switch config pmap class class1 Switch config pmap c set ip dscp 46 Switch config pmap c police 1000000 65536 exceed action drop Switch config pmap c exit You can verify your settings by entering the sho...

Страница 209: ...cription describes the policy map up to 200 characters exit exits policy map configuration mode and returns to global configuration mode no removes a previously defined policy map rename renames the policy map Note In a policy map the class named class default is not supported The switch does not filter traffic based on the policy map defined by the class class default policy map configuration com...

Страница 210: ...xamples The following example shows how to create a policy map called policy1 When attached to the ingress direction it matches all the incoming traffic defined in class1 and polices the traffic at an average rate of 1 Mbps and bursts at 65536 bytes Traffic exceeding the profile is dropped Switch config policy map policy1 Switch config pmap class class1 Switch config pmap c police 1000000 65536 ex...

Страница 211: ...s interfaces Note For more information about configuring access control lists ACLs refer to the Configuring Network Security with ACLs chapter in the Catalyst 2950 Desktop Switch Software Configuration Guide for this release Examples The following example shows how to apply plcmap1 to an ingress interface Switch config interface gigabitethernet0 1 Switch config if service policy input plcmap1 You ...

Страница 212: ...how access lists Standard IP access list testingacl permit 10 10 10 2 Standard IP access list wizard_1 1 1 2 permit 1 1 1 2 Extended IP access list 103 permit tcp any any eq www Extended IP access list CMP NAT ACL Dynamic Cluster HSRP deny ip any any Dynamic Cluster NAT permit ip any any permit ip host 10 123 222 192 any permit ip host 10 228 215 0 any permit ip host 10 245 137 0 any permit ip hos...

Страница 213: ...sco 3600 Series and Cisco 3700 Series show access lists 213 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ Related Commands Command Description ip access list Configures an IP ACL on the switch show ip access lists Displays the IP ACLs configured on a switch ...

Страница 214: ...Examples The following is sample output from the show class map test command Switch show class map test Class Map match all test id 2 Match access group name testingacl The following is sample output from the show class map command Switch show class map Class Map match all wizard_1 1 1 2 id 3 Match access group name videowizard_1 1 1 2 Class Map match all test id 2 Match access group name testinga...

Страница 215: ...00 Series show class map 215 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ Related Commands Command Description class map Creates a class map to be used for matching packets to the class whose name you specify match class map configuration Defines the match criteria to classify traffic ...

Страница 216: ...l physical ports Examples The following is sample output from the show dot1x command Switch show dot1x Global 802 1X Parameters reauth enabled no reauth period 3600 quiet period 60 tx period 30 supp timeout 30 server timeout 30 reauth max 2 max req 2 802 1X Port Summary Port Name Status Mode Authorized Gi0 1 disabled n a n a Gi0 2 enabled Auto negotiate no 802 1X Port Details 802 1X is disabled on...

Страница 217: ...rts the authentication process In the 802 1x Port Summary section of the example the Status column shows whether the port is enabled for 802 1x the dot1x port control interface configuration command is set to auto or force unauthorized The Mode column shows the operational status of the port for example if you configure the dot1x port control interface configuration command to force unauthorized b...

Страница 218: ...on command Supplicant Ethernet MAC address of the client if one exists If the switch has not discovered the client this field displays Not set Multiple Hosts Setting of the dot1x multiple hosts interface configuration command allowed or disallowed Current Identifier1 1 This field and the remaining fields in the output show internal state information For a detailed description of these state machin...

Страница 219: ...mber carried in the most recently received EAPOL frame LAST EAPOLSrc Source MAC address carried in the most recently received EAPOL frame TX EAPOL Total Number of EAPOL frames of any type that have been sent TX EAP Req Id Number of EAP request identity frames that have been sent TX EAP Req Oth Number of EAP request frames other than request identity frames that have been sent 1 EAPOL Extensible Au...

Страница 220: ...rd IP access list wizard_1 1 1 2 permit 1 1 1 2 Extended IP access list 103 permit tcp any any eq www Extended IP access list CMP NAT ACL Dynamic Cluster HSRP deny ip any any Dynamic Cluster NAT permit ip any any permit ip host 10 245 155 128 any permit ip host 10 245 137 0 any permit ip host 10 146 106 192 any permit ip host 10 216 25 128 any permit ip host 10 228 215 0 any permit ip host 10 221 ...

Страница 221: ...1 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ Related Commands Command Description access list IP extended Configures an extended ACL on the switch access list IP standard Configures a standard ACL on the switch ip access list Configures an IP ACL on the switch show access lists Displays ACLs configured on a switch ...

Страница 222: ...nabled on this Vlan IGMP snooping mrouter learn mode is pim dvmrp on this Vlan vlan 2 IGMP snooping is globally enabled IGMP snooping is enabled on this Vlan IGMP snooping immediate leave is enabled on this Vlan IGMP snooping mrouter learn mode is pim dvmrp on this Vlan vlan 3 IGMP snooping is globally enabled IGMP snooping is enabled on this Vlan IGMP snooping immediate leave is disabled on this ...

