
Americas Headquarters

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Catalyst 3750-X and 3560-X Switch
Software Configuration Guide

Cisco IOS Release 15.0(2)SE and Later
November 2013

Text Part Number: OL-25303-03

Contents: Catalyst 3560-X Series

Page 3: ...f show and more Commands 1-9; Accessing the CLI 1-9; Understanding Cisco Configuration Engine Software 1-1; Understanding Cisco IOS Agents 1-5; Configuring Cisco IOS Agents 1-6; Displaying CNS Configuration 1-14; Understanding the Boot Process 1-1; Assigning Switch Information 1-2; Checking and Saving the Running Configuration 1-16; Modifying the Startup Configuration 1-18; Scheduling a Reload of the Softwa...

Page 4: ...ess with RADIUS 1-17; Controlling Switch Access with Kerberos 1-39; Configuring the Switch for Local Authentication and Authorization 1-43; Configuring the Switch for Secure Shell 1-44; Configuring the Switch for Secure Socket Layer HTTP 1-48; Configuring the Switch for Secure Copy Protocol 1-54; Understanding IEEE 802.1x Port-Based Authentication 1-1; Configuring 802.1x Authentication 1-37; Displaying 80...

Page 5: ...onfiguring VLAN Trunks 1-14; Configuring VMPS 1-25; Understanding VTP 1-1; Configuring VTP 1-8; Monitoring VTP 1-18; Understanding Voice VLAN 1-1; Configuring Voice VLAN 1-3; Displaying Voice VLAN 1-7; Understanding Private VLANs 1-1; Configuring Private VLANs 1-6; Monitoring Private VLANs 1-15; Understanding IEEE 802.1Q Tunneling 1-1; Configuring IEEE 802.1Q Tunneling 1-4; Understanding Layer 2 Protocol Tunne...

Page 6: ...18; Displaying IP Source Guard Information 1-26; Understanding DHCP Server Port-Based Address Allocation 1-26; Configuring DHCP Server Port-Based Address Allocation 1-27; Displaying DHCP Server Port-Based Address Allocation 1-29; Understanding Dynamic ARP Inspection 1-1; Configuring Dynamic ARP Inspection 1-5; Displaying Dynamic ARP Inspection Information 1-14; Understanding IGMP Snooping 1-2; Configuring...

Page 7: ...Understanding SPAN and RSPAN 1-1; Understanding Flow-Based SPAN 1-11; Configuring SPAN and RSPAN 1-12; Configuring FSPAN and FRSPAN 1-24; Displaying SPAN, RSPAN, FSPAN, and FRSPAN Status 1-28; Understanding RMON 1-1; Configuring RMON 1-2; Displaying RMON Status 1-6; Understanding System Message Logging 1-1; Configuring System Message Logging 1-2; Configuring Smart Logging 1-14; Displaying the Logging Configura...

Page 8: ...23; Configuring Link-State Tracking 1-25; Understanding TelePresence E911 IP Phone Support 1-1; Configuring TelePresence E911 IP Phone Support 1-2; Understanding IP Routing 1-2; Steps for Configuring Routing 1-5; Configuring IP Addressing 1-6; Enabling IP Unicast Routing 1-20; Configuring RIP 1-20; Configuring OSPF 1-27; Configuring EIGRP 1-37; Configuring BGP 1-45; Configuring ISO CLNS Routing 1-66; Configuri...

Page 9: ...figuring Advanced PIM Features 1-35; Configuring Optional IGMP Features 1-38; Configuring Optional Multicast Routing Features 1-44; Configuring Basic DVMRP Interoperability Features 1-49; Configuring Advanced DVMRP Interoperability Features 1-54; Monitoring and Maintaining IP Multicast Routing 1-63; Information About Implementing IPv6 Multicast 1-1; Implementing IPv6 Multicast 1-12; Understanding MSDP 1-1...

Page 10: ...stency Check Routines 1-26; Using On-Board Failure Logging 1-26; Troubleshooting Tables 1-29; Understanding Online Diagnostics 1-1; Configuring Online Diagnostics 1-1; Running Online Diagnostic Tests 1-4; Working with the Flash File System 1-1; Working with Configuration Files 1-9; Working with Software Images 1-25; Access Control Lists 1-1; Archive Commands 1-2; ARP Commands 1-2; Boot Loader Commands 1-2; Deb...

Page 11: ...t 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Multicast 1-13; NetFlow Commands 1-13; Network Address Translation (NAT) Commands 1-13; QoS 1-14; RADIUS 1-14; SNMP 1-14; Spanning Tree 1-15; VLAN 1-15; VTP 1-15 ...

Page 39: ...co IOS commands, see the Cisco IOS Master Command List, All Releases, from the Cisco IOS Software Releases 15.0 Mainline Master Index page on Cisco.com: http://www.cisco.com/en/US/products/ps10591/products_product_indices_list.html. This guide does not provide detailed information on the GUIs for the embedded device manager or for Cisco Network Assistant (hereafter referred to as Network Assistant) that yo...

Page 40: ...materials not contained in this manual. Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Publications: Documents with complete information about the switch are available from these Cisco.com sites: Catalyst 3750-X: http://www.cisco.com/en/US/products/ps10745/tsd_products_support_series_home.html; Catalyst 3560-X: http://w...

Page 41: ...tports Configuration Guide; Cisco EnergyWise IOS Configuration Guide; Getting Started with Cisco Network Assistant; Release Notes for Cisco Network Assistant. Information about Cisco SFP and SFP+ modules is available from this Cisco.com site: http://www.cisco.com/en/US/products/hw/modules/ps5455/prod_installation_guides_list.html. SFP compatibility matrix documents are available from this Cisco.com site: ht...

Page 43: ...port contract. This image supports the IP Base and LAN Base feature sets. Customers with a service contract receive a universal image, with or without payload encryption, which includes the LAN Base, IP Base, and IP Services feature sets. On switches running payload-encryption images, management and data traffic can be encrypted. On switches running nonpayload-encryption images, only management traffic (such...

Page 44: ...ts enhancement to enable auto-QoS on a CDP-capable Cisco digital media player. Auto Smartport features in Cisco IOS Release 15.0(1)SE with improved device classification capabilities and accuracy, increased device visibility, and enhanced macro management. The device classifier is enabled by default and can classify devices based on DHCP options. IP Base feature set: Provides Layer 2 and basic Layer 3 f...

Page 45: ...ter and to identify link information between switches. Monitoring real-time status of a switch or multiple switches from the LEDs on the front-panel images. The system, redundant power system (RPS) system, and port LED colors on the images are similar to those used on the physical LEDs. Cisco StackWise Plus technology on Catalyst 3750-X switches for connecting up to nine switches through their StackWise...

Page 46: ...matic generation of the imagelist file, configurable file repository, hostname changes, transparent connection of the director to client, and USB storage for image and seed configuration. Smart Install enhancements in Cisco IOS Release 12.2(58)SE, including the ability to manually change a client switch health state from denied to allowed or hold for on-demand upgrades, to remove selected clients from th...

Page 47: ...or IGMP devices. IGMP snooping for efficiently forwarding multimedia and multicast traffic. IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries). IGMP snooping querier support to configure the switch to generate periodic IGMP General Query messages. IGMP Helper to allow the switch to forward a host request...

Page 48: ...rk Assistant is a network-management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com. CLI: The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI by connect...

Page 49: ...s from a TFTP server. Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address. Unicast MAC address filtering to drop packets with specific source or destination MAC addresses. Configurable MAC address scaling that allows disabling MAC address learning on a VLAN to limit the size of the MAC address table. Disabling MAC address learning on a VLAN...

Page 50: ...ement Protocol (SNMP) can be configured over IPv6 transport so that an IPv6 host can send SNMP queries and receive SNMP notifications from a device running IPv6. IPv6 supports stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses. IETF IP-MIB and IP-FORWARD-MIB (RFC 4292 and RFC 4293) updates to support the IP version 6 (IPv6) only a...

Page 51: ...es. IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing, and rapid per-VLAN Spanning Tree plus (rapid PVST+) based on the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) for rapid convergence of the spanning tree by immediately changing root and designated ports to the forwarding...

Page 52: ...g VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received on the trunk. The switch CPU continues to send and receive control protocol frames. Private VLANs to address VLAN scalability problems, to provide a more controlled IP address allocation, and to allow Layer 2 ports to be isolated from other ports on the switch. Port security on a PVLA...

Page 53: ...ionality to be authenticated using a web browser. Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes. Multilevel security for a choice of security level, notification, and resulting actions. Static MAC addressing for ensuring security. Protected port option for restricti...

Page 54: ...DA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port. VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN. Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server assigns a VLAN to the first host to authenticate on the port, and s...

Page 55: ...ssion Control Software Configuration Guide. IEEE 802.1x inaccessible authentication bypass. For information about configuring this feature, see the Configuring Inaccessible Authentication Bypass and Critical Voice VLAN section on page 1-63. Authentication, authorization, and accounting (AAA) down policy for a NAC Layer 2 IP validation of a host if the AAA server is not available when the posture validatio...

Page 56: ...ith MAC move, the switch treats the reappearance of the same MAC address on another port in the same way as a completely new MAC address. Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SN...

Page 57: ...n a QoS domain and with a port bordering another QoS domain. Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security. Policing: Traffic-policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow. If you configure multiple class maps for a hierarchical policy map, each...

Page 58: ...ature set. Full OSPF requires the IP Services feature set. Starting with Cisco IOS Release 12.2(55)SE, the IP Base feature set supports OSPF for routed access to enable customers to extend Layer 3 routing capabilities to the access or wiring closet. Enhanced IGRP (EIGRP) requires the IP Services feature set. Border Gateway Protocol (BGP) Version 4 requires the IP Services feature set. IP routing between VLA...

Page 59: ...6, which utilizes IPv6 transport, communicates with IPv6 peers, and advertises IPv6 routes. IP unicast reverse path forwarding (unicast RPF) for confirming source packet IP addresses. Nonstop forwarding (NSF) awareness to enable the Layer 3 switch to continue forwarding packets from an NSF-capable neighboring router when the primary route processor (RP) is failing and the backup RP is taking over, or when the...

Page 60: ...d RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed. Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN. SPAN and RSPAN support of Intrusion Detection Systems (IDS) to monitor, repel, and report network security violations. Flow-based Switch Port Analyzer (FSPAN) to define filters for capturing tra...

Page 61: ...Configuring Cisco IOS IP SLAs Video Operations document at http://www.cisco.com/en/US/docs/ios-xml/ios/ipsla/configuration/12-2se/Configuring_IP_SLAs_Video_Operations.html. Flexible NetFlow to monitor user-defined flows, collect flow statistics, perform per-flow policing on uplink ports, and export the flow statistics to a collector device (supported only on the Catalyst 3750-X and 3560-X network servi...

Page 62: ...e-specific and system- and stack-wide settings. Note: For information about assigning an IP address by using the browser-based Express Setup program, see the getting started guide. For information about assigning an IP address by using the CLI-based setup program, see the hardware installation guide. If you do not configure the switch at all, the switch operates with these default settings: Default switch...

Page 63: ...VLANs: Default VLAN is VLAN 1. For more information, see Chapter 1, Configuring VLANs. VLAN trunking setting is dynamic auto (DTP). For more information, see Chapter 1, Configuring VLANs. Trunk encapsulation is negotiate. For more information, see Chapter 1, Configuring VLANs. VTP mode is server. For more information, see Chapter 1, Configuring VTP. VTP version is Version 1. For more information, see Chapter 1, Config...

Page 64: ...on, see Chapter 1, Configuring Port-Based Traffic Control. CDP is enabled. For more information, see Chapter 1, Configuring CDP. UDLD is disabled. For more information, see Chapter 1, Configuring UDLD. SPAN and RSPAN are disabled. For more information, see Chapter 1, Configuring SPAN and RSPAN. RMON is disabled. For more information, see Chapter 1, Configuring RMON. Syslog messages are enabled and appear on the cons...

Page 65: ...ndwidth available to your network users. Bandwidth alone is not the only consideration when designing your network. As your network traffic profiles evolve, consider providing network services that can support applications for voice and data integration, multimedia integration, application prioritization, and security. Table 1-2 describes some network demands and how you can meet them. Table 1-1 Increasin...

Page 66: ...st and multicast and multimedia applications. Use optional IP multicast routing to design networks better suited for multicast traffic. Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams from subscriber VLANs for bandwidth and security reasons. High demand on network redundancy and availability to provide always-on mission-critical applications. Use switch st...

Page 67: ...ch Software Configuration Guide, OL-25303-03. Chapter 1 Overview, Network Configuration Examples. [Figure 1-1 Cost-Effective Wiring Closet: Layer 2 StackWise Plus switch stack, Catalyst Gigabit Ethernet multilayer switch, Gigabit server] ...

Page 68: ...st 3560-X switches in the access layer to provide Gigabit Ethernet to the desktop. To prevent congestion, use QoS DSCP marking priorities on these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to a Gigabit switch with routing capability or to a router. The first illustration is of an isolated high-performance workgroup where the Catalyst 3560...

Page 69: ...Chapter 1 Overview, Network Configuration Examples. [Figure 1-3 High-Performance Workgroup (Gigabit to the Desktop) with Catalyst 3560-X Standalone Switches: access layer standalone switches, stacking-capable switches, Cisco 2600 router, WAN] ...

Page 70: ...of your network. For high-speed IP forwarding at the distribution layer, connect the switches in the access layer to multilayer switches with routing capability. The Gigabit interconnections minimize latency in the data flow. QoS and policing on the switches provide preferential treatment for certain data streams. They segment traffic streams into different paths for processing. Security features on the...

Page 71: ...work Configuration Examples. [Figure 1-5 Server Aggregation: campus core Catalyst 6500 switches, Catalyst 4500 multilayer switches, StackWise Plus switch stacks, StackWise switch stacks, access layer standalone switches, server racks] ...

Page 72: ...ices such as Cisco IP Phones. The server farm includes a call-processing server running Cisco CallManager software. Cisco CallManager controls call processing, routing, and Cisco IP Phone features and configuration. The switches are interconnected through Gigabit interfaces. This network uses VLANs to logically segment the network into well-defined broadcast groups and for security management. Data and m...

Page 73: ...undant power when it is also connected to an AC power source. Powered devices not connected to Catalyst PoE switches must be connected to AC power sources to receive power. Cisco CallManager controls call processing, routing, and Cisco IP Phone features and configuration. Users with workstations running Cisco SoftPhone software can place, receive, and control calls from their PCs. Using Cisco IP Phones, Ci...

Page 74: ...nonconforming traffic based on bandwidth limits are also configured on each switch stack or switch. VLAN maps provide intra-VLAN security and prevent unauthorized users from accessing critical pieces of the network. QoS features can limit bandwidth on a per-port or per-user basis. The switch ports are configured as either trusted or untrusted. You can configure a trusted port to trust the CoS value th...

Page 75: ...ilayer switches. [Figure: Cisco IP Phones with workstations, IEEE 802.3af-compliant powered device such as a web cam, WAN, mixed hardware stack including the Catalyst 3750G Integrated Wireless LAN Controller, Aironet wireless access points] ...

Page 76: ...a Backbone Configuration. [Figure: Cisco 7x00 routers, Catalyst 6500 multilayer switches, standalone switches, Cisco IP Phones with workstations, WAN, IEEE 802.3af-compliant powered device such as a web cam, Aironet wireless access points] ...

Page 77: ...3750 aggregation switch. For more information about the Catalyst Long-Reach Ethernet (LRE) switches, see the documentation sets specific to these switches for LRE information. All ports on the residential Catalyst 3750-X switches (and Catalyst 2950 LRE switches, if they are included) are configured as IEEE 802.1Q trunks with protected port and STP root guard features enabled. The protected port feature pro...

Page 78: ...el. A common wavelength used for long-distance transmissions is 1550 nm. The CWDM SFP modules connect to CWDM optical add/drop multiplexer (OADM) modules over distances of up to 393,701 feet (74.5 miles or 120 km). The CWDM OADM modules combine (or multiplex) the different CWDM wavelengths, allowing them to travel simultaneously on the same fiber-optic cable. The CWDM OADM modules on the receiving end separa...

Page 79: ...ections for startup information: Chapter 1, Using the Command-Line Interface; Chapter 1, Assigning the Switch IP Address and Default Gateway. To locate and download MIBs for a specific Cisco product and release, use the Cisco MIB Locator: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. [Figure: access layer Catalyst 4500 multilayer switches, eight 1-Gb/s connections (8 Gb/s), Catalyst switches, CWDM OADM...]

Page 81: ...rrently in. Enter a question mark at the system prompt to obtain a list of commands available for each command mode. When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration s...

Page 82: ...global configuration mode, enter the vlan vlan-id command: Switch(config-vlan)#. To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end. Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file. Int...

Page 83: ...s unique. This example shows how to enter the show configuration privileged EXEC command in an abbreviated form: Switch# show conf. Table 1-2 Help Summary (Command / Purpose): help: Obtain a brief description of the help system in any command mode. abbreviated-command-entry?: Obtain a list of commands that begin with a particular character string. For example: Switch# di? dir disable disconnect. abbreviated-command...

Page 84: ...that you might encounter while using the CLI to configure your switch. Using Configuration Logging: You can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the... Table 1-3...

Page 85: ...and history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs, as described in these sections: Changing the Command History Buffer Size, page 1-5 (optional); Recalling Commands, page 1-6 (optional); Disabling the Command History Feature, page 1-6 (optional). Changing the Command History Buffer Size: By default...

Page 86: ...ting Command Lines that Wrap, page 1-8 (optional). Enabling and Disabling Editing Features: Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure a specific line to have enhanced editing. These procedures are optional. To globally disable enhanced editing mode, enter this command in line configuration mode: Switch(config-line)# no editing. Table 1-4 Recalling Com...

Page 87: ...ommand line. Press Esc B: Move the cursor back one word. Press Esc F: Move the cursor forward one word. Press Ctrl-T: Transpose the character to the left of the cursor with the character located at the cursor. Recall commands from the buffer and paste them in the command line: The switch provides a buffer with the last ten items that you deleted. Press Ctrl-Y: Recall the most recent entry in the buffer. Pres...

Page 88: ...line, the line is again shifted ten spaces to the left. Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1 / Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25 / Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq / Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45. Press Esc L: Change the word at the cursor to low...

Page 89: ...r exclude, and an expression that you want to search for or filter out: command | {begin | include | exclude} regular-expression. Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear. This example shows how to include in the output display only lines where the expression protocol appears: Switch# show inte...

Page 90: ...session, but your switch must first be configured for this type of access. For more information, see the Setting a Telnet Password for a Terminal Line section on page 1-6. You can use one of these methods to establish a connection with the switch: Connect the switch console port to a management station or dial-up modem, or connect the Ethernet management port to a PC. For information about connecting to...

Page 91: ...NS Configuration, page 1-14. Understanding Cisco Configuration Engine Software: The Cisco Configuration Engine is network management software that acts as a configuration service for automating the deployment and management of network devices and services (see Figure 1-1). Each Configuration Engine manages a group of Cisco devices (switches and routers) and the services that they deliver, storing their con...

Page 92: ...Service uses the CNS Event Service to send and receive configuration change events and to send success and failure notifications. The configuration server is a web server that uses configuration templates and the device-specific configuration information stored in the embedded (standalone mode) or remote (server mode) directory. Configuration templates are text files containing static configuration inf...

Page 93: ...que group ID, device ID, and event, the mapping service returns a set of events on which to publish. What You Should Know About the CNS IDs and Device Hostnames: The Configuration Engine assumes that a unique identifier is associated with each configured switch. This unique identifier can take on multiple synonyms, where each synonym is unique within a particular namespace. The event service uses namespac...

Page 94: ...onnection to the event gateway and does not change even when the switch hostname is reconfigured. When changing the switch hostname on the switch, the only way to refresh the DeviceID is to break the connection between the switch and the event gateway. Enter the no cns event global configuration command followed by the cns event global configuration command. When the connection is re-established, the s...

Page 95: ...the new switch and includes the TFTP server IP address, the path to the bootstrap configuration file, and the default gateway IP address in a unicast reply to the DHCP relay agent. The DHCP relay agent forwards the reply to the switch. The switch automatically configures the assigned IP address on interface VLAN 1 (the default) and downloads the bootstrap configuration file from the TFTP server. Upon suc...

Page 96: ...defer application of the configuration upon receipt of a write-signal event. The write-signal event tells the switch not to save the updated configuration into its NVRAM. The switch uses the updated configuration as its running configuration. This ensures that the switch configuration is synchronized with other network activities before saving the configuration in NVRAM for use at the next reboot. Co...

Page 97: ...lt, no configuration file. Distribution switch: IP helper address; enable DHCP relay agent; IP routing (if used as default gateway). DHCP server: IP address assignment; TFTP server IP address; path to bootstrap configuration file on the TFTP server; default gateway IP address. TFTP server: A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the...

Page 98: ...the hostname or the IP address of the event gateway. (Optional) For port number, enter the port number for the event gateway. The default port number is 11011. (Optional) Enter backup to show that this is the backup gateway. (If omitted, this is the primary gateway.) (Optional) For failover-time seconds, enter how long the switch waits for the primary gateway route after the route to the backup gateway is establi...

Page 99: ...guration mode and specify the name of the CNS connect template. Step 3: cli config-text: Enter a command line for the CNS connect template. Repeat this step for each command line in the template. Step 4: Repeat Steps 2 to 3 to configure another CNS connect template. Step 5: exit: Return to global configuration mode. Step 6: cns connect name [retries number] [retry-interval seconds] [sleep seconds] [timeout seconds]...

Page 100: ...y the point-to-point subinterface number that is used to search for active DLCIs. For interface interface-type, enter the type of interface. For line line-type, enter the line type. Step 8: template name name. Specify the list of CNS connect templates in the CNS connect profile to be applied to the switch configuration. You can specify more than one template. Step 9: Repeat Steps 7 to 8 to specify more inte...

Page 101: ...address mac-address: enter dns-reverse to retrieve the hostname and assign it as the unique ID, enter ipaddress to use the IP address, or enter mac-address to use the MAC address as the unique ID. (Optional) Enter event to set the ID to be the event-id value used to identify the switch. (Optional) Enter image to set the ID to be the image-id value used to identify the switch. Note: If both the event and imag...

Page 102: ...e ip-address syntax-check. Enable the Cisco IOS agent and initiate an initial configuration. For hostname ip-address, enter the hostname or the IP address of the configuration server. (Optional) For port number, enter the port number of the configuration server. The default port number is 80. (Optional) Enable event for configuration success, failure, or warning messages when the configuration is finished. Opti...

Page 103: ...ng a Partial Configuration. Beginning in privileged EXEC mode, follow these steps to enable the Cisco IOS agent and to initiate a partial configuration on the switch. To disable the Cisco IOS agent, use the no cns config partial ip-address hostname global configuration command. To cancel a partial configuration, use the cns config cancel privileged EXEC command. Command / Purpose: Step 1: configure terminal ...

Page 104: ...show cns config connections: Displays the status of the CNS Cisco IOS agent connections. show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed. show cns config stats: Displays statistics about the Cisco IOS agent. show cns event connections: Displays the status of the CNS event agent connections. show cns event stats: Disp...

Page 105: ...se sections: Understanding the Boot Process, page 1-1; Assigning Switch Information, page 1-2; Checking and Saving the Running Configuration, page 1-16; Modifying the Startup Configuration, page 1-18; Scheduling a Reload of the Software Image, page 1-23; Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation, page 1-25. Note: Information in this chapter about configuring IP addresses and DHCP...

Page 106: ...system. For more information, see the Recovering from a Software Failure section on page 1-2 and the Recovering from a Lost or Forgotten Password section on page 1-3. Note: You can disable password recovery. For more information, see the Disabling Password Recovery section on page 1-5. Before you can assign switch information, make sure you have connected a PC or terminal to the console port, or a PC to th...

Page 107: ... 3; Manually Assigning IP Information, page 1-15. Default Switch Information: Table 1-1 shows the default switch information. Understanding DHCP-Based Autoconfiguration: DHCP provides configuration information to Internet hosts and internetworking devices. This protocol consists of two components: one for delivering configuration parameters from a DHCP server to a device, and a mechanism for allocating net...

Page 108: ... configuration file is present and the configuration includes the ip address dhcp interface configuration command on specific routed interfaces, the DHCP client is invoked and requests the IP address information for those interfaces. Figure 1-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server. Figure 1-1 DHCP Client and Server Message Exchange. The client, S...

Page 109: ...er the ip address dhcp interface configuration command. In this case, if the client receives the DHCP hostname option from the DHCP interaction while acquiring an IP address for an interface, the client accepts the DHCP hostname option and sets the flag to show that the system now has a hostname configured. Understanding DHCP-based Autoconfiguration and Image Update: You can use the DHCP image upgrade ...

Page 110: ...Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address. The auto-install process stops if a configuration file cannot be downloaded or if the configuration file is corrupted. Note: The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not...

Page 111: ...ver name are not found, the switch might send broadcast instead of unicast TFTP requests. Unavailability of other lease options does not affect autoconfiguration. The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your switch but are not configured. These features are not operational. If your DHCP server is a Cisco device, for additional info...

Page 112: ... server name to an IP address. You must configure the TFTP server name-to-IP-address map on the DNS server. The TFTP server contains the configuration files for the switch. You can configure the IP addresses of the DNS servers in the lease database of the DHCP server, from where the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database. The DNS server can...

Page 113: ...address is reserved for the switch and provided in the DHCP reply. The configuration filename is not provided (two-file read method). The switch receives its IP address, subnet mask, and the TFTP server address from the DHCP server. The switch sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg default configuration file. If the network-confg file cannot be read, the sw...

Page 114: ...server maps the TFTP server name tftpserver to IP address 10.0.0.3. Figure labels: Switch 1 (00e0.9f1e.2001), Cisco router, Switch 2 (00e0.9f1e.2002), Switch 3 (00e0.9f1e.2003), DHCP server, DNS server, TFTP server (tftpserver), 10.0.0.1, 10.0.0.10, 10.0.0.2, 10.0.0.3, Switch 4 (00e0.9f1e.2004). Table 1-2 DHCP Server Configuration: Switch A / Switch B / Switch C / Switch D. Binding key (hardware address): 00e0.9f1e.2001 / 00e0.9f1e.2002 / 00e...

Page 115: ...h A reads the network-confg file from the base directory of the TFTP server. It adds the contents of the network-confg file to its host table. It reads its host table by indexing its IP address 10.0.0.21 to its hostname (switcha). It reads the configuration file that corresponds to its hostname; for example, it reads switch1-confg from the TFTP server. Switches B through D retrieve their configuration fil...

Page 116: ...text file (for example, autoinstall_dhcp) that will be uploaded to the switch. In the text file, put the name of the image that you want to download (for example, 3750x ipservices mz 122 53 3 SE2 .tar). This image must be a tar and not a bin file. Step 4: network network-number mask | /prefix-length. Specify the subnet network number and mask of the DHCP address pool. Note: The prefix length specifies the number of...

Page 117: ...number mask | /prefix-length. Specify the subnet network number and mask of the DHCP address pool. Note: The prefix length specifies the number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/). Step 5: default-router address. Specify the IP address of the default router for a DHCP cli...

Page 118: ... path-list; Config file: flash:config.text; Private Config file: flash:private-config.text; Enable Break: no; Manual Boot: no; HELPER path-list; NVRAM/Config file buffer size: 32768; Timeout for Config Download: 300 seconds; Config Download via DHCP: enabled (next boot: enabled); Switch#. Note: You should only configure and enable the Layer 3 interface. Do not assign an IP address or DHCP-based autoconfiguration with a ...

Page 119: ...ervices, see Chapter 1, Administering the Switch. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface vlan vlan-id. Enter interface configuration mode, and enter the VLAN to which the IP information is assigned. The range is 1 to 4094. Step 3: ip address ip-address subnet-mask. Enter the IP address and subnet mask. Step 4: exit. Return to global configuration mode. Step 5...

Page 120: ...ce VLAN1; ip address 172.20.137.50 255.255.255.0; no ip directed-broadcast; ip default-gateway 172.20.137.1; snmp-server community private RW; snmp-server community public RO; snmp-server community private@es0 RW; snmp-server community public@es0 RO; snmp-server chassis-id 0x12; end. To store the configuration or changes you have made to your startup configuration in flash memory, enter this privileged EXEC ...

Page 121: ...s with the stack and reloads automatically. Beginning in privileged EXEC mode, follow these steps to configure the NVRAM buffer size. This example shows how to configure the NVRAM buffer size: Switch# configure terminal; Enter configuration commands, one per line. End with CNTL/Z.; Switch(config)# boot buffersize 524288; Switch(config)# end; Switch# show boot; BOOT path-list; Config file: flash:config.text; Private Co...

Page 122: ...omatically Downloading a Configuration File: You can automatically download a configuration file to your switch by using the DHCP-based autoconfiguration feature. For more information, see the Understanding DHCP-Based Autoconfiguration section on page 1-3. Table 1-3 Default Boot Configuration: Feature / Default Setting. Operating system software image: The switch attempts to automatically boot up the syste...

Page 123: ...igure it to manually boot up. Note: This command only works properly from a standalone switch. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot up during the next boot cycle. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: boot config-file flash:/file-url. Specify the configuration file to load during the next boot cycle. For f...

Page 124: ...e. Step 4: show boot. Verify your entries. The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url boot loader command. For filesystem:, use flash: for the system board flash device. For file-url, specify the path (directory...

Page 125: ...any environment variables are predefined and have default values. Environment variables store two kinds of data: Data that controls code, which does not read the Cisco IOS configuration file. For example, the name of a boot loader helper file, which extends or patches the functionality of the boot loader, can be stored as an environment variable. Data that controls code, which is responsible for reading th...

Page 126: ...bootable file that it can find in the flash file system. boot system filesystem:/file-url switch number | all. Note: The switch number | all keywords are supported only on Catalyst 3750-E switches. Specifies the Cisco IOS image to load during the next boot cycle and the stack members on which the image is loaded. This command changes the setting of the BOOT environment variable. MANUAL_BOOT: set MANUAL_BOOT y...

Page 127: ...ber number of a stack member. switch current-stack-member-number renumber new-stack-member-number: Changes the member number of a stack member. Note: This command is supported only on Catalyst 3750-X switches. SWITCH_PRIORITY: set SWITCH_PRIORITY stack-member-number. Changes the priority value of a stack member. switch stack-member-number priority priority-number: Changes the priority value of a stack memb...

Page 128: ... scheduled to take place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. Note: Use the at keyword only if the switch system clock has be...

Page 129: ...roceed with reload? [confirm]. To cancel a previously scheduled reload, use the reload cancel privileged EXEC command. Displaying Scheduled Reload Information: To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information, including the time the reload is scheduled to occur, a...

Page 130: ...ification. Note: If you upload a corrupt or unsigned image, the following message appears during boot up: Image verification failed. Upgrade from a switch that is in the non-FIPS mode to a Cisco IOS Release 15.0(2)SE1 image in the FIPS mode: Configure the fips authorization-key authorization-key global configuration command. Reload the switch for the FIPS key to be operational. By default, the switch auto...

Page 131: ...erification. Note: If you upload a corrupt or unsigned image, the following message appears during boot up: WARNING: Unable to determine image authentication. Image is either unsigned or is signed but corrupted. Downgrade from a Cisco IOS Release 15.0(2)SE1 image in FIPS mode to an older release: Configure the no fips authorization-key authorization-key global configuration command. Reload the switch for ...

Page 133: ...page 1-31. For other switch stack related information, such as cabling the switches through their StackWise Plus ports and using the LEDs to display switch stack status, see the hardware installation guide. The Catalyst 3750-X stackable switch also supports StackPower, where up to four switches can be connected with power stack cables to allow the switch power supplies to share the load across multiple...

Page 134: ...talyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches supporting different features as stack members. For example, a stack with the Catalyst 3750-X members running the IP services feature set and the Catalyst 3750 members running the IP services software image. For information about Catalyst 3750 switches, see the Managing Switch Stacks chapter in the Catalyst 3750 Switch Software Configuration Gui...

Page 135: ...s switch be the stack master. Encryption features are unavailable if the stack master is running the IP base or IP services feature set and the noncryptographic software image. Note: In a mixed stack, Catalyst 3750 or Catalyst 3750-E switches running Cisco IOS Release 12.2(53)SE and earlier could be running a noncryptographic image. Catalyst 3750-X switches and Catalyst 3750 and 3750-E switches with Ci...

Page 136: ...tting Started with Cisco Network Assistant on Cisco.com. Switch Stack Membership: A switch stack has up to nine stack members connected through their StackWise Plus ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master. You can connect one standalone switch to another (Figure 1-1 on page 1-5) to create a switc...

Page 137: ...figuration of the re-elected stack master. Removing powered-on stack members causes the switch stack to divide (partition) into two or more switch stacks, each with the same configuration. This can cause an IP address configuration conflict in your network. If you want the switch stacks to remain separate, change the IP address or addresses of the newly created switch stacks. If you did not intend to part...

Page 138: ...feature set and the cryptographic software image; IP base feature set and the noncryptographic software image. Note: In a switch stack running the LAN base feature set, all switches in the stack must run the LAN base feature set. During the stack master switch election, differences in start-up times between the feature sets determine the stack master. The switch with the shorter start-up time becomes th...

Page 139: ... period, if the previous stack master rejoins the stack, the stack continues to use its MAC address as the stack MAC address, even if the switch is now a stack member and not a stack master. If the previous stack master does not rejoin the stack during this period, the switch stack takes the MAC address of the new stack master as the stack MAC address. See Enabling Persistent MAC Address, page 1-24, for m...

Page 140: ...witch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master. You can change the priority value for a stack member by using the switch stack-member-number priority new-priority-value global configuration command. For more information, see the Setting the Stack Member Priority Value section on page 1-26. Another way to change the member priority value is by ch...

Page 141: ... the switch stack compares the provisioned configuration with the provisioned switch. Table 1-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch: Scenario / Result. The stack member numbers and the switch types match: 1. If the stack member number of the provisioned switch matches the stack member number in the provisioned configuration on the stack, and 2. If the switch type ...

Page 142: ...interface configuration. The switch stack then adds to its running configuration a switch stack-member-number provision type global configuration command that matches the new switch. The stack member number of the provisioned switch is in conflict with an existing stack member: The stack master assigns a new stack member number to the provisioned switch. The stack member numbers and the switch types m...

Page 143: ...e Management (SDM) templates: All stack members use the SDM template configured on the stack master. Version-mismatch (VM) mode has priority over SDM-mismatch mode. If a VM-mode condition and an SDM-mismatch mode exist, the switch stack first attempts to resolve the VM-mode condition. You can use the show switch privileged EXEC command to see if any stack members are in SDM-mismatch mode. For more informati...

Page 144: ... the same switch stack. Minor Version Number Incompatibility Among Switches: Switches with the same major version number but with a different minor version number are considered partially compatible. When connected to a switch stack, a partially compatible switch enters version-mismatch (VM) mode and cannot join the stack as a fully functioning member. The software detects the mismatched software and tri...

Page 145: ...the same type. For example, it does not automatically upgrade a switch in VM mode from IP services feature set to IP base feature set, or the reverse. Automatic advise (auto-advise) occurs when the auto-upgrade process cannot find appropriate stack member software to copy to the switch in VM mode. This process tells you the command (archive copy-sw or archive download-sw privileged EXEC command) and the im...

Page 146: ...11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: Stacking Version Number: 1.4; Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW:; Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: System Type: 0x00000000; Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: Ios Image File Size: 0x004BA200; Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: Total Image File Size: 0x00818A00; Mar 11 20:36:15.038: %IMAGEMGR-6-AUTO_COPY_SW: Minimum Dram required: 0x0...

Page 147: ...oftware process initiated for switch number(s): 1; Mar 1 00:04:22.537: %IMAGEMGR-6-AUTO_ADVISE_SW:; Mar 1 00:04:22.537: %IMAGEMGR-6-AUTO_ADVISE_SW:; Mar 1 00:04:22.537: %IMAGEMGR-6-AUTO_ADVISE_SW: Systems with incompatible software; Mar 1 00:04:22.537: %IMAGEMGR-6-AUTO_ADVISE_SW: have been added to the stack. The; Mar 1 00:04:22.537: %IMAGEMGR-6-AUTO_ADVISE_SW: storage devices on all of the stack; Mar 1 00:04:22.537: %IMAG...

Page 148: ... they are manually changed or they are already used by another member in the same switch stack. If an interface-specific configuration does not exist for that member number, the stack member uses its default interface-specific configuration. If an interface-specific configuration exists for that member number, the stack member uses the interface-specific configuration associated with that member numbe...

Page 149: ...LI, SNMP, Network Assistant, and CiscoWorks network management applications. You cannot manage stack members on an individual switch basis. These sections provide switch stack connectivity information: Connectivity to the Switch Stack Through an IP Address, page 1-17; Connectivity to the Switch Stack Through an SSH Session, page 1-18; Connectivity to the Switch Stack Through Console Ports or Ethernet Manage...

Page 150: ... master through the console port of one or more stack members. You can connect a PC to the stack master through the Ethernet management ports of one or more Catalyst 3750-X stack members. For more information about connecting to the switch stack through Ethernet management ports, see the Using the Ethernet Management Port section on page 1-26. Be careful when using multiple CLI sessions to the stack m...

Page 151: ...the same time. The stack member with the higher priority value is elected stack master. Stack master election specifically determined by the configuration file (assuming that both stack members have the same priority value): 1. Make sure that one stack member has a default configuration and that the other stack member has a saved (nondefault) configuration file. 2. Restart both stack members at the same tim...

Page 152: ...k members have the same stack member number. If necessary, use the switch current-stack-member-number renumber new-stack-member-number global configuration command. 2. Restart both stack members at the same time. The stack member with the higher priority value retains its stack member number. The other stack member has a new stack member number. Add a stack member: 1. Power off the new switch. 2. Through the...

Page 153: ...nnections. For configuration examples, see the switch hardware installation guide. The switch enables the persistent MAC address during the upgrade. At least one redundant uplink is connected to the network. The uplink has an active switch and a standby switch. A member that has an interface with the active role is an active switch. Another member that has an interface with the standby role is a standby ...

Page 154: ... active member is reached. c. It then upgrades the standby members that can be reached through Stack Port 2 on the first standby member until an active member is reached. After the stack is upgraded, save the stack configuration in the configuration file. If you want the stack to keep the original master and not elect a new one, reload the stack. Upgrade Sequence Examples: Figure 1-4 Stack Port 1 on Membe...

Page 155: ... Member 2, this is the upgrade sequence: 1. Member 1; 2. Member 2; 3. Member 3; 4. Member 9; 5. Member 8; 6. Member 7; 7. Member 6; 8. Member 5; 9. Member 4. Figure labels: Member 1 through Member 9, LACP cross-stack EtherChannel, Active switch, Standby switch, Dual-attached host, Network, Stack Port 1, Stack Port 2...

Page 156: ...oes not rejoin the stack during this period, the switch stack takes the MAC address of the new stack master as the stack MAC address. You can also configure stack MAC persistency so that the stack never switches to the MAC address of the new stack master. Note: When you enter the command to configure this feature, a warning message appears containing the consequences of your configuration. You should us...

Page 157: ...p 2: stack-mac persistent timer 0 | time-value. Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master. If the previous stack master rejoins the stack during this period, the stack uses that MAC address as the stack MAC address. Enter the command with no value to set the default delay of approximately 4 minutes. We recommend that you always con...

Page 158: ...7 (optional). Assigning a Stack Member Number: Note: This task is available only from the stack master. Beginning in privileged EXEC mode, follow these steps to assign a member number to a stack member. This procedure is optional. Setting the Stack Member Priority Value: Note: This task is available only from the stack master. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: sw...

Page 159: ...urrent stack master or switch stack resets. Step 3: end. Return to privileged EXEC mode. Step 4: reload slot stack-member-number. Reset the stack member and apply this configuration change. Step 5: show switch stack-member-number. Verify the stack member priority value. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose: Step 1: show switch. Display s...

Page 160: ... 2 for the switch stack. The show running-config command output shows the interfaces associated with the provisioned switch: Switch(config)# switch 2 provision switch_PID; Switch(config)# end; Switch# show running-config | include switch 2; interface GigabitEthernet2/0/1; interface GigabitEthernet2/0/2; interface GigabitEthernet2/0/3; <output truncated>. Running a Rolling Stack Update: Beginning in privileged EXEC m...

Page 161: ... assigns the other role to the member interface. active: Sets the interface to active. standby: Sets the interface to standby. Note: If spanning tree protocol (STP) is enabled, set the standby role to the blocked interface. By default, the role is not set. To configure another pair, repeat Step 3 to Step 6. Step 7: end. Returns to privileged EXEC mode. Step 8: archive download-sw rolling-stack-upgrade. Starts the ro...

Page 162: ...he system prompt. For example, the prompt for member 2 is Switch-2#, and the system prompt for the master is Switch#. Enter exit to return to the CLI session on the master. Only the show and debug commands are available on a specific member. Displaying Switch Stack Information: To display saved configuration changes after resetting a specific member or the stack, use these privileged EXEC commands. Table 1-4 Com...

Page 163: ...l members are connected through the stack ports and are in the ready state. The stack is in the partial-ring state when: All members are connected through the stack ports, but some (or all) are not in the ready state; Some members are not connected through the stack ports. When you enter the switch stack-member-number stack port port-number disable privileged EXEC command and: The stack is in the full-ring s...

Page 164: ...t you might need to enter the switch 1 stack port 1 enable and the switch 4 stack port 2 enable privileged EXEC commands to bring up the link. Understanding the show switch stack-ports summary Output: Only Port 1 on stack member 2 is disabled. Switch# show switch stack-ports summary. Columns: Switch#/Port# | Stack Port Status | Neighbor | Cable Length | Link OK | Link Active | Sync OK | #Changes To LinkOK | In Loopback. 1/1 OK 3 5...

Page 165: ...rom the port. Yes: The link partner receives valid protocol messages from the port. Link Active: This shows if the stack port is in the same state as its link partner. No: The port cannot send traffic to the link partner. Yes: The port can send traffic to the link partner. Sync OK: No: The link partner does not send valid protocol messages to the stack port. Yes: The link partner sends valid protocol messages ...

Page 166: ...itch stack-ports summary. Columns: Switch#/Port# | Stack Port Status | Neighbor | Cable Length | Link OK | Link Active | Sync OK | #Changes To LinkOK | In Loopback. 1/1 Absent None No cable No No No 1 No; 1/2 OK 2 3 m Yes Yes Yes 1 No; 2/1 OK 1 3 m Yes Yes Yes 1 No; 2/2 OK 3 50 cm Yes Yes Yes 1 No; 3/1 OK 2 50 cm Yes Yes Yes 1 No; 3/2 Down None 50 cm No No No 1 No. If you disconnect the stack cable from Port 2 on Switch 1, the stack ...

Page 167: ...s Software Loopback Examples: Connected Stack Cables: On Port 1 on Switch 1, the port status is Down, and a cable is connected. On Port 2 on Switch 1, the port status is Absent, and no cable is connected. Switch# show switch stack-ports summary. Columns: Switch#/Port# | Stack Port Status | Neighbor | Cable Length | Link OK | Link Active | Sync OK | #Changes To LinkOK | In Loopback. 1/1 Down None 50 cm No No No 1 No; 1/2 Absent None No c...

Page 168: ...F00 86031805 55AAFFFF FFFFFFFF 1CE61CE6 Yes Yes No cable. On a Catalyst 3750 member: If at least one stack port has a connected stack cable, the Loopback HW value for both stack ports is No. If neither stack port has a connected stack cable, the Loopback HW value for both stack ports is Yes. On a Catalyst 3750-E or Catalyst 3750-X member: If a stack port has a connected stack cable, the Loopback HW val...

Page 169: ...K OK Stack Port 2; 0000000005 1 FF08FF00 0001FBD3 0801080B EFFFFFFF 0C100CE6 No No No cable; 0000000005 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm; Event type: RAC; 0000000006 1 FF08FF00 0001FC14 08050204 EFFFFFFF 0C100CE6 No No No cable; 0000000006 2 FF08FF00 8603E4A9 5555FFFF FFFFFFFF 0C100CE6 No No 50 cm; Event type: LINK NOT OK Stack Port 2; 0000000939 1 FF08FF00 00016879 00010000 EFFFF...

Page 170: ...9CFFFF 0C140CE4 No No 50 cm; 0000009732 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m; Event type: RAC; 0000009733 1 FF01FF00 00015B4A 5555FFFF A49CFFFF 0C140CE4 No No 50 cm; 0000009733 2 FF01FF00 86020823 AAAAFFFF 00000000 0C140CE4 No No 3 m; Event type: LINK NOT OK Stack Port 2; 0000010119 1 FF01FF00 00010E69 25953FFF FFFFFFFF 0C140C14 No Yes No cable; 0000010119 2 FF01FF00 0001D98C 81AAC7FF 0...

Page 171: ...connection for Port 2 on Switch 1. Port 2 on Switch 1 has a port or cable problem if: The In Loopback value is Yes, or The Link OK, Link Active, or Sync OK value is No. Fixing a Bad Connection Between Stack Ports: Stack cables connect all members. Port 2 on Switch 1 connects to Port 1 on Switch 2. This is the port status: Switch# show switch stack-ports summary. Switch Stack Neighbor Cable Link Link Sync In P...

Page 173: ...ters and converting a switch cluster to a community, see Getting Started with Cisco Network Assistant, available on Cisco.com. This chapter focuses on Catalyst 3750-X and 3560-X switch clusters. It also includes guidelines and limitations for clusters mixed with other cluster-capable Catalyst switches, but it does not provide complete descriptions of the cluster features for these other switches. For co...

Page 174: ... switch as a Layer 3 router between the Layer 2 switches in the cluster network. Cluster members are connected to the cluster command switch according to the connectivity guidelines described in the Automatic Discovery of Cluster Candidates and Members section on page 1-5. This section includes management VLAN considerations for the Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2950, and Cata...

Page 175: ...ected to all other cluster member switches (except the cluster command and standby command switches) through a common VLAN. It is redundantly connected to the cluster so that connectivity to cluster member switches is maintained. It is not a command or member switch of another cluster. Catalyst 3550: 12.1(4)EA1 or later; Member or command switch. Catalyst 2970: 12.1(11)AX or later; Member or command switch ...

Page 176: ...ted to every standby cluster command switch through at least one common VLAN. The VLAN to each standby cluster command switch can be different. The ip http server global configuration command must be configured on the switch. It is connected to the cluster command switch through at least one common VLAN. Note: Catalyst 1900, Catalyst 2820, Catalyst 2900 XL, Catalyst 2940, Catalyst 2950, and Catalyst 3500 XL...

Page 177: ...information about CDP, see Chapter 1, "Configuring CDP." Following these connectivity guidelines ensures automatic discovery of the switch cluster, cluster candidates, connected switch clusters, and neighboring edge devices: Discovery Through CDP Hops, page 1-5; Discovery Through Non-CDP-Capable and Noncluster-Capable Devices, page 1-6; Discovery Through Different VLANs, page 1-7; Discovery Through Different Man...

Page 178: ...it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device. Figure 1-2 shows that the cluster command switch discovers the switch that is connected to a third-party hub. However, the cluster command switch does not discover the switch that is connected to a Catalyst 5000 switch. Figure 1-2 Discovery Through Non-CDP-Capable and Noncluster-Capable Devices. Command de...

Page 179: ...luster command switch through their management VLAN. For information about discovery through management VLANs, see the "Discovery Through Different Management VLANs" section on page 1-7. For more information about VLANs, see Chapter 1, "Configuring VLANs." Note: For additional considerations about VLANs in switch stacks, see the "Switch Clusters and Switch Stacks" section on page 1-14. Figure 1-3 Discovery Throu...

Page 180: ...use automatic discovery does not extend beyond a noncandidate device, which is switch 7. Figure 1-4 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch. Discovery Through Routed Ports: If the cluster command switch has a routed port (RP) configured, it discovers only candidate and cluster member switches in the same VLAN as the routed port. For more information about routed...

Page 181: ...s to the VLAN of the immediately upstream neighbor. The new switch also configures its access port to belong to the VLAN of the immediately upstream neighbor. The cluster command switch in Figure 1-6 belongs to VLANs 9 and 16. When new cluster-capable switches join the cluster: one cluster-capable switch and its access port are assigned to VLAN 9; the other cluster-capable switch and its access port ar...

Page 182: ...group is the active cluster command switch (AC). The switch with the next highest priority is the standby cluster command switch (SC). The other switches in the cluster standby group are the passive cluster command switches (PC). If the active cluster command switch and the standby cluster command switch become disabled at the same time, the passive cluster command switch with the highest priority becomes t...

Page 183: ...e 1-13. Other Considerations for Cluster Standby Groups. Note: For additional considerations about cluster standby groups in switch stacks, see the "Switch Clusters and Switch Stacks" section on page 1-14. These requirements also apply: Standby cluster command switches must be the same type of switches as the cluster command switch. For example, if the cluster command switch is a Catalyst 3750-E or Catalyst...

Page 184: ...d switch continually forwards cluster-configuration information (but not device-configuration information) to the standby cluster command switch. This ensures that the standby cluster command switch can take over the cluster immediately after the active cluster command switch fails. Automatic discovery has these limitations: This limitation applies only to clusters that have Catalyst 2950, Catalyst 2960...

Page 185: ...ster command switch fails and the standby cluster command switch takes over, you must either use the standby-group virtual IP address or any of the IP addresses available on the new active cluster command switch to access the cluster. You can assign an IP address to a cluster-capable switch, but it is not necessary. A cluster member switch is managed and communicates with other cluster member switches...

Page 186: ...community strings: command-switch-readonly-community-string@esN, where N is the member-switch number; command-switch-readwrite-community-string@esN, where N is the member-switch number. If the cluster command switch has multiple read-only or read-write community strings, only the first read-only and read-write strings are propagated to the cluster member switch. The switches support an unlimited number o...

Page 187: ...mand switch stack. All stack members should have redundant connectivity to all VLANs in the switch cluster. Otherwise, if a new stack master is elected, stack members connected to any VLANs not configured on the new stack master lose their connectivity to the switch cluster. You must change the VLAN configuration of the stack master or the stack members and add the stack members back to the switch clus...

Page 188: ...ter must have that same public profile. Before you add an LRE switch to a cluster, make sure that you assign it the same public profile used by other LRE switches in the cluster. A cluster can have a mix of LRE switches that use different private profiles. Using the CLI to Manage Switch Clusters: You can configure cluster member switches from the CLI by first logging into the cluster command switch. Ent...

Page 189: ...nabled, you can enable it as described in the "Configuring SNMP" section on page 1-6. On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default. When you create a cluster, the cluster command switch manages the exchange of messages between cluster member switches and an SNMP application. The cluster software on the cluster command switch appends the cluster member switch number (@esN, where N i...

Page 190: Figure 1-8 SNMP Management for a Cluster (figure: the SNMP manager receives Trap 1, Trap 2, and Trap 3 through the command switch on behalf of Member 1, Member 2, and Member 3).

Page 191: ...d Prompt, page 1-7; Creating a Banner, page 1-10; Managing the MAC Address Table, page 1-12; Managing the ARP Table, page 1-24. Managing the System Time and Date: You can manage the system time and date on your switch using automatic configuration, such as the Network Time Protocol (NTP), or manual configuration methods. Note: For complete syntax and usage information for the commands used in this section, see th...

Page 192: ...packet per minute is necessary to synchronize two devices to within a millisecond of one another. NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached; a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device running NTP aut...

Page 193: ...switches (Switch B and Switch F, respectively). Figure 1-1 Typical NTP Network Configuration. If the network is isolated from the Internet, Cisco's implementation of NTP allows a device to act as if it is synchronized through NTP, when in fact it has learned the time by using other means. Other devices then synchronize to that device through NTP. When multiple sources of time are available, NTP is always co...

Page 194: ...Specific Interface" section of the "Implementing NTPv4 in IPv6" chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T. For details about configuring NTPv4, see the "Implementing NTPv4 in IPv6" chapter of the Cisco IOS IPv6 Configuration Guide, Release 12.4T. Configuring Time and Date Manually: If no other source of time is available, you can manually configure the time and date after the system is...

Page 195: ...not authoritative. (blank): Time is authoritative. (period): Time is authoritative, but NTP is not synchronized. Configuring the Time Zone: Beginning in privileged EXEC mode, follow these steps to manually configure the time zone. Command / Purpose. Step 1: clock set hh:mm:ss day month year or clock set hh:mm:ss month day year. Manually set the system clock using one of these formats. For hh:mm:ss, specify the time in hour...

Page 196: ...le shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
Step 4: show running-config. Verify your entries. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Command / Purpose. S...

Page 197: ...ter-than symbol (>) is appended. The prompt is updated whenever the system name changes. If you are accessing a stack member through the stack master, you must use the session stack-member-number privileged EXEC command. The stack member number range is from 1 through 9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC...

Page 198: ...ed database with which you can map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations. IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimi...

Page 199: ...e. Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name. At boot time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name mi...

Page 200: ...mmand. Displaying the DNS Configuration: To display the DNS configuration information, use the show running-config privileged EXEC command. Creating a Banner: You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The login banner also...

Page 201: ...ple shows the banner that appears from the previous configuration:
Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: banner motd c message c. Specify the message...

Page 202: ...es these types of addresses: Dynamic address: a source MAC address that the switch learns and then ages when it is not in use. Static address: a manually entered unicast address that does not age and that is not lost when the switch resets. The address table lists the destination MAC address, the associated VLAN ID, the port number associated with the address, and the type (static or dynamic). Note: For compl...

Page 203: ...t and adding the address and its associated port number to the address table. As stations are added to or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use. The aging interval is globally configured on a standalone switch or on the switch stack. However, the switch maintains an address table for each VLAN, and STP can acceler...

Page 204: ...on all stack members. When a switch joins a switch stack, that switch receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses learned by the former stack member. Default MAC Address Table Configuration: Table 1-2 shows the default MAC address table configuration. Changing the Address...

Page 205: ...y storing the MAC address change activity. When the switch learns or removes a MAC address, an SNMP notification trap can be sent to the NMS. If you have many users coming and going from the network, you can set a trap-interval time to bundle the notification traps and reduce network traffic. The MAC notification history table stores MAC address activity for each port for which the trap is set. MAC addre...

Page 206: ...command. For notification-type, use the mac-notification keyword. Step 3: snmp-server enable traps mac-notification change. Enable the switch to send MAC address change notification traps to the NMS. Step 4: mac address-table notification change. Enable the MAC address change notification feature. Step 5: mac address-table notification change [interval value] [history-size value]. Enter the trap interval time an...

Page 207: ...added on the specified port:
Switch(config)# snmp-server host 172.20.10.10 traps private mac-notification
Switch(config)# snmp-server enable traps mac-notification change
Switch(config)# mac address-table notification change
Switch(config)# mac address-table notification change interval 123
Switch(config)# mac address-table notification change history-size 100
Switch(config)# interface gigabitethernet1/0/2
Swi...

Page 208: ...ation, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type. Specify the recipient of the trap message. For host-addr, specify the name or addres...

Page 209: ...message. For host-addr, specify the name or address of the NMS. Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host. Specify the SNMP version to support. Version 1, the default, is not available with informs. For community-string, specify the string to send with the notification operation. Though you can set this string by using the snmp-server host com...

Page 210: ...ary VLAN, you should also configure the same static MAC address in all associated VLANs. Static MAC addresses configured in a private-VLAN primary or secondary VLAN are not replicated in the associated VLAN. For more information about private VLANs, see Chapter 1, "Configuring Private VLANs." Beginning in privileged EXEC mode, follow these steps to add a static address. To remove static entries from the add...

Page 211: ...ets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command. For example, if you enter the mac address-table static mac-addr vlan vlan-id interface interface-id global configuration command followed by the mac address-table static mac-addr vlan vlan-id drop command, the switch drops packets with the specified MAC address as a s...

Page 212: ...isable MAC address learning on a single VLAN ID (for example, no mac address-table learning vlan 223) or on a range of VLAN IDs (for example, no mac address-table learning vlan 1-20, 15). We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain. You c...

Page 213: ...nter global configuration mode. Step 2: no mac address-table learning vlan vlan-id. Disable MAC address learning on the specified VLAN or VLANs. You can specify a single VLAN ID or a range of VLAN IDs separated by a hyphen or comma. Valid VLAN IDs are 1 to 4094. The VLAN cannot be an internal VLAN. Step 3: end. Return to privileged EXEC mode. Step 4: show mac address-table learning [vlan vlan-id]. Verify the...

Page 214: ...ia or MAC addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC address is found, the IP-to-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by t...

Page 215: ...twork. You can select a template to provide maximum system usage for some functions; for example, use the default template to balance resources, and use the access template to obtain maximum ACL usage. The switch SDM templates allocate system hardware resources for different uses. You can select SDM templates for IP Version 4 (IPv4) to optimize these features on switches running the IP Base or IP Services...

Page 216: ...routes, and the switch must be running the default template. The table represents approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance. In mixed-stack scenarios with Catalyst 3750/3560 and Catalyst 3750-E/3560-E switches, the default template will be enabled with IP...

Page 217: ...sic Layer 2, ACLs, and QoS for IPv6 on the switch. With the indirect IPv4 and IPv6 routing template introduced in Cisco IOS Release 12.2(58)SE, the switch supports more IPv6 indirect routes for deployments that do not need much direct IPv6 host-route connectivity. Compared to the dual IPv4 and IPv6 routing template, the indirect IPv4 and IPv6 routing template also provides more unicast MAC addresses and...

Page 218: ...M-6-MISMATCH_ADVISE:
2d23h: %SDM-6-MISMATCH_ADVISE:
2d23h: %SDM-6-MISMATCH_ADVISE: System 2 is incompatible with the SDM
2d23h: %SDM-6-MISMATCH_ADVISE: template currently running on the stack and
2d23h: %SDM-6-MISMATCH_ADVISE: will not function unless the stack is
2d23h: %SDM-6-MISMATCH_ADVISE: downgraded. Issuing the following commands
2d23h: %SDM-6-MISMATCH_ADVISE: will downgrade the stack to use a smaller
2d23h: %SD...

Page 219: ...feature set. Although visible in the command-line help, the LAN Base feature set does not support the routing templates. On switches running the LAN Base feature set, none of the routing values shown for the templates are valid. Beginning with Cisco IOS Release 12.2(58)SE, the LAN Base feature set supports configuration of 16 static IPv4 routes on SVIs. Use the default template when configuring static ro...

Page 220: ...ccess | default | dual-ipv4-and-ipv6 {default | routing | vlan} | indirect-ipv4-and-ipv6-routing | routing | vlan}. Specifies the SDM template to be used on the switch. The keywords have these meanings: access: Maximizes system resources for ACLs. default: Provides balance to all functions. dual-ipv4-and-ipv6: Specifies a template that supports both IPv4 and IPv6 routing. default: Balances IPv4 and IPv6 Layer 2 and Layer 3...

Page 221: ...m prefer [access | default | dual-ipv4-and-ipv6 {default | vlan} | indirect-ipv4-and-ipv6-routing | routing | vlan] privileged EXEC command. Note: On switches running the LAN Base feature set, the routing values shown in all templates are not valid. This is an example of output from the show sdm prefer command that displays the template in use:
Switch# show sdm prefer
The current template is "desktop default" template.
The se...

Page 222: ...e current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
numb...

Page 223: ...XPS 2200 can provide backup power to connected devices that experience a power-supply failure, or, in a Catalyst 3750-X power stack, it can supply additional power to the power-stack budget. For more information about the XPS 2200, see the configuration notes on Cisco.com: http://www.cisco.com/en/US/docs/switches/power_supplies/xps2200/software/configuration/note/ol24-241.html. The XPS 2200 power ports an...

Page 224: ...ackPower Modes, page 1-2; Power Priority, page 1-3; Load Shedding, page 1-4. StackPower Modes: A power stack can run in one of two modes, configured by using the command-line interface. In power-sharing mode (the default), all input power is available to be used for power loads. The total available power in all switches in the power stack (up to four) is treated as a single large power supply, with power availabl...

Page 225: ...PoE ports on a switch. You set port priority at the interface level for powered devices connected to a PoE port by entering the power inline port priority {high | low} interface configuration command. By default, all ports are low priority. This command is visible only on PoE ports. Note: Although the power inline port priority {high | low} command is visible on the Catalyst 3560-X switch PoE ports, it has no e...

Page 226: ...igured priority, but occurs very quickly to prevent hardware damage caused by loss of power. If a switch is shut down because of load shedding, the output of the show stack-power privileged EXEC command still includes the MAC address of the shut-down switch as a neighbor switch, even though the switch is down. This command output shows the StackPower topology, even if there is not enough power to power...

Page 227: ...es in the power stack:
Switch# show stack-power
Power stack name: Powerstack1
Stack mode: Power sharing
Switch 1:
Power budget: 206
Low port priority value: 17
High port priority value: 16
Switch priority value: 2
Port A status: Not shut
Port B status: Not shut
Neighbor on port A: 0022.bdcf.ab00
Neighbor on port B: 0022.bdd0.4380
Switch 2:
Power budget: 206
Low port priority value: 12
High port priority value: 11
...

Page 228: ...by the time priority 1 devices were reached. The output from the show stack-power load-shedding order command shows the order in which devices would shut down in the event of load shedding:
Switch# show stack-power load-shedding order
Power Stack           Stack   Stack    Total  Rsvd   Alloc  Unused  Num  Num
Name                  Mode    Topolgy  Pwr-W  Pwr-W  Pwr-W  Pwr-W   SW   PS
Powerstack-1          SP-PS   Ring     2880   34     473    2373    2    4
Priori...

Page 229: ...d as a backup in case of power-supply failure:
Switch(config)# stack-power stack power1
Switch(config-stackpower)# mode redundant
Switch(config-stackpower)# exit
Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: stack-power stack power-stack-name. Enter the stack power stack name and enter power stack configuration mode. The name can be up to 31 characters. Step 3: mode {power-s...

Page 230: ...switch-number. Enter the stack member number of the switch in the power stack and enter switch stack power configuration mode. The range is from 1 to 9. Note: Only four switches can belong to the same power stack. Step 3: stack power-stack-name. Enter the name of the power stack to which the switch belongs. The name can be up to 31 characters. If you do not enter a name and no other switches in the power s...

Page 231: ...ig-if)# power inline port priority high
Switch(config-if)# exit
Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter the interface ID of the port in the stack and enter interface configuration mode. The interface must be a PoE port. Step 3: power inline port priority {high | low}. Set the power priority of the port to high or low. Powered devices connect...


Page 233: ...Typically, you want network administrators to have access to your switch while you restrict access to users who dial in from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network. To prevent unauthorized access into your switch, you should configure one or more of these security...

Page 234: ...word protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device. Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.4. These sections contain this configuration information: Default Password and Privilege Level Con...

Page 235: ...any privilege level you specify. We recommend that you use the enable secret command because it uses an improved encryption algorithm: enable password is stored in clear text, or as a reversible type 7 string when service password-encryption is configured, whereas enable secret is stored as a one-way hash. If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: enable password password. Define a new...

Page 236: ...nfiguration mode. Step 2: enable password [level level] {password | encryption-type encrypted-password} or enable secret [level level] {password | encryption-type encrypted-password}. Define a new password or change an existing password for access to privileged EXEC mode, or define a secret password, which is saved using a nonreversible encryption method. (Optional) For level, the range is from 0 to 15. Level 1 is norm...
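The guide's reason for preferring enable secret is easy to verify from a configuration file. The added example below (not from the Cisco guide) reverses a type 7 string, which is what enable password and username ... password become under service password-encryption, and audits a constructed running-config for credentials that an attacker holding a config backup could recover. The key string is the publicly known IOS type 7 key; the configuration lines, usernames and hashes are constructed for the example.

```python
"""Added example, not from the Cisco guide: decode IOS type 7 strings and audit a config.

Type 0  = clear text, type 7 = reversible XOR obfuscation (service password-encryption),
type 5  = salted MD5 one-way hash (what 'enable secret' / 'username ... secret' store
          on this release).  Only type 5 survives loss of the configuration file.
"""
import re

# Fixed key used by the IOS type 7 scheme; it has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset followed by hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string (seed is the starting key offset, 0-15 in practice)."""
    raw = plain.encode("ascii")
    data = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, c in enumerate(raw))
    return f"{seed:02d}{data.hex().upper()}"


# Matches 'enable password/secret [level N]' and 'username X [privilege N] password/secret',
# with an optional one-digit encryption type before the value.
_CRED_RE = re.compile(
    r"^(?:enable (?:password|secret)(?: level \d+)?"
    r"|username \S+(?: privilege \d+)? (?:password|secret))"
    r"(?: (?P<type>[0-9]))? (?P<value>\S+)$"
)


def audit_config(running_config: str) -> list:
    """Return (line, verdict, recovered secret or None) for every credential line found."""
    findings = []
    for raw in running_config.splitlines():
        line = raw.strip()
        m = _CRED_RE.match(line)
        if not m:
            continue
        ptype, value = m.group("type") or "0", m.group("value")
        if ptype == "0":
            findings.append((line, "CLEARTEXT", value))
        elif ptype == "7":
            findings.append((line, "REVERSIBLE", type7_decode(value)))
        elif ptype == "5":
            findings.append((line, "HASHED", None))      # salted MD5; not recoverable this way
        else:
            findings.append((line, "UNKNOWN", None))     # other types exist on later releases
    return findings


# Constructed sample running-config (not from a real device). The type 5 hash is a
# placeholder string; the two type 7 strings were produced with type7_encode above.
SAMPLE_CONFIG = """\
hostname Switch
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0822455D0A16
username netops privilege 15 password 7 0227005602085E
username guest password guest1
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for line, verdict, secret in audit_config(SAMPLE_CONFIG):
        print(f"{verdict:10s} {line}" + (f"  -> {secret!r}" if secret else ""))
```

Run against a real configuration export, any REVERSIBLE or CLEARTEXT finding on an enable or privilege 15 line is equivalent to a plaintext administrative credential, which is the reason this guide tells you not to keep configuration backups on the switch and to store them on a secure server.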

Page 237: ...boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem proto...

Page 238: ...e switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. Command / Purpose. Step 1: Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port. The default data characteristics of the console port are 9600, 8, 1, no parity. You might...

Page 239: ...nformation: Setting the Privilege Level for a Command, page 1-8; Changing the Default Privilege Level for Lines, page 1-9; Logging into and Exiting a Privilege Level, page 1-9. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: username name [privilege level] {password encryption-type password}. Enter the username, privilege level, and password for each user. For name, specify the us...

Page 240: ...and / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: privilege mode level level command. Set the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is t...

Page 241: ...g into and Exiting a Privilege Level: Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: line vty line. Select the virtual terminal line on which to restrict access. Step 3: privilege level level. Change the default privilege level for th...

Page 242: ...CS+ Operation, page 1-12; Configuring TACACS+, page 1-12; Displaying the TACACS+ Configuration, page 1-17. Understanding TACACS+: TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should config...

Page 243: ...ontrol session duration or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature. Accounting: Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track user activity for a security audit or to provide information for user billing. Accountin...

Page 244: ...formation. After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returne...

Page 245: ...host maintaining the TACACS+ server and, optionally, set the encryption key. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: tacacs-server host hostname [port integer] [timeout integer] [key string]. Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which...

Page 246: ...named method list explicitly defined. A defined method list overrides the default method list. A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to...

Page 247: ...by using the enable password global configuration command. group tacacs+: Uses TACACS+ authentication. Before you can use this authentication method, you must configure the TACACS+ server. For more information, see the "Identifying the TACACS+ Server Host and Setting the Authentication Key" section on page 1-13. line: Uses the line password for authentication. Before you can use this authentication method, you must...

Page 248: ...ters that restrict a user's network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters: Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+. Use the local database if authentication was not performed by using TACACS+. Note: Authorization is bypassed for authenticated users who log in through...
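The method-list rule stated on the preceding pages (the next method is consulted only when the current one fails to respond, not when it answers REJECT) is the detail that decides whether "group tacacs+ local" is a safe fallback or a backdoor. The added example below (not from the Cisco guide, and not a TACACS+ client) models that fall-through with constructed stand-ins for a TACACS+ server group and the local user database, and shows the outcomes for a healthy server, an outage, and a list with no fallback.

```python
"""Added example, not from the Cisco guide: IOS AAA method-list fall-through semantics.

PASS  - the method authenticated the user (login allowed, list stops)
FAIL  - the method answered and rejected the user (login denied, list stops)
ERROR - the method did not respond (next method in the list is tried)
If every method errors, the list is exhausted and the login is denied.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


class TacacsGroup:
    """Stand-in for 'group tacacs+': servers tried in configured order, first answer wins."""

    def __init__(self, servers):
        # each server: callable(user, password) -> Result, or raises TimeoutError when down
        self.servers = servers

    def authenticate(self, user, password) -> Result:
        for server in self.servers:
            try:
                return server(user, password)   # a REJECT from a live server is final
            except TimeoutError:
                continue                        # dead host: try the next configured host
        return Result.ERROR                     # no host answered: the method errored


class LocalDatabase:
    """Stand-in for the 'local' method (username ... password/secret lines)."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password) -> Result:
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def run_method_list(methods, user, password) -> Result:
    """Apply the fall-through rule to an ordered method list."""
    for method in methods:
        result = method.authenticate(user, password)
        if result is Result.ERROR:
            continue                # only a non-response moves to the next method
        return result               # PASS or FAIL ends the evaluation
    return Result.ERROR             # list exhausted: treated as a failed login


def make_server(up: bool, accounts: dict):
    """Constructed TACACS+ server stand-in: unreachable when up is False."""
    def server(user, password):
        if not up:
            raise TimeoutError("no response from TACACS+ host")
        return Result.PASS if accounts.get(user) == password else Result.FAIL
    return server


def demo() -> dict:
    """Outcomes for 'aaa authentication login default group tacacs+ local' (constructed data)."""
    tacacs_accounts = {"alice": "tac-pw"}
    local_accounts = {"alice": "local-pw", "breakglass": "bg-pw"}
    healthy = [TacacsGroup([make_server(True, tacacs_accounts)]), LocalDatabase(local_accounts)]
    outage = [TacacsGroup([make_server(False, {}), make_server(False, {})]),
              LocalDatabase(local_accounts)]
    return {
        # server up, central password: accepted
        "healthy_tacacs_pw": run_method_list(healthy, "alice", "tac-pw"),
        # server up, local password: TACACS+ rejects, local is never consulted
        "healthy_local_pw": run_method_list(healthy, "alice", "local-pw"),
        # all servers down: local answers, and only the local password works
        "outage_local_pw": run_method_list(outage, "alice", "local-pw"),
        "outage_tacacs_pw": run_method_list(outage, "alice", "tac-pw"),
        # 'group tacacs+' alone during an outage: every admin is locked out
        "tacacs_only_outage": run_method_list([outage[0]], "alice", "tac-pw"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome.value}")
```

The practical consequence: a local account in a "group tacacs+ local" list is reachable only while every TACACS+ host is unreachable, so it cannot be used to bypass a central rejection, but it is also the only thing standing between an AAA outage and a total lockout, which is why the guide has you define at least one TACACS+ host and keep a local privilege 15 user.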

Page 249: ...the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command. Displaying the TACACS+ Configuration: To display TACACS+ server statistics, use the show tacacs privileged EXEC command. Controlling Switch Access with RADIUS: This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible...

Page 250: ...ss security. Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS server that has been customized to work with the Kerberos security system. Turnkey network security environments...

Page 251: ...ety of services, RADIUS generally binds a user to one service model. Figure 1-2 Transitioning from RADIUS to TACACS+ Services. RADIUS Operation: When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur: 1. The user is prompted to enter a username and password. 2. The username and encrypted password are sent over the network to the RADIUS se... (Note that the RADIUS User-Password attribute is hidden with an MD5 stream keyed by the shared secret rather than strongly encrypted, so the strength of the shared secret and the protection of the path to the server matter.)

Page 252: ...US Change of Authorization (CoA) extensions defined in RFC 5176, which are typically used in a pushed model and allow for the dynamic reconfiguring of sessions from external authentication, authorization, and accounting (AAA) or policy servers. Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests: Session reauthentication; Session termination; Session termination with...

Page 253: ...e 1-2 shows the IETF attributes that are supported for this feature. Table 1-3 shows the possible values for the Error-Cause attribute. Table 1-2 Supported IETF Attributes (attribute number, attribute name): 24, State; 31, Calling-Station-ID; 44, Acct-Session-ID; 80, Message-Authenticator; 101, Error-Cause. Table 1-3 Error-Cause Values (value, explanation): 201, Residual Session Context Removed; 202, Invalid EAP Packet (Ignor...

Page 254: ...match the session, the switch returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute. For disconnect and CoA requests targeted to a particular session, any one of the following session identifiers can be used: Calling-Station-ID (IETF attribute 31, which should contain the MAC address); Audit Session ID (Cisco vendor-specific attribute); Accounting Session ID (IETF attribut...

Page 255: ...t with an unknown identity or posture joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are known. To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco vendor-specific attrib...

Page 256: ...e re-transmitted command as a new command. Session Termination: There are three types of CoA requests that can trigger session termination. A CoA Disconnect-Request terminates the session without disabling the host port. This command causes re-initialization of the authenticator state machine for the specified host, but does not restrict that host's access to the network. To restrict a host's access to ...

Page 257: ...d in a standard CoA-Request message that contains the following new VSA: Cisco:Avpair="subscriber:command=bounce-host-port". Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the Session Identification section on page 1-22. If the session cannot be located, the switch returns a CoA-NAK message with the Session Context Not...

Page 258: ...Configuring RADIUS: This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting. A method list defines the sequence and methods to be used to authenticate, to authorize, or to...

Page 259: ...e same RADIUS server are configured for the same service (for example, accounting), the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears, and then the switch tries the second host entry configured on the same device for accounting services. (The RADIUS host entr...

Page 260: ...the setting of the radius-server timeout command is used. (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key st...

Page 261: ...erformed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A method list describes the sequence ...

Page 262: ...he RADIUS server. For more information, see the Identifying the RADIUS Server Host section on page 1-27. line: Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. local: Use the local username database for authentication. You must enter username information in the database. Use the user...

Page 263: ...ference, Release 12.4. Defining AAA Server Groups: You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host ...

Page 264: ...ansmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Note: The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as...

Page 265: ...r Privileged Access and Network Services: AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it. You can...

Page 266: ...record, which is the default condition. In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes. To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command. Step 3 aaa authori...

Page 267: ...ttributes. The full set of features available for TACACS+ authorization can then be used for RADIUS. For example, this AV pair activates Cisco's multiple named IP address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= "ip:addr-pool=first". Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server key string: Specify the shared sec...

Page 268: ...ged EXEC mode, follow these steps to configure the switch to recognize and use VSAs. For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide, Release 12.4. Configuring the Switch for Vendor-Proprietary RADIUS Server Communication: Although an IETF draft standard for RADIUS specifies ...

Page 269: ...hese steps to configure CoA on a switch. This procedure is required. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 radius-server host {hostname | ip-address} non-standard: Specify the IP address or hostname of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS. Step 3 radius-server key string: Specify the shared secre...

Page 270: ...switch uses for RADIUS clients. The client must match all the configured attributes for authorization. Step 8 ignore session-key: (Optional) Configure the switch to ignore the session key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com. Step 9 ignore server-key: (Optional) Configure the switch to ignore the server key. For more inf...

Page 271: ...the Security Server Protocols chapter of the Cisco IOS Security Command Reference, Release 12.4. Note: In the Kerberos configuration examples and in the Cisco IOS Security Command Reference, Release 12.4, the trusted third party can be a switch that supports Kerberos, that is configured as a network security server, and that can authenticate users by using the Kerberos protocol. Understanding Kerberos: Ke...

Page 272: ...ce credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of re-entering a username and password. Credentials have a default lifespan of eight hours. Instance: An authorization-level label for Kerberos principals. Most Kerberos principals are of the form user@REALM (for example, smit...

Page 273: ...ver: A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services. KEYTAB: A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to...

Page 274: ...about how to authenticate to a KDC, see the Obtaining a TGT from a KDC section in the Security Server Protocols chapter of the Cisco IOS Security Configuration Guide, Release 12.4. Authenticating to Network Services: This section describes the third layer of security through which a remote user must pass. The user with a TGT must now authenticate to the network services in a Kerberos realm. For instruct...

Page 275: ...tabase. The default keyword applies the local user database authentication to all ports. Step 4 aaa authorization exec local: Configure user AAA authorization, check the local database, and allow the user to run an EXEC shell. Step 5 aaa authorization network local: Configure user AAA authorization for all network-related service requests. Step 6 username name [privilege level] {password encryption-type pass...

Page 276: ...nctions the same in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with remote IPv6 nodes over an IPv6 transport. Note: For complete syntax and usage information for the commands used in this section, see the command reference for this release and the Secure Shell Commands section of the Other Security Features chapter of the Cisco IOS Security Command R...

Page 277: ...SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software. The switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key, 192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported. Configuring SSH: This section has this configuration information: Configuration Guidelines, page 1-45; Setting Up the Switch to ...

Page 278: ...e information, see the Configuring the Switch for Local Authentication and Authorization section on page 1-43. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. This procedure is required if you are configuring the switch as an SSH server. To delete the RSA key pair, use the crypto key zeroize rsa global configuration com...

Page 279: ...econds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the def...

Page 280: ...nd Client with SSL 3.0 feature description for Cisco IOS Release 12.2(15)T. Understanding Secure HTTP Servers and Clients: On a secure HTTP connection, data to and from an HTTP server is encrypted before being sent over the Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a switch from a Web browser. Cisco's implementation of the secure HTTP server ...

Page 281: ...or client is automatically generated. If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned. If the switch has been configured with a host and domain name, a persistent self-signed certificate is generated. This ce...

Page 282: ...with RSA Public Key Cryptography: MD2, MD5, RC2-CBC, RC4, DES-CBC, and DES-EDE3-CBC. For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, as it does not offer 128-bi...

Page 283: ...igure a CA trustpoint. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 hostname hostname: Specify the hostname of the switch (required only if you have not previously configured a hostname). The hostname is required for security keys and certificates. Step 3 ip domain-name domain-name: Specify the IP domain name of the switch (required only if you have not previously confi...

Page 284: ...A. Use the same name used in Step 5. Step 12 crypto ca enroll name: Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair. Step 13 end: Return to privileged EXEC mode. Step 14 show crypto ca trustpoints: Verify the configuration. Step 15 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command / Purpose...

Page 285: ...tificate and to authenticate the client certificate connection. Note: Use of this command assumes you have already configured a CA trustpoint according to the previous procedure. Step 8 ip http path path-name: (Optional) Set a base HTTP path for HTML files. The path specifies the location of the HTTP server files on the local system (usually located in system flash memory). Step 9 ip http access-class acces...

Page 286: ...tocol that provides a secure replacement for the Berkeley r-tools. Command / Purpose: Step 1 configure terminal: Enter global configuration mode. Step 2 ip http client secure-trustpoint name: (Optional) Specify the CA trustpoint to be used if the remote HTTP server requests client authentication. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The ...

Page 287: ...the password into the copy command. You must enter the password when prompted. Information About Secure Copy: To configure the Secure Copy feature, you should understand these concepts. The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) au...

Page 288: ...1-56 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1 Configuring Switch-Based Authentication, Configuring the Switch for Secure Copy Protocol ...

Page 289: ...ckets. These switches operate as access layer switches in the Cisco TrustSec network. Cisco IOS Release 15.0(1)SE supports SXP version 2, syslog messages, and SNMP support for SXP. For more information about Cisco TrustSec, see the Cisco TrustSec Switch Configuration Guide at this URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html. The sections on SXP define the cap...

Page 290: ...1x Multiple Authentication Mode, page 1-12; 802.1x Readiness Check, page 1-15; 802.1x Authentication with Per-User ACLs, page 1-17; 802.1x Authentication with Guest VLAN, page 1-21; 802.1x Authentication with Restricted VLAN, page 1-22; 802.1x Authentication with Inaccessible Authentication Bypass, page 1-23; 802.1x Critical Voice VLAN Configuration, page 1-24; 802.1x Authentication with Downloadable ACLs and R...

Page 291: ...cation Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients. Switch (edge switch or wireless access point): Controls the physical access to the network based on...

Page 292: ...e the client MAC address for authorization. If the client MAC address is valid and the authorization succeeds, the switch grants the client access to the network. If the client MAC address is invalid and the authorization fails, the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured. If the switch gets an invalid identity from an 802.1x-capable client...

Page 293: ...nnectivity is lost during re-authentication. When the ReAuthenticate action is set, the attribute value is RADIUS-Request; the session is not affected during re-authentication. You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command. (Figure labels:) Client identity is invalid. All authentication servers are down. All authentication servers are d...

Page 294: ...equest/identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated. For more information, see the Ports in Authorized and Unauthorized States section on page 1-10. When the client supplies its identity, the switch begins its role as the ...

Page 295: ...the MAC authentication bypass process and stops 802.1x authentication. Figure 1-4 shows the message exchange during MAC authentication bypass. Figure 1-4 Message Exchange During MAC Authentication Bypass. Authentication Manager: In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devic...

Page 296: ...ter VLAN assignment; VLAN assignment; Per-user ACL²; Filter-Id attribute²; Downloadable ACL²; Redirect URL²; Per-user ACL²; Filter-Id attribute²; Downloadable ACL²; Redirect URL²; MAC authentication bypass: VLAN assignment; Per-user ACL; Filter-Id attribute; Downloadable ACL²; Redirect URL²; VLAN assignment; VLAN assignment; Per-user ACL²; Filter-Id attribute²; Downloadable ACL²; Redirect URL²; Per-user ACL²; Filter-Id ...

Page 297: ...lier 802.1x commands. Table 1-2 Authentication Manager Commands and Earlier 802.1x Commands (The authentication manager commands in Cisco IOS Release 12.2(50)SE or later / The equivalent 802.1x commands in Cisco IOS Release 12.2(46)SE and earlier / Description): authentication control-direction {both | in} / dot1x control-direction {both | in} / Enable 802.1x authentication with the wake-on-LAN (WoL) feature, and config...

Page 298: ...y. If the port is configured as a voice VLAN port, the port allows VoIP traffic and 802.1x protocol packets before the client is successfully authenticated. Note: CDP bypass is not supported and may cause a port to go into err-disabled state. If a client that does not support 802.1x authentication connects to an unauthorized 802.1x port, the switch requests the client's identity. In this situation, the clien...

Page 299: ...t. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted. When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state. If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. 802.1x Aut...

Page 300: ...authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch. Figure 1-5 Multiple Host Mode Exampl...

Page 301: ...e and the server is not reachable, all authorized hosts are reinitialized in the configured VLAN. For more information about critical authentication mode and the critical VLAN, see the 802.1x Authentication with Inaccessible Authentication Bypass section on page 1-23. For more information, see the Configuring the Host Mode section on page 1-47. MAC Move: When a MAC address is authenticated on one switch ...

Page 302: ...he authentication manager initiates the authentication process for the new MAC address. If the authentication manager determines that the new host is a voice host, the original voice host is removed. If a port is in open authentication mode, any new MAC address is immediately added to the MAC address table. For more information, see the Enabling MAC Replace section on page 1-52. 802.1x Accounting: The 802...

Page 303: ...You can use this feature to determine if the devices connected to the switch ports are 802.1x-capable. You use an alternate authentication, such as MAC authentication bypass or web authentication, for the devices that do not support 802.1x functionality. Table 1-3 Accounting AV Pairs (Attribute Number / AV Pair Name / START / INTERIM / STOP): Attribute[1] User-Name: Always / Always / Always; Attribute[4] NAS-IP-Address...

Page 304: ...All packets sent from or received on this port belong to this VLAN. If 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, authorization fails and the configured VLAN remains in use. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error. Configuration errors could include specifying a VLAN for a routed port, a m...

Page 305: ...x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When ...

Page 306: ...figure per-user ACLs: Enable AAA authentication. Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server. Enable 802.1x authentication. Configure the user profile and VSAs on the RADIUS server. Configure the 802.1x port for single-host mode. Note: Per-user ACLs are supported only in single-host mode. 802.1x Authentication with Downloadable ACLs and Red...

Page 307: ...l traffic. Policies are enforced with IP address insertion to prevent security breaches. Web authentication is subject to the auth-default-ACL-OPEN. To control access for hosts with no authorization policy, you can configure a directive. The supported values for the directive are open and default. When you configure the open directive, all traffic is allowed. The default directive subjects traffic to the ...

Page 308: ...r attribute. The name is the ACL name. The number is the version number (for example, 3f783768). If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured. If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access policy to the switch, it applies the policy to traffic from t...

Page 309: ...witch is trying to authorize an 802.1x-capable voice device and the AAA server is unavailable, the authorization attempt fails, but the detection of the EAPOL packet is saved in the EAPOL history. When the AAA server becomes available, the switch authorizes the voice device. However, the switch no longer allows other devices access to the guest VLAN. To prevent this situation, use one of these command seq...

Page 310: ...ning-tree blocking state. With this feature, you can configure the switch port to be in the restricted VLAN after a specified number of authentication attempts (the default value is 3 attempts). The authenticator counts the failed authentication attempts for the client. When this count exceeds the configured maximum number of authentication attempts, the port moves to the restricted VLAN. The failed attem...

Page 311: ...l VLAN. To support this inaccessible bypass on multiple-authentication (multiauth) ports, use the authentication event server dead action reinitialize vlan vlan-id command. When a new host tries to connect to the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified access VLAN. This command is supported on all host modes. Authentication Results: The behavior...

Page 312: ...compatible with voice VLAN, but the RADIUS-configured or user-specified access VLAN and the voice VLAN must be different. Remote Switched Port Analyzer (RSPAN): Do not configure an RSPAN VLAN as the RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass. In a switch stack, the stack master checks the status of the RADIUS servers by sending keepalive packets. When the statu...

Page 313: ...N for a port by entering the switchport voice vlan vlan-id interface configuration command. This feature is supported in multidomain and multi-auth host modes. Although you can enter the command when the switch is in single-host or multi-host mode, the command has no effect unless the device changes to multidomain or multi-auth host mode. Beginning in privileged EXEC mode, follow these steps to configure ...

Page 314: ...t: Disables testing on the RADIUS-server authentication port. For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Note: Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key...

Page 315: ...igure the RADIUS server to send a VLAN group name for a user. The VLAN group name can be sent as part of the response to the user. You can search for the selected VLAN group name among the VLAN group names that you configured by using the switch CLI. If the VLAN group name is found, the corresponding VLANs under this VLAN group name are searched to find the least populated VLAN. Load balancing is achie...

Page 316: ...od set to the default of five seconds. A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a v...

Page 317: ...1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass. When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detectin...

Page 318: ...an assign a client to a private VLAN. Network admission control (NAC) Layer 2 IP validation: This feature takes effect after an IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list. Network Edge Access Topology (NEAT): MAB and NEAT are mutually exclusive. You cannot enable MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabl...

Page 319: ...ic according to the access control list (ACL) defined on the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that host. You can configure open authentication with these scenarios: Single-host mode with open authentication: Only one user is allowed network access before and after authentication. MDA mode with open authentication: Only one user in the voice ...

Page 320: ...unted towards the port security MAC address limit. You can use dynamic VLAN assignment from a RADIUS server only for data devices. MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support IEEE 802.1x authentication. For more information, see the MAC Authentication Bypass section on page 1-41. When a data or a voice device is detect...

Page 321: ...dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authenticatio...

Page 322: ...d configurations on the authenticator switch port and to change the port mode from access to trunk. For more information, see the Auto Smartports Configuration Guide for this release. For more information, see the Configuring an Authenticator and a Supplicant Switch with NEAT section on page 1-69. Voice Aware 802.1x Security: You use the voice aware 802.1x security feature to configure the switch to dis...

Page 323: ...sionID 160000050000000B288508E5 1w0d: %AUTHMGR-7-RESULT: Authentication result success from mab for client 0000.0000.0203 on Interface Fa4/0/4 AuditSessionID 160000050000000B288508E5 The session ID is used by the NAD, the AAA server, and other report-analyzing applications to identify the client. The ID appears automatically. No configuration is required. Device Sensor: Device Sensor uses protocols such as...

Page 324: ...TLV changes, that is, when a previously received TLV is received with a different value. Device Sensor port security protects the switch from consuming memory and failing during deliberate or unintentional denial-of-service (DoS)-type attacks. Guidelines: Device Sensor limits the maximum number of device monitoring sessions to 32 per port. In the case of lack of activity from hosts, the age session limit i...

Page 325: ...tication Number, page 1-51 (optional); Enabling MAC Move, page 1-52 (optional); Enabling MAC Replace, page 1-52; Configuring 802.1x Accounting, page 1-53 (optional); Configuring Device Sensor, page 1-54 (optional); Configuring a Guest VLAN, page 1-60 (optional); Configuring a Restricted VLAN, page 1-62 (optional); Configuring Inaccessible Authentication Bypass and Critical Voice VLAN, page 1-63 (optional); Configuring 802.1x A...

Page 326: ...authorized state. Quiet period: 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client). Retransmission time: 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request). Maximum retransmission number: 2 times (number of times that the switch...

Page 327: ...appears, and the port mode is not changed. Dynamic ports: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable 802.1x authentication on a dynamic port, an error message appears, and 802.1x authentication is not enabled. If you try to change the mode of an 802.1x-enabled port to dynamic, an error message appears, and the port mode is not changed. Dynamic-access ...

Page 328: ...e 802.1x authentication on a private-VLAN port, but do not configure IEEE 802.1x authentication with port security, a voice VLAN, a guest VLAN, a restricted VLAN, or a per-user ACL on private-VLAN ports. You can configure any VLAN except an RSPAN VLAN, private VLAN, or a voice VLAN as an 802.1x guest VLAN. The guest VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported...

Page 329: ...use MAC authentication bypass to re-authorize the port. If the port is in the authorized state, the port remains in this state until re-authorization occurs. Maximum Number of Allowed Devices Per Port: This is the maximum number of devices allowed on an 802.1x-enabled port. In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited n...

Page 330: ...the voice aware 802.1x security feature on the switch to disable only the VLAN on which a security violation occurs, whether it is a data or voice VLAN. You can use this feature in IP phone deployments where a PC is connected to the IP phone. A security violation found on the data VLAN results in the shutdown of only the data VLAN. The traffic on the voice VLAN flows through the switch without interr...

Page 331: ...isable detect privileged EXEC command. Configuring 802.1x Violation Modes: You can configure an 802.1x port so that it shuts down, generates a syslog error, or discards packets from a new device when: a device connects to an 802.1x-enabled port; the maximum number of allowed devices have been authenticated on the port. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2...

Page 332: ...aaa authentication dot1x {default} method1. Create an 802.1x authentication method list. To create a default list that is used when a named list is not specified in the authentication command, use the default keyword followed by the method that is to be used in default situations. The default method list is automatically applied to all ports. For method1, enter the group radius keywords to use the list of...

Page 333: ...ep 4: dot1x system-auth-control. Enable 802.1x authentication globally on the switch. Step 5: aaa authorization network default group radius. (Optional) Configure the switch to use user-RADIUS authorization for all network-related service requests, such as per-user ACLs or VLAN assignment. Note: For per-user ACLs, single-host mode must be configured. This setting is the default. Step 6: radius-server host ip-ad...

Page 334: ...nsmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the Configuring Settings for All RADIUS Servers section on page 1-35. Command / Purpos...

Page 335: ...t-control auto; Switch(config-if)# authentication host-mode multi-host. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to which multiple hosts are indirectly attached, and enter interface configuration mode. Step 3: authentication host-mode [multi-auth | multi-domain | multi-host | single-host]. Allow multiple hosts (clients) on an 802.1x-aut...

Page 336: ...uthentication timer interface configuration command. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Step 3: authentication periodic. Enable periodic re-authentication of the client, which is disabled by default. Note: The default value is 3600 seconds. To change the value of t...

Page 337: ...en tries again. The authentication timer inactivity interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password. You can provide a faster response time to the user by entering a number smaller than the default. Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is...

Page 338: ...request/identity frame from the client before resending the request. Switch(config-if)# authentication timer reauthenticate 60. Setting the Switch-to-Client Frame-Retransmission Number: In addition to changing the switch-to-client retransmission time, you can change the number of times that the switch sends an EAP-request/identity frame (assuming no response is received) to the client before restarting t...

Page 339: ...e steps to set the re-authentication number. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Step 3: dot1x max-reauth-req count. Set the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authen...

Page 340: ...e, follow these steps to enable MAC replace on an interface. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: authentication mac-move permit. Enable MAC move on the switch. Step 3: end. Return to privileged EXEC mode. Step 4: show running-config. Verify your entries. Step 5: copy running-config startup-config. (Optional) Save your entries in the configu...

Page 341: ...nterim-update messages and time stamps. To turn on these functions, enable logging of Update/Watchdog packets from this AAA client in your RADIUS server Network Configuration tab. Next, enable CVS RADIUS Accounting in your RADIUS server System Configuration tab. Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is opti...

Page 342: ...tatus type and powernet event type (types 28 and 29). LLDP filter: organizationally specific type (127). DHCP filter: message type (type 53). Enabling Accounting Augmentation, page 1-54. Creating a Cisco Discovery Protocol Filter, page 1-55. Creating an LLDP Filter, page 1-56. Creating a DHCP Filter, page 1-56. Applying a Protocol Filter to the Device Sensor Output, page 1-57. Tracking TLV Changes, page 1-58. Verifying...

Page 343: ...es the generation of additional accounting events when new sensor data is detected. Step 3: end. Example: Switch(config)# end. Returns to privileged EXEC mode. Command / Purpose: Step 1: configure terminal. Example: Switch# configure terminal. Enters global configuration mode. Step 2: device-sensor filter-list cdp list tlv-list-name. Example: Switch(config)# device-sensor filter-list cdp list cdp-list. Creates a TLV lis...

Page 344: ...ist tlv-list-name. Example: Switch(config)# device-sensor filter-list lldp list lldp-list. Creates a TLV list and enters LLDP sensor configuration mode, where you can configure individual TLVs. Step 3: tlv {name tlv-name | number tlv-number}. Example: Switch(config-sensor-cdplist)# tlv number 10. Adds individual LLDP TLVs to the TLV list. You can delete the TLV list without individually removing TLVs from the list...

Page 345: ...ommand. Step 4: end. Example: Switch(config)# end. Returns to privileged EXEC mode. Command / Purpose: Step 1: configure terminal. Example: Switch# configure terminal. Enters global configuration mode. Step 2: device-sensor filter-spec {cdp | dhcp | lldp} {exclude {all | list list-name} | include list list-name}. Example: Switch(config)# device-sensor filter-spec cdp include list list1. Applies a specific protocol fil...

Page 346: ...type 16 00 1A 00 10 00 00 00 01 00 00 00 00 FF FF FF FF cdp 22 mgmt address type 17 00 16 00 11 00 00 00 01 01 01 CC 00 04 09 1B 65 0E. Command / Purpose: Step 1: configure terminal. Example: Switch# configure terminal. Enters global configuration mode. Step 2: device-sensor notify all-changes. Example: Switch(config)# device-sensor notify all-changes. Enables client notifications and accounting events for all TL...

Page 347: ...rload 3 34 01 03 dhcp 60 class identifier 11 3C 09 64 6F 63 73 69 73 31 2E 30 dhcp 55 parameter request list 8 37 06 01 42 06 03 43 96 dhcp 61 client identifier 27 3D 19 00 63 69 73 63 6F 2D 30 30 31 63 2E 30 66 37 34 2E 38 34 38 30 2D 56 6C 31 dhcp 57 max message size 4 39 02 04 80 Device 000f f7a7 234f on port GigabitEthernet2 1 Proto Type Name Len Value cdp 22 mgmt address type 8 00 16 00 08 00...

Page 348: ...N clients that are not 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 802.1x-capable but that fail authentication are not granted network access. The switch supports guest VLANs in single-host or multiple-hosts mode. Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN. This procedure...

Page 349: ...authorize vlan vlan-id interface configuration command. The port returns to the unauthorized state. This example shows how to enable VLAN 2 as an 802.1x guest VLAN: Switch(config)# interface gigabitethernet2/0/2; Switch(config-if)# authentication event no-response action authorize vlan 2. Step 7: show authentication interface interface-id. Verify your entries. Step 8: copy running-config startup-config. (Option...

Page 350: ...xample shows how to enable VLAN 2 as an 802.1x restricted VLAN: Switch(config)# interface gigabitethernet2/0/2; Switch(config-if)# authentication event fail action authorize 2. You can configure the maximum number of authentication attempts allowed before a user is assigned to the restricted VLAN by using the authentication event retry retry-count interface configuration command. The range of allowable au...

Page 351: ...ne is put in the configured voice VLAN for the port. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the 802.1x Authentication Configuration Guidelines section on page 1-39. Step 3: switchport mode access or switchport mode private-vlan host...

Page 352: ...The range for the UDP port number is from 0 to 65536. The default is 1646. auth-port udp-port: Specify the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645. Note: You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values. test username name: Enable auto...

Page 353: ...naccessible authentication bypass. eapol: Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port. recovery delay milliseconds: Set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The range is from 1 to 10000 milliseconds. The default is 1000 m...

Page 354: ...tication control-direction {both | in}. Enable 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional. both: Sets the port as bidirectional. The port cannot receive packets from or send packets to the host. By default, the port is bidirectional. in: Sets the port as unidirectional. The port can send packets to the host but cannot receive packe...

Page 355: ...t. Group Name / Vlans Mapped: eng-dept 10. switch# show dot1x vlan-group all. Group Name / Vlans Mapped: eng-dept 10; hr-dept 20. This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added: switch(config)# vlan group eng-dept vlan-list 30; switch(config)# show vlan group eng-dept. Group Name / Vlans Mapped: eng-dept 10, 30. This example shows how to remove a VLAN from a VLAN grou...

Page 356: ...NAC Layer 2 802.1x validation: Switch# configure terminal; Switch(config)# interface gigabitethernet2/0/1; Switch(config-if)# authentication periodic; Switch(config-if)# authentication timer reauthenticate. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Step 3: authentication event...

Page 357: ...ntrol auto; Switch(config-if)# dot1x pae authenticator; Switch(config-if)# spanning-tree portfast trunk. Beginning in privileged EXEC mode, follow these steps to configure a switch as a supplicant. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: cisp enable. Enable CISP. Step 3: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Ste...

Page 358: ...password: Create a password for the new username. Step 6: dot1x supplicant force-multicast. Force the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets. This also allows NEAT to work on the supplicant switch in all host modes. Step 7: dot1x supplicant controlled transient. (Optional) Configure the switch to block traffic exiting the supplicant port during the...

Page 359: ...ication and the client IP address addition to the IP device tracking table. The switch then applies the downloadable ACL to the port. Beginning in privileged EXEC mode: Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip device tracking. Sets the IP device tracking table. Step 3: aaa new-model. Enables AAA. Step 4: aaa authorization network default local group radius. Sets th...

Page 360: ...(Optional) Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console. Step 3: interface interface-id. Enter interface configuration mode. Step 4: ip access-group acl-id in. Configure the default ACL on the port in the input direction. Note: The acl-id is an access list name or number. Step 5: exit. Returns to global configuration mode. Step 6: aaa new...

Page 361: ...debug radius accounting privileged EXEC command to confirm the RADIUS attribute 32. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4. This example shows how to globally enable VLAN ID-based MAC authentication on a switch: Switch# config terminal. Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# mab request format attribute 32 vlan ac...

Page 362: ...py running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Step 3: authentication control-direction {both | in}. (Optional) Configure the port control as unidirectional or bidirectional. Step 4: authenticat...

Page 363: ...xy auth-proxy-banner C My Switch C; Switch(config)# end. For more information about the ip auth-proxy auth-proxy-banner command, see the Authentication Proxy Commands section of the Cisco IOS Security Command Reference on Cisco.com. Disabling 802.1x Authentication on the Port: You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command. Beginning in privileg...

Page 364: ...and. To display the 802.1x administrative and operational status for the switch, use the show dot1x [all [details | statistics | summary]] privileged EXEC command. To display the 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command. Beginning with Cisco IOS Release 12.2(55)SE, you can use the no dot1x logging verbose global configura...

Page 365: ...he LAN base image. All downlink ports on the switch can run Cisco TrustSec MACsec link-layer switch-to-switch security. Cisco TrustSec and Cisco SAP are meant only for switch-to-switch links and are not supported on switch ports connected to end hosts, such as PCs or IP phones. MKA is meant for switch-to-host facing links and is not supported on switch-to-switch links. Host-facing links typically use f...

Page 366: ...2.1x-REV. The MKA Protocol extends 802.1x to allow peer discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data exchanged by the peers. The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP authentication produces a master session key (MSK) shared by both partners in the data exchange. Entering the EAP session ID generates a sec...

Page 367: ...se after the first successful client authentication is not required for other clients. Virtual ports represent an arbitrary identifier for a connectivity association and have no meaning outside the MKA Protocol. A virtual port corresponds to a separate logical port ID. Valid port IDs for a virtual port are 0x0002 to 0xFFFF. Each virtual port receives a unique secure channel identifier (SCI) based on the...

Page 368: ...or closed based on a single authentication. If one user, the primary secured client services client host, is authenticated, the same level of network access is provided to any host connected to the same port. If a secondary host is a MACsec supplicant, it cannot be authenticated, and traffic would not flow. A secondary host that is a non-MACsec host can send traffic to the network without authentication b...

Page 369: ...s Pairwise CAKs Derived 32 Pairwise CAK Rekeys 31 Group CAKs Generated 0 Group CAKs Received 0 SA Statistics SAKs Generated 32 SAKs Rekeyed 31 SAKs Received 0 SAK Responses Received 32 MKPDU Statistics MKPDUs Validated Rx 580 Distributed SAK 0 Distributed CAK 0 MKPDUs Transmitted 597 Distributed SAK 32 Distributed CAK 0 MKA Error Counter Totals Bring up Failures 0 Reauthentication Failures 0 SAK F...

Page 370: ...icy relay-policy: Switch(config)# mka policy replay-policy; Switch(config-mka-policy)# replay-protection window-size 300; Switch(config-mka-policy)# end. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mka policy policy-name. Identify an MKA policy, and enter MKA policy configuration mode. The maximum policy name length is 16 characters. Step 3: replay-protection window-size fram...

Page 371: ...ure the session with MACsec if the peer is available. If not set, the default is should-secure. Step 9: authentication port-control auto. Enable 802.1x authentication on the port. The port changes to the authorized or unauthorized state based on the authentication exchange between the switch and the client. Step 10: authentication violation protect. Configure the port to drop unexpected incoming MAC addres...

Page 372: ...nterface gigabitethernet1/0/25. Interface: GigabitEthernet1/0/25. MAC Address: 001b.2140.ec3c. IP Address: 1.1.1.103. User-Name: ms1. Status: Authz Success. Domain: DATA. Security Policy: Must Secure (new). Security Status: Secured (new). Oper host mode: multi-domain. Oper control dir: both. Authorized By: Authentication Server. Vlan Policy: 10. Session timeout: 3600s (server), Remaining: 3567s. Timeout action: Reauthenticate. Id...

Page 373: ...ption. Between MACsec-capable devices, packets are encrypted on egress from the sending device, decrypted on ingress to the receiving device, and in the clear within the devices. This feature is only available between 802.1AE-capable devices. Network Device Admission Control (NDAC): NDAC is an authentication process by which each network device in the TrustSec domain can verify the credentials and trustwor...

Page 374: ...other TrustSec configurations. Beginning in privileged EXEC mode, follow these steps to configure Cisco TrustSec credentials. To delete the Cisco TrustSec credentials, enter the clear cts credentials privileged EXEC command. This example shows how to create Cisco TrustSec credentials: Switch# cts credentials id trustsec password mypassword. CTS device ID and password have been inserted in the local keysto...

Page 375: ...AN base service image. If you select GCM without the required license, the interface is forced to a link-down state. Beginning in privileged EXEC mode, follow these steps to configure Cisco TrustSec switch-to-switch link-layer security with 802.1x. Command / Purpose: Step 1: configure terminal. Enters global configuration mode. Step 2: interface interface-id. Note: Enters interface configuration mode. Step 3: cts...

Page 376: ...c Encryption software license from Cisco. If you select GCM without the required license, the interface is forced to a link-down state. These protection levels are supported when you configure SAP pairwise master key (sap pmk): SAP is not configured: no protection. sap mode-list gcm-encrypt gmac no-encap: protection desirable but not mandatory. sap mode-list gcm-encrypt gmac: confidentiality preferred and in...

Page 377: ...ration mode options: gcm-encrypt: Authentication and encryption. Note: Select this mode for MACsec authentication and encryption if your software license supports MACsec encryption. gmac: Authentication, no encryption. no-encap: No encapsulation. null: Encapsulation, no authentication or encryption. Note: If the interface is not capable of data link encryption, no-encap is the default and the only available SAP...

Page 378: ...tication dot1x default group cts-radius; Switch(config)# aaa authentication network cts-radius group radius; Switch(config)# aaa session-id common; Switch(config)# cts authorization list cts-radius; Switch(config)# dot1x system-auth-control; Switch(config)# interface gi1/1/2; Switch(config-if)# switchport trunk encapsulation dot1q; Switch(config-if)# switchport mode trunk; Switch(config-if)# cts dot1x; Switch(config-if)# ct...

Page 379: ...nk encapsulation dot1q; Switch(config-if)# switchport mode trunk; Switch(config-if)# shutdown; Switch(config-if)# cts manual; Switch(config-if-cts-dot1x)# sap pmk 033445AABBCCDDEEFF mode-list gcm-encrypt gmac; Switch(config-if-cts-dot1x)# no propagate sgt; Switch(config-if-cts-dot1x)# exit; Switch(config-if)# exit; Switch(config)# radius-server vsa send authentication; Switch(config)# end; Switch# cts credentials id cts-72 pa...

Page 381: ...interfaces. Layer 3 interfaces are not supported on switches running the LAN base feature set. When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users. The users enter their credentials, which the web-based authentication feature sends to the authentication, authorization, and accounting (AAA) server for authenticat...

Page 382: ...h: Controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. Figure 1-1 shows the roles of these devices in a network. Figure 1-1 Web...

Page 383: ...password, and the switch sends the entries to the authentication server. If the authentication succeeds, the switch downloads and activates the user's access policy from the authentication server. The login success page is sent to the user. If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum number of attempts fails, the switch sends the login expi...

Page 384: ...red. You create a banner by using the ip admission auth-proxy-banner http global configuration command. The default banner, Cisco Systems and Switch host-name Authentication, appear on the Login Page. Cisco Systems appears on the authentication result pop-up page, as shown in Figure 1-2. Figure 1-2 Authentication Successful Banner. You can also customize the banner, as shown in Figure 1-3. Add a switch, rout...

Page 385: ...d Web Banner. If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen, and no banner appears when you log into the switch, as shown in Figure 1-4. Figure 1-4 Login Screen With No Banner. For more information, see the Cisco IOS Security Command Reference and the Configuring a Web Authentication Local Banner section on page 1-16.

Page 386: ...a hidden password, or to confirm that the same page is not submitted twice. The CLI command to redirect users to a specific URL is not available when the configured login form is enabled. The administrator should ensure that the redirection is configured in the web page. If the CLI command redirecting users to a specific URL after authentication occurs is entered and then the command configuring web pag...

Page 387: ...ge 1-7. LAN Port IP, page 1-8. Gateway IP, page 1-8. ACLs, page 1-8. Context-Based Access Control, page 1-8. 802.1x Authentication, page 1-8. EtherChannel, page 1-8. Port Security: You can configure web-based authentication and port security on the same port. Web-based authentication authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You can then li...

Page 388: ...on host policy. ACLs: If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port. After authentication, the web-based authentication host policy...

Page 389: ...ture. You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports. You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface. You cannot authenticate hosts on Layer 2...

Page 390: ...rver, page 1-13. Configuring the Web-Based Authentication Parameters, page 1-15. Removing Web-Based Authentication Cache Entries, page 1-16. Configuring the Authentication Rule and Interfaces: This example shows how to enable web-based authentication on Fast Ethernet port 5/1: Switch(config)# ip admission name webauth1 proxy http; Switch(config)# interface fastethernet 5/1; Switch(config-if)# ip admission webauth...

Page 391: ...authentication login default group tacacs+; Switch(config)# aaa authorization auth-proxy default group tacacs+. Configuring Switch-to-RADIUS-Server Communication: RADIUS security servers identification: Host name; Host IP address; Host name and specific UDP port numbers; IP address and specific UDP port numbers. Command / Purpose: Step 1: aaa new-model. Enables AAA functionality. Step 2: aaa authentication login de...

Page 392: ...tion, key values for all RADIUS servers by using the radius-server host global configuration command. If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the Cisco IOS Security Configuration Guide, Release 12.4, and the Cisco IOS Security Command Reference...

Page 393: ...ip http secure-server command, the login page is always in HTTPS (secure HTTP), even if the user sends an HTTP request. Customizing the Authentication Proxy Web Pages. Specifying a Redirection URL for Successful Login. Customizing the Authentication Proxy Web Pages: You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web-b...

Page 394: ...sername and password and must show them as uname and pwd. The custom login page should follow best practices for a web form, such as page timeout, hidden password, and prevention of redundant submissions. This example shows how to configure custom authentication proxy web pages: Switch(config)# ip admission proxy http login page file flash:login.htm; Switch(config)# ip admission proxy http success page file...

Page 395: ...y webpage not configured. HTTP Authentication success redirect to URL: http://www.cisco.com. Authentication global cache time is 60 minutes. Authentication global absolute time is 0 minutes. Authentication global init state time is 2 minutes. Authentication Proxy Watch-list is disabled. Authentication Proxy Max HTTP process is 7. Authentication Proxy Auditing is disabled. Max Login attempts per user is 5. Con...

Page 396: ...to remove the web-based authentication session for the client at the IP address 209.165.201.1: Switch# clear ip auth-proxy cache 209.165.201.1. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: ip admission auth-proxy-banner http [banner-text | file-path]. Enable the local banner. (Optional) Create a custom banner by entering C banner-text C, where C is a delimiting character, or...

Page 397: ...to view only the global web-based authentication status: Switch# show authentication sessions. This example shows how to view the web-based authentication settings for gigabit interface 3/27: Switch# show authentication sessions interface gigabitethernet 3/27. Command / Purpose: Step 1: show authentication sessions interface type slot/port. Displays the web-based authentication settings. type: fastethernet, gi...

Page 399: ...ure Cisco TrustSec on the switch, see the Cisco TrustSec Switch Configuration Guide at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html. Release notes for Cisco TrustSec General Availability releases are at the following URL: http://www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html. Additional information about the C...

Page 400: ...orthiness of its peer device. NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST as its EAP method. Successful authentication and authorization in the NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption. Security Group Access Control List (SGACL): A Security Group Access Control List (SGACL) associates a Security...

Page 401: ...TrustSec enforcement is supported only on up to eight VLANs on a VLAN trunk link. If there are more than eight VLANs configured on a VLAN trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN trunk links will be error-disabled. The switch can assign SGT and apply corresponding SGACL to end hosts based on SXP listening only if the end hosts are Layer 2-adja...

Page 403: ...nfiguring the System MTU, page 1-43. Configuring the Power Supplies, page 1-46. Configuring the Cisco RPS 2300 in a Mixed Stack, page 1-46. Configuring the Cisco eXpandable Power System (XPS) 2200, page 1-48. Monitoring and Maintaining the Interfaces, page 1-51. Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online...

Page 404: ...VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates a VLAN. VLANs can be formed with ports across the stack. To configure VLANs, use the vlan vlan-id global configuration command to enter VLAN configuration mode. The VLAN configurations for normal-range VLANs (VLAN IDs 1 to 1005) are saved in the VLAN database. If VTP is version 1 or 2, to configure extend...

Page 405: ...Chapter 1, Configuring VLANs. For more information about tunnel ports, see Chapter 1, Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling. Access Ports: An access port belongs to and carries the traffic of only one VLAN, unless it is configured as a voice VLAN port. Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port is assumed to belong to the VLAN as...

Page 406: ...TP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port. For more information about trunk ports, see Chapter 1, Configuring VLANs. Tunnel Ports: Tunnel ports are used in IEEE 802.1Q tunneling to segregate the traffic of customers in a service-provider network from other cu...

Page 407: ...re set supports static routing and the Routing Information Protocol (RIP). Starting with Cisco IOS Release 12.2(58)E, the LAN Base feature set supports 16 user-configured static routes on SVIs. For full Layer 3 routing or for fallback bridging, you must enable the IP Services feature set on the standalone switch or the active switch. Switch Virtual Interfaces: A switch virtual interface (SVI) represents a V...

Page 408: ...ces comes up when the first switch port belonging to the corresponding VLAN link comes up and is in STP forwarding state. The default action when a VLAN has multiple ports is that the SVI goes down when all ports in the VLAN go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the SVI line-state up-and-down calculation. For example, if the only active...

Page 409: ...can insert a 10-Gigabit Ethernet network module, a 1-Gigabit Ethernet network module, or a blank module. A 10-Gigabit Ethernet interface operates only in full-duplex mode. The interface can be configured as a switched or routed port. For more information about the Cisco TwinGig Converter Module, see the switch hardware installation guide and your transceiver module documentation. Power over Ethernet Por...

Page 410: ...r classification. For more information, see the standard IEEE 802.3at. The PoE+ standard increases the maximum power that can be drawn by a powered device from 15.4 W per port to 30 W per port. The UPoE feature provides the capability to source up to 60 W of power (2 x 30 W) over both signal and spare pairs of the RJ-45 Ethernet cable by using the Layer 2 power negotiation protocols such as CDP or LLDP. A...

Page 411: ...d Power via MDI TLVs for negotiating power up to 30 W. Cisco prestandard devices and Cisco IEEE powered devices can use CDP or the IEEE 802.3at power-via-MDI power negotiation mechanism to request power levels up to 30 W. Note: The initial allocation for Class 0, Class 3, and Class 4 powered devices is 15.4 W. When a device starts up and uses CDP or LLDP to send a request for more than 15.4 W, it can be...

Page 412: ...allowed on the port. If the IEEE class maximum wattage of the powered device is greater than the configured maximum value, the switch does not provide power to the port. If the switch powers a powered device, but the powered device later requests through CDP messages more than the configured maximum value, the switch removes power to the port. The power that was allocated to the powered device is recla...

Page 413: ...power to the port, or the switch can generate a syslog message and update the LEDs (the port LED is now blinking amber) while still providing power to the device, based on the switch configuration. By default, power usage policing is disabled on all PoE ports. If error recovery from the PoE error-disabled state is enabled, the switch automatically takes the PoE port out of the error-disabled state after t...

Page 414: ...e sum of the rated power consumption of the powered device and the worst-case power loss over the cable. The actual amount of power consumed by a powered device on a PoE port is the cutoff-power value plus a calibration factor of 500 mW (0.5 W). The actual cutoff value is approximate and varies from the configured value by a percentage of the configured value. For example, if the configured cutoff power...

Page 415: ...ing CDP or LLDP, and the end device requests for power to be enabled on the spare pair. When the spare pair is powered, the end device can negotiate up to 60 W of power from the switch using CDP or LLDP. Enabling Power on Signal/Spare Pairs: If the end device is PoE-capable on both signal and spare pairs but does not support the CDP or LLDP extensions required for UPoE, a 4-pair forced-mode configuration a...

Page 416: ...module are labeled Te1/Gi2 and Te2/Gi4. These ports can operate at either 1 Gigabit per second or 10 Gigabits per second. They are identified in software as gigabitethernet x/1/2 and x/1/4 and tengigabitethernet x/1/1 and x/1/2, with x being the switch number on Catalyst 3750-X stacks. The Catalyst 3560-X switch port numbers are the same, with no switch number. Network Services Module: The Catalyst 3750...

Page 417: ...0-X Switch. When the IP services feature set is running on the switch or the active switch, the switch uses two methods to forward traffic between interfaces: routing and fallback bridging. If the IP base feature set is on the switch or the active switch, only basic routing (static routing and RIP) is supported. Whenever possible, to maintain high performance, forwarding is done by the switch hardware. Howev...

Page 418: ...d device must include a terminal emulation application. When the switch detects a valid USB connection to a powered-on device that supports host functionality (such as a PC), input from the RJ-45 console is immediately disabled, and input from the USB console is enabled. Removing the USB connection immediately reenables input from the RJ-45 console connection. An LED on the switch shows which console con...

Page 419: ...his point, no switches in the stack allow a USB console to have input. A log entry shows when a console cable is attached. If a USB console cable is connected to switch 2, it is prevented from providing input: Mar 1 00:34:27.498: %USB_CONSOLE-6-CONFIG_DISALLOW: Console media-type USB is disallowed by system configuration, media-type remains RJ45. (switch-stk-2) This example reverses the previous configuration...

Page 420: ...a-type reverted to RJ45. At this point, the only way to reactivate the USB console is to disconnect and reconnect the cable. When the USB cable on the switch has been disconnected and reconnected, a log similar to this appears: Mar 1 00:48:28.640: %USB_CONSOLE-6-MEDIA_USB: Console media-type is USB. USB Type A Port: The USB Type A port provides access to external Cisco USB flash devices, also known as thumb...

Page 421: ...evice: Host Controller: 1; Address: 0x1; Device Configured: YES; Device Supported: YES; Description: STEC USB 1GB; Manufacturer: STEC; Version: 1.0; Serial Number: STI 3D508232204731; Device Handle: 0x1010000; USB Version Compliance: 2.0; Class Code: 0x0; Subclass Code: 0x0; Protocol: 0x0; Vendor ID: 0x136b; Product ID: 0x918; Max. Packet Size of Endpoint Zero: 64; Number of Configurations: 1; Speed: High; Selected Configuration: 1; Sel...

Page 422: ...X switches), module number, and switch port number, and enter interface configuration mode. Type: Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports; 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mb/s; or small form-factor pluggable (SFP) module Gigabit Ethernet interfaces (gigabitethernet or gi). Stack member number: The number that identifies the switch within the stack. The s...

Page 423: ...face tengigabitethernet1/0/1. To configure a 10-Gigabit Ethernet port on stack member 3, enter this command: Switch(config)# interface tengigabitethernet3/0/1. If the switch has SFP modules, the port numbers continue consecutively. To configure the first SFP module port on stack member 1 with 16 10/100/1000 ports, enter this command: Switch(config)# interface gigabitethernet1/0/25. Procedures for Configuring Int...

Page 424: ...ese steps, beginning in privileged EXEC mode. When using the interface range global configuration command, note these guidelines. Valid entries for port-range: vlan vlan-ID - vlan-ID, where the VLAN ID is 1 to 4094; gigabitethernet module/{first port} - {last port} for 3560-X switches, where the module is always 0. Command / Purpose: Step 1: configure terminal. Enters global configuration mode. Step 2: interface range po...

Page 425: ...mmand. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command. All interfaces defined in a range must be the same type (all Gigabit Ethernet ports, all 10-Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can enter multiple ranges in a comma...

Page 426: ...ethernet stack member/module/{first port} - {last port} for 3750-X switches, where the module is always 0; gigabitethernet stack member/module/{first port} - {last port}, where the module is always 0; tengigabitethernet stack member/module/{first port} - {last port}, where the module is always 0; port-channel port-channel-number - port-channel-number, where the port-channel number is 1 to 48. Note: When you use the interface...

Page 427: ...ys the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface ranges. All interfaces defined in a range must be the same type (all Gigabit Ethernet ports, all 10-Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro. This example shows how to define an interface-range named...

Page 428: ...d: Switch# configure terminal; Switch(config)# no define interface-range enet_list; Switch(config)# end; Switch# show run | include define; Switch#. Using the Ethernet Management Port: This section has this information: Understanding the Ethernet Management Port, page 1-26; Supported Features on the Ethernet Management Port, page 1-28; Configuring the Ethernet Management Port, page 1-29; TFTP and the Ethernet Management...

Page 429: ...ve link is from the active switch (a Catalyst 3750-E or Catalyst 3750-X switch) to the PC. If the active switch fails and the elected active switch is not a Catalyst 3750-E or Catalyst 3750-X switch (switch 2), the active link can be from a stack member to the PC. Figure 1-3: Connecting a Switch Stack to a PC. By default, the Ethernet management port is enabled. The switch cannot route packets from the Ether...

Page 430: ...raffic between these ports cannot be sent or received. If this happens, data packet loops occur between the ports, which disrupt the switch and network operation. To prevent the loops, configure route filters to avoid routes between the Ethernet management port and the network ports. Supported Features on the Ethernet Management Port: The Ethernet management port supports these features: Express Setup (onl...

Page 431: ...fastethernet 0 privileged EXEC command. TFTP and the Ethernet Management Port: Use the commands in Table 1-2 when using TFTP to download or upload a configuration file to the boot loader. Table 1-2, Boot Loader Commands. Command / Description: arp [ip_address]: Displays the currently cached ARP table when this command is entered without the ip_address parameter. Enables ARP to associate a MAC address with t...

Page 432: ...s in Layer 3 mode, you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the interface and then reenables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affe...

Page 433: ...auto, half, and full. However, Gigabit Ethernet ports operating at 1000 Mb/s do not support half-duplex mode. For SFP module ports, the speed and duplex CLI options change depending on the SFP module type. The 1000BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support the nonegotiate keyword in the speed interface configuration command. Duplex options are not supported. Port blocking (unknown mult...

Page 434: ...and Duplex Parameters: To set the speed and duplex mode for a physical interface, follow these steps, beginning in privileged EXEC mode. Command / Purpose: Step 1: configure terminal. Enters global configuration mode. Step 2: interface interface-id. Specifies the physical interface to be configured, and enters interface configuration mode. Step 3: speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}. This command is no...

Page 435: ...ort experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period. Note: Catalyst 3750-X or 3560-X ports can receive, but not send, pause frames. You use the flowco...

Page 436: ...itch(config-if)# flowcontrol receive on; Switch(config-if)# end. Configuring Auto-MDIX on an Interface: When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. When connecting switches without the auto-MDIX feature, you must use s...

Page 437: ...powered devices on a port. Catalyst 3750-X switches also support StackPower, which allows switch power supplies to share the load across multiple systems in a stack by connecting up to four switches with power stack cables. See Chapter 1, Configuring Catalyst 3750-X StackPower, for information on StackPower. Table 1-4, Link Conditions and Auto-MDIX Settings: Local Side Auto-MDIX / Remote Side Auto-MDIX / Wit...

Page 438: ...rface-id. Specifies the physical port to be configured, and enters interface configuration mode. Step 3: power inline {auto [max max-wattage] | never | static [max max-wattage]}. Configures the PoE mode on the port. The keywords have these meanings: auto: Enables powered-device detection. If enough power is available, automatically allocates power to the PoE port after device detection. This is the default setting. (Optio...

Page 439: ...tional devices. You can then extend the switch power budget and use it more effectively. Caution: You should carefully plan your switch power budget, enable the power monitoring feature, and make certain not to oversubscribe the power supply. Note: When you manually configure the power budget, you must also consider the power loss over the cable between the switch and the powered device. When you enter the...

Page 440: ...s chapter of the software configuration guide for this release. To enable policing of the real-time power consumption of a powered device connected to a PoE port, follow these steps, beginning in privileged EXEC mode. Step 5: show power inline consumption default. Displays the power consumption status. Step 6: copy running-config startup-config. (Optional) Saves your entries in the configuration file. Command...

Page 441: ...enable error detection for the PoE error-disabled cause by using the errdisable detect cause inline-power global configuration command. You can also enable the timer to recover from the PoE error-disabled state by using the errdisable recovery cause inline-power interval interval global configuration command. Generate a syslog message while still providing power to the port: Enter the power inline po...

Page 442: ...N ID following the interface vlan global configuration command. To delete an SVI, use the no interface vlan global configuration command. You cannot delete interface VLAN 1. Note: When you create an SVI, it does not become active until it is associated with a physical port. For information about assigning Layer 2 ports to VLANs, see Chapter 1, Configuring VLANs. When configuring SVIs, you can also configure...

Page 443: ...re can support, the VLANs are created, but the routed ports are shut down, and the switch sends a message that this was due to insufficient hardware resources. All Layer 3 interfaces require an IP address to route traffic. This procedure shows how to configure an interface as a Layer 3 interface and how to assign an IP address to an interface. Note: If the physical port is in Layer 2 mode (the default), you...

Page 444: ...and not excluded to keep the SVI state up. You can use this command to exclude the monitoring port status when determining the status of the SVI. To exclude a port from SVI state-change calculations, follow these steps, beginning in privileged EXEC mode. This example shows how to configure an access or trunk port in an SVI to be excluded from the line-state status calculation: Switch# configure terminal...

Page 445: ...t in these cases: when you enter the system mtu command on a Catalyst 3750-X or 3560-X switch; in a mixed stack, when you enter the system mtu jumbo command for the Fast Ethernet ports on a Catalyst 3750 member; when you enter the system mtu routing command on a switch on which only Layer 2 ports are configured. Note: This command is not supported on switches running the LAN base feature set. When you us...

Page 446: ...mbo MTU value in bytes. 2. The system routing MTU value is the applied value, not the configured value. Mixed hardware stack: Use the system mtu bytes command, which takes effect only on Catalyst 3750 members. The range is from 1500 to 1998 bytes. Use the system mtu jumbo bytes command. The range is from 1500 to 9000 bytes. Use the system mtu routing bytes command. The range is from 1500 to the system MT...

Page 447: ...ws the response when you try to set Gigabit Ethernet interfaces to an out-of-range number: Switch(config)# system mtu jumbo 25000; % Invalid input detected at '^' marker. Step 4: system mtu bytes. (Optional) In a mixed hardware stack, change the MTU size for all Fast Ethernet interfaces on the Catalyst 3750 members. The range is 1500 to 1998 bytes; the default is 1500 bytes. Note: This command does not apply to Catal...

Page 448: ...ge an RPS 2300 connected to a Catalyst 3750-E switch in the stack. Note: The Catalyst 3750-X and 3560-X switches do not have RPS connectors. These switches can be connected to an XPS 2200 expandable power supply (not available at this time). The Catalyst 3750-X switch also has stack power connectors. See Chapter 1, Configuring Catalyst 3750-X StackPower, for information on stack power. Command / Purpose: Step...

Page 449: ...ultiple switches connected to the RPS 2300 need power, the RPS 2300 provides power to the switches with the highest priority. If the RPS 2300 still has power available, it can then provide power to the switches with lower priorities. To configure and manage the RPS 2300, follow these steps, beginning in user EXEC mode. Command / Purpose: Step 1: power rps switch-number name {string | serialnumber}. Specifies the...

Page 450: ...upplies can operate in redundant power supply (RPS) mode or stack power (SP) mode. For more information about the XPS 2000, see the configuration notes (URL as extracted: http preview cisco com en US docs switches power_supplies xps2200 software configuration note ol 24241 html). Step 2: power rps switch-number port rps-port-id mode {active | standby}. Specifies the mode of the RPS 2300 port. The keywords have these meanings: switc...

Page 451: ...lnumber}. Configures a name for the XPS 2200 system. name: Enter a name for the XPS 2000 port. The name can have up to 20 characters. serialnumber: Use the serial number of the XPS 2200 as the system name. The switch-number appears only on Catalyst 3750-X switches and represents the switch number in the data stack, a value from 1 to 9. Step 3: power xps switch-number port name {hostname | serialnumber}. Configure...

Page 452: ...h connected to the port. This is the default. When a Catalyst 3560-X switch or Catalyst 3750-X switch running the LAN base image is connected, the mode is RPS. When a Catalyst 3750-X switch is connected, the mode is stack power (SP). role RPS: The XPS acts as a back-up if the switch power supply fails. At least one RPS power supply must be in RPS mode for this configuration. The switch-number appears only on...

Page 453: ...page 1-53. Command / Purpose: Step 1: power xps switch-number supply {A | B} mode {rps | sp}. Sets the XPS power supply mode. supply {A | B}: Selects the power supply to configure. Power supply A is on the left, labeled PS1, and power supply B (PS2) is on the right. mode rps: Sets the power supply mode to RPS to back up connected switches. This is the default setting for power supply A (PS1). mode sp: Sets the power supply mode...

Page 454: ...yst 3750, 3560, 2970, or 2960 switches (RPS 2300 or Cisco RPS 675 Redundant Power System, also referred to as the RPS 675). show env rps detail: (Optional) Displays the details about the RPSs that are connected to the switch or switch stack. show env rps switch switch-number: (Optional) Displays the RPSs that are connected to each switch in the stack or to the specified switch. The range is 1 to 9, depending on t...

Page 455: ...h all dynamic routing protocols. The interface is not mentioned in any routing updates. show interfaces transceiver properties: (Optional) Displays temperature, voltage, or amount of current on the interface. show interfaces interface-id transceiver {properties | detail} [module number]: Displays physical and operational status about an SFP module. show running-config interface interface-id: Displays the running c...

Page 456: ...t the interface. To verify that an interface is disabled, enter the show interfaces privileged EXEC command. A disabled interface is shown as administratively down in the display. Command / Purpose: Step 1: configure terminal. Enters global configuration mode. Step 2: interface {vlan vlan-id | gigabitethernet interface-id | port-channel port-channel-number}. Selects the interface to be configured. Step 3: shutdown. Sh...

Page 457: ...Understanding VLANs: A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are f...

Page 458: ...onfiguring Layer 3 Interfaces section on page 1-40. Note: If you plan to configure many VLANs on the switch and to not enable routing, you can use the sdm prefer vlan global configuration command to set the Switch Database Management (SDM) feature to the VLAN template, which configures system resources to support the maximum number of unicast MAC addresses. For more information on the SDM templates, see C...

Page 459: ...not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the switch or the switch stack connected to a trunk port of a second switch or switch stack. Trunk (ISL or IEEE 802.1Q): A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN...

Page 460: ...dat file is stored in flash memory on the stack master. Stack members have a vlan.dat file that is consistent with the stack master. Caution: You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP confi...

Page 461: ...AN, page 1-9; Assigning Static-Access Ports to a VLAN, page 1-9. Token Ring VLANs: Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches. Switches running VTP Version 2 advertise information about these Token Ring VLANs: Token Ring TrBRF VLANs; Token Ring TrCRF VLANs...

Page 462: ...t of spanning-tree instances. You can prevent this possibility by setting allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. If the number of VLANs on the switch exceeds the number of supported spanning-tree instances, we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your switch to map multiple VLANs to a single spanning-tre...

Page 463: ...uration file are used. The VLAN database revision number remains unchanged in the VLAN database. If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database information. In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for VLAN IDs 1 to 1...

Page 464: ...and / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: vlan vlan-id. Enter a VLAN ID, and enter VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. Note: The available VLAN ID range for this command is 1 to 4094. For information about adding VLAN IDs greater than 1005 (extended-range VLANs), see the Configuring Extended-Range...

Page 465: ...associated with the VLAN (and thus inactive) until you assign them to a new VLAN. Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch. Assigning Static-Access Ports to a VLAN: You can assign a static-access port to a VLAN without having VTP globally propagate VLAN configuration information by disabling VTP (VTP transparent mode). If you are assigning a port on a cluster mem...

Page 466: ...stored in the VLAN database, but because VTP mode is transparent, they are stored in the switch running configuration file, and you can save the configuration in the startup configuration file by using the copy running-config startup-config privileged EXEC command. Extended-range VLANs created in VTP version 3 are stored in the VLAN database. Note: Although the switch supports 4094 VLAN IDs, see the Sup...

Page 467: ...is enabled by default on extended-range VLANs, but you can disable it by using the no spanning-tree vlan vlan-id global configuration command. When the maximum number of spanning-tree instances are on the switch, spanning tree is disabled on any newly created VLANs. If the number of VLANs on the switch exceeds the maximum number of spanning-tree instances, we recommend that you configure the IEEE 802...

Page 468: ...t VLAN configuration mode, and the extended-range VLAN is not created. In VTP version 1 and 2, extended-range VLANs are not saved in the VLAN database; they are saved in the switch running configuration file. You can save the extended-range VLAN configuration in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command. VTP version 3 saves extended-ran...

Page 469: ...ps to release a VLAN ID that is assigned to an internal VLAN and to create an extended-range VLAN with that ID. Step 7: show vlan id vlan-id. Verify that the VLAN has been created. Step 8: copy running-config startup-config. Save your entries in the switch startup configuration file. To save extended-range VLAN configurations, you need to save the VTP transparent mode configuration and the extended-range...

Page 470: ...on mode, and return to global configuration mode. Step 9: interface interface-id. Specify the interface ID for the routed port that you shut down in Step 4, and enter interface configuration mode. Step 10: no shutdown. Re-enable the routed port. It will be assigned a new internal VLAN ID. Step 11: end. Return to privileged EXEC mode. Step 12: copy running-config startup-config. Save your entries in the switch st...

Page 471: ...e Table 1-4. You can set an interface as trunking or nontrunking, or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a Point-to-Point Protocol. However, some internetworking devices might forward DTP frames improperly, which could cause misconfiguration...

Page 472: ...Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode. switchport mode trunk: Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a...

Page 473: ...802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning-tree loops might result. Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave spanning tree enabl...

Page 474: ...all trunks in the group must have the same configuration. When a group is first created, all ports follow the parameters set for the first port to be added to the group. If you change the configuration of one of these parameters, the switch propagates the setting you entered to all ports in the group: allowed-VLAN list; STP port priority for each VLAN; STP Port Fast setting; trunk status: if one port in a...

Page 475: ...VLANs from the allowed list. Step 3: switchport trunk encapsulation {isl | dot1q | negotiate}. Configure the port to support ISL or IEEE 802.1Q encapsulation, or to negotiate (the default) with the neighboring interface for encapsulation type. You must configure each end of the link with the same encapsulation type. Step 4: switchport mode {dynamic {auto | desirable} | trunk}. Configure the interface as a Layer 2 trunk...

Page 476: ...es a member of the enabled VLAN. When VTP detects a new VLAN and the VLAN is not in the allowed list for a trunk port, the trunk port does not become a member of the new VLAN. Beginning in privileged EXEC mode, follow these steps to modify the allowed list of a trunk. To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan interface configuration command. This ex...

Page 477: ...information about IEEE 802.1Q configuration issues, see the IEEE 802.1Q Configuration Considerations section on page 1-17. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Select the trunk port for which VLANs should be pruned, and enter interface configuration mode. Step 3: switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan...

Page 478: ...the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower values) for a VLAN is forwarding traffic for that VLAN. The trunk port with the lower priority (higher values) for the same VLAN remains in...

Page 479: ...[Figure residue: Switch A / Switch B; Trunk 2: VLANs 3-6 priority 16, VLANs 8-10 priority 128; Trunk 1: VLANs 8-10 priority 16, VLANs 3-6 priority 128.] Command / Purpose: Step 1: configure terminal. Enter global configuration mode on Switch A. Step 2: vtp domain domain-name. Configure a VTP administrative domain. The domain name can be 1 to 32 characters. Step 3: vtp mode server. Configure Switch A as the VTP server. Step 4: end. Return to priv...

Page 480: ...cond port in the switch or switch stack. Step 14: Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk ports configured on Switch A. Step 15: show vlan. When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify that Switch B has learned the VLAN configuration. Step 16: configure terminal. Enter global configuration mode on Switch A. Step...

Page 481: ...s 2 through 5 on a second interface in Switch A (for a Catalyst 3560-X switch) or in the Switch A stack (for a Catalyst 3750-X switch). Step 7: end. Return to privileged EXEC mode. Step 8: show running-config. Verify your entries. In the display, make sure that the interfaces are configured as trunk ports. Step 9: show vlan. When the trunk links come up, Switch A receives the VTP information from the other switch...

Page 482: ...or not the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server simply denies the host access to the port. If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses: If the host is allowed on the port, the VMPS sends the client a vlan-assignment respons...

Page 483: ...link goes down on a dynamic-access port, the port returns to an isolated state and does not belong to a VLAN. Any hosts that come online through the port are checked again through the VQP with the VMPS before the port is assigned to a VLAN. Dynamic-access ports can be used for direct host connections, or they can connect to a network. A maximum of 20 MAC addresses are allowed per port on the switch. A d...

Page 484: ...Configuring the VMPS Client: You configure dynamic VLANs by using the VMPS server. The switch can be a VMPS client; it cannot be a VMPS server. Entering the IP Address of the VMPS: You must first enter the IP address of the server to configure the switch as a client. Note: If the VMPS is being defined for a cluster of switches, enter the address on the command switch. Beginning in privileged EXEC mode, fol...

Page 485: ...ort VLAN membership assignments that the switch has received from the VMPS. Changing the Reconfirmation Interval. VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs. If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on...

Page 486: ...ery the secondary VMPS. VMPS domain server: the IP address of the configured VLAN membership policy servers. The switch sends queries to the one marked current. The one marked primary is the primary server. VMPS Action: the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps re...

Page 487: ...S shuts down the port to prevent the host from connecting to the network. More than 20 active hosts reside on a dynamic-access port. To re-enable a disabled dynamic-access port, enter the shutdown interface configuration command followed by the no shutdown interface configuration command. VMPS Configuration Example. Figure 1-5 shows a network with a VMPS server switch and VMPS client switches with dyna...

Page 488: ...[Figure 1-5 residue: network diagram showing a Catalyst 6500 series primary VMPS server and secondary VMPS servers, Switch A, client switches B through J with addresses 172.20.26.150 through 172.20.26.159, an Ethernet segment, trunk links, end stations 1 and 2, a TFTP server, and dynamic-access ports]...

Page 489: ...incorrect VLAN-type specifications, and security violations. Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches. VTP is designed to work i...

Page 490: ...n consists of one switch or several interconnected switches or switch stacks under the same administrative responsibility sharing the same VTP domain name. A switch can be in only one VTP domain. You make global VLAN configuration changes for the domain. By default, the switch is in the VTP no-management-domain state until it receives an advertisement for a domain over a trunk link (a link that carries...

Page 491: ...configure a supported switch or switch stack to be in one of the VTP modes listed in Table 1-1. Table 1-1 VTP Modes. VTP Mode | Description. VTP server: In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchron...

Page 492: ...2 or version 3 transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode. In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create extended-range VLANs. VTP version 3 also supports creating extended-range VLANs in client or server mode. Se...

Page 493: ...n 2 transparent switch forwards a message only when the domain name matches. Consistency Checks. In VTP version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 digest on a received...

Page 494: ...all VTP instances for that port are disabled. You cannot set VTP to off for the MST database and on for the VLAN database on the same port. When you globally set VTP mode to off, it applies to all the trunking ports in the system. However, you can specify on or off on a per-VTP-instance basis. For example, you can configure the switch as a VTP server for the VLAN database but with VTP off for the MST dat...

Page 495: ...omain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the Enabling VTP Pruning section on page 1-16. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligi...

Page 496: ...ster. All VTP updates are carried across the stack. When VTP mode is changed in a switch in the stack, the other switches in the stack also change VTP mode, and the switch VLAN database remains consistent. VTP version 3 functions the same on a standalone switch or a stack, except when the switch stack is the primary server for the VTP database. In this case, the MAC address of the stack master is used as...

Page 497: ...selected as follows: If the VTP mode is transparent in the startup configuration and the VLAN database, and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database. If the VTP mode...

Page 498: ...ion. When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain. VTP Version. Follow these guidelines when deciding which VTP version to implement: All switches in a VTP domain must have the same domain name, but they do not need to run the same VTP version. A VTP version 2-capable switch can op...

Page 499: ...gions can only communicate in transparent mode over a VTP version 1 or version 2 region. Devices that are only VTP version 1 capable cannot interoperate with VTP version 3 devices. Configuration Requirements. When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements to and from other switches in the domain. For more information, see the Configurin...

Page 500: ...the switch resets and boots up in VTP server mode (the default). VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you cannot convert from VTP version 3 to VTP version 2. If you configure the switch for VTP client mode, the switch does not create the VLAN database file, vlan.dat. If the switch is then powered off, it resets the VTP configuration to the default. To keep the VTP c...

Page 501: ...sparent | off} [vlan | mst | unknown]. Configure the switch for VTP mode (client, server, transparent, or off). (Optional) Configure the database: vlan, the VLAN database (the default if none are configured); mst, the multiple spanning tree (MST) database; unknown, an unknown database type. Step 4: vtp password password. (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VT...

Page 502: ...64 characters. (Optional) hidden: Enter hidden to ensure that the secret key generated from the password string is saved in the nvram:vlan.dat file. If you configure a takeover by configuring a VTP primary server, you are prompted to reenter the password. (Optional) secret: Enter secret to directly configure the password. The secret password must contain 32 hexadecimal characters. Step 3: end. Return to privileg...

Page 503: ...xist, no private VLANs exist, and no hidden password was configured. Caution: VTP version 1 and VTP version 2 are not interoperable on switches in the same VTP domain. Do not enable VTP version 2 unless every switch in the VTP domain supports version 2. In TrCRF and TrBRF Token Ring environments, you must enable VTP version 2 or VTP version 3 for Token Ring VLAN switching to function properly. For Token R...

Page 504: ...iguring VTP on a Per-Port Basis. With VTP version 3, you can enable or disable VTP on a per-port basis. You can enable VTP only on ports that are in trunk mode. Incoming and outgoing VTP traffic are blocked, not forwarded. Beginning in privileged EXEC mode, follow these steps to enable VTP on a port. To disable VTP on the interface, use the no vtp interface configuration command. Switch(config)# interface gig...

Page 505: ...to disable VTP on the switch and then to change its VLAN information without affecting the other switches in the VTP domain. Command | Purpose. Step 1: show vtp status. Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps: a. Write down the domain name. b. Write down the configuration revision number. c. Continue wit...

Page 506: ...Display counters about VTP messages that have been sent and received. show vtp devices [conflict]: Display information about all VTP version 3 devices in the domain. Conflicts are VTP version 3 devices with conflicting primary servers. The show vtp devices command does not display information when the switch is in transparent or off mode. show vtp interface [interface-id]: Display VTP status and configurat...

Page 507: ...s connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the...

Page 508: ...d no Layer 2 CoS priority value. Note: In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5 for voice traffic and 3 for voice control traffic). Cisco IP Phone Data Traffic. The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone (see Figure 1-1). You can con...

Page 509: ...Ns. The configuration of voice VLANs is not required on trunk ports. The voice VLAN should be present and active on the switch for the IP phone to correctly communicate on the voice VLAN. Use the show vlan privileged EXEC command to see if the VLAN is present (listed in the display). If the VLAN is not listed, see Chapter 1, Configuring VLANs, for information on how to create the voice VLAN. Do not configur...

Page 510: ...diness Check section on page 1-41 for more information. Note: If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the phone loses connectivity to the switch for up to 30 seconds. Protected port: See the Configuring Protected Ports section on page 1-6 for more information. A source or destination port for a SPAN or RSPAN session. Secu...

Page 511: ...e configuring the port trust state, you must first globally enable QoS by using the mls qos global configuration command. Step 4: switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}. Configure how the Cisco IP Phone carries voice traffic. detect: Configure the interface to detect and recognize a Cisco IP phone. cisco-phone: When you initially implement the switchport voice det...

Page 512: ...l-duplex Cisco IP Phone: Switch(config-if)# switchport voice detect cisco-phone full-duplex (full-duplex keyword) Switch(config-if)# end. This example shows how to disable switchport voice detect on a Cisco IP Phone: Switch# configure terminal. Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitethernet 1/0/1 Switch(config-if)# no switchport voice detect cisco...

Page 513: ...lay voice VLAN configuration for an interface, use the show interfaces interface-id switchport privileged EXEC command. Command | Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface connected to the Cisco IP Phone, and enter interface configuration mode. Step 3: switchport priority extend {cos value | trust}. Set the priority of data traffic re...

Page 514: ...1-8 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1, Configuring Voice VLAN: Displaying Voice VLAN...

Page 515: ...standing Private VLANs. The private VLAN feature addresses two problems that service providers face when using VLANs: Scalability: When running the IP base or IP services feature set, the switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the number of customers the service provider can support. To enable IP routing, each VLAN is assigned a subnet ad...

Page 516: ...d with the primary VLAN. Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. Community: A...

Page 517: ...tside the private VLAN. You can use private VLANs to control access to end stations in these ways: Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers. Configure interfaces connected to default gateways and selected end station...

Page 518: ...s in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private VLAN traffic on those switches. Note: When configuring private VLANs on the switch, always use the default Switch Database Management (SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM template is configured, use the sdm prefer defau...

Page 519: ...erface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. If you try to configur...

Page 520: ...3. Tasks for Configuring Private VLANs. To configure a private VLAN, perform these steps: Step 1: Set VTP mode to transparent. Step 2: Create the primary and secondary VLANs and associate them. See the Configuring and Associating VLANs in a Private VLAN section on page 1-10. Note: If the VLAN is not created already, the private VLAN configuration process creates it. Step 3: Configure interfaces to be isolated...

Page 521: ...the devices are running VTP version 3. You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs. A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it. Although a private VLAN contains more than one...

Page 522: ...osts can communicate with each other at Layer 3. Private VLANs support these Switched Port Analyzer (SPAN) features: You can configure a private VLAN port as a SPAN source port. You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to separately monitor egress or ingress traffic. Private VLAN Port Configuration. Follow these guidelines when configuring pri...

Page 523: ...Communication Protocol (WCCP). You can configure IEEE 802.1x port-based authentication on a private VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private VLAN ports. A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive. If you configure a static MAC add...

Page 524: ...01 and 1006 to 4094. Step 7: private-vlan isolated. Designate the VLAN as an isolated VLAN. Step 8: exit. Return to global configuration mode. Step 9: vlan vlan-id. (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Step 10: private-vlan community. Designate the VLAN as a community VLAN. Step 11: exit. Return to glo...

Page 525: ...ty VLANs, to associate them in a private VLAN, and to verify the configuration: Switch# configure terminal Switch(config)# vlan 20 Switch(config-vlan)# private-vlan primary Switch(config-vlan)# exit Switch(config)# vlan 501 Switch(config-vlan)# private-vlan isolated Switch(config-vlan)# exit Switch(config)# vlan 502 Switch(config-vlan)# private-vlan community Switch(config-vlan)# exit Switch(config)# vlan 503 Switch(conf...

Page 526: ...VLAN: 1 (default). Trunking Native Mode VLAN: 1 (default). Administrative Native VLAN tagging: enabled. Voice VLAN: none. Administrative private-vlan host-association: 20 501. Administrative private-vlan mapping: none. Administrative private-vlan trunk native VLAN: none. Administrative private-vlan trunk Native VLAN tagging: enabled. Administrative private-vlan trunk encapsulation: dot1q. Administrative private-vlan tr...

Page 527: ...ber of primary VLAN 20, and secondary VLANs 501 to 503 are mapped to it: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport mode private-vlan promiscuous Switch(config-if)# switchport private-vlan mapping 20 add 501-503 Switch(config-if)# end. Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondar...

Page 528: ..._list to clear the mapping between secondary VLANs and the primary VLAN. This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502: Switch# configure terminal Switch(config)# interface vlan 10 Switch(config-if)# private-vlan mapping 501-502 Switch(config-if)# end Switch# show interfaces private-vl...

Page 529: ...imary | Secondary | Type | Ports. 10 | 501 | isolated | Gi2/0/1, Gi3/0/1, Gi3/0/2. 10 | 502 | community | Gi2/0/11, Gi3/0/1, Gi3/0/4. 10 | 503 | non-operational. Table 1-1 Private VLAN Monitoring Commands. Command | Purpose. show interfaces status: Displays the status of interfaces, including the VLANs to which they belong. show vlan private-vlan [type]: Display the private VLAN information for the switch or switch stack. show interface...

Page 531: ...d in this chapter, see the command reference for this release. This chapter contains these sections: Understanding IEEE 802.1Q Tunneling, page 1-1. Configuring IEEE 802.1Q Tunneling, page 1-4. Understanding Layer 2 Protocol Tunneling, page 1-8. Configuring Layer 2 Protocol Tunneling, page 1-11. Monitoring and Maintaining Tunneling Status, page 1-19. Understanding IEEE 802.1Q Tunneling. Business customers of ser...

Page 532: ...1Q-tagged with the appropriate VLAN ID. The tagged packets remain intact inside the switch, and when they exit the trunk port into the service-provider network, they are encapsulated with another layer of an IEEE 802.1Q tag (called the metro tag) that contains the VLAN ID that is unique to the customer. The original customer IEEE 802.1Q tag is preserved in the encapsulated packet. Therefore, packets...

Page 533: ...by other customers and the VLAN numbering space used by the service-provider network. At the outbound tunnel port, the original VLAN numbers on the customer's network are recovered. It is possible to have multiple levels of tunneling and tagging, but the switch supports only one level in this release. If traffic coming from a customer network is not tagged (native VLAN frames), these packets are bridged...

Page 534: ...its MTUs are explained in these next sections. Native VLANs. When configuring IEEE 802.1Q tunneling on an edge switch, you must use IEEE 802.1Q trunk ports for sending packets into the service-provider network. However, packets going through the core of the service-provider network can be carried through IEEE 802.1Q trunks, ISL trunks, or nontrunking links. When IEEE 802.1Q trunks are used in these core s...

Page 535: ...The default system MTU for traffic on the switch is 1500 bytes. You can configure Fast Ethernet ports on the Catalyst 3750 members in the mixed hardware switch stack to support frames larger than 1500 bytes by using the system mtu global configuration command. You can configure 10-Gigabit and Gigabit Ethernet ports to support frames larger than 1500 bytes by using the system mtu jumbo global configu...

Page 536: ...s access is not needed, you should not configure SVIs on VLANs that include tunnel ports. Fallback bridging is not supported on tunnel ports. Because all IEEE 802.1Q-tagged packets received from a tunnel port are treated as non-IP packets, if fallback bridging is enabled on VLANs that have tunnel ports configured, IP packets would be improperly bridged across VLANs. Therefore, you must not enable fallbac...

Page 537: ...tive dot1q native vlan tagging is enabled. Command | Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode for the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical...

Page 538: ...throughout the customer network, propagating to all switches through the service provider. Note: To provide interoperability with third-party vendors, you can use the Layer 2 protocol-tunnel bypass feature. Bypass mode transparently forwards control PDUs to vendor switches that have different ways of controlling protocol tunneling. You implement bypass mode by enabling Layer 2 protocol tunneling on the...

Page 539: ...derstanding Layer 2 Protocol Tunneling. [Figure 1-4 Layer 2 Protocol Tunneling residue: diagram of Customer X Sites 1 and 2 (VLANs 1 to 100) and Customer Y Sites 1 and 2 (VLANs 1 to 200) connected across a service provider through Switches A, B, C, and D on trunk ports in VLAN 30 and VLAN 40, including an asymmetric link]...

Page 540: ...the automatic creation of EtherChannels. For example, in Figure 1-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the Configuring Layer 2 Tunneling for EtherChannels section on page 1-15 for instructio...

Page 541: ...point-to-point network topologies, it also supports PAgP, LACP, and UDLD protocols. The switch does not support Layer 2 protocol tunneling for LLDP. Caution: PAgP, LACP, and UDLD protocol tunneling is only intended to emulate a point-to-point topology. An erroneous configuration that sends tunneled packets to many ports could lead to a network failure. When the Layer 2 PDUs that entered the service provider...

Page 542: ...tocol tunneling configuration is distributed among all stack members. Each stack member that receives an ingress packet on a local port encapsulates or decapsulates the packet and forwards it to the appropriate destination port. On a single switch, ingress Layer 2 protocol-tunneled traffic is sent across all local ports in the same VLAN on which Layer 2 protocol tunneling is enabled. In a stack, packet...

Page 543: ...access ports. If you enable PAgP or LACP tunneling, we recommend that you also enable UDLD on the interface for faster link-failure detection. Loopback detection is not supported on Layer 2 protocol tunneling of PAgP, LACP, or UDLD packets. EtherChannel port groups are compatible with tunnel ports when the IEEE 802.1Q configuration is consistent within an EtherChannel port group. If an encapsulated PDU w...

Page 544: ...The range is 1 to 4096. The default is to have no threshold configured. Note: If you also set a drop threshold on this interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value. Step 6: l2protocol-tunnel drop-threshold [cdp | stp | vtp] value. (Optional) Configure the threshold for packets per second accepted for encapsulation. The interface drops packets if the configured...

Page 545: ...tion Drop Threshold | Threshold | Counter | Counter | Counter. Gi0/11: cdp 1500 1000 2288 2282 0; stp 1500 1000 116 13 0; vtp 1500 1000 3 67 0; pagp 0 0 0; lacp 0 0 0; udld 0 0 0. Configuring Layer 2 Tunneling for EtherChannels. To configure Layer 2 point-to-point tunneling to facilitate the automatic creation of EtherChannels, you need to configure both the SP edge switch and the customer switch. Configuring the SP...

Page 546: ...(Optional) Configure the threshold for packets per second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096. The default is to have no threshold configured. Note: If you also set a shutdown threshold on this interface, the drop thresh...

Page 547: ...Switch(config-if)# l2protocol-tunnel drop-threshold point-to-point pagp 1000 Switch(config-if)# exit Switch(config)# interface gigabitethernet1/0/2 Switch(config-if)# switchport access vlan 18 Switch(config-if)# switchport mode dot1q-tunnel Switch(config-if)# l2protocol-tunnel point-to-point pagp Switch(config-if)# l2protocol-tunnel point-to-point udld. Command | Purpose. Step 1: configure terminal. Enter global con...

Page 548: ...trunk encapsulation isl Switch(config-if)# switchport mode trunk. This example shows how to configure the customer switch at Site 1. Fast Ethernet interfaces 1, 2, 3, and 4 are set for IEEE 802.1Q trunking, UDLD is enabled, EtherChannel group 1 is enabled, and the port channel is shut down and then enabled to activate the EtherChannel configuration: Switch(config)# interface gigabitethernet1/0/1 Switch(config...

Page 549: ...r l2protocol-tunnel counters: Clear the protocol counters on Layer 2 protocol tunneling ports. show dot1q-tunnel: Display IEEE 802.1Q tunnel ports on the switch. show dot1q-tunnel interface interface-id: Verify if a specific interface is a tunnel port. show l2protocol-tunnel: Display information about Layer 2 protocol tunneling ports. show errdisable recovery: Verify if the recovery timer from a Layer 2 pr...

Page 551: ...map multiple VLANs to the same spanning-tree instance, see Chapter 1, Configuring MSTP. For information about other spanning-tree features such as Port Fast, UplinkFast, root guard, and so forth, see Chapter 1, Configuring Optional Spanning-Tree Features. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of...

Page 552: ...g-tree topology. Designated: A forwarding port elected for every switched LAN segment. Alternate: A blocked port providing an alternate path to the root bridge in the spanning tree. Backup: A blocked port in a loopback configuration. The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is...

Page 553: ...ttached LANs for which it is the designated switch. If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is d...

Page 554: ...gnated switch for each LAN segment is selected. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port. Figure 1-1 Spanning-Tree Port States in a Switch Stack. All paths that are not needed to reach the root switch from anywhere in the switched network...

Page 555: ...ndary root switch, and the switch priority of a VLAN. For example, when you change the switch priority value, you change the probability that the switch will be elected as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability. For more information, see the Configuring the Root Switch section on page 1-17, the Configuring a Secondary Root Switch secti...

Page 556: ...is process occurs: 1. The interface is in the listening state while spanning tree waits for protocol information to move the interface to the blocking state. 2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer. 3. In the learning state, the interface continues to block frame forwarding as the switch learns end-stat...

Page 557: ...should participate in frame forwarding. An interface in the listening state performs these functions: Discards frames received on the interface. Discards frames switched from another interface for forwarding. Does not learn addresses. Receives BPDUs. Learning State. A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the list...

Page 558: ...warding interfaces or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal switch as the root. Figure 1-3 Spanning-Tree Topology. When the spanning-tree topology is calculated based on default parameters, the pat...

Page 559: ...forward packets destined for addresses between 0x0180C2000000 and 0x0180C200000F. If spanning tree is enabled, the CPU on the switch or on each switch in the stack receives packets destined for 0x0180C2000000 and 0x0180C2000010. If spanning tree is disabled, the switch or each switch in the stack forwards those packets as unknown multicast addresses. Accelerated Aging to Retain Connectivity. The defaul...

Page 560: ...uration as PVST+ except where noted, and the switch needs only minimal extra configuration. The benefit of rapid PVST+ is that you can migrate a large PVST+ install base to rapid PVST+ without having to learn the complexities of the MSTP configuration and without having to reprovision your network. In rapid-PVST+ mode, each VLAN runs its own spanning-tree instance up to the maximum supported. MSTP: This span...

Page 561: ...switches running rapid PVST+ and switches running PVST+, we recommend that the rapid-PVST+ switches and PVST+ switches be configured for different spanning-tree instances. In the rapid-PVST+ spanning-tree instances, the root switch must be a rapid-PVST+ switch. In the PVST+ instances, the root switch must be a PVST+ switch. The PVST+ switches should be at the edge of the network. All stack members run the same v...

Page 562: ...as DECnet between two or more VLAN bridge domains or routed ports. The VLAN bridge spanning tree allows the bridge groups to form a spanning tree on top of the individual VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees from the VLANs being bridged from collapsing into a single spanning tree. To support VLA...

Page 563: ...page 1-14; Changing the Spanning-Tree Mode, page 1-15 (required); Disabling Spanning Tree, page 1-16 (optional); Configuring the Root Switch, page 1-17 (optional); Configuring a Secondary Root Switch, page 1-18 (optional); Configuring Port Priority, page 1-19 (optional); Configuring Path Cost, page 1-21 (optional); Configuring the Switch Priority of a VLAN, page 1-22 (optional); Configuring Spanning-Tree Timers, page 1-23 (opt...

Page 564: ...reak all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree. It is not absolutely necessary to run spanning tree on all switches in the VLAN. However, if you are running spanning tree only on a minimal set of switches, an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm. Note: If you h...

Page 565: ...a directly connected device that is running STP. Changing the Spanning-Tree Mode. The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required. Command / Purpose. Step 1...

Page 566: ...these steps to disable spanning tree on a per-VLAN basis. This procedure is optional. To re-enable spanning tree, use the spanning-tree vlan vlan-id global configuration command. Step 6: clear spanning-tree detected-protocols. (Recommended for rapid-PVST+ mode only.) If any port on the switch is connected to a port on a legacy IEEE 802.1D switch, restart the protocol-migration process on the entire switch. T...

Page 567: ...e 1-1 on page 1-5. Note: The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1. Note: If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority v...

Page 568: ...oot switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]. Configure a switch to become the root...

Page 569: ...tion command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. For more information, see the "Configuring Path Cost" section on page 1-21. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree vlan vlan-id root secondary [diameter net-diamet...

Page 570: ...iguration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3: spanning-tree port-priority priority. Configure the port priority for an interface. For priority, the range is 0 to 240 in increments of 16; the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lo...

Page 571: ...ace interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number). Step 3: spanning-tree cost cost. Configure the cost for an interface. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost rep...

Page 572: ...rivileged EXEC mode, follow these steps to configure the switch priority of a VLAN. This procedure is optional. To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree vlan vlan-id priority priority. Configure the switch priority of a VLAN. For vlan-id, you ...

Page 573: ...Variable / Description. Hello timer: Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer: Controls how long each of the listening and learning states last before the interface begins forwarding. Maximum-age timer: Controls the amount of time the switch stores protocol information received on an interface. Transmit hold count: Controls the number of BPDUs that can ...

Page 574: ...ning states to the forwarding state. For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. For seconds, the range is 4 to 30; the default is 15. Step 3: end. Return to privileged EXEC mode. Step 4: show spanning-tree vlan vlan-id. Verify your entries. Step 5: copy running-config startup-co...

Page 575: ...s one logical port. You can clear spanning-tree counters by using the clear spanning-tree [interface interface-id] privileged EXEC command. For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree transmit hold-count value. Configure th...

Page 576: ...1-26, Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Configuring STP: Displaying the Spanning-Tree Status ...

Page 577: ...provides rapid convergence of the spanning tree through explicit handshaking that eliminates the IEEE 802.1D forwarding delay and quickly transitions root ports and designated ports to the forwarding state. Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with equipment that is based on the original IEEE 802.1D spanning tree, with existing Cisco-proprietary...

Page 578: ...o which MST region each switch belongs. The configuration includes the name of the region, the revision number, and the MST VLAN-to-instance assignment map. You configure the switch for a region by using the spanning-tree mst configuration global configuration command, after which the switch enters the MST configuration mode. From this mode, you can map VLANs to an MST instance by using the instance MST ...

Page 579: ...thin an MST Region. The IST connects all the MSTP switches in a region. When the IST converges, the root of the IST becomes the CIST regional root (called the IST master before the implementation of the IEEE 802.1s standard), as shown in Figure 1-1 on page 1-4. It is the switch within the region with the lowest switch ID and path cost to the CIST root. The CIST regional root is also the CIST root if there...

Page 580: ...1-1 MST Regions, CIST Masters, and CST Root. Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology. Because of this, the spanning-tree parameters related to BPDU transmission (for example, hello time, forward time, max-age, and max-hops) are configured only on the ...

Page 581: ...vant to the IST (instance 0). Table 1-1 compares the IEEE standard and the Cisco prestandard terminology. Hop Count. The IST and MST instances do not use the message-age and maximum-age information in the configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism. By using the spanning-tree ms...

Page 582: ...egion to share a segment with a port belonging to a different region, creating the possibility of receiving both internal and external messages on a port. The primary change from the Cisco prestandard implementation is that a designated port is not defined as boundary unless it is running in an STP-compatible mode. Note: If there is a legacy STP switch on the segment, messages are always considered ext...

Page 583: ...gured for prestandard BPDU transmission. Figure 1-2 illustrates this scenario. Assume that A is a standard switch and B a prestandard switch, both configured to be in the same region. A is the root switch for the CIST, and thus B has a root port (BX) on segment X and an alternate port (BY) on segment Y. If segment Y flaps, and the port on BY becomes the alternate before sending out a single prestandard BPDU...

Page 584: ...f the newly added switch contains a better root port for the switch stack or a better designated port for the LAN connected to the stack. The newly added switch causes a topology change in the network if another switch connected to the newly added switch changes its root port or designated ports. When a stack member leaves the stack, spanning-tree reconvergence occurs within the stack (and possibly ou...

Page 585: ...on information, see the "Configuring MSTP Features" section on page 1-14. Port Roles and the Active Topology. The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the active topology. The RSTP builds upon the IEEE 802.1D STP to select the switch with the highest switch priority (lowest numerical priority value) as the root switch, as described in the "Spanning-Tre...

Page 586: ...the old root port and immediately transitions the new root port to the forwarding state. Point-to-point links: If you connect a port to another port through a point-to-point link and the local port becomes a designated port, it negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology. As shown in Figure 1-4, Switch A is connected to Swi...

Page 587: ...lt setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command. Figure 1-4 Proposal and Agreement Handshaking for Rapid Convergence. Synchronization of Port Roles. When the switch receives a proposal message on one of its ports and that port is selected as the new root port, the RSTP forces all other ports to synchronize with the new root infor...

Page 588: ...uring Rapid Convergence. Bridge Protocol Data Unit Format and Processing. The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2. A new 1-byte Version 1 Length field is set to zero, which means that no version 1 protocol information is present. Table 1-3 shows the RSTP flag fields. [Figure callouts spilled into the text: 2 Block, 9 Forward, 1 Proposal, 4 Agreement, 6 Proposal, Root port, Designa...]

Page 589: ...to the blocking state but does not send the agreement message. The designated port continues sending BPDUs with the proposal flag set until the forward-delay timer expires, at which time the port transitions to the forwarding state. Processing Inferior BPDU Information. If a designated port receives an inferior BPDU (higher switch ID, higher path cost, and so forth) than currently stored for the port with...
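A small parser for the BPDU layout described on pages 588 and 589, added here as an illustration (it is not code from the guide or from Cisco): it decodes the IEEE 802.1D/RSTP header, the RSTP flag bits, the two bridge IDs with their 4-bit priority and 12-bit system ID extension, and the timers carried in 1/256-second units, and it compares two BPDUs the way a designated port does when deciding whether a received BPDU is inferior (higher bridge ID or higher path cost at the same root). The frames are constructed, not captured; `build_rst_bpdu` and every other name below are this example's own.

```python
"""Decode IEEE 802.1D / 802.1w BPDUs and rank them by priority vector.
Added example; the frames below are constructed, not captured."""
import struct

PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
TYPE_CONFIG, TYPE_RST, TYPE_TCN = 0x00, 0x02, 0x80


def parse_bridge_id(raw: bytes) -> dict:
    """8-byte bridge ID: 4-bit priority, 12-bit system ID extension, 48-bit MAC."""
    field, mac = struct.unpack("!H6s", raw)
    return {"priority": field & 0xF000, "sys_id_ext": field & 0x0FFF,
            "mac": mac.hex(":")}


def parse_bpdu(data: bytes) -> dict:
    """Parse the BPDU payload that follows the LLC header; ValueError on junk."""
    if len(data) < 4:
        raise ValueError("BPDU shorter than the 4-byte header")
    proto, version, bpdu_type = struct.unpack("!HBB", data[:4])
    if proto != 0:
        raise ValueError("protocol identifier is not 0x0000")
    if bpdu_type == TYPE_TCN:                 # a TCN BPDU is the header only
        return {"version": version, "type": "tcn"}
    if bpdu_type not in (TYPE_CONFIG, TYPE_RST):
        raise ValueError(f"unknown BPDU type 0x{bpdu_type:02x}")
    if len(data) < 35:
        raise ValueError("truncated configuration BPDU")
    (flags, root_raw, root_cost, bridge_raw, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH", data[4:35])
    bpdu = {
        "version": version,                    # 0 = STP, 2 = RSTP, 3 = MSTP
        "type": "config" if bpdu_type == TYPE_CONFIG else "rst",
        "flags": {                             # RSTP flag bits
            "topology_change": bool(flags & 0x01),
            "proposal": bool(flags & 0x02),
            "port_role": PORT_ROLES[(flags >> 2) & 0x3],
            "learning": bool(flags & 0x10),
            "forwarding": bool(flags & 0x20),
            "agreement": bool(flags & 0x40),
            "tc_ack": bool(flags & 0x80),
        },
        "root": parse_bridge_id(root_raw),
        "root_path_cost": root_cost,
        "bridge": parse_bridge_id(bridge_raw),
        "port_priority": (port_id >> 12) * 16,  # the field holds priority/16
        "port_number": port_id & 0x0FFF,
        # timers are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }
    if bpdu_type == TYPE_RST:
        if len(data) < 36:
            raise ValueError("RST BPDU lacks the Version 1 Length octet")
        bpdu["version1_length"] = data[35]     # 0: no version-1 information
    return bpdu


def _bridge_key(bid: dict) -> tuple:
    return (bid["priority"] + bid["sys_id_ext"], bid["mac"])


def priority_vector(bpdu: dict) -> tuple:
    """(root ID, root path cost, sender bridge ID, sender port ID); lower wins."""
    return (_bridge_key(bpdu["root"]), bpdu["root_path_cost"],
            _bridge_key(bpdu["bridge"]),
            (bpdu["port_priority"] // 16 << 12) | bpdu["port_number"])


def is_inferior(received: dict, stored: dict) -> bool:
    """True when the received BPDU is worse than the information the port holds."""
    return priority_vector(received) > priority_vector(stored)


def build_rst_bpdu(root_field, root_mac, cost, bridge_field, bridge_mac,
                   port_no, flags, hello=2, max_age=20, fwd_delay=15, msg_age=1):
    """Constructed RST BPDU for the examples; the 16-bit priority fields are
    values such as 0x8001 = priority 32768 + system ID extension 1."""
    def bid(field, mac):
        return struct.pack("!H6s", field, bytes.fromhex(mac.replace(":", "")))
    return (struct.pack("!HBBB", 0, 2, TYPE_RST, flags)
            + bid(root_field, root_mac) + struct.pack("!I", cost)
            + bid(bridge_field, bridge_mac)
            + struct.pack("!HHHHHB", 0x8000 | port_no, msg_age * 256,
                          max_age * 256, hello * 256, fwd_delay * 256, 0))


# Constructed scenario: a designated port holds STORED (root 00:11:..., cost 4)
# and then hears RECEIVED from a neighbour with a numerically higher bridge ID.
# flags 0x3E = proposal + designated role + learning + forwarding.
STORED = parse_bpdu(build_rst_bpdu(0x8001, "00:11:22:33:44:55", 4,
                                   0x8001, "00:aa:bb:cc:dd:ee", 1, flags=0x3E))
RECEIVED = parse_bpdu(build_rst_bpdu(0x8001, "00:11:22:33:44:55", 4,
                                     0x8001, "00:ff:00:00:00:01", 3, flags=0x3E))

if __name__ == "__main__":
    print(STORED["flags"], STORED["root"], STORED["hello_time"])
    print("received is inferior:", is_inferior(RECEIVED, STORED))
```

The comparison in `is_inferior` is the IEEE priority-vector order (root ID, then root path cost, then sender bridge ID, then sender port ID), which is what "higher switch ID, higher path cost, and so forth" on page 589 refers to; a port that sees an inferior BPDU keeps its own information and answers with it.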

Page 590: ...the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port. Configuring MSTP Features. These sections contain this configuration information: Default MSTP Configuration, page 1-14; MSTP Configuration Guidelines, page 1-15; Specifying the MST Region Configuration and Enabling MSTP, page 1-16 (requ...

Page 591: ...time. For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP. For more information, see the "Spanning-Tree Interoperability and Backward Compatibility" section on page 1-11. For information on the recommended trunk port configuration, see the "Interaction with Other Features" section on page 1-18. All stack members run the same version of spanning tree (all PVST+, rapid PVST+, or MSTP). For ...

Page 592: ...he "Optional Spanning-Tree Configuration Guidelines" section on page 1-12. When the switch is in MST mode, it uses the long path-cost calculation method (32 bits) to compute the path cost values. With the long path-cost calculation method, these path cost values are supported. Specifying the MST Region Configuration and Enabling MSTP. For two or more switches to be in the same MST region, they must have the ...

Page 593: ...o an MST instance. For instance-id, the range is 0 to 4094. For vlan vlan-range, the range is 1 to 4094. When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in the command are added to or removed from the VLANs that were previously mapped. To specify a VLAN range, use a hyphen; for example, instance 1 vlan 1-63 maps VLANs 1 through 63 to MST instance 1. To specify a VLAN...

Page 594: ...lowest switch priority (4096 is the value of the least-significant bit of a 4-bit switch priority value, as shown in Table 1-1 on page 1-5). If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VL...

Page 595: ...s. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree mst instance-id root primary global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]. Configure a switch as the root switch. For ...

Page 596: ...a port to put in the forwarding state. Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last. For more information, see the "Configuring Path Cost" section on page 1-21. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]...

Page 597: ...st. If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel log...

Page 598: ...ry and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to ...

Page 599: ...stance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be chosen as the root switch. Priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All o...
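To make the priority arithmetic on pages 567, 594 and 599 concrete, here is an added model (not IOS code and not from the guide) of the per-VLAN root election: a switch's advertised bridge priority is its configured priority (a multiple of 4096 in the top 4 bits) plus the VLAN ID in the low 12 bits, a legacy switch without extended system ID advertises the bare priority, ties go to the lower MAC address, and `root primary` follows the guide's description of that command: it sets 24576 if that makes the switch root, otherwise 4096 below the lowest priority in use, and fails when the value necessary is less than 1. Switch names, MAC addresses and the `Switch` class are this example's own.

```python
"""Per-VLAN root election with the extended system ID and the priority
arithmetic behind `spanning-tree vlan <id> priority` / `root primary`.
Added model only; switch names and MACs are constructed."""
from dataclasses import dataclass, field

PRIORITY_STEP = 4096           # least-significant bit of the 4-bit priority
PRIORITY_MAX = 61440
DEFAULT_PRIORITY = 32768
VALID_PRIORITIES = tuple(range(0, PRIORITY_MAX + 1, PRIORITY_STEP))
ROOT_PRIMARY_TARGET = 24576    # value `root primary` tries first


@dataclass
class Switch:
    name: str
    mac: str                                      # tie-breaker, lower wins
    priority: dict = field(default_factory=dict)  # vlan -> configured priority
    extended_sys_id: bool = True                  # False models a legacy switch

    def vlan_priority(self, vlan: int) -> int:
        return self.priority.get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, vlan: int) -> tuple:
        """Advertised bridge ID: priority + VLAN ID when the extended system ID
        is in use (so `show spanning-tree` prints 32769 for VLAN 1 at default),
        bare priority on a legacy switch."""
        adv = self.vlan_priority(vlan) + (vlan if self.extended_sys_id else 0)
        return (adv, self.mac)


def validate_priority(value: int) -> int:
    """Only 0..61440 in increments of 4096 are accepted; all else is rejected."""
    if value not in VALID_PRIORITIES:
        raise ValueError(f"{value}: not a multiple of 4096 in 0..61440")
    return value


def elect_root(switches, vlan: int) -> Switch:
    """Lowest (advertised priority, MAC) becomes root for this VLAN."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def required_priority(candidate: Switch, others, vlan: int):
    """Priority that `root primary` would pick for candidate: 24576 if that
    makes it root, else 4096 below the lowest priority in use. Returns None
    when the command would fail because the value needed is less than 1."""
    trial = Switch(candidate.name, candidate.mac, {vlan: ROOT_PRIMARY_TARGET},
                   candidate.extended_sys_id)
    if elect_root([trial, *others], vlan) is trial:
        return ROOT_PRIMARY_TARGET
    needed = min(s.vlan_priority(vlan) for s in others) - PRIORITY_STEP
    return needed if needed >= 1 else None


def root_primary(candidate: Switch, others, vlan: int) -> int:
    """Apply `spanning-tree vlan <vlan> root primary` to candidate."""
    needed = required_priority(candidate, others, vlan)
    if needed is None:
        raise ValueError("root primary fails: required priority is less than 1")
    candidate.priority[vlan] = validate_priority(needed)
    return needed


# Constructed sample network: two extended-system-ID switches and one legacy.
A = Switch("A", "00:00:0c:aa:00:01")
B = Switch("B", "00:00:0c:bb:00:02")
LEGACY = Switch("Legacy", "00:00:0c:ff:00:03", extended_sys_id=False)

if __name__ == "__main__":
    print("VLAN 10 root among A, B:", elect_root([A, B], 10).name)        # A
    print("with legacy switch:", elect_root([A, B, LEGACY], 10).name)     # Legacy
    print("root primary on B sets", root_primary(B, [A, LEGACY], 10))     # 24576
    print("now root:", elect_root([A, B, LEGACY], 10).name)               # B
```

The legacy switch wins VLAN 10 at default settings because it advertises 32768 while the extended-system-ID switches advertise 32768 + 10, which is exactly the effect page 594 warns about; lowering the priority on the switch you want as root is the fix.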

Page 600: ...ard-time seconds. Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. For seconds, the range is 4 to 30; the default is 15. Step 3: end. Return to privileged EXEC mode. Step 4: show spanning-tree mst. Verify your entries. Step 5: copy running-config startup-config...

Page 601: ...ansitions to the forwarding state. Beginning in privileged EXEC mode, follow these steps to override the default link-type setting. This procedure is optional. To return the port to its default setting, use the no spanning-tree link-type interface configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: spanning-tree mst max-hops hop-count. Specify the numbe...

Page 602: ...switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2). However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is th...

Page 603: ...keywords for the show spanning-tree privileged EXEC command, see the command reference for this release. Table 1-5 Commands for Displaying MST Status. Command / Purpose. show spanning-tree mst configuration: Displays the MST region configuration. show spanning-tree mst configuration digest: Displays the MD5 digest included in the current MSTCI. show spanning-tree mst instance-id: Displays MST information for...

Page 604: ...1-28, Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Configuring MSTP: Displaying the MST Configuration and Status ...

Page 605: ...Chapter 1, "Configuring STP." For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 1, "Configuring MSTP." Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release. This chapter consists of these sections: Understanding Optional Spanning-Tree Features, p...

Page 606: ...reating a spanning-tree loop. You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command. Figure 1-1 Port Fast-Enabled Interfaces. Understanding BPDU Guard. The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences. At the global le...

Page 607: ...mand prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port...

Page 608: ...meter is 150 packets per second. However, if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more slowly after a loss of connectivity. Note: UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices. This feature might not be useful for other types of applications. UplinkFast provid...

Page 609: ...kFast (CSUF) provides a fast spanning-tree transition (fast convergence in less than 1 second under normal network conditions) across a switch stack. During the fast transition, an alternate redundant link on the switch stack is placed in the forwarding state without causing temporary spanning-tree loops or loss of connectivity to the backbone. With this feature, you can have a redundant and resilient net...

Page 610: ...ate stack root port on Switch 2 or Switch 3 and puts it into the forwarding state in less than 1 second. Figure 1-5 Cross-Stack UplinkFast Topology. When certain link loss or spanning-tree events occur (described in the "Events that Cause Fast Convergence" section on page 1-7), the Fast Uplink Transition Protocol uses the neighbor list to send fast-transition requests to stack members. The switch sending the ...

Page 611: ...s under these circumstances: The stack root port link fails. If two switches in the stack have alternate paths to the root, only one of the switches performs the fast transition. The failed link, which connects the stack root to the spanning-tree root, recovers. A network reconfiguration causes a new stack root switch to be selected. A network reconfiguration causes a new port on the current stack root sw...

Page 612: ...e paths to send a root link query (RLQ) request. The Catalyst 3750-X switch sends the RLQ request on all alternate paths to learn if any stack member has an alternate root to the root switch and waits for an RLQ reply from other switches in the network and in the stack. The Catalyst 3560-X switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network. Wh...

Page 613: ...rding state, providing a path from Switch B to Switch A. The root-switch election takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 1-7 shows how BackboneFast reconfigures the topology to account for the failure of link L1. Figure 1-7 BackboneFast Example After Indirect Link Failure. If a new switch is introduced into a shared-medium...

Page 614: ...shown in Figure 1-9. You can avoid this situation by enabling root guard on SP switch interfaces that connect to switches in your customer's network. If spanning-tree calculations cause an interface in the customer network to be selected as the root port, root guard then places the interface in the root-inconsistent (blocked) state to prevent the customer's switch from becoming the root switch or bein...

Page 615: ...ing designated ports, and spanning tree does not send BPDUs on root or alternate ports. When the switch is operating in MST mode, BPDUs are not sent on nonboundary ports only if the interface is blocked by loop guard in all MST instances. On a boundary port, loop guard blocks the interface in all MST instances. Configuring Optional Spanning-Tree Features. These sections contain this configuration informa...

Page 616: ...the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+. Enabling Port Fast. An interface with the Port Fast feature enabled is moved directly to the spanning-tree forwarding state without waiting for the standard forward-time delay. Caution: Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interfa...

Page 617: ...r-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred. To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: inte...

Page 618: ...portfast bpduguard default global configuration command by using the spanning-tree bpduguard enable interface configuration command. Enabling BPDU Filtering. When you globally enable BPDU filtering on Port Fast-enabled interfaces, it prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins t...

Page 619: ...ace configuration command. Enabling UplinkFast for Use with Redundant Links. UplinkFast cannot be enabled on VLANs that have been configured with a switch priority. To enable UplinkFast on a VLAN with switch priority configured, first restore the switch priority on the VLAN to the default value by using the no spanning-tree vlan vlan-id priority global configuration command. Note: When you enable Uplink...

Page 620: ...ing-tree uplinkfast command. Enabling Cross-Stack UplinkFast. When you enable or disable the UplinkFast feature by using the spanning-tree uplinkfast global configuration command, CSUF is automatically globally enabled or disabled on nonstack port interfaces. For more information, see the "Enabling UplinkFast for Use with Redundant Links" section on page 1-15. To disable UplinkFast on the switch and all i...

Page 621: ...therChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command. You can use the show interfaces status err-disabled privileged EXEC command to show which switch ports are disabled because of an EtherChannel misconfiguration. On the remote device, you can enter the show etherchannel summary privileged EXEC command to verify the EtherChannel configuration. A...

Page 622: ...rd. You can use loop guard to prevent alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link. This feature is most effective when it is configured on the entire switched network. Loop guard operates only on interfaces that are considered point-to-point by the spanning tree. Note: You cannot enable both loop guard and root guard at the same time. Y...

Page 623: ...ning-tree privileged EXEC command, see the command reference for this release. Step 3: spanning-tree loopguard default. Enable loop guard. By default, loop guard is disabled. Step 4: end. Return to privileged EXEC mode. Step 5: show running-config. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Table 1-2 Commands for Displayin...

Page 624: ...1-20, Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Configuring Optional Spanning-Tree Features: Displaying the Spanning-Tree Status ...

Page 625: ...he IP Services license. REP is not supported on the LAN Base license. Understanding REP. One REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (non-edge) segment ports and two user-configured edge ports. A switch can have no more than two ports that belong to the same segment, and each segment port can have only one external neighbo...

Page 626: ...with both edge ports located on the same switch is a ring segment. In this configuration, there is connectivity between the edge ports through the segment. With this configuration, you can create a redundant connection between any two switches in the segment. Figure 1-2 REP Ring Segment. REP segments have these characteristics: If all ports in the segment are operational, one port (referred to as the alter...

Page 627: ...port within the segment, multiple port failures within the REP segment cause loss of network connectivity. You should configure REP only in networks with redundancy. Configuring REP in a network without redundancy causes loss of connectivity. Link Integrity. REP does not use an end-to-end polling function between edge ports to verify link integrity. It implements local link failure detection. The REP Li...

Page 628: ...e on fiber interfaces is between 50 ms and 200 ms for the local segment with 200 VLANs configured. Convergence for VLAN load balancing is 300 ms or less. VLAN Load Balancing. One edge port in the REP segment acts as the primary edge port; the other as the secondary edge port. It is the primary edge port that always participates in VLAN load balancing in the segment. REP VLAN balancing is achieved by blo...

Page 629: ...is configured, it does not start working until triggered by either manual intervention or a link failure and recovery. When VLAN load balancing is triggered, the primary edge port sends out a message to alert all interfaces in the segment about the preemption. When the secondary port receives the message, it is reflected into the network to notify the alternate port to block the set of VLANs specified...

Page 630: ...s to the open state, forwarding all VLANs. A regular segment port converted to an edge port or an edge port converted to a regular segment port does not always result in a topology change. If you convert an edge port into a regular segment port, VLAN load balancing is not implemented unless it has been configured. For VLAN load balancing, you must configure two edge ports in the segment. A segment port t...

Page 631: ...on the alternate port election operation. REP ports must be Layer 2 trunk ports. Be careful when configuring REP through a Telnet connection. Because REP blocks all VLANs until another REP interface sends a message to unblock it, you might lose connectivity to the switch if you enable REP in a Telnet session that accesses the switch through the same interface. You cannot run REP and STP or REP and Fle...

Page 632: ...ts per switch. Configuring the REP Administrative VLAN. To avoid the delay introduced by relaying messages in software for link failure or VLAN blocking notification during load balancing, REP floods packets at the hardware flood layer (HFL) to a regular multicast address. These messages are flooded to the whole network, not just the REP segment. You can control flooding of these messages by configuring a...

Page 633: ...none; STCN Propagate to: none; LSL PDU rx: 3322, tx: 1722; HFL PDU rx: 32, tx: 5; BPA TLV rx: 16849, tx: 508; BPA (STCN, LSL) TLV rx: 0, tx: 0; BPA (STCN, HFL) TLV rx: 0, tx: 0; EPA-ELECTION TLV rx: 118, tx: 118; EPA-COMMAND TLV rx: 0, tx: 0; EPA-INFO TLV rx: 4214, tx: 4190. Configuring REP Interfaces. For REP operation, you need to enable it on each segment interface and identify the segment ID. This step is required and must be done befo...

Page 634: ...he same as any edge port. Note: Although each segment can have only one primary edge port, if you configure edge ports on two different switches and enter the primary keyword on both switches, the configuration is allowed. However, REP selects only one of these ports as the segment primary edge port. You can identify the primary edge port for a segment by entering the show rep topology privileged EXEC co...

Page 635: ...eam neighbor from an edge port. The range is from -256 to 256, with negative numbers indicating the downstream neighbor from the secondary edge port. A value of 0 is invalid. Enter -1 to identify the secondary edge port as the alternate port. See Figure 1-4 on page 1-5 for an example of neighbor offset numbering. Note: Because you enter this command at the primary edge port (offset number 1), you would never ...

Page 636: ...ort is the neighbor with neighbor offset number 4. After manual preemption, VLANs 100 to 200 are blocked at this port, and all other VLANs are blocked at the primary edge port E1 (Gigabit Ethernet port 1/1). Switch# configure terminal; Switch(conf)# interface gigabitethernet1/1; Switch(conf-if)# rep segment 1 edge primary; Switch(conf-if)# rep block port 4 vlan 100-200; Switch(conf-if)# end. Figure 1-5 Example of VLA...
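An added helper (not Cisco code and not from the guide) that resolves the neighbor-offset numbering from pages 635 and 636 against an ordered list of a segment's ports and works out which VLANs end up blocked where after `rep block port 4 vlan 100-200` is entered on the primary edge port. It applies the stated rules: offsets run from -256 to 256, 0 is invalid, positive offsets count from the primary edge port (offset 1), negative offsets count from the secondary edge port (offset -1), and offset 1 is never a valid alternate because it is the port the command is entered on. The segment and its port names are constructed.

```python
"""Resolve REP neighbor-offset numbers (the argument of `rep block port
<offset>` on the primary edge port) against a segment's ordered port list and
work out which VLANs are blocked where after manual preemption. Added example;
the segment and port names are constructed."""

OFFSET_LIMIT = 256


def resolve_offset(segment_ports, offset: int) -> str:
    """segment_ports runs from the primary edge port (index 0) to the secondary
    edge port (last). Positive offsets count from the primary edge, so 1 is the
    primary edge port itself; negative offsets count downstream from the
    secondary edge, so -1 is the secondary edge port. 0 is invalid."""
    if offset == 0 or not -OFFSET_LIMIT <= offset <= OFFSET_LIMIT:
        raise ValueError(f"offset {offset}: must be in -256..256 and not 0")
    if abs(offset) > len(segment_ports):
        raise ValueError(f"offset {offset} lies beyond this {len(segment_ports)}-port segment")
    return segment_ports[offset - 1] if offset > 0 else segment_ports[offset]


def parse_vlan_list(spec: str) -> set:
    """'100-200' or '10,20,30-32' -> set of VLAN IDs, each checked for 1..4094."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def plan_block(segment_ports, offset: int, vlan_spec: str, all_vlans) -> dict:
    """Map port -> VLANs it blocks once VLAN load balancing has been triggered:
    the chosen alternate port blocks the listed VLANs and the primary edge
    port blocks every other VLAN in the segment."""
    if offset == 1:
        raise ValueError("offset 1 is the primary edge port itself, not an alternate")
    alternate = resolve_offset(segment_ports, offset)
    chosen = parse_vlan_list(vlan_spec)
    return {alternate: chosen, segment_ports[0]: set(all_vlans) - chosen}


# Constructed six-port segment: E1 on Sw1 is the primary edge, Sw4 holds the
# secondary edge; every intermediate switch contributes two segment ports.
SEGMENT = ["Sw1:Gi1/1", "Sw2:Gi1/1", "Sw2:Gi1/2",
           "Sw3:Gi1/1", "Sw3:Gi1/2", "Sw4:Gi1/1"]

if __name__ == "__main__":
    # rep block port 4 vlan 100-200 entered on Sw1 Gi1/1, 300 VLANs in use
    for port, vlans in plan_block(SEGMENT, 4, "100-200", range(1, 301)).items():
        print(port, "blocks", len(vlans), "VLANs")
```

Offsets 4 and -3 name the same port in this six-port segment, which is why the guide shows both numbering directions in Figure 1-4: either form is acceptable, and the negative form stays valid when ports are added near the primary edge.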

Page 637: ...onfigure terminal. Enters global configuration mode. Step 2: snmp mib rep trap-rate value. Enables the switch to send REP traps, and sets the number of traps sent per second. The range is from 0 to 1000. The default is 0 (no limit imposed; a trap is sent at every occurrence). Step 3: end. Returns to privileged EXEC mode. Step 4: show running-config. Displays the REP trap configuration. Step 5: copy running-config st...

Page 638: ...1-14, Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Configuring Resilient Ethernet Protocol: Monitoring REP ...

Page 639: ...s chapter, see the command reference for this release. The chapter consists of these sections: Understanding Flex Links and the MAC Address-Table Move Update, page 1-1; Configuring Flex Links and MAC Address-Table Move Update, page 1-7; Monitoring Flex Links and the MAC Address-Table Move Update, page 1-14. Understanding Flex Links and the MAC Address-Table Move Update. This section contains this informatio...

Page 640: ...d starts forwarding traffic to switch C. When port 1 comes back up, it goes into standby mode and does not forward traffic; port 2 continues forwarding traffic. You can also choose to configure a preemption mechanism, specifying the preferred port for forwarding traffic. For example, in the example in Figure 1-1, you can configure the Flex Links pair with preemption mode. In the scenario shown, when port 1 ...

Page 641: ...orts are learned as mrouter ports whenever either Flex Link port is learned as the mrouter port. Both Flex Link ports are always part of multicast groups. Though both Flex Link ports are part of the groups, in normal operation mode all traffic on the backup port is blocked, so the normal multicast data flow is not affected by the addition of the backup port as an mrouter port. When the changeover happe...

Page 642: ...up port, which became the forwarding port. Configuration Examples. These are configuration examples for learning the other Flex Link port as the mrouter port when Flex Link is configured on GigabitEthernet1/0/11 and GigabitEthernet1/0/12, and output for the show interfaces switchport backup command.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interf...

Page 643: ...ackup interface gigabitEthernet 1/0/12 multicast fast-convergence command. This example shows turning on this feature.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitEthernet 1/0/11
Switch(config-if)# switchport backup interface gigabitEthernet 1/0/12 multicast fast-convergence
Switch(config-if)# exit
Switch# show interfaces switchport b...

Page 644: ... address of the PC has been learned on port 3 of switch C. Traffic from the server to the PC is forwarded from port 3 to port 1. If the MAC address-table move update feature is not configured and port 1 goes down, port 2 starts forwarding traffic. However, for a short time, switch C keeps forwarding traffic from the server to the PC through port 3, and the PC does not get the traffic because port 1 is do...

Page 645: ...sections contain this information: Configuration Guidelines, page 1-7; Default Configuration, page 1-8; Configuring Flex Links, page 1-8; Configuring VLAN Load Balancing on Flex Links, page 1-10; Configuring the MAC Address-Table Move Update Feature, page 1-12. Configuration Guidelines. You can configure up to 16 backup links. You can configure only one Flex Link backup link for any active link, and it must be ...

Page 646: ...deline to configure VLAN load balancing on the Flex Links feature: For Flex Link VLAN load balancing, you must choose the preferred VLANs on the backup interface. You cannot configure a preemption mechanism and VLAN load balancing for the same Flex Links pair. Follow these guidelines to configure the MAC address-table move update feature: You can enable and configure this feature on the access switch to se...

Page 647: ...tup-config: (Optional) Save your entries in the switch startup configuration file. Command Purpose. Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. Step 3 switchport ba...

Page 648: ...t Gi1/0/1 100000 Kbit Gi1/0/2 Mac Address Move Update Vlan auto. Configuring VLAN Load Balancing on Flex Links. Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links. To disable the VLAN load balancing feature, use the no switchport backup interface interface-id prefer vlan vlan-range interface configuration command. Step 7 show interface interface-id switc...

Page 649: ...f the Flex Link pair.
Switch# show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
GigabitEthernet2/0/6 GigabitEthernet2/0/8 Active Down/Backup Up
Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120
When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to...

Page 650: ...witch(conf)# end
Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48. Step 3 switchport backup interface interface-id or switchport backup interface interface-id mmu prim...

Page 651: ... unavail cnt: 0
Xmt last interface: None
Beginning in privileged EXEC mode, follow these steps to configure a switch to get and process MAC address-table move update messages. To disable the MAC address-table move update feature, use the no mac address-table move update receive configuration command. To display the MAC address-table move update information, use the show mac address-table move update priv...

Page 652: ...C commands for monitoring the Flex Links configuration and the MAC address-table move update information. Table 1-1 Flex Links and MAC Address-Table Move Update Monitoring Commands. Command Purpose. show interface interface-id switchport backup: Displays the Flex Link backup interface configured for an interface, or all the configured Flex Links and the state of each active and backup interface (up or s...

Page 653: ...age 1-1; Configuring DHCP Features, page 1-8; Displaying DHCP Snooping Information, page 1-16; Understanding IP Source Guard, page 1-16; Configuring IP Source Guard, page 1-18; Displaying IP Source Guard Information, page 1-26; Understanding DHCP Server Port-Based Address Allocation, page 1-26; Configuring DHCP Server Port-Based Address Allocation, page 1-27; Displaying DHCP Server Port-Based Address Allocation ...

Page 654: ...g untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table. For more information about this database, see the Displaying DHCP Snooping Information section on page 1-16. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connecte...

Page 655: ...cannot build a complete DHCP snooping binding database. When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected thr...

Page 656: ...ver. The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply. The DHCP server unicasts the reply to the switch if the reque...

Page 657: ...2 Suboption Packet Formats. Figure 1-3 shows the packet formats for user-configured remote-ID and circuit-ID suboptions. The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote-id global configuration command and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command...

Page 658: ...ing has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry. Each ent...

Page 659: ...h a previous file update. This is an example of a binding file:
2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1.3 0003.47d8.c91f 2BB6488E Gi0/4 21ae5fbb
192.1.168.3.3 0003.44d6.c52f 2BB648EB Gi0/4 1bdb223f
192.1.168.2.3 0003.47d9.c8f1 2BB648AB Gi0/4 584a38f0
END
When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding...

Page 660: ...HCP Relay Agent, page 1-11; Specifying the Packet Forwarding Address, page 1-11; Enabling DHCP Snooping and Option 82, page 1-12; Enabling DHCP Snooping on Private VLANs, page 1-14; Enabling the Cisco IOS DHCP Server Database, page 1-14; Enabling the DHCP Snooping Binding Database Agent, page 1-15. Default DHCP Configuration. Table 1-1 Default DHCP Configuration. Feature Default Setting. DHCP server Enabled in C...

Page 661: ...eature is not supported. If a switch port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command. If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command. Follow these guidelines when configuring the DHCP snooping binding database: Bec...

Page 662: ...art logging, see the Configuring Smart Logging section on page 1-14. Note: Do not enable Dynamic Host Configuration Protocol (DHCP) snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port. Configuring the DHCP Server. The switch can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features are enabled on your swit...

Page 663: ...e destination network segment. Using the network address enables any DHCP server to respond to requests. Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address. Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 service dhcp: Enable the DHCP server and relay agent on your switch. By default, this feature is enabled. Step 3 end: Return to...

Page 664: ...e VLAN as configured in Step 2. Step 9 end: Return to privileged EXEC mode. Step 10 show running-config: Verify your entries. Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file. Command Purpose. Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 ip dhcp snooping: Enable DHCP snooping globally. Step 3 ip dhcp snooping vlan vlan-range...

Page 665: ...VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces). (Optional) Use the override keyword when you do not want the circuit-ID suboption inserted in TLV format to define subscriber information. Step 9 ip dhcp snooping trust: (Optiona...

Page 666: ...nooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs. If DHCP snooping is already configured on the primary VLAN and you configure DHCP snooping with different settings on a secondary VLAN, the configuration for the secondary VLAN does not take effect. Y...

Page 667: ...ilename | tftp://host/filename: Specify the URL for the database agent or the binding file by using one of these forms: flash[number]:/filename ((Optional) Use the number parameter to specify the stack member number of the stack master. The range for number is 1 to 9.); ftp://user:password@host/filename; http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar; rcp://user@host/filename; tftp://host/filename. Step ...

Page 668: ...rt ACL takes precedence over any router ACLs or VLAN maps that affect the same interface. The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled. IPS...

Page 669: ...ts. The switch uses port security to filter source MAC addresses. The interface can shut down when a port security violation occurs. IP Source Guard for Static Hosts. Note: Do not use IPSG (IP source guard) for static hosts on uplink ports or trunk ports. IPSG for static hosts extends the IPSG capability to non-DHCP and static environments. The previous IPSG used the entries created by DHCP snooping to val...

Page 670: ... out dynamically learned IP address bindings. This feature can be used with DHCP snooping. Multiple bindings are established on a port that is connected to both DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database. Configuring IP Source Guard: Default IP Source Guard Configuration, page 1-18; IP Source Guard Configura...

Page 671: ...that smart logging is globally enabled. For more information about smart logging, see the Configuring Smart Logging section on page 1-14. In a switch stack, if IP source guard is configured on a stack member interface and you remove the configuration of that switch by entering the no switch stack-member-number provision global configuration command, the interface static bindings are removed from th...

Page 672: ...rd for Static Hosts on a Private VLAN Host Port, page 1-24. or ip verify source port-security: Enable IP source guard with source IP and MAC address filtering. When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command, there are two caveats: The DHCP server must support option 82, or the client is not assigned an IP address. The MAC ...

Page 673: ...4 switchport mode access: Configure a port as access. Step 5 switchport access vlan vlan-id: Configure the VLAN for this port. Step 6 ip verify source tracking port-security: Enable IPSG for static hosts with MAC address filtering. Note: When you enable both IP source guard and port security by using the ip verify source port-security interface configuration command: The DHCP server must support option 82...

Page 674: ...ess Vlan
Gi1/0/3 ip trk active 40.1.1.24 10
Gi1/0/3 ip trk active 40.1.1.20 10
Gi1/0/3 ip trk active 40.1.1.21 10
This example shows how to enable IPSG for static hosts with IP-MAC filters on a Layer 2 access port, to verify the valid IP-MAC bindings on the interface Gi1/0/3, and to verify that the number of bindings on this interface has reached the maximum.
Switch# configure terminal
Enter configura...

Page 675: ... 0001.0600.0000 8 GigabitEthernet1/0/1 INACTIVE
200.1.1.9 0001.0600.0000 8 GigabitEthernet1/0/1 INACTIVE
200.1.1.10 0001.0600.0000 8 GigabitEthernet1/0/1 INACTIVE
200.1.1.1 0001.0600.0000 9 GigabitEthernet1/0/2 ACTIVE
200.1.1.1 0001.0600.0000 8 GigabitEthernet1/0/1 INACTIVE
200.1.1.2 0001.0600.0000 9 GigabitEthernet1/0/2 ACTIVE
200.1.1.2 0001.0600.0000 8 GigabitEthernet1/0/1 INACTIVE
200.1.1.3 000...

Page 676: ...ll IP device tracking host entries for all interfaces.
Switch# show ip device tracking all count
Total IP Device Tracking Host entries: 5
Interface Maximum Limit Number of Entries
Gi1/0/3 5
Configuring IP Source Guard for Static Hosts on a Private VLAN Host Port. Note: You must globally configure the ip device tracking maximum limit-number interface configuration command globally for IPSG for static ho...

Page 677: ...0 0000.0000.0305 200 GigabitEthernet1/0/3 ACTIVE
40.1.1.21 0000.0000.0306 200 GigabitEthernet1/0/3 ACTIVE
40.1.1.22 0000.0000.0307 200 GigabitEthernet1/0/3 ACTIVE
40.1.1.23 0000.0000.0308 200 GigabitEthernet1/0/3 ACTIVE
Step 10 exit: Exit VLAN configuration mode. Step 11 interface fastEthernet interface-id: Enter interface configuration mode. Step 12 switchport mode private-vlan host: (Optional) Establis...

Page 678: ...ronments such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no guarantee that DHCP would offer the same IP address to the replacement device. Control, monitoring, and other software expect a stable IP address associated with each device. If a device is replaced, the address assignment shou...

Page 679: ...pool to preconfigured reservations (unreserved addresses are not offered to the client, and other clients are not served by the pool), you can enter the reserved-only DHCP pool configuration command. Enabling DHCP Server Port-Based Address Allocation. Beginning in privileged EXEC mode, follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifie...

Page 680: ... pool, use the no address ip-address client-id string DHCP pool configuration command. To change the address pool to nonrestricted, enter the no reserved-only DHCP pool configuration command. In this example, a subscriber identifier is automatically generated, and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead. The subscriber identifie...

Page 681: ...otal addresses: 254
Leased addresses: 0
Excluded addresses: 4
Pending event: none
1 subnet is currently in the pool:
Current index IP address range Leased Excluded Total
10.1.1.1 10.1.1.1 - 10.1.1.254 0 4 254
1 reserved address is currently in the pool:
Address Client
10.1.1.7 Et1/0
For more information about configuring the DHCP server port-based address allocation feature, go to Cisco.com and enter Cisco...

Page 682: ...1-30 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03 Chapter 1 Configuring DHCP Features and IP Source Guard Displaying DHCP Server Port-Based Address Allocation ...

Page 683: ...derstanding Dynamic ARP Inspection. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host...

Page 684: ...It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities: Intercepts all ARP requests and responses on untrusted ports. Verifies that each of these intercepted packets has a va...

Page 685: ...itch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command. Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. In Figure 1-2, assume that both Switc...

Page 686: ...d to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command. When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that st...

Page 687: ... the Configuring the Log Buffer section on page 1-13. Configuring Dynamic ARP Inspection: Default Dynamic ARP Inspection Configuration, page 1-5; Dynamic ARP Inspection Configuration Guidelines, page 1-6; Configuring Dynamic ARP Inspection in DHCP Environments, page 1-7 (required in DHCP environments); Configuring ARP ACLs for Non-DHCP Environments, page 1-9 (required in non-DHCP environments); Limiting the Rat...

Page 688: ...RSPAN destination port. A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of t...

Page 689: ... logging the contents of all packets in the log buffer; by default, all dropped packets are sent to a NetFlow collector. If you configure this feature, make sure that smart logging is globally enabled. For more information about smart logging, see the Configuring Smart Logging section on page 1-14. Configuring Dynamic ARP Inspection in DHCP Environments. This procedure shows how to configure dynamic ARP i...

Page 690: ...s are logged. Step 5 interface interface-id: Specify the interface connected to the other switch, and enter interface configuration mode. Step 6 ip arp inspection trust: Configure the connection between the switches as trusted. By default, all interfaces are untrusted. The switch does not check ARP packets that it receives from the other switch on the trusted interface; it simply forwards the packets. For u...

Page 691: ...rmit ip host sender-ip mac host sender-mac log: Permit ARP packets from the specified host (Host 2). For sender-ip, enter the IP address of Host 2. For sender-mac, enter the MAC address of Host 2. (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global conf...

Page 692: ...tate. The port remains in that state until you enable error-disabled recovery so that ports automatically emerge from this state after a specified timeout period. Step 6 ip arp inspection smartlog: Specify that whatever packets are currently being logged are also smart logged. By default, all dropped packets are logged. Step 7 interface interface-id: Specify the Switch A interface that is connected to Sw...

Page 693: ...terface configuration mode. Step 3 ip arp inspection limit {rate pps [burst interval seconds] | none}: Limit the rate of incoming ARP requests and responses on the interface. The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second. The keywords have these meanings: For rate pps, specify an upper limit for the number of incoming packets processed pe...

Page 694: ...ngs: For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performe...

Page 695: ...logs number entries and generates system messages at the configured rate. For example, if the interval rate is one entry per second, up to five system messages are generated per second in a five-member switch stack. Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional. Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2...

Page 696: ...l-match matchlog, log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ACL are logged. For acl-match none, do not log packets that match ACLs. For dhcp-bindings all, log all packets that match DHCP bindings. For dhcp-bindings none, do not...

Page 697: ...r this release. Table 1-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics. Command Description. clear ip arp inspection statistics: Clears dynamic ARP inspection statistics. show ip arp inspection statistics vlan vlan-range: Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the s...

Page 698: ...1-16 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03 Chapter 1 Configuring Dynamic ARP Inspection Displaying Dynamic ARP Inspection Information ...

Page 699: ...e same function as IGMP snooping for IPv4 traffic. For information about MLD snooping, see Chapter 1, Configuring IPv6 MLD Snooping. Note: For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the IP Multicast Routing Commands section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4. This chapter co...

Page 700: ...ich it receives an IGMP join request. The switch supports IP multicast group-based bridging rather than MAC-address-based groups. With multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously configured MAC address or to any reserved multicast MAC addresses (in the range 224.0.0.xxx), the command fails. Because the switch uses IP multicast groups, there ar...

Page 701: ...osts. It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts. Note: IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. Joining a Multicast Group. When a host connected to the sw...

Page 702: ...nformation in the IGMP report to set up a forwarding-table entry, as shown in Table 1-1, that includes the port numbers connected to Host 1 and the router. The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets...

Page 703: ... VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN. The switch forwards multicast group traffic only to those hosts listed in the forwarding table for that IP multicast group maintained by IGMP snooping. When hosts want to leave a multicast group, they can silently leave, or they can send a leave message. When the switch receives a leave message ...

Page 704: ...red from 100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration. For configuration steps, see the Configuring the IGMP Leave Timer section on page 1-11. IGMP Report Suppression. Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is no...

Page 705: ... converge if the stack master is removed. Configuring IGMP Snooping. IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on the content. These sections contain this configuration information: Default IGMP Snooping Configuration, page 1-7; Enabling or Disabling IGMP Snooping, page 1-8; Setting the Snooping Method, page 1-8; Configuring a Multicast Router Port, page 1-9; Co...

Page 706: ...nd for the specified VLAN number. Setting the Snooping Method. Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry. The switch learns of such ports through one of these methods: Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets. Listening to Cisco Group Management Protocol (CGMP) ...

Page 707: ... to alter the method in which a VLAN interface dynamically accesses a multicast router. To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command. This example shows how to configure IGMP snooping to use CGMP packets as the learning method:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
Switch ...

Page 708: ...Command Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 ip igmp snooping vlan vlan-id mrouter interface interface-id: Specify the multicast router VLAN ID and the interface to the multicast router. The VLAN ID range is 1 to 1001 and 1006 to 4094. The interface can be a physical interface or a port channel. The port-channel range is 1 to 48. Step 3 end: Return to privileged EXEC ...

Page 709: ...ediate Leave on VLAN 130:
Switch# configure terminal
Switch(config)# ip igmp snooping vlan 130 immediate-leave
Switch(config)# end
Configuring the IGMP Leave Timer. Follow these guidelines when configuring the IGMP leave timer: You can configure the leave time globally or on a per-VLAN basis. Configuring the leave time on a VLAN overrides the global setting. The default leave time is 1000 milliseconds. The ...

Page 710: ...and when a port went down without sending a leave message. If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after receiving 1 general query. If you set the count to 7, the flooding continues until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event. Beginning in privileged EXEC mode...

Page 711: ...tion command. Disabling Multicast Flooding During a TCN Event. When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding might exceed the capacity of the link and cause packet loss. You can use the ip igmp snooping tcn flood interface...

Page 712: ...ooping querier supports IGMP Versions 1 and 2. When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network. When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions: IGMP snooping is disabled in the VLAN. PIM is enabled on the SVI of the corres...

Page 713: ... supported when the query includes IGMPv3 reports. IGMP report suppression is enabled by default. When it is enabled, the switch forwards only one IGMP report per multicast router query. When report suppression is disabled, all IGMP reports are forwarded to the multicast routers. Step 4 ip igmp snooping querier query-interval interval-count: (Optional) Set the interval between IGMP queriers. The range is 1 ...

Page 714: ...laying IGMP Snooping Information. Command Purpose. show ip igmp snooping vlan vlan-id: Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. show ip igmp snooping groups count dynamic count user count: Display multicast table information for ...

Page 715: ...he other feature. However, if IGMP snooping and MVR are both enabled, MVR reacts only to join and leave messages from multicast groups configured under MVR. Join and leave messages from all other multicast groups are managed by IGMP snooping. The switch CPU identifies the MVR IP multicast streams and their associated IP multicast group in the switch forwarding table, intercepts the IGMP messages, and mod...

Page 716: ... switch stack is supported. Receiver ports and source ports can be on different switches in a switch stack. Multicast data sent on the multicast VLAN is forwarded to all MVR receiver ports across the stack. When a new switch is added to a stack, by default it has no receiver ports. If a switch fails or is removed from the stack, only those receiver ports belonging to that switch will not receive the mul...

Page 717: ...figured time period, the receiver port is removed from multicast group membership. With Immediate Leave, an IGMP query is not sent from the receiver port on which the IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency. Enable the Immediate Leave feature only on receiver ports to which a single rece...

Page 718: ... maximum number of multicast entries (MVR group addresses) that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256. Because MVR on the switch uses IP multicast addresses instead of MAC multicast addresses, aliased IP multicast addresses are allowed on the switch. However, if the switch is interoperating with Catalyst 3550 or Catalyst 3500 XL switc...

Page 719: ... a contiguous series of MVR group addresses; the range for count is 1 to 256; the default is 1. Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast address would correspond to one television channel. Step 4: mvr querytime value. (Optional) Define the maximum time to wait for IGMP...

Page 720: ...t be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN. receiver: Configure a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN...

Page 721: ...n. Step 9: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Table 1-6 Commands for Displaying MVR Information. Command / Purpose. show mvr: Displays MVR status and values for the switch: whether MVR is enabled or disabled, the multicast VLAN, the maximum (256) and current (0 through 256) number of multicast groups, the query response time, and the MVR mode. sh...

Page 722: ...2 interface can join. IGMP filtering controls only group-specific query and membership reports, including join and leave reports. It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner whether CGMP or MVR is used to forward the multicast traffic. IGMP filtering i...

Page 723: ...figured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses. Beginning in privileged EXEC mode, follow these steps to create an IGMP profile. To delete a profile, use the no ip igmp profile profile-number global configuration command. To delete an IP multicast address or range of IP multicast addresses, use the no ran...

Page 724: ...pply profiles to ports that belong to an EtherChannel port group. You can apply a profile to multiple interfaces, but each interface can have only one profile applied to it. Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port. To remove a profile from an interface, use the no ip igmp filter profile-number interface configuration command. This example shows how ...

Page 725: ...um number of IGMP groups that a Layer 2 interface can join, you can configure an interface to replace the existing group with the new group for which the IGMP report was received by using the ip igmp max-groups action replace interface configuration command. Use the no form of this command to return to the default, which is to drop the IGMP join report. Follow these guidelines when configuring the IGM...

Page 726: ... can configure the IGMP throttling action before an interface adds entries to the forwarding table. Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table. To return to the default action of dropping the report, use the no ip igmp max-groups action interface configuration command. Command / Purpose. Step 1: conf...

Page 727: ...u can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface. Table 1-8 Commands for Displaying IGMP Filtering and Throttling Configuration. Command / Purpose. show ip igmp profile profile-number: Displays the specified IGMP profile or all the IGMP profiles defined on the switch. show running-config interface interface-id: Displays the configuration of...


Page 729: ...Configuring SDM Templates. For information about IPv6 on the switch, see Chapter 1, Configuring IPv6 Unicast Routing. Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release or the Cisco IOS documentation referenced in the procedures. This chapter includes these sections: Understanding MLD Snooping, section on page 1-1; Configuring IP...

Page 730: ...nhanced snooping (MESS), which sets up IPv6 source and destination multicast address-based forwarding. MLD snooping can be enabled or disabled globally or per VLAN. When MLD snooping is enabled, a per-VLAN IPv6 multicast MAC address table is constructed in software, and a per-VLAN IPv6 multicast address table is constructed in software and hardware. The switch then performs IPv6 multicast address-based br...

Page 731: ...sing. From the received query, MLD snooping builds the IPv6 multicast address database. It detects multicast router ports, maintains timers, sets report response time, learns the querier IP source address for the VLAN, learns the querier port in the VLAN, and maintains multicast address aging. Note: When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 t...

Page 732: ...up within the VLAN is forwarded using this address. When MLD snooping is disabled, reports are flooded in the ingress VLAN. When MLD snooping is enabled, MLD report suppression, called listener message suppression, is automatically enabled. With report suppression, the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers; subsequent reports for the group are not sent to the ...

Page 733: ...nooping tcn flood query count global configuration command. The default is to send two queries. The switch also generates MLDv1 global Done messages with valid link-local IPv6 source addresses when the switch becomes the STP root in the VLAN or when it is configured by the user. This is the same as is done in IGMP snooping. MLD Snooping in Switch Stacks: The MLD IPv6 group and MAC address databases are mainta...

Page 734: ...u can enable both features at the same time on the switch. The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template. The maximum number of address entries allowed for the switch or switch stack is 1000. Table 1-1 Default MLD Snooping Configuration. Feature / Default Setting. MLD snooping (global): Disabled. MLD snooping (per VLAN): Enabled. MLD sn...

Page 735: ...outer is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4094), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the Catalyst 3750-X or 3560-X switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch. To disable MLD snooping ...

Page 736: ...eries and PIMv6 queries, you can also use the command-line interface (CLI) to add a multicast router port to a VLAN. To add a multicast router port (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch. Note: Static connections to multicast routers are supported only on switch ports. Command / Purpose. Step 1: configure terminal. Enter ...

Page 737: ...ve on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command. This example shows how to enable MLD Immediate Leave on VLAN 130:
Switch# configure terminal
Switch(config)# ipv6 mld snooping vlan 130 immediate-leave
Switch(config)# exit
Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ipv6 mld snooping vlan vlan-id mrouter interface int...

Page 738: ...o 7; the default is 2. The queries are sent 1 second apart. Step 5: ipv6 mld snooping vlan vlan-id last-listener-query-count count. (Optional) Set the last-listener query count on a VLAN basis. This value overrides the value configured globally. The range is 1 to 7; the default is 0. When set to 0, the global count value is used. Queries are sent 1 second apart. Step 6: ipv6 mld snooping last-listener-query-inte...

Page 739: ...val 2000
Switch(config)# exit
Disabling MLD Listener Message Suppression: MLD snooping listener message suppression is enabled by default. When it is enabled, the switch forwards only one MLD report per multicast router query. When message suppression is disabled, multiple MLD reports could be forwarded to the multicast routers. Beginning in privileged EXEC mode, follow these steps to disable MLD listener ...

Page 740: ...g, the switch automatically learns the interface to which a multicast router is connected. These are dynamically learned interfaces. (Optional) Enter vlan vlan-id to display information for a single VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094. show ipv6 mld snooping querier vlan vlan-id: Display information about the IPv6 address and incoming port for the most recently received MLD query message...

Page 741: ...y known devices. With CDP, network management applications can learn the device type and the Simple Network Management Protocol (SNMP) agent address of neighboring devices running lower-layer, transparent protocols. This feature enables applications to send SNMP queries to neighboring devices. CDP runs on all media that support Subnetwork Access Protocol (SNAP). Because CDP runs over the data-link layer onl...

Page 742: ...DP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed. Configuring CDP: Default CDP Configuration, page 1-2; Configuring the CDP Characteristics, page 1-2; Disabling and Enabling CDP, page 1-3; Disabling and Enabling CDP on an Interf...

Page 743: ...uch as Cisco IP Phones, regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 1, Clustering Switches, and see Getting Started with Cisco Network Assistant, available on Cisco.com. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: cdp timer seconds. (Optional) Set the transmission frequency of CD...

Page 744: ...d may cause a port to go into the err-disabled state. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: no cdp run. Disable CDP. Step 3: end. Return to privileged EXEC mode. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: cdp run. Enable CDP after disabling it. Step 3: end. ...

Page 745: ...traffic counters to zero. clear cdp table: Delete the CDP table of information about neighbors. show cdp: Display global information, such as frequency of transmissions and the holdtime for packets being sent. show cdp entry entry-name [protocol | version]: Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about whic...


Page 747: ...Configuring Storm Control: Understanding Storm Control, page 1-1; Default Storm Control Configuration, page 1-3; Configuring Storm Control and Threshold Levels, page 1-3; Default Protected Port Configuration, page 1-6. Understanding Storm Control: Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. A LAN storm occurs when p...

Page 748: ...Cisco Discovery Protocol (CDP) frames are blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked. The graph in Figure 1-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traff...

Page 749: ...ver, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points. Note: Storm control is supported on physical interfaces. You can also configure storm control on a...

Page 750: ...ising threshold level for broadcast, multicast, or unicast traffic in bits per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0. (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic...

Page 751: ...r-disabled if small frames arrive at a specified rate (threshold). You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold for packets on each interface. Packets smaller than the minimum size and arriving at a specified rate (the threshold) are dropped since the port is error-disabled. If the errdisable recovery cause small-frame global configuration...

Page 752: ...annot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device. Forwarding behavior between a protected port and a nonprotected port proceeds as usual. Because a switch stack represents a sing...

Page 753: ... interface gigabitethernet1/0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
Configuring Port Blocking: By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to...

Page 754: ...ck multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Configuring Port Security: You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined ad...

Page 755: ...MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration. Dynamic secure MAC addresses: These are dynamically configured, stored only in the address table, and removed when the switch restarts. Sticky secure MAC addresses: These can be dynamically lea...

Page 756: ...s are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. Note: We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not...

Page 757: ... The Cisco IP phone address is learned on the voice ... Table 1-1 Security Violation Mode Actions. Columns: Violation Mode / Traffic is forwarded (1) / Sends SNMP trap / Sends syslog message / Displays error message (2). Footnotes: (1) Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. (2) The switch returns an error message if you manually configure an address that would cause a s...

Page 758: ...ue overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected. The switch does not support port security aging of sticky secure MAC addresses. Table 1-3 summarizes port security compatibility with other port-based features. Table 1-3 Port Security Compatibility...

Page 759: ...ss voice. (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. See Chapter 1, Configuring the Switch SDM Template. This number is the tot...

Page 760: ... not reached its maximum limit. restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. shutdown: The interface is error-...

Page 761: ...configured for voice VLAN, configure a maximum of two secure MAC addresses. Step 9: switchport port-security mac-address sticky. (Optional) Enable sticky learning on the interface. Step 10: switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]. (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses ...

Page 762: ...nd followed by the switchport port-security command to re-enable port security on the interface. If you use the no switchport port-security mac-address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port-security command, all secure addresses on the interface, except those that were manually configured, ar...

Page 763: ...ddresses on a per-port basis. Beginning in privileged EXEC mode, follow these steps to configure port security aging. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured, and enter interface configuration mode. Step 3: switchport port-security aging {static | time time | type {absolute | inactivity}}. Enable or disable stati...

Page 764: ...itch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members. When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table. Fo...

Page 765: ...ser configured on a secure port. Configuring Protocol Storm Protection: Understanding Protocol Storm Protection, page 1-19; Default Protocol Storm Protection Configuration, page 1-20; Enabling Protocol Storm Protection, page 1-20. Understanding Protocol Storm Protection: When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These...

Page 766: ...psp global configuration command. To manually re-enable an error-disabled virtual port, use the errdisable recovery cause psp global configuration command. To disable auto-recovery of error-disabled ports, use the no errdisable recovery cause psp global configuration command. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: psp {arp | dhcp | igmp} pps value. Configure protocol ...

Page 767: ...tatus and Configuration. Command / Purpose. show interfaces [interface-id] switchport: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings. show storm-control [interface-id] [broadcast | multicast | unicast]: Displays storm control suppression levels set on all interfaces or the specified interface for the s...


Page 769: ...P-MED, and Wired Location Service, page 1-5; Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service, page 1-11. Understanding LLDP, LLDP-MED, and Wired Location Service: LLDP, page 1-1; LLDP-MED, page 1-2; Wired Location Service, page 1-3. LLDP: The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges...

Page 770: ... location information to the switch. For information, go to http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cdp_discover.html. LLDP-MED: LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches. It specifically provides support for voice over IP (VoIP) applications and provides additiona...

Page 771: ...t to send detailed inventory information about itself to the switch, including information hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID TLV. Location TLV: Provides location information from the switch to the endpoint device. The location TLV can send this information: Civic location information: Provides the civic address information and pos...

Page 772: ...e (if applicable); Device category (specified as a wired station); State (specified as new); Serial number; UDI; Model number; Time in seconds since the switch detected the association. Depending on the device capabilities, the switch obtains this client information at link down: Slot and port that was disconnected; MAC address; IP address; 802.1X username (if applicable); Device category (specified as a wired...

Page 773: ...erface. If the switchport voice vlan vlan-id is already configured on an interface, you can apply a network-policy profile on the interface. This way the interface has the voice or voice-signaling VLAN network-policy profile applied on the interface. You cannot configure static secure MAC addresses on an interface that has a network-policy profile. You cannot configure a network-policy profile on a pri...

Page 774: ...rding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to send and receive. Beginning in privileged EXEC mode, follow these steps to configure the LLDP characteristics. Note: Steps 2 through 5 are optional and can be performed in any order. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: lldp run. Enable LLDP globally on the switch. Step...

Page 775: ...isted in Table 1-2. Step 3: lldp reinit delay. (Optional) Specify the delay time in seconds for LLDP to initialize on an interface. The range is 2 to 5 seconds; the default is 2 seconds. Step 4: lldp timer rate. (Optional) Set the sending frequency of LLDP updates in seconds. The range is 5 to 65534 seconds; the default is 30 seconds. Step 5: lldp tlv-select. (Optional) Specify the LLDP TLVs to send or receive. Step ...

Page 776: ...ow these steps to create a network-policy profile, configure the policy attributes, and apply it to an interface. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode. Step 3: lldp med-tlv-select tlv. Specify the TLV to enable. Step 4: end. Return to p...

Page 777: ...application-type vlan: Specify the native VLAN for voice traffic. vlan-id: (Optional) Specify the VLAN for voice traffic. The range is 1 to 4094. cos cvalue: (Optional) Specify the Layer 2 priority class of service (CoS) for the configured VLAN. The range is 0 to 7; the default is 5. dscp dvalue: (Optional) Specify the differentiated services code point (DSCP) value for the configured VLAN. The range is 0 to 63; the de...

Page 778: ...rmation. civic-location: Specify civic location information. elin-location: Specify emergency location information (ELIN). identifier id: Specify the ID for the civic location. string: Specify the site or location information in alphanumeric format. Step 3: exit. Return to global configuration mode. Step 4: interface interface-id. Specify the interface on which you are configuring the location information, and ent...

Page 779: ...attachment: Specify the attachment notification interval. location: Specify the location notification interval. interval seconds: Duration in seconds before the switch sends the MSE the location or attachment updates. The range is 1 to 30; the default is 30. Step 4: end. Return to privileged EXEC mode. Step 5: show network-policy profile. Verify the configuration. Step 6: copy running-config startup-config. (Optio...

Page 780: ...d the display for more detailed information. show lldp traffic: Display LLDP counters, including the number of packets sent and received, the number of packets discarded, and the number of unrecognized TLVs. show location admin-tag string: Display the location information for the specified administrative tag or site. show location civic-location identifier id: Display the location information for a specific global...

Page 781: ...UDLD detects a unidirectional link, it disables the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops. Modes of Operation, page 1-1; Methods to Detect Unidirectional Links, page 1-2. Modes of Operation: UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to mis...

Page 782: ...inks, one of the ports is down while the other is up. One of the fiber strands in the cable is disconnected. In these cases, UDLD disables the affected port. In a point-to-point link, UDLD hello packets can be considered as a heartbeat whose presence guarantees the health of the link. Conversely, the loss of the heartbeat means that the link must be shut down if it is not possible to re-establish a bidi...

Page 783: ... the port is disabled. If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbors. If you enable aggressive mode, when all the neighbors of a port have aged out either in the advertisement or in the detection phase, UDLD restarts the link-up seque...

Page 784: ...al link if it is connected to a UDLD-incapable port of another switch. When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link. Caution: Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP. Table 1-1 Default UDLD Configuration. Feature / Default Setting. UDLD glo...

Page 785: ...ber-optic ports. enable: Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default. An individual interface configuration overrides the setting of the udld enable global configuration command. For more information about aggressive and normal modes, see the Modes of Operation section on page 1-1. message time message-timer-interval: Configures the period of time betwee...

Page 786: ...mand enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be enabled for UDLD, and enter interface configuration...

Page 787: ...Configuring UDLD, Displaying UDLD Status. Displaying UDLD Status: To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release. ...


Page 789: ...ed to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ...

Page 790: ...within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis. For example, in Figure 1-1, all traffic on port 5 (the source port) is mirrored to port 10 (the destination port). A network analyzer on port 10 receives all network ...

Page 791: ...B. The traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. The RSPAN traffic from the source ports or VLANs is copied into the RSPAN VLAN and forwarded over trunk ports carrying the RSPAN VLAN to a destination session monitoring the RSPAN VLAN. Each RSPAN source switch must have either ports or VLANs as RSP...

Page 792: ...re ports or one or more VLANs and send the monitored traffic to one or more destination ports. A local SPAN session is an association of a destination port with source ports or source VLANs, all on a single network device. Local SPAN does not have separate source and destination sessions. Local SPAN sessions gather a set of ingress and egress packets specified by the user and form them into a stream o...

Page 793: ...e requirements of the RSPAN VLAN, see the RSPAN VLAN section on page 1-9. Traffic monitoring in a SPAN session has these restrictions: Sources can be ports or VLANs, but you cannot mix source ports and source VLANs in the same session. The switch supports up to two local SPAN or RSPAN source sessions. You can run both a local SPAN and an RSPAN source session in the same switch or switch stack. The switch...

Page 794: ... session, you can also monitor a port or VLAN for both received and sent packets. This is the default. The default configuration for local SPAN session ports is to send all packets untagged. SPAN also does not normally monitor bridge protocol data unit (BPDU) packets and Layer 2 protocols, such as Cisco Discovery Protocol (CDP), VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), Spanning Tree Protocol (ST...

Page 795: ...outed port, or voice VLAN port. It cannot be a destination port. Source ports can be in the same or different VLANs. You can monitor multiple source ports in a single session. Source VLANs: VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN. VSPAN has these cha...

Page 796: ...configuration. When the SPAN destination configuration is removed, the port reverts to its previous configuration. If a configuration change is made to the port while it is acting as a SPAN destination port, the change does not take effect until the SPAN destination configuration has been removed. Note: Exception: When QoS is configured on the SPAN destination port, QoS takes effect immediately. If the por...

Page 797: ...king Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4094), you must manually configure all intermediate switches. It is normal to have multiple RSPAN VLANs in a network at the same time, with each RSPAN VLAN defining a network-wide RSPAN session. That is, multiple RSPAN source sessions anywhere in t...

Страница 798: ...If a physical port that belongs to an EtherChannel group is a destination port and the EtherChannel group is a source the port is removed from the EtherChannel group and from the list of monitored ports Multicast traffic can be monitored For egress and ingress port monitoring only a single unedited packet is sent to the SPAN destination port It does not reflect the number of times the multicast pa...

Страница 799: ... also true for an RSPAN session You can attach three types of FSPAN ACLs to the SPAN session IPv4 FSPAN ACL filters only IPv4 packets IPv6 FSPAN ACL filters only IPv6 packets MAC FSPAN ACL filters only non IP packets The security ACLs have higher priority than the FSPAN ACLs on a switch If FSPAN ACLs are applied and you later add more security ACLs that cannot fit in the hardware memory the FSPAN ...

Страница 800: ... or VLANs for each session You cannot mix source ports and source VLANs within a single SPAN session The destination port cannot be a source port a source port cannot be a destination port You cannot have two SPAN sessions using the same destination port When you configure a switch port as a SPAN destination port it is no longer a normal switch port only monitored traffic passes through the SPAN d...

Страница 801: ...ing SPAN configuration for the session For session_number the range is 1 to 66 Specify all to remove all SPAN sessions local to remove all local sessions or remote to remove all remote SPAN sessions Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port For session_number the range is 1 to 66 For inter...

Страница 802: ...0 1 Switch config end This example shows how to disable received traffic monitoring on port 1 which was configured for bidirectional monitoring Switch config no monitor session 1 source interface gigabitethernet1 0 1 rx The monitoring of traffic received on port 1 is disabled but traffic sent from this port continues to be monitored Step 4 monitor session session_number destination interface inter...

Страница 803: ...r all local remote Remove any existing SPAN configuration for the session Step 3 monitor session session_number source interface interface id vlan vlan id both rx tx Specify the SPAN session and the source port monitored port Step 4 monitor session session_number destination interface interface id encapsulation replicate ingress dot1q vlan vlan id isl untagged vlan vlan id vlan vlan id Specify the...

Страница 804: ...an 6 Switch config end Specifying VLANs to Filter Beginning in privileged EXEC mode follow these steps to limit SPAN source traffic to specific VLANs Step 5 end Return to privileged EXEC mode Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Comm...

Страница 805: ...PAN Configuration Guidelines section on page 1 12 apply to RSPAN As RSPAN VLANs have special properties you should reserve a few VLANs across your network for use as RSPAN VLANs do not assign access ports to these VLANs You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets Specify these ACLs on the RSPAN VLAN in the RSPAN source switches Step 5 monitor sess...

Страница 806: ... trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005 Configuring a VLAN as an RSPAN VLAN First create a new VLAN to be the RSPAN VLAN for the RSPAN session You must create the RSPAN VLAN in all switches that will participate in RSPAN If the RSPAN VLAN ID is in the normal range lower than 1005 and VTP is enabled in the network you can cr...

Страница 807: ...nter a source port or source VLAN for the RSPAN session For interface id specify the source port to monitor Valid interfaces include physical interfaces and port channel logical interfaces port channel port channel number Valid port channel numbers are 1 to 48 For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN A single session can include multiple source...

Страница 808: ... configure the RSPAN source session to limit RSPAN source traffic to specific VLANs Step 6 show monitor session session_number show running config Verify the configuration Step 7 copy running config startup config Optional Save the configuration in the configuration file Command Purpose Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 no monitor session session_numb...

Страница 809: ...r session session_number destination remote vlan vlan id Specify the RSPAN session and the destination remote VLAN RSPAN VLAN For session_number enter the session number specified in Step 3 For vlan id specify the RSPAN VLAN to carry the monitored traffic to the destination port rt group a b c to specify the ports that carry RSPAN traffic Step 6 end Return to privileged EXEC mode Step 7 show monit...

Страница 810: ... an RSPAN Destination Session section on page 1 21 This procedure assumes that the RSPAN VLAN has already been configured Step 6 monitor session session_number source remote vlan vlan id Specify the RSPAN session and the source RSPAN VLAN For session_number the range is 1 to 66 For vlan id specify the source RSPAN VLAN to monitor Step 7 monitor session session_number destination interface interfac...

Страница 811: ... id Specify the SPAN session the destination port the packet encapsulation and the incoming VLAN and encapsulation For session_number enter the number defined in Step 4 In an RSPAN destination session you must use the same session number for the source RSPAN VLAN and the destination port For interface id specify the destination interface The destination interface must be a physical interface Thoug...

Страница 812: ...ts as source ports If the session has any Catalyst 3750 or Catalyst 3750 E ports as source ports the FSPAN ACL command is rejected If the session has FSPAN ACL configured any commands including Catalyst 3750 or Catalyst 3750 E ports as source ports are rejected The Catalyst 3750 or Catalyst 3750 E ports can be added as destination ports in an FSPAN session VLAN based FSPAN sessions cannot be confi...

Страница 813: ...SPAN session and the source port monitored port For session_number the range is 1 to 66 For interface id specify the source port or the source VLAN to monitor For source interface id specify the source port to monitor Only physical interfaces are valid For vlan id specify the source VLAN to monitor The range is 1 to 4094 excluding the RSPAN VLAN Note A single session can include multiple sources p...

Страница 814: ...replicates the source interface encapsulation method If not selected the default is to send packets in native form untagged Note You can use monitor session session_number destination command multiple times to configure multiple destination ports Step 5 monitor session session_number filter ip ipv6 mac access group access list number name Specify the SPAN session the types of packets to filter and...

Страница 815: ...fic both Monitor both received and sent traffic rx Monitor received traffic tx Monitor sent traffic Step 4 monitor session session_number destination remote vlan vlan id Specify the RSPAN session and the destination RSPAN VLAN For session_number enter the number defined in Step 3 For vlan id specify the source RSPAN VLAN to monitor Step 5 vlan vlan id Enter the VLAN sub mode For vlan id specify th...

Страница 816: ...PAN and RSPAN Displaying SPAN RSPAN FSPAN and FRSPAN Status Displaying SPAN RSPAN FSPAN and FRSPAN Status To display the current SPAN RSPAN FSPAN or FRSPAN configuration use the show monitor user EXEC command You can also use the show running config privileged EXEC command to display configured sessions ...

Page 817: ...hensive network fault diagnosis, planning, and performance tuning information. Note: For complete syntax and usage information for the commands used in this chapter, see the "System Management Commands" section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4. Understanding RMON, page 1-1. Configuring RMON, page 1-2. Displaying RMON Status, page 1-6. Understanding RMON: RMON is an Inter...

Page 818: ...ecified interval, triggers an alarm at a specified value (rising threshold), and resets the alarm at another value (falling threshold). Alarms can be used with events; the alarm triggers an event, which can generate a log entry or an SNMP trap. Event (RMON group 9): Specifies the action to take when an event is triggered by an alarm. The action can be to generate a log entry or an SNMP trap. Because switches sup...

Page 819: ...rivileged EXEC mode, follow these steps to enable RMON alarms and events. This procedure is required. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string]. Set an alarm on a MIB object. For number, specify the alarm number. The range is 1 to ...

Page 820: ...d can be triggered again. Switch(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson. The following example creates RMON event number 1 by using the rmon event command. The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm. The user jjones owns the row that is created in the event table by this comman...

Page 821: ...llection history index [buckets bucket-number] [interval seconds] [owner ownername]. Enable history collection for the specified number of buckets and time period. For index, identify the RMON group of statistics. The range is 1 to 65535. (Optional) For buckets bucket-number, specify the maximum number of buckets desired for the RMON collection history group of statistics. The range is 1 to 65535. The default is ...

Page 822: ...tion stats index [owner ownername]. Enable RMON statistic collection on the interface. For index, specify the RMON group of statistics. The range is from 1 to 65535. (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics. Step 4: end. Return to privileged EXEC mode. Step 5: show running-config. Verify your entries. Step 6: show rmon statistics. Display the contents of the switch ...

Page 823: ...e 1-17. Caution: Logging messages to the console at a high rate can cause high CPU utilization and adversely affect how the switch operates. Understanding System Message Logging: By default, a switch sends the output from system messages and debug privileged EXEC commands to a logging process. Stack members can trigger system messages. A stack member that generates a system message appends its hostname i...

Page 824: ...stem messages by viewing the logs on a syslog server or by accessing the switch through Telnet, through the console port, or through the Ethernet management port. In a switch stack, all stack member consoles provide the same console output. Configuring System Message Logging: System Log Message Format, page 1-2. Default System Message Logging Configuration, page 1-4. Disabling Message Logging, page 1-4 (optio...

Page 825: ...otocol on Interface Vlan1, changed state to down. Switch-2: 00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down (2) (Switch-2). Table 1-1 System Log Message Elements: Element / Description. seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the "Enabling and Disa...

Page 826: ...essage Logging: Message logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional. Ta...

Page 827: ...e messages. This procedure is optional. Step 4: show running-config or show logging. Verify your entries. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: logging buffered [size]. Log messages to an internal buffer on the switch or on a standalone switch, or in the ...

Page 828: ...sages and debug command output is enabled, unsolicited device output appears on the console or is printed after solicited device output appears or is printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsol...

Page 829: ... line numbers is from 0 to 15. You can change the setting of all 16 vty lines at once by entering line vty 0 15. Or you can change the setting of the single vty line being used for your current connection. For example, to change the setting for vty line 2, enter line vty 2. When you enter this command, the mode changes to line configuration. Step 3: logging synchronous [level [severity-level | all] | limit number...

Page 830: ...at more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously see a single message. By default, sequence numbers in log messages are not displayed. Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global conf...

Page 831: ... global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command. Step 4: show running-config. Verify your entries. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: logging console level. Limit messages logg...

Page 832: ...ck messages displayed at the informational level. This message is only for information; switch functionality is not affected. Limiting Syslog Messages Sent to the History Table and to SNMP: If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the swi...

Page 833: ...0. You can clear the log at any time by entering the no logging enable command followed by the logging enable command to disable and re-enable logging. Use the show archive log config {all | number [end-number] | user username [session number] number [end-number] | statistics} [provisioning] privileged EXEC command to display the complete configuration log or the log for specified parameters. The default is that con...

Page 834: ...4 | interface GigabitEthernet4/0/1; 43 | 14 | temi | vty4 | switchport mode trunk; 44 | 14 | temi | vty4 | exit; 45 | 16 | temi | vty5 | interface GigabitEthernet5/0/1; 46 | 16 | temi | vty5 | switchport mode trunk; 47 | 16 | temi | vty5 | exit. Configuring UNIX Syslog Servers: The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility. Logging Messages to a UNIX Syslog Daemon: Befo...

Page 835: ... Create the log file by entering these commands at the UNIX shell prompt: $ touch /var/log/cisco.log; $ chmod 666 /var/log/cisco.log. Step 3: Make sure the syslog daemon reads the new changes: $ kill -HUP `cat /etc/syslog.pid`. For more information, see the man syslog.conf and man syslogd commands on your UNIX system. Configuring the UNIX System Logging Facility: When sending system log messages to an external device, ...

Page 836: ...art logging for these events: DHCP snooping violations; Dynamic ARP inspection violations; IP source guard denied traffic; ACL permitted or denied traffic. To use smart logging, you must first configure a NetFlow exporter that you identify when you enable smart logging. For information on configuring Cisco Flexible NetFlow, see the Cisco IOS Flexible NetFlow Configuration Guide, Release 12.4T: http://www.cisc...

Page 837: ...g. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: logging smartlog. Turn on the smart logging feature. Step 3: logging smartlog exporter exporter_name. Identify the smart log exporter. You must have already configured the exporter by using the Flexible NetFlow CLI. If the exporter name does not exist, you receive an error message. By default, the switch sends data to the co...

Page 838: ...e address other than the specified address or addresses learned through DHCP snooping are denied. You can enable IP source guard smart logging to send the contents of the denied packets to the NetFlow collector. Beginning in privileged EXEC mode, follow these steps to enable IP source guard smart logging. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip arp inspectio...

Page 839: ...o determines the type of logging. If you attach an ACL with smart log configured to a router or a VLAN, the ACL is attached, but smart logging does not take effect. If you configure logging on an ACL attached to a Layer 2 port, the logging keyword is ignored. You add the smart log configuration option when you create the permit and deny conditions for an ACL. This example enables smart logging on a numbe...

Page 840: ...1-18 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Configuring System Message Logging and Smart Logging: Displaying the Logging Configuration ...

Page 841: ...ship between the manager and the agent. The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data. An agent can send uns...

Page 842: ...packets over the network and includes these security features: Message integrity: ensuring that a packet was not tampered with in transit. Authentication: determining that the message is from a valid source. Encryption: mixing the contents of a package to prevent it from being read by an unauthorized source. Note: To select encryption, enter the priv keyword. Both SNMPv1 and SNMPv2C use a community-based fo...

Page 843: ... on the HMAC-MD5 or HMAC-SHA algorithms. SNMPv3 authPriv (MD5 or SHA; Data Encryption Standard (DES) or Advanced Encryption Standard (AES)): Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Allows specifying the User-based Security Model (USM) with these encryption algorithms: DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard; 3DES 168-bit encryption; A...

Page 844: ...write access. Read-write (RW): Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings. When a cluster is created, the command switch manages the exchange of messages among member switches and the SNMP application. The Network Assistant software appends the member switch number (@esN, where N is the switch number) to the first...

Page 845: ...teristics that make informs more reliable than traps also consume more resources in the switch and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory until a response is received or the request times out. Traps are sent only once, but an inform might be re-sent or retried several times. The retries increase traffic and contribute to a higher over...

Page 846: ...P2 module interfaces, based on type and port numbers: 10000 to 14500. Null: 10501 (nonstackable switches), 14501 (stackable switches). Loopback and Tunnel: 24567. 1. SVI = switch virtual interface. 2. SFP = small form-factor pluggable. Table 1-3 ifIndex Values (continued): Interface Type / ifIndex Range. Table 1-4 Default SNMP Configuration: Feature / Default Setting. SNMP agent: Disabled (1). 1. This is the default when the switch sta...

Page 847: ...t, the configuration command fails. When configuring SNMP informs, you need to configure the SNMP engine ID for the remote agent in the SNMP database before you can send proxy requests or informs to it. If a local user is not associated with a remote host, the switch does not send informs for the auth (authNoPriv) and the priv (authPriv) authentication levels. Changing the value of the SNMP engine ID has im...

Page 848: ...to configure a community string on the switch. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server community string [view view-name] [ro | rw] [access-list-number]. Configure the community string. Note: The @ symbol is used for delimiting the context information. Avoid using the @ symbol as part of the SNMP community string when configuring this command. For string, specify a...

Page 849: ...ws, and you can add new users to the SNMP group. Step 3: access-list access-list-number {deny | permit} source [source-wildcard]. (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary. For access-list-number, enter the access list number specified in Step 2. The deny keyword denies access if the conditions are matched. The per...

Page 850: ... priv}] [read readview] [write writeview] [notify notifyview] [access access-list]. Configure a new SNMP group on the remote device. For groupname, specify the name of the group. Specify a security model: v1 is the least secure of the possible security models. v2c is the second least secure model. It allows transmission of informs and integers twice the normal width. v3, the most secure, requires you to select an aut...

Page 851: ...ble only when the v3 keyword is specified. auth is an authentication level setting session that can be either the HMAC-MD5-96 (md5) or the HMAC-SHA-96 (sha) authentication level and requires a password string auth-password (not to exceed 64 characters). If you enter v3, you can also configure a private (priv) encryption algorithm and password string priv-password (not to exceed 64 characters). priv specifies th...

Page 852: ...anges. config: Generates a trap for SNMP configuration changes. copy-config: Generates a trap for SNMP copy configuration changes. cpu threshold: Allow CPU-related traps. entity: Generates a trap for SNMP entity changes. envmon: Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature. flash: Generates SNMP FLASH notifications. In a swi...

Page 853: ...ication type port-security, configure the port security trap first, and then configure the port security trap rate: snmp-server enable traps port-security; snmp-server enable traps port-security trap-rate rate. rtr: Generates a trap for the SNMP Response Time Reporter (RTR). snmp: Generates a trap for SNMP-type notifications for authentication, cold start, warm start, link up, or link down. storm-control: Generat...

Page 854: ... Internet address of the host (the targeted recipient). (Optional) Enter informs to send SNMP informs to the host. (Optional) Enter traps (the default) to send SNMP traps to the host. (Optional) Specify the SNMP version (1, 2c, or 3). SNMPv1 does not support informs. (Optional) For Version 3, select authentication level auth, noauth, or priv. For community-string, when version 1 or version 2c is specified, enter the passwor...

Page 855: ... informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command. Step 7: snmp-server trap-source interface-id. (Optional) Specify the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs. Step 8: snmp-server queue-length length. (Optional) Establis...

Page 856: ...lization: rising percentage: the percentage (1 to 100) of CPU resources that, when exceeded for the configured interval, sends a CPU threshold notification. interval seconds: the duration of the CPU threshold violation, in seconds (5 to 86400), that when met sends a CPU threshold notification. falling fall-percentage: the percentage (1 to 100) of CPU resources that, when usage falls below this level for the config...

Page 857: ...ftp-server-list access-list-number. Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list. For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999. Step 3: access-list access-list-number {deny | permit} source [source-wildcard]. Create a standard access list, repeating the command as many times as necessary. For access-list-n...

Page 858: ...er host cisco.com version 2c public. This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com. Switch(config)# snmp-ser...

Page 859: ...and Reference. Table 1-6 Commands for Displaying SNMP Information: Feature / Default Setting. show snmp: Displays SNMP statistics. show snmp engineID [local | remote]: Displays information on the local SNMP engine and all remote engines that have been configured on the device. show snmp group: Displays information on each SNMP group on the network. show snmp pending: Displays information on pending SNMP requests. ...


Page 861: ...mand Reference. For the complete EEM document set, see these documents in the Cisco IOS Network Management Configuration Guide: Embedded Event Manager Overview: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html. Writing Embedded Event Manager Policies Using the Cisco IOS CLI: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_cli.html. Writing Emb...

Page 862: ...occurs. The EEM policies then implement recovery based on the current state of the system and the actions specified in the policy for the given event. Figure 1-1 Embedded Event Manager Core Event Detectors. See the EEM Configuration for Cisco Integrated Services Router Platforms Guide for examples of EEM deployment. Event Detectors, page 1-3. Embedded Event Manager Actions, page 1-4. Embedded Event Manage...

Page 863: ... also publishes an event about an interface based on the rate of change for the entry and exit values. None event detector: Publishes an event when the event manager run CLI command executes an EEM policy. EEM schedules and runs policies on the basis of an event specification within the policy itself. An EEM policy must be manually identified and registered before the event manager run command execute...

Page 864: ...Cisco IOS process crosses a threshold. Memory utilization for a Cisco IOS process crosses a threshold. Two events can be monitored at the same time, and the event publishing criteria require that one or both events cross their specified thresholds. Embedded Event Manager Actions: These actions occur in response to an event: Modifying a named counter. Publishing an application-specific event. Generating a...

Page 865: ... in variables available in EEM applets. Defined by Cisco and can be read-only or read-write. The read-only variables are set by the system before an applet starts to execute. The single read-write variable, _exit_status, allows you to set the exit status for policies triggered from synchronous events. Cisco-defined environment variables and Cisco system-defined environment variables might apply to one s...

Page 866: ...7. For complete information about configuring Embedded Event Manager, see the Cisco IOS Network Management Configuration Guide, Release 12.4T. Note: To configure EEM, you must have the IP services feature set installed on the switch. Registering and Defining an Embedded Event Manager Applet: Beginning in privileged EXEC mode, perform this task to register an applet with EEM and to define the EEM applet usi...

Page 867: ...l msg msg-text. Specify the action when an EEM applet is triggered. Repeat this action to add other CLI commands to the applet. (Optional) The priority keyword specifies the priority level of the syslog messages. If selected, you need to define the priority-level argument. For msg-text, the argument can be character text, an environment variable, or a combination of the two. Step 5: end. Exit applet configurati...

Page 868: ... every hour of every day: Switch(config)# event manager environment _cron_entry 0-59/2 0-23 * 1 0-6. This example shows the sample EEM policy named tm_cli_cmd.tcl registered as a system policy. The system policies are part of the Cisco IOS image. User-defined Tcl scripts must first be copied to flash memory. Switch(config)# event manager policy tm_cli_cmd.tcl type system. Displaying Embedded Event Manager Info...

Страница 869: ...witches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag SCT Exchange Protocol SXP This feature supports security group access control lists SGACLs which define ACL policies for a group of devices instead of an IP address The SXP control protocol allows tagging packets with SCTs without a hardware upgrade and runs between access layer devices at the Cis...

Страница 870: ...cess lists on a router or Layer 3 switch to provide basic security for your network If you do not configure ACLs all packets passing through the switch could be allowed onto all parts of the network You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces For example you can allow e mail traffi...

Страница 871: ... ACL Other packets are filtered by the VLAN map When an input router ACL and input port ACL exist in an switch virtual interface SVI incoming packets received on ports to which a port ACL is applied are filtered by the port ACL Incoming routed IP packets received on other ports are filtered by the router ACL Other packets are not filtered When an output router ACL and input port ACL exist in an SV...

Страница 872: ...s way ACLs control access to a network or to part of a network Figure 1 1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs can only be applied to Layer 2 interfaces in the inbound direction ...

Страница 873: ...s the switch examines ACLs associated with features configured on a given interface However router ACLs are supported in both directions As packets enter the switch on an interface ACLs associated with all inbound features configured on that interface are examined After packets are routed and before they are forwarded to the next hop all ACLs associated with outbound features configured on the egr...

Страница 874: ... as TCP UDP and so on are considered to match the fragment regardless of what the missing Layer 4 information might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information Consider access list 102 configured with these commands applied to three fragmented packets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Sw...

Страница 875: ...ring the Switch Stack The stack master performs these ACL functions It processes the ACL configuration and propagates the information to all stack members It distributes the ACL information to any switch that joins the stack If packets must be forwarded by software for any reason for example not enough hardware resources the master switch forwards the packets only after applying ACLs on the packet...

Page 876: ...s, page 1-24. Creating Standard and Extended IPv4 ACLs. This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If n...

Page 877: ...s list. That is, any packet that matches the ACL causes an informational logging message about the packet to be sent to the console. The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages. Note: Because routing is done in hardware and logging is done in software, if a large number of packets match a permit or deny ACE containing a log ke...

Page 878: ...cess-list access-list-number {deny | permit} source [source-wildcard] [log] [smartlog]. Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent, specif...

Page 879: ...ACL to a Terminal Line section on page 1-20; to interfaces, see the Applying an IPv4 ACL to an Interface section on page 1-21; or to VLANs, see the Configuring VLAN Maps section on page 1-32. Creating a Numbered Extended ACL. Although standard ACLs use only source addresses for matching, you can use extended ACL source and destination addresses for matching operations and optional protocol type informati...

Page 880: ...ng Network Security with ACLs. Configuring IPv4 ACLs. Note: The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit. Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP ...

Page 881: ... The source is the number of the network or host from which the packet is sent. The source-wildcard applies wildcard bits to the source. The destination is the network or host number to which the packet is sent. The destination-wildcard applies wildcard bits to the destination. Source, source-wildcard, destination, and destination-wildcard can be specified as: The 32-bit quantity in dotted-decimal format ...

Page 882: ...mission Control Protocol. The parameters are the same as those described in Step 2a, with these exceptions: (Optional) Enter an operator and port to compare source (if positioned after source source-wildcard) or destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a ...

Page 883: ...precedence] [tos tos] [fragments] [log] [log-input] [smartlog] [time-range time-range-name] [dscp dscp]. (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings...

Page 884: ...s list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named access list. Note: The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advant...

Page 885: ... end. Return to privileged EXEC mode. Step 5: show access-lists [number | name]. Show the access list configuration. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip access-list extended name. Define an extended IPv4 access list using a name and enter access-list configuration mo...

Page 886: ...set the times and the dates or the days of the week in the time range. Then enter the time-range name when applying an ACL to set restrictions to the access list. You can use the time range to define when the permit or deny statements in the ACL are in effect, for example, during a specified time period or on specified days of the week. The time-range keyword and argument are referenced in the named an...

Page 887: ...tended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours: Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2006 Switch(config)# access-list 188 permit tcp any any time-range workhours Switch(config)# end Switch# show access-lists Extended IP access list 188 10 deny tcp any any ti...

Page 888: ...rmit or deny statements and some remarks after the associated statements. To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number remark remark global configuration command. To remove the remark, use the no form of this command. In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed ...

Page 889: ...ly an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic. You do not have to enable routing to apply ACLs to Layer 2 interfaces. When private VLANs are configured, you can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic. Wh...

Page 890: ...ithin a VLAN. For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet. For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch...

Page 891: ...e done by software. Because of the difference in packet-handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged. If router ACL configuration cannot be applied in hardware, packets arriving in a VLAN that must be routed are routed in software but are b...

Page 892: ...ion destination-wildcard range 115 1660 permit tcp source source-wildcard destination destination-wildcard. And if this message appears: ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]. The flag-related operators are not available. To avoid this issue: Move the fourth ACE before the first ACE by using the ip access-list resequence global configuration command: permit tcp source s...

Page 893: ... Create a standard ACL and filter traffic coming to the server from Port 1. Create an extended ACL and filter traffic coming from the server into Port 1. Figure 1-3 Using Router ACLs to Control Traffic. This example uses a standard ACL to filter traffic coming into Server B from a port, permitting traffic only from Accounting's source addresses 172.20.128.64 to 172.20.128.95. The ACL is applied to traf...

Page 894: ...gigabitethernet2/0/1 Switch(config-if)# ip access-group 2 in. Extended ACLs. In this example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback. Switch(config)# access-list 102 permit t...

Page 895: ...MP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result. Switch(config)# ip access-list extended marketing_group Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet Switch(config-ext-nacl)# deny tcp any any Switch(config-ext-nacl)...

Page 896: ...Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255. In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet: Switch(config)# ip access-list extended telnetting Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet. ACL Logging. Two variations of logging are...

Page 897: ...255(0), 1 packet 01:31:33: %SEC-6-IPACCESSLOGP: list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets. Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG, with minor variations in format depending on the kind of ACL and the access entry that has been matched. This is an example of an output message when the log-input keyword is entered: 00:04:21: %SEC-6-IPACCESSLOGDP: list inputlog pe...

Page 898: ...pe-mask | lsap lsap-mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]. In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address, and any destination MAC address, destinati...

Page 899: ...terface configuration command. This example shows how to apply MAC access list mac1 to a port to filter packets entering the port: Switch(config)# interface gigabitethernet1/0/2 Router(config-if)# mac access-group mac1 in. Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels. After rece...

Page 900: ...ep 1 Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the Creating Standard and Extended IPv4 ACLs section on page 1-8 and the Creating a VLAN Map section on page 1-34. Step 2 Enter the vlan access-map global configuration command to create a VLAN ACL map entry. Step 3 In access-map configuration mode, optionally enter an action: forward (the d...

Page 901: ...rface and you apply a VLAN map to a VLAN that the port belongs to, the port ACL takes precedence over the VLAN map. If VLAN map configuration cannot be applied in hardware, all packets in that VLAN must be bridged and routed by software. You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs. When...

Page 902: ...s to drop any IP packet that does not match any of the match clauses: Switch(config)# ip access-list extended ip1 Switch(config-ext-nacl)# permit tcp any any Switch(config-ext-nacl)# exit Switch(config)# vlan access-map map_1 10 Switch(config-access-map)# match ip address ip1 Switch(config-access-map)# action drop. Command / Purpose. Step 1 configure terminal: Enter global configuration mode. Step 2 vlan access-map ...

Page 903: ...igmp-match Switch(config-ext-nacl)# permit igmp any any Switch(config)# ip access-list extended tcp-match Switch(config-ext-nacl)# permit tcp any any Switch(config-ext-nacl)# exit Switch(config)# vlan access-map drop-ip-default 10 Switch(config-access-map)# match ip address 101 Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-ip-default 20 Switch(config)...

Page 904: ...s-map)# match ip address tcp-match Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-all-default 20 Switch(config-access-map)# match mac address good-hosts Switch(config-access-map)# action forward. Applying a VLAN Map to a VLAN. Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs. To remove the VLAN map, use th...

Page 905: ...o Host Y (IP address 10.1.1.34) at Switch A and not bridge it to Switch B. First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port: Switch(config)# ip access-list extended http Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www Switch(config-ext-nacl)# exit. Next, create VLAN access map map2 so that traffic that matches the http access list is dropped a...

Page 906: ...p SERVER1 to VLAN 10. Step 1 Define the IP ACL that will match the correct packets: Switch(config)# ip access-list extended SERVER1_ACL Switch(config-ext-nacl)# permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100 Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100 Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100 Switch(config-ext-nacl)# exit. Step 2 Define a VLAN map using this ACL that w...

Page 907: ...number of the entry within the map. The sequence number range is from 0 to 65535. When you create VLAN maps with the same name, numbers are assigned sequentially in increments of 10. When modifying or deleting maps, you can enter the number of the map entry that you want to modify or delete. Specifying the map name (and optionally a number) enters the access-map configuration mode. Step 3 action drop log S...

Page 908: ... use VLAN maps only, or a combination of router ACLs and VLAN maps. You can define router ACLs on both input and output routed VLAN interfaces, and you can define a VLAN map to access control the bridged traffic. If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied. Note: When you use router ACLs with VLAN maps, packets that requi...

Page 909: ...ull flow (source IP address, destination IP address, protocol, and protocol ports). It is also helpful to use don't-care bits in the IP address whenever possible. If you need to specify the full-flow mode and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list. This gives priority to the filtering of traffic based on IP addresses. Example...

Page 910: ...pplied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback bridged. Figure 1-7 Applying ACLs on Bridged Packets (figure labels: VLAN 10 map, Frame, Input router ACL, Output router ACL, Routing function or fallback bridge, VLAN 10, VLAN 20, Host C (VLAN 10), Host A (VLAN 10), VLAN 20 map, Packet, Fallback bridge, VLAN 10, Host A, VLA...

Page 911: ...t kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed. The packet might be routed to more than one output VLAN, in which case a different router output ACL and VLAN map would apply for each destination VLAN. The final result is that the packet might be permitted in som...

Page 912: ...N 20, VLAN 20 map, Packet (figure labels). Table 1-2 Commands for Displaying Access Lists and Access Groups. Command / Purpose. show access-lists [number | name]: Display the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named). show ip access-lists [number | name]: Display the contents of all current IP access lists or a specific IP access list (numbered or named). show ip...

Page 913: ...access maps or VLAN filters. Use the privileged EXEC commands in Table 1-3 to display VLAN map information. Table 1-3 Commands for Displaying VLAN Map Information. Command / Purpose. show vlan access-map [mapname]: Show information about all VLAN access maps or the specified access map. show vlan filter [access-map name | vlan vlan-id]: Show information about all VLAN filters or about a specified VLAN or VLAN ac...

Page 914: ...1-46 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03 Chapter 1 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ...

Page 915: ... to apply policy maps, you configure the QoS settings (such as classification, queueing, and scheduling) the same way on physical ports and SVIs. When configuring QoS on a physical port, you apply a nonhierarchical policy map. When configuring QoS on an SVI, you apply a nonhierarchical or a hierarchical policy map. Nonhierarchical policy maps are referred to as nonhierarchical single-level policy maps, and h...

Page 916: ...Layer 2 frame or a Layer 3 packet are described here and shown in Figure 1-1. Prioritization bits in Layer 2 frames: Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is in ISL frames. Layer 2 802.1Q frame headers have a 2-byte Tag Control...

Page 917: ... allocated per traffic class. The behavior of an individual device when handling traffic in the DiffServ architecture is called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct an end-to-end QoS solution. Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traf...

Page 918: ... be taken when a packet is out of profile and determines what to do with the packet (pass through a packet without modification, mark down the QoS label in the packet, or drop the packet). For more information, see the Policing and Marking section on page 1-9. Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet. Queueing...

Page 919: ...in Figure 1-3. Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate a DSCP value for the packet. Layer 2 ISL frame headers carry the CoS value in the 3 least-significant bits of the 1-byte User field. Layer 2 802.1Q frame headers carry the CoS value in the 3 most-significant bits of the Tag Control Information field. CoS values...

Page 920: ...t to trust IP precedence and generate a DSCP value for the packet by using the configurable IP-precedence-to-DSCP map. The IP Version 4 specification defines the 3 most-significant bits of the 1-byte ToS field as the IP precedence. IP precedence values range from 0 for low priority to 7 for high priority. You can also classify IP traffic based on IPv6 precedence. Trust the CoS value (if present) in the ...

Page 921: ...tion map (flowchart labels: Use the DSCP value to generate the QoS label; Read ingress interface configuration for classification; Assign DSCP identical to DSCP in packet; Check if packet came with CoS label (tag); Use the CoS value to generate the QoS label; Generate DSCP from CoS-to-DSCP map; Use the DSCP value to generate the QoS label; Yes; Read next ACL; Is there a match with a permit action?; Assign the DSCP or CoS as spec...

Page 922: ...map is a mechanism that you use to name a specific traffic flow (or class) and isolate it from all other traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it. The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP or IP precedence values. If you have more than one type of traffic that you want...

Page 923: ...fies the actions on the packet. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or modifying (marking down) the assigned DSCP of the packet and allowing the packet to pass through. The configurable policed-DSCP map provides the packet with a new DSCP-based QoS label. For information on the policed-DSCP map, see the Mapping Tables sectio...

Page 924: ...h verifies that there is enough room in the bucket. If there is not enough room, the packet is marked as nonconforming, and the specified policer action is taken (dropped or marked down). How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an upper l...

Page 925: ...rface level of the hierarchical policy map. A hierarchical policy map has two levels. The first level, the VLAN level, specifies the actions to be taken against a traffic flow on an SVI. The second level, the interface level, specifies the actions to be taken against the traffic on the physical ports that belong to the SVI and are specified in the interface-level policy map. (Flowchart labels: Yes, Yes, No, No, Pass throu...

Page 926: ...licy map only supports individual policers and does not support aggregate policers. You can configure different interface-level policy maps for each class defined in the VLAN-level policy map. See the Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 1-63 for an example of a hierarchical policy map. Figure 1-5 shows the policing and marking process whe...

Page 927: ...his map by using the mls qos map policed-dscp global configuration command. Before the traffic reaches the scheduling stage, QoS stores the packet in an ingress and an egress queue according to the QoS label. The QoS label is based on the DSCP or the CoS value in the packet and selects the queue through the DSCP input and output queue threshold maps or through the CoS input and output queue threshold...

Page 928: ...andwidth of all ports can exceed the bandwidth of the stack or internal ring, ingress queues are located after the packet is classified, policed, and marked and before packets are forwarded into the switch fabric. Because multiple ingress ports can simultaneously send packets to an egress port and cause congestion, outbound queues are located after the stack or internal ring. (Figure labels: Marker, Policer, Marker, Polic...

Page 929: ...ull state. CoS values 4 and 5 are assigned to the 60-percent threshold, and CoS values 0 to 3 are assigned to the 40-percent threshold. Suppose the queue is already filled with 600 frames, and a new frame arrives. It contains CoS values 4 and 5 and is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded, so the switch drops it. Figure 1-8 WTD and Queue ...

Page 930: ... per interface. Each interface can be uniquely configured. For more information, see the Allocating Bandwidth Between the Ingress Queues section on page 1-81, the Configuring SRR Shaped Weights on Egress Queues section on page 1-88, and the Configuring SRR Shared Weights on Egress Queues section on page 1-89. Queueing and Scheduling on Ingress Queues. Figure 1-9 and Figure 1-10 show the queueing and sche...

Page 931: ...ring (flowchart labels: Drop packet; Start; Yes; No). Table 1-1 Ingress Queue Types. Queue Type (1) / Function. (1) The switch uses two nonconfigurable queues for traffic that is essential for proper network and stack operation. Normal: User traffic that is considered to be normal priority. You can configure three different thresholds to differentiate among the flows. You can use the mls qos srr-queue input threshold, the mls qos srr-...

Page 932: ...with which to divide the ingress buffers between the two queues by using the mls qos srr-queue input buffers percentage1 percentage2 global configuration command. The buffer allocation together with the bandwidth allocation control how much data can be buffered and sent before packets are dropped. You allocate bandwidth as a percentage by using the mls qos srr-queue input bandwidth weight1 weight2 g...

Page 933: ... services it until it is empty before servicing the other three queues. Figure 1-11 Queueing and Scheduling Flowchart for Egress Ports on Catalyst 3750-X Switches (flowchart labels: Receive packet from the stack ring; Read QoS label (DSCP or CoS value); Determine egress queue number and threshold based on the label; Are thresholds being exceeded?; Send the packet out the port; Queue the packet; Service the queue accordi...

Page 934: ...The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue. The switch detects whether the target queue has not consumed more buffers than its reserved amount (under limit), whether it has consumed all of ...

Page 935: ...ace is 400, you can allocate 70 percent of it to queue 1 and 10 percent to queues 2 through 4. Queue 1 then has 280 buffers allocated to it, and queues 2 through 4 each have 40 buffers allocated to them. You can guarantee that the allocated buffers are reserved for a specific queue in a queue-set. For example, if there are 100 buffers for a queue, you can reserve 50 percent (50 buffers). The switch returns ...

Page 936: ...s not used in the ratio calculation. The expedite queue is a priority queue, and it is serviced until empty before the other queues are serviced. You enable the expedite queue by using the priority-queue out interface configuration command. You can combine the commands described in this section to prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues, by allocating a l...

Page 937: ...behavior. The switch offers best-effort service to each packet regardless of the packet contents or size and sends it from a single queue. When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet label. The switch uses the classification results to choose the appropriate egress queue. Auto-QoS supports IPv4 and IPv6 traffic when you configure the dual I...

Page 938: ...Phone, the ingress classification is set to not trust the QoS label in the packet. The policing is applied to the traffic matching the policy-map classification before the switch enables the trust boundary feature. When you enter the auto qos voip cisco-softphone interface configuration command on a port at the network edge that is connected to a device running the Cisco SoftPhone, the switch uses pol...

Page 939: ...oip-generated commands that you configured on the interface before Cisco IOS Release 12.2(55)SE migrate to the enhanced commands. Global values change with the migration of enhanced commands. For a complete list of the generated commands that are applied to the running configuration, see Table 1-5. Auto-QoS Configuration Migration. Auto-QoS configuration migration from legacy auto-QoS to enhanced auto-...

Page 940: ...ations from the interface. Global Auto-QoS Configuration. Table 1-5 Generated Auto-QoS Configuration. Description / Automatically Generated Command (voip) / Enhanced Automatically Generated Command (Video, Trust, Classify). The switch automatically enables standard QoS and configures the CoS-to-DSCP map (maps CoS values in incoming packets to a DSCP value). Switch(config)# mls qos Switch(config)# mls qos map cos-dscp ...

Page 941: ... Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7 Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 32 Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 2 3...

Page 942: ...p queue 4 threshold 2 9 10 11 12 13 14 15 Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7 Switch(config)# no mls qos srr-queue output dscp-map Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45 46 47 Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23 Switch(config)# mls qos srr-queue o...

Page 943: ...3 Switch(config)# no mls qos srr-queue input priority-queue 1 Switch(config)# no mls qos srr-queue input priority-queue 2 Switch(config)# mls qos srr-queue input bandwidth 70 30 Switch(config)# mls qos srr-queue input threshold 1 80 90 Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 30. The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SR...

Page 944: ...h(config)# class-map match-all AutoQoS-VoIP-Control-Trust Switch(config-cmap)# match ip dscp cs3 af31 Switch(config)# policy-map AutoQoS-Police-CiscoPhone Switch(config-pmap)# class AutoQoS-VoIP-RTP-Trust Switch(config-pmap-c)# set dscp ef Switch(config-pmap-c)# police 320000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AutoQoS-VoIP-Control-Trust Switch(config-pmap-c)# set dscp cs3 Switch(c...

Page 945: ...onfig-pmap-c)# set dscp af21 Switch(config-pmap)# class AUTOQOS_SCAVANGER_CLASS Switch(config-pmap-c)# set dscp cs1 Switch(config-pmap)# class AUTOQOS_SIGNALING_CLASS Switch(config-pmap-c)# set dscp cs3 Switch(config-pmap)# class AUTOQOS_DEFAULT_CLASS Switch(config-pmap-c)# set dscp default Switch(config-if)# service-policy input AUTOQOS-SRND4-CLASSIFY-POLICY. If you entered the auto qos classify police command, th...

Page 946: ...g-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit Switch(config-pmap)# class AUTOQOS_DEFAULT_CLASS Switch(config-pmap-c)# set dscp default Switch(config-pmap-c)# police 10000000 8000 exceed-action policed-dscp-transmit Switch(config-if)# service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY. This is the enhanced configuration for the auto qos voip cisco-softphone command: Switch(config)# mls qos m...

Page 947: ...nds were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden...

Page 948: ...figuration command is generated as a result of enhanced auto-QoS configuration. If the legacy auto qos voip commands are executed on the switch and the mls qos command is disabled, the enhanced auto-QoS configuration is generated. Otherwise, legacy auto-QoS commands are executed. Enabling Auto-QoS. For optimum QoS performance, enable auto-QoS on all the devices in your network. Beginning in privileged EXE...

Page 949: ...ot changed. Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing). auto qos video {cts | ip-camera | media-player} or Enable auto-QoS for a video device. cts: A port connected to a Cisco TelePresence system. ip-camera: A port connected to an IP camera. media-player: A port connected to a CDP-capable Cisco digital media player. QoS la...

Page 950: ...t these commands, see the command reference for this release. Configuring Standard QoS. Before configuring standard QoS, you must have a thorough understanding of these items: The types of applications used and the traffic patterns on your network. Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams? Bandwidth requirements a...

Page 951: ... Configuration section on page 1-37 and the Default Egress Queue Configuration section on page 1-38. Default Ingress Queue Configuration. Table 1-6 shows the default ingress queue configuration when QoS is enabled. Table 1-7 shows the default CoS input queue threshold map when QoS is enabled. Table 1-8 shows the default DSCP input queue threshold map when QoS is enabled. Table 1-6 Default Ingress Queue...

Page 952: ...e 3 / Queue 4. Buffer allocation: 25 percent / 25 percent / 25 percent / 25 percent. WTD drop threshold 1: 100 percent / 200 percent / 100 percent / 100 percent. WTD drop threshold 2: 100 percent / 200 percent / 100 percent / 100 percent. Reserved threshold: 50 percent / 50 percent / 50 percent / 50 percent. Maximum threshold: 400 percent / 400 percent / 400 percent / 400 percent. SRR shaped weights (absolute) (1). (1) A shaped weight of zero mea...

Страница 953: ...tion on page 1 40 Policing Guidelines section on page 1 41 General QoS Guidelines section on page 1 41 QoS ACL Guidelines These are the guidelines with for configuring QoS with access control lists ACLs It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS IP fragments are sent as best effort IP fragments are denoted by fields in the IP header Only one ACL per...

Страница 954: ...ierarchical policy map The switch does not support aggregate policers in hierarchical policy maps After the hierarchical policy map is attached to an SVI the interface level policy map cannot be modified or removed from the hierarchical policy map A new interface level policy map also cannot be added to the hierarchical policy map If you want these changes to occur the hierarchical policy map must...

Страница 955: ...he same nonhierarchical policy map However you cannot use the aggregate policer across different policy maps On a port configured for QoS all traffic received through the port is classified policed and marked according to the policy map attached to the port On a trunk port configured for QoS traffic in all VLANs received through the port is classified policed and marked according to the policy map...

Страница 956: ...erface level of a hierarchical policy map on an SVI Use the no mls qos vlan based interface configuration command to disable VLAN based QoS on the physical port Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 mls qos Enable QoS globally QoS runs with the default settings described in the Default Standard QoS Configuration section on page 1 37 the Queueing and Sched...

Страница 957: ...e page 1 44 Configuring a Trusted Boundary to Ensure Port Security page 1 45 Enabling DSCP Transparency Mode page 1 46 Configuring the DSCP Trust State on a Port Bordering Another QoS Domain page 1 47 Configuring the Trust State on Ports within the QoS Domain Packets entering a QoS domain are classified at the edge of the QoS domain When the packets are classified at the edge the switch port withi...

Страница 958: ...erfaces are physical ports Step 3 mls qos trust cos dscp ip precedence Configure the port trust state By default the port is not trusted If no keyword is specified the default is dscp The keywords have these meanings cos Classifies an ingress packet by using the packet CoS value For an untagged packet the port default CoS value is used The default port CoS value is 0 dscp Classifies an ingress pac...

Страница 959: ...sses the telephone and connects the PC directly to the switch Without trusted boundary the CoS labels generated by the PC are trusted by the switch because of the trusted CoS setting By contrast trusted boundary uses CDP to detect the presence of a Cisco IP Phone such as the Cisco IP Phone 7910 7935 7940 and 7960 on a switch port If the telephone is not detected the trusted boundary feature disabl...

Страница 960: ...ip dscp command the switch does not modify the DSCP field in the incoming packet and the DSCP field in the outgoing packet is the same as that in the incoming packet Note Enabling DSCP transparency does not affect the port trust settings on IEEE 802 1Q tunneling ports Command Purpose Step 1 configure terminal Enter global configuration mode Step 2 cdp run Enable CDP globally By default CDP is enab...
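The following is an added example, not configuration taken from the guide, that puts the trusted-boundary procedure above into a single phone-port configuration and contrasts it with unconditional CoS trust. The interface name, the VLAN numbers, and the assumption that a Cisco IP Phone with a PC behind it is attached are all assumptions made for the example.

```cisco
! Added example (not from the guide): access port for a Cisco IP Phone with a PC
! behind it. Assumes GigabitEthernet1/0/5, data VLAN 10, voice VLAN 100.
Switch# configure terminal
Switch(config)# mls qos
! Trusted boundary relies on CDP to see the phone; CDP is on by default,
! but it must not have been disabled globally or on this port.
Switch(config)# cdp run
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 100
Switch(config-if)# cdp enable
!
! Weak setting: trust CoS unconditionally. If the phone is unplugged and a
! PC is cabled straight to this port, the PC's own 802.1p tags (for example
! CoS 5) are accepted and its traffic lands in the priority queue.
Switch(config-if)# mls qos trust cos
!
! Corrected setting: keep trusting CoS, but only while CDP reports a Cisco
! phone on the port. When no phone is detected the port reverts to the
! untrusted state and ingress frames are reclassified with the port CoS (0).
Switch(config-if)# mls qos trust device cisco-phone
Switch(config-if)# end
!
! Check: "trust device: cisco-phone" and the current trust state appear here.
Switch# show mls qos interface gigabitethernet1/0/5
```

When the phone is absent, the second command overrides the first for as long as CDP sees no Cisco phone; removing only the mls qos trust device line silently returns the port to unconditional CoS trust, so the two lines should be reviewed together in change control.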

Page 961: ...transparency is still enabled. Configuring the DSCP Trust State on a Port Bordering Another QoS Domain: If you are administering two separate QoS domains between which you want to implement QoS features for IP traffic, you can configure the switch ports bordering the domains to a DSCP-trusted state, as shown in Figure 1-15. Then the receiving port accepts the DSCP-trusted value and avoids the classific...

Page 962: ...n
Switch(config-if)# end
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp. Modify the DSCP-to-DSCP mutation map. The default DSCP-to-DSCP mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. For dscp-mutation-name, enter the mutation map name. You can create more than one map b...

Page 963: ...s. You can classify non-IP traffic by using Layer 2 MAC ACLs. Note: IPv6 ACLs are not supported on switches running the LAN base feature set. Creating an IP Standard ACL: Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IPv4 traffic. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: access-list access-list-number {deny | permit} source [sour...

Page 964: ...ng the command as many times as necessary. For access-list-number, enter the access list number. The range is 100 to 199 and 2000 to 2699. Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if the conditions are matched. For protocol, enter the name or number of an IP protocol. Use the question mark (?) to see a list of...

Page 965: ...IM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:
Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
Creating an IPv6 ACL: Note: IPv6 ACLs are not supported on switches running the LAN base feature set. Beginning in privileged EXEC mode, follow these steps to create an IPv6 ACL for IPv6 traffic. Note: Before creating IPv6 ACLs, you must enable a dual...

Page 966: ...For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator follows the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator follows the destination-ipv6-prefix/prefix-length argument, it must match the destination port. (Optional) Th...

Page 967: ...are matched, entering the command as many times as necessary. For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0, source-wildcard ffff.ffff.ffff, or by using the host keyword for source 0.0.0. For mask, enter the wildcard bits by placing ones in the bit...

Page 968: ...ation command. For more information, see the Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps section on page 1-58 and the Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps section on page 1-63. Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic. Command / Purpose...

Page 969: ...lt is match-all. Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same. See the Creating Named Standard and Extended ACLs section on page 1-16 for limitations when using the match-all and the match-any keywords. Step 4: match protocol {ip | ipv6}. (Optional) Specify the IP protocol to which the class map applies. Use the argument ip to specify IP...

Page 970: ...(config-cmap)# end
Switch#
This example shows how to create a class map called class3, which matches incoming traffic with IP precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
Step 5: match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}. Define the match criterion to classify traffic...

Page 971: ...figuration mode. Step 2: class-map match-all class-map-name. Create a class map, and enter class-map configuration mode. By default, no class maps are defined. When you use the match protocol command, only the match-all keyword is supported. For class-map-name, specify the name of the class map. If neither the match-all nor the match-any keyword is specified, the default is match-all. Step 3: match protocol {ip | ipv6}...

Page 972: ...lass map that applies to both IPv4 and IPv6 traffic (the ACLs are created with the numbered IPv4 and named IPv6 ACL commands; the guide's listing abbreviated both):
Switch(config)# access-list 101 permit ip any any
Switch(config)# ipv6 access-list ipv6-any
Switch(config-ipv6-acl)# permit ipv6 any any
Switch(config-ipv6-acl)# exit
Switch(config)# class-map cm-1
Switch(config-cmap)# match access-group 101
Switch(config-cmap)# exit
Switch(config)# class-map cm-2
Switch(config-cmap)# match access-group name ipv6-any
Switch(config-cmap)# exit
Switch(config)# policy-map pm1
Switch(con...

Page 973: ...e IP-precedence-to-DSCP map. If you want the egress DSCP value to be different than the ingress value, use the set dscp new-dscp policy-map class configuration command. If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration. You can use the set ip precedence or the set precedence policy-map class configuration command to change the packet IP...

Page 974: ...ss map is supported, the match-all and match-any keywords function the same. See the Creating Named Standard and Extended ACLs section on page 1-16 for limitations when using the match-all and the match-any keywords. Step 3: policy-map policy-map-name. Create a policy map by entering the policy map name, and enter policy-map configuration mode. By default, no policy maps are defined. The default behavior o...

Page 975: ...alue; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map. For more information, see the Configuring the CoS-to-DSCP Map section on page 1-73. Step 6: set {dscp new-dscp | ip precedence new-precedence}. Classify IP traffic by setting a new value in the packet. For dscp new-dscp, enter a new DSCP v...

Page 976: ...(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input flow1t
This example shows how to create a Layer 2 MAC ACL with two permit statements and attach it to an ingress port. The first permit statement allows traffic from the host with MAC address 0001...

Page 977: ...(config-pmap-c)# set dscp 4
Switch(config-pmap-c)# exit
Switch(config-pmap)# class cm-2
Switch(config-pmap-c)# set dscp 6
Switch(config-pmap-c)# exit
Switch(config-pmap)# class class-default
Switch(config-pmap-c)# set dscp 10
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface G0/1
Switch(config-if)# switchport mode access
Switch(config-if)# service-policy input pm1
Classifying, Policing, and Marking...

Page 978: ...recedence value. This setting appears as set ip precedence in the switch configuration. If VLAN-based QoS is enabled, the hierarchical policy map supersedes the previously configured port-based policy map. The hierarchical policy map is attached to the SVI and affects all traffic in the VLAN. The actions specified in the VLAN-level policy map affect the traffic belonging to the SVI. The police action on...

Page 979: ...atch-any keyword to perform a logical OR of all matching statements under this class map. One or more match criteria must be matched. For class-map-name, specify the name of the class map. If neither the match-all nor the match-any keyword is specified, the default is match-all. Note: Because only one match command per class map is supported, the match-all and match-any keywords function the same. See the Creat...

Page 980: ...all keyword to perform a logical AND of all matching statements under this class map. All match criteria in the class map must be matched. (Optional) Use the match-any keyword to perform a logical OR of all matching statements under this class map. One or more match criteria must be matched. For class-map-name, specify the name of the class map. If neither the match-all nor the match-any keyword is specified, t...

Page 981: ...when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value by using the policed-DSCP map and to send the packet. For more information, see the Configuring the Policed-DSCP Map section on page 1-75. Step 14: exit. Return to policy-map configuration mode. Step 15: exit. Return to global configuration mod...

Page 982: ...e ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map. For more information, see the Configuring the CoS-to-DSCP Map section on page 1-73. Step 19...

Page 983: ...ccess 101
Switch(config-cmap)# exit
Switch(config)# exit
Switch#
This example shows how to attach the new map to an SVI:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# class-map cm-interface-1
Switch(config-cmap)# match input-interface gigabitethernet3/0/1 gigabitethernet3/0/2
Switch(config-cmap)# exit
Switch(config)# policy-map port-plcmap
Switch(config-pmap)# cl...
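The guide's SVI example above is cut off before the policer, the parent policy map, and the per-port enablement, so the following is an added, complete example (not the guide's own listing) of the hierarchical policy-map procedure: a VLAN-level policy that marks voice traffic, an interface-level child policy that polices it per physical port, and the mls qos vlan-based step without which the SVI policy is ignored. VLAN 20, the two port names, the 10.20.0.0/24 source range, the RTP port range, and the policer rate are assumptions made for the example.

```cisco
! Added example (not from the guide): VLAN-based QoS with a hierarchical policy map.
! Assumes SVI interface vlan 20, access ports Gi1/0/10 and Gi1/0/11 in VLAN 20,
! and phones in 10.20.0.0/24 sending RTP in UDP 16384-32767.
Switch# configure terminal
Switch(config)# mls qos
!
! VLAN-level (parent) classification: one match statement per class map.
Switch(config)# ip access-list extended VOICE-RTP
Switch(config-ext-nacl)# permit udp 10.20.0.0 0.0.0.255 any range 16384 32767
Switch(config-ext-nacl)# exit
Switch(config)# class-map match-all cm-voice
Switch(config-cmap)# match access-group name VOICE-RTP
Switch(config-cmap)# exit
!
! Interface-level (child) class: the only match allowed here is the list of
! physical ports the policer applies to.
Switch(config)# class-map match-all cm-ports
Switch(config-cmap)# match input-interface gigabitethernet1/0/10 gigabitethernet1/0/11
Switch(config-cmap)# exit
!
! Child policy map: police per port. Aggregate policers are not allowed here.
Switch(config)# policy-map port-policer
Switch(config-pmap)# class cm-ports
Switch(config-pmap-c)# police 2000000 16000 exceed-action drop
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
! Parent policy map: mark the class, then hand the per-port policing to the child.
! Once this map is attached to the SVI, the child cannot be changed in place;
! detach the parent first.
Switch(config)# policy-map vlan-policy
Switch(config-pmap)# class cm-voice
Switch(config-pmap-c)# set dscp 46
Switch(config-pmap-c)# service-policy port-policer
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
!
! Attach to the SVI, then switch the member ports to VLAN-based QoS. A port left
! in the default (port-based) mode keeps using whatever policy map is on the port.
Switch(config)# interface vlan 20
Switch(config-if)# service-policy input vlan-policy
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet1/0/10 - 11
Switch(config-if-range)# mls qos vlan-based
Switch(config-if-range)# end
!
! Check: the class counters and the policer appear per SVI.
Switch# show policy-map interface vlan 20
```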

Page 984: ...configure a class map to match IP DSCP and IPv6:
Switch(config)# class-map cm-1
Switch(config-cmap)# match ip dscp 10
Switch(config-cmap)# match protocol ipv6
Switch(config-cmap)# exit
Switch(config)# class-map cm-2
Switch(config-cmap)# match ip dscp 20
Switch(config-cmap)# match protocol ip
Switch(config-cmap)# exit
Switch(config)# policy-map pm1
Switch(config-pmap)# class cm-1
Switch(config-pmap-c)# set dscp 4
Switch...

Page 985: ...l. Enter global configuration mode. Step 2: mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}. Define the policer parameters that can be applied to multiple traffic classes within the same policy map. By default, no aggregate policer is defined. For information on the number of policers supported, see the Standard QoS Configuration Guidelines sec...

Page 986: ...(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# class-map ipclass2
Switch(config-cmap)# match access-group 2
Switch(config-cmap)# exit
Switch(config)# policy-map aggflow1
Switch(config-pmap)# class ipclass1
Step 4: policy-map policy-map-name. Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the Classifying, Policing, and Mar...

Page 987: ...DSCP Map, page 1-73 (optional); Configuring the IP-Precedence-to-DSCP Map, page 1-74 (optional); Configuring the Policed-DSCP Map, page 1-75 (optional, unless the null settings in the map are not appropriate); Configuring the DSCP-to-CoS Map, page 1-76 (optional); Configuring the DSCP-to-DSCP Mutation Map, page 1-77 (optional, unless the null settings in the map are not appropriate). All the maps except the DSCP-to-DSC...

Page 988: ...o map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic. Table 1-13 shows the default IP-precedence-to-DSCP map. If these values are not appropriate for your network, you need to modify them. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos map cos-dscp dscp1...dscp8. Modify the CoS-to-DSCP ma...

Page 989: ...ow these steps to modify the policed-DSCP map. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos map ip-prec-dscp dscp1...dscp8. Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63. Step 3: end. Return...

Page 990: ...[policed-DSCP map example, continued; d1 is the row, d2 the column 0 through 9]
4: ...8 49
5: 00 00 00 00 00 00 00 00 58 59
6: 60 61 62 63
Note: In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an original DSCP value of 53...

Page 991: ...map, a DSCP value of 08 corresponds to a CoS value of 0. Configuring the DSCP-to-DSCP Mutation Map: If two QoS domains have different DSCP definitions, use the DSCP-to-DSCP mutation map to translate one set of DSCP values to match the definition of another domain. You apply the DSCP-to-DSCP mutation map to the receiving port (ingress mutation) at the boundary of a QoS administrative domain. With ingress...

Page 992: ...[DSCP-to-DSCP mutation map example, continued; d1 is the row, d2 the column 0 through 9]
0: ...00 00 00 00 00 10 10
1: 10 10 10 10 14 15 16 17 18 19
2: 20 20 20 23 24 25 26 27 28 29
3: 30 30 30 30 30 35 36 37 38 39
4: 40 41 42 43 44 45 46 47 48 49
5: 50 51 52 53 54 55 56 57 58 59
6: 60 61 62 63
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp. Modify the DSCP-to-DSCP mutation map. For dscp-mutation-nam...
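The following is an added example (not the guide's own listing) that combines the two passages on the DSCP-trusted boundary port and the DSCP-to-DSCP mutation map: the receiving port trusts DSCP, a named ingress mutation map rewrites the neighboring domain's values into the local ones, and a range the neighbor should never be sending with elevated priority is collapsed to 0 instead of being trusted as-is. The port name, the map name, and the DSCP values of both domains are assumptions made for the example.

```cisco
! Added example (not from the guide): uplink Gi1/0/24 faces a partner QoS domain.
! Assumed partner markings: voice = DSCP 40, network control = DSCP 56.
! Assumed local markings:   voice = DSCP 46 (EF), network control = DSCP 48 (CS6).
Switch# configure terminal
Switch(config)# mls qos
!
! Ingress mutation map. Values not listed map to themselves (null map), so
! anything the partner sends that is not rewritten here is trusted unchanged.
Switch(config)# mls qos map dscp-mutation partner-in 40 to 46
Switch(config)# mls qos map dscp-mutation partner-in 56 to 48
! Up to eight in-dscp values per line: values the partner has no business
! marking high (the 32-39 block in the assumed scheme) are reset to best effort.
Switch(config)# mls qos map dscp-mutation partner-in 32 33 34 35 36 37 38 39 to 0
!
! The map only takes effect on a port that trusts DSCP.
Switch(config)# interface gigabitethernet1/0/24
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos dscp-mutation partner-in
Switch(config-if)# end
!
! Check: the matrix should show 40->46, 56->48 and 32-39->00, all else identity.
Switch# show mls qos maps dscp-mutation partner-in
Switch# show mls qos interface gigabitethernet1/0/24
```

The mutation map is consulted before the rest of the ingress pipeline, so the 46 and 48 produced here are what the local policed-DSCP and DSCP-to-CoS maps see, not the partner's original values.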

Page 993: ...need to perform all of the tasks in the next sections. You will need to make decisions about these characteristics: which packets are assigned by DSCP or CoS value to each queue; what drop percentage thresholds apply to each queue, and which CoS or DSCP values map to each threshold; how much of the available buffer space is allocated between the queues; how much of the available bandwidth is allocated...

Page 994: ...to queue 1 and threshold 1; CoS value 5 is mapped to queue 2 and threshold 1. For queue-id, the range is 1 to 2. For threshold-id, the range is 1 to 3. The drop-threshold percentage for threshold 3 is predefined; it is set to the queue-full state. For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63. For cos1...cos8, enter up to eight values, and separate each val...

Page 995: ...default setting, use the no mls qos srr-queue input buffers global configuration command. This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:
Switch(config)# mls qos srr-queue input buffers 60 40
Allocating Bandwidth Between the Ingress Queues: You need to specify how much of the available bandwidth is allocated betw...

Page 996: ...mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos srr-qu...

Page 997: ...xt sections. You will need to make decisions about these characteristics: which packets are mapped by DSCP or CoS value to each queue and threshold ID; what drop percentage thresholds apply to the queue-set (four egress queues per port), and how much reserved and maximum memory is needed for the traffic type; how much of the fixed buffer space is allocated to the queue-set; does the bandwidth of the port...

Page 998: ...disabled and the SRR shaped and shared weights are configured, the shaped mode overrides the shared mode for queue 1, and SRR services this queue in shaped mode. If the egress expedite queue is disabled and the SRR shaped weights are not configured, SRR services this queue in shared mode. Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set: You can guarantee the availability o...

Page 999: ...the WTD thresholds, guarantee the availability of buffers, and configure the maximum memory allocation for the queue-set (four egress queues per port). By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 200 percent. The reserved thresholds for queues 1, 2, 3, and 4 are set to 50 percent. The maximum thresholds for all queues are set to 400 percen...

Page 1000: ...the maximum memory that this queue can have before packets are dropped:
Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# queue-set 2
Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID: You can prioritize traffic by placing packets with particul...

Page 1001: ...4 and threshold 1; DSCP values 40-47 are mapped to queue 1 and threshold 1. By default, CoS values 0 and 1 are mapped to queue 2 and threshold 1; CoS values 2 and 3 are mapped to queue 3 and threshold 1; CoS values 4, 6, and 7 are mapped to queue 4 and threshold 1; CoS value 5 is mapped to queue 1 and threshold 1. For queue-id, the range is 1 to 4. For threshold-id, the range is 1 to 3. The drop-threshold per...

Page 1002: ...h is 12.5 percent:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port of the outbound traffic, and enter interface configuration mode. Step 3: srr-queue bandwidth shape weight1 weight2 weight3 weight4. Assign SRR weights to the egress queu...

Page 1003: ...the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice the bandwidth of queue 2, and one and a third times the bandwidth of queue 3:
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# srr...

Page 1004: ...your QoS solution. Beginning in privileged EXEC mode, follow these steps to limit the bandwidth on an egress port. This procedure is optional. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: mls qos. Enable QoS on a switch. Step 3: interface interface-id. Specify the egress port, and enter interface configuration mode. Step 4: priority-queue out. Enable the egress expedite qu...
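The egress-queueing steps above (queue-set buffers and thresholds, shared SRR weights, the expedite queue, and the port bandwidth limit) are shown one command at a time in the guide; the following added example (not the guide's own listing) applies them together to one uplink so the interactions are visible. The port name, the queue-set values, the weights, and the 80 percent limit are assumptions made for the example.

```cisco
! Added example (not from the guide): egress queueing on uplink Gi1/0/48.
Switch# configure terminal
Switch(config)# mls qos
!
! Queue-set 2: give queue 1 (where CoS 5 / DSCP 40-47 land by default) the
! largest buffer share; the remaining queues split the rest equally.
Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
! Per-queue thresholds: drop-threshold1 drop-threshold2 reserved maximum.
! Queue 1 keeps 100 percent reserved so expedite traffic never waits on the
! common pool; queue 2 (best effort, CoS 0/1) may grow to 200 percent.
Switch(config)# mls qos queue-set output 2 threshold 1 100 100 100 100
Switch(config)# mls qos queue-set output 2 threshold 2 70 100 50 200
!
Switch(config)# interface gigabitethernet1/0/48
Switch(config-if)# queue-set 2
! Shared weights. With priority-queue out enabled, the first weight is
! ignored and queue 1 is served until empty; queues 2-4 then share what is
! left as 30/60, 20/60 and 10/60.
Switch(config-if)# srr-queue bandwidth share 1 30 20 10
Switch(config-if)# priority-queue out
! Cap total egress at roughly 80 percent of line rate (range 10 to 90).
Switch(config-if)# srr-queue bandwidth limit 80
Switch(config-if)# end
!
! Checks: the queue-set in use, its thresholds, and the per-queue weights.
Switch# show mls qos queue-set 2
Switch# show mls qos interface gigabitethernet1/0/48 queueing
```

Because the expedite queue is strict-priority, whatever is mapped into queue 1 can starve the other queues if its source is not policed upstream; the trusted-boundary and policing steps earlier in the chapter are what keep untrusted hosts out of that queue.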

Page 1005: ...class maps, which define the match criteria to classify traffic. show mls qos: Display global QoS configuration information. show mls qos aggregate-policer [aggregate-policer-name]: Display the aggregate policer configuration. show mls qos input-queue: Display QoS settings for the ingress queues. show mls qos interface [interface-id] [buffers | policers | queueing | statistics]: Display QoS information at the port lev...

Page 1006: ...1-92 Catalyst 3750-X and 3560-X Switch Software Configuration Guide OL-25303-03 Chapter 1 Configuring QoS Displaying Standard QoS Information...

Page 1007: ...and to a Catalyst 3750-X switch stack. Note: To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch. You select the template by entering the sdm prefer dual-ipv4-and-ipv6 {default | routing | vlan} global configuration command. For related information, see these chapters: For more information about SDM templates, see Chapter 1, Configuring SDM Templates. For...

Page 1008: ...ace. As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs. When an input router ACL and an input port ACL exist in an SVI, packets received on ports to which a port ACL is applied are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered. When an output router ACL and an input port ACL exist in an SVI, packets received on...

Page 1009: ...supported only on switch stacks. Switches support only control-plane (incoming) IPv6 ACLs. When configuring an ACL, there is no restriction on keywords entered in the ACL, regardless of whether or not they are supported on the platform. When you apply the ACL to an interface that requires hardware forwarding (physical ports or SVIs), the switch checks to determine whether or not the ACL can be supported on...

Page 1010: ...igured or applied. Interaction with Other Features and Switches: If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame. If a bridged frame is to be dropped due to a port ACL, the frame is not bridged. You can create both IPv4 and IPv6 ACLs on a s...

Page 1011: ...ipv6-address or destination-ipv6-address, enter the source or destination IPv6 host address for which to set deny or permit conditions, specified in hexadecimal using 16-bit values between colons. (Optional) For operator, specify an operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range. If the operator f...

Page 1012: ...tor [port-number]] [dscp value] [log] [log-input] [neq {port | protocol}] [range {port | protocol}] [routing] [sequence value] [time-range name]. (Optional) Define a UDP access list and the access conditions. Enter udp for the User Datagram Protocol. The UDP parameters are the same as those described for TCP, except that the operator [port] port number or name must be a UDP port number or name, and the established parameter is not v...

Page 1013: ...to inbound management traffic on Layer 3 interfaces. Beginning in privileged EXEC mode, follow these steps to control access to an interface. Step 5: show ipv6 access-list. Verify the access list configuration. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose: Step 1: configure terminal. Enter global configuration mode. Step 2: in...

Page 1014: ...w access-lists privileged EXEC command. The output shows all access lists that are configured on the switch or switch stack:
Switch# show access-lists
Extended IP access list hello
    10 permit ip any any
IPv6 access list ipv6
    permit ipv6 any any sequence 10
This is an example of the output from the show ipv6 access-list privileged EXEC command. The output shows only IPv6 access lists configured on the...
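The IPv6 ACL steps above end with a permit-everything list; the following is an added example (not the guide's own listing) of an inbound IPv6 port ACL on a host-facing access port that uses the documented syntax (named list, sequence numbers, prefix sources, the eq operator) and handles the one ordering trap a practitioner hits with IPv6 ACLs on IOS: an explicit deny ipv6 any any at the end also removes the neighbor-discovery permits that IOS otherwise applies implicitly, so they must be written out. The port name, the two prefixes, and the decision to block SSH toward the management network are assumptions made for the example; the dual IPv4 and IPv6 SDM template is assumed to be active already.

```cisco
! Added example (not from the guide): inbound IPv6 port ACL on host port Gi1/0/7.
! Assumes the port's VLAN prefix is 2001:db8:10::/64 and the management
! network is 2001:db8:1::/64; the dual-ipv4-and-ipv6 SDM template is active.
Switch# configure terminal
Switch(config)# ipv6 access-list HOST-IN
! Hosts on an access port must not originate router advertisements.
Switch(config-ipv6-acl)# deny icmp any any router-advertisement sequence 10
! Neighbor discovery is permitted implicitly only when the list has no
! explicit deny-all; since one follows at the end, permit ND here.
Switch(config-ipv6-acl)# permit icmp any any nd-ns sequence 20
Switch(config-ipv6-acl)# permit icmp any any nd-na sequence 30
! No SSH from the host VLAN into the management network.
Switch(config-ipv6-acl)# deny tcp 2001:db8:10::/64 2001:db8:1::/64 eq 22 sequence 40
! Everything else passes only with a source from this port's own prefix or a
! link-local source; anything else is treated as spoofed and dropped.
Switch(config-ipv6-acl)# permit ipv6 2001:db8:10::/64 any sequence 50
Switch(config-ipv6-acl)# permit ipv6 fe80::/10 any sequence 60
Switch(config-ipv6-acl)# deny ipv6 any any sequence 70
Switch(config-ipv6-acl)# exit
!
Switch(config)# interface gigabitethernet1/0/7
Switch(config-if)# switchport mode access
! Port ACL: it takes precedence over any router ACL on the VLAN's SVI.
Switch(config-if)# ipv6 traffic-filter HOST-IN in
Switch(config-if)# end
!
! Check: entries listed in sequence order; hit counts appear as traffic matches.
Switch# show ipv6 access-list HOST-IN
```

Because the switch accepts keywords the hardware may not support and only checks when the list is attached (as the guidelines above state), inspect the interface after the ipv6 traffic-filter command rather than assuming the list is enforced.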

Page 1015: ...he failed link to the remaining links in the channel without intervention. Note: Layer 3 EtherChannels are not supported on switches running the LAN base feature set. This chapter also describes how to configure link-state tracking. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage inf...

Page 1016: ...host. Each EtherChannel can consist of up to eight compatibly configured Ethernet ports. All ports in each EtherChannel must be configured as either Layer 2 or Layer 3 ports. The number of EtherChannels is limited to 48. For more information, see the EtherChannel Configuration Guidelines section on page 1-12. The EtherChannel Layer 3 ports are made up of routed ports. Routed ports are physical ports con...

Page 1017: ...gure an EtherChannel in the on mode, no negotiations take place. The switch forces all compatible ports to become active in the EtherChannel. The other end of the channel (on the other switch) must also be configured in the on mode; otherwise, packet loss can occur. You can create an EtherChannel on a standalone switch, on a single switch in the stack, or on multiple switches in the stack (known as cross-sta...

Page 1018: ...ber can be the same as the port-channel number, or you can use a new number. If you use a new number, the channel-group command dynamically creates a new port channel. With Layer 3 ports, you should manually create the logical interface by using the interface port-channel global configuration command, followed by the no switchport interface configuration command. Then you manually assign an interface to...

Page 1019: ...sco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations; PAgP cannot be enabled on cross-stack EtherChannels. For more information, see the EtherChannel Configuration Guidelines section on page 1-12. By using PAgP, t...

Page 1020: ...artner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational. However, the silent setting allows PAgP to operate, to attach the port to a channel group, and to use the port for transmission. PAgP Interaction with Virtual Switches and Dual-Active Detection: A...

Page 1021: ...ble mode. Link Aggregation Control Protocol: The LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports. By using LACP, the switch or switch stack learns the identity of partners capable of supporting LACP...

Page 1022: ...hout negotiations. The on mode can be useful if the remote device does not support PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode. Ports that are configured in the on mode in the same channel group must have compatible port characteristics, such as speed and duplex. Ports that are not compatible are suspended, even...

Page 1023: ...ncoming packet. Therefore, to provide load balancing, packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel. But packets sent from different source IP addresses to the same destination IP address are always sent on the same port in the channel. With source-and-destination IP address-based forwarding, when packets are forwarded...

Page 1024: ...ee detects this condition and acts accordingly. Any PAgP or LACP configuration on a winning switch stack is not affected, but the PAgP or LACP configuration on the losing switch stack is lost after the stack reboots. With PAgP, if the stack master fails or leaves the stack, a new stack master is elected. A spanning-tree reconvergence is not triggered unless there is a change in the EtherChannel bandwidt...

Page 1025: ...re information, see the EtherChannel Configuration Guidelines section on page 1-12. Note: After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface, and configuration changes applied to the physical port affect only the port where you apply the configuration. Default EtherChannel Configuration: T...

Page 1026: ...one EtherChannel group. Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups running PAgP and LACP can coexist on the same switch or on different switches in the stack. Individual EtherChannel groups can run either PAgP or LACP, but they cannot interoperate. Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel. Do not configure a pri...

Page 1027: ...rChannels: You configure Layer 2 EtherChannels by assigning ports to a channel group with the channel-group interface configuration command. This command automatically creates the port-channel logical interface. If you enabled PAgP on a port in the auto or desirable mode, you must reconfigure it for either the on mode or the LACP mode before adding this port to a cross-stack EtherChannel. PAgP does not...

Page 1028: ...k. on: Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode. non-silent: (Optional) If your switch is connected to a partner that is PAgP-capable, configure the switch port for nonsilent operation when the port is in the auto or desirable mode. If you do not specify non-silent, silent is...

Page 1029: ...ports on stack member 2 and one port on stack member 3 as static-access ports in VLAN 10 to channel 5:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# exit
Switch(config)# interface gigabitethernet3/0/3...

Page 1030: ...gical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48. Step 3: no switchport. Put the interface into Layer 3 mode. Step 4: ip address ip-address mask. Assign an IP address and subnet mask to the EtherChannel. Step 5: end. Return to privileged EXEC mode. Step 6: show etherchannel channel-group-number detail. Verify your entries. Step 7: copy running-config startup-co...

Page 1031: ...tches in the switch stack. on: Forces the port to channel without PAgP or LACP. In the on mode, an EtherChannel exists only when a port group in the on mode is connected to another port group in the on mode. non-silent: (Optional) If your switch is connected to a partner that is PAgP-capable, configure the switch port for nonsilent operation when the port is in the auto or desirable mode. If you do not spec...

Page 1032: ...tchport
Switch(config-if)# channel-group 7 mode active