Страница 223: ... following is sample output from the show ip igmp snooping vlan 1 command Switch show ip igmp snooping vlan 1 vlan 1 IGMP snooping is globally enabled IGMP snooping is enabled on this Vlan IGMP snooping immediate leave is enabled on this Vlan IGMP snooping mrouter learn mode is pim dvmrp on this Vlan Related Commands Command Description ip igmp snooping Enables IGMP snooping ip igmp snooping vlan ...

Страница 224: ...s sample output from the show ip igmp snooping mrouter vlan 1 command Note In this example Fa0 3 is a dynamically learned router port and Fa0 2 is a configured static router port Switch show ip igmp snooping mrouter vlan 1 Vlan ports 1 Fa0 2 static Fa0 3 dynamic Related Commands vlan vlan id Optional Specifies a VLAN Valid values are 1 to 1001 Release Modification 12 0 5 2 WC 1 This command was in...

Страница 225: ...sed for QoS ACLs Use this command with the security keyword to display the ACPs used for security ACLs Note You can configure up to four ACPs QoS and security on a switch Examples The following is sample output from the show mls masks command Switch show mls masks Mask1 Type qos Fields ip sa 0 0 0 255 ip da host dest port Policymap pmap1 Interfaces Fa0 9 Gi0 1 Policymap pmap2 Interfaces Fa0 1 Fa0 ...

Страница 226: ... Series show mls masks 226 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ Related Commands Command Description ip access group Applies an IP ACL to an interface policy map Creates or modifies a policy map that can be attached to multiple interfaces and enters policy map configuration mode ...

Страница 227: ... show mls qos interface fastethernet0 1 command Switch show mls qos interface fastethernet0 1 FastEthernet0 1 trust state trust cos COS override dis default COS 0 Related Commands interface id Optional Displays QoS information for the specified interface policers Optional Displays all the policers configured on the interface their settings and the number of policers unassigned Release Modification...

Страница 228: ... Use this command with the cos dscp keyword to display the CoS to DSCP map Use this command with the dscp cos keyword to display the DSCP to CoS map Examples The following is sample output from the show mls qos maps cos dscp command Switch show mls qos maps cos dscp Cos dscp map cos 0 1 2 3 4 5 6 7 dscp 8 8 8 8 24 32 56 56 The following is sample output from the show mls qos maps dscp cos command ...

Страница 229: ... 2 8 T and 12 2 15 ZJ The following is sample output from the show mls qos maps command Switch show mls qos maps Dscp cos map dscp 0 8 10 16 18 24 26 32 34 40 46 48 56 cos 0 1 1 2 2 3 7 4 4 5 5 7 7 Cos dscp map cos 0 1 2 3 4 5 6 7 dscp 0 8 16 24 32 40 48 56 Related Commands Command Description mls qos map Defines the CoS to DSCP map and DSCP to CoS map ...

Страница 230: ...ay all policy maps configured on the switch Note In a policy map the class named class default is not supported The switch does not filter traffic based on the policy map defined by the class class default policy map configuration command Examples The following is sample output from the show policy map command Switch show policy map Policy Map wand Description this is a description Policy Map wiza...

Страница 231: ...d Switch show policy map policytest Policy Map policytest class classtest police 10000000 8192 exceed action drop The following is sample output from the show policy map policytest class classtest command Switch show policy map policytest class classtest police 10000000 8192 exceed action drop Related Commands Command Description policy map Creates or modifies a policy map that can be attached to ...

Страница 232: ...rt information bridge Optional Displays status and configuration of this switch brief Optional Specifies a brief summary of interface information inconsistentports Optional Displays inconsistent port information interface interface id Optional Specifies a list of interfaces for which spanning tree information appears Enter each interface separated by a space Ranges are not supported Valid interfac...

Страница 233: ...128 100 BLK 38 0404 0400 0001 128 22 Fa0 17 128 23 128 100 BLK 38 0404 0400 0001 128 23 Fa0 18 128 24 128 100 BLK 38 0404 0400 0001 128 24 Fa0 19 128 25 128 100 BLK 38 0404 0400 0001 128 25 Fa0 20 128 26 128 100 BLK 38 0404 0400 0001 128 26 Fa0 21 128 27 128 100 BLK 38 0404 0400 0001 128 27 Port Designated Name Port ID Prio Cost Sts Cost Bridge ID Port ID Fa0 22 128 28 128 100 BLK 38 0404 0400 000...

Страница 234: ...ed 0 The following is sample output from the show spanning tree interface fastethernet0 3 command Switch show spanning tree interface fastethernet0 3 Interface Fa0 3 port 3 in Spanning tree 1 is down Port path cost 100 Port priority 128 Designated root has priority 6000 address 0090 2bba 7a40 Designated bridge has priority 32768 address 00e0 1e9f 4abf Designated port is 3 path cost 410 Timers mess...

Страница 235: ...on by using the corresponding keyword When no option is specified the default is to display broadcast storm control information Examples The following is sample output from the show storm control broadcast command Switch show storm control broadcast Interface Filter State Upper Lower Current Fa0 1 inactive 100 00 100 00 0 00 Fa0 2 inactive 100 00 100 00 0 00 Fa0 3 inactive 100 00 100 00 0 00 Fa0 4...

Страница 236: ...e occurs before the current storm ends Related Commands Table 22 show storm control Field Descriptions Field Description Interface Displays the ID of the interface Filter State Displays the status of the filter Blocking Storm control is enabled action is filter and a storm has occurred Forwarding Storm control is enabled and a storm has not occurred Inactive Storm control is disabled Shutdown Stor...

Страница 237: ...des Global configuration Command History Usage Guidelines BackboneFast should be enabled on all of the Catalyst 2950 switches to allow for the detection of indirect link failures and to start the spanning tree reconfiguration sooner Examples The following example shows how to enable BackboneFast on the switch Switch config spanning tree backbonefast You can verify your settings by entering the sho...

Страница 238: ...ast multicast unicast Determines the type of packet storm suppression broadcast Enable broadcast storm control on the port multicast Enable multicast storm control on the port unicast Enable unicast storm control on the port level level lower level Defines the rising and falling suppression levels level Rising suppression level as a percent of total bandwidth up to two decimal places valid values ...

Страница 239: ...cified the switch blocks traffic until the traffic rate drops below this level When a multicast or unicast storm occurs and the action is to filter traffic the switch blocks all traffic broadcast multicast and unicast traffic and sends only Spanning Tree Protocol STP packets When a broadcast storm occurs and the action is to filter traffic the switch blocks only broadcast traffic Examples The foll...

Страница 240: ...s to configure the interface as a Layer 2 port Then you can enter additional switchport commands with keywords Syntax Description This command has no arguments or keywords Defaults By default all interfaces are in Layer 2 mode Command Modes Interface configuration Command History Usage Guidelines Entering the no switchport command shuts the port down and then reenables it which might generate mess...

Страница 241: ...ed ports All physical ports on such platforms are assumed to be Layer 2 switched interfaces You can verify the switchport status of an interface by entering the show running config privileged EXEC command Related Commands Command Description show interfaces switchport Displays the administrative and operational status of a switching nonrouting port including port blocking and port protection setti...

Страница 242: ...video and data CAC connection admission control Set of actions taken by each ATM switch during connection setup to determine whether a connection s requested QoS will violate the QoS guarantees for established connections CAC is also used when routing a connection request through an ATM network candidate Switch that is not part of a cluster but is eligible to join a cluster because it meets the qu...

Страница 243: ... and transparent network topology changes HSRP creates a hot standby router group with a lead router that services all packets sent to the hot standby address The lead router is monitored by other routers in the group and if it fails one of these standby routers inherits the lead position and the hot standby group address IGMP Internet Group Management Protocol Used by IP hosts to report their mul...

Страница 244: ... creating a spanning tree Bridges exchange BPDU messages with other bridges to detect loops and then remove the loops by shutting down selected bridge interfaces Refers to both the IEEE 802 1 Spanning Tree Protocol standard and the earlier Digital Equipment Corporation Spanning Tree Protocol upon which it is based The IEEE version supports bridge domains and allows the bridge to construct a loop f...

Страница 245: ... generally covers a city or suburb WFQ weighted fair queuing In QoS a flow based queuing algorithm that schedules low volume traffic first while letting high volume traffic share the remaining bandwidth This is handled by assigning a weight to each flow where lower weights are the first to be serviced WRR Weighted Round Robin Type of round robin scheduling that prevents low priority queues from be...

Страница 246: ...16 and 36 Port Ethernet Switch Module for Cisco 2600 Series Cisco 3600 Series and Cisco 3700 Series Glossary 246 Cisco IOS Release 12 2 2 XT 12 2 8 T and 12 2 15 ZJ ...

Отзывы:

Нет отзывов

Похожие инструкции для AIM-VPN - DES/3DES VPN Data Encryption AIM Module

Бренд: LAWO Страницы: 154

PG-FLEX RT FRL-752

Бренд: PairGain Страницы: 6

Бренд: Zoom Страницы: 88

Бренд: TANDBERG Страницы: 3

Бренд: Ruckus Wireless Страницы: 2

Бренд: Rosewill Страницы: 10

ConnectX-3 Pro MCX349A-XCCN

Бренд: Mellanox Technologies Страницы: 35

LonWorks Communication Module LN-01

Бренд: Delta Electronics Страницы: 1

RP614 - Web Safe Router

Бренд: NETGEAR Страницы: 16

Бренд: ACTi Страницы: 14

HFisolator 9730/26-11

Бренд: Stahl Страницы: 2

Бренд: DHD Power Cruiser Страницы: 60

Бренд: IEI Technology Страницы: 116

Бренд: Aztech Страницы: 13

Бренд: Lantech Страницы: 23

Бренд: H3C Страницы: 148

Router 3000 Series

Бренд: 3Com Страницы: 37

Бренд: Umniah Страницы: 12

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды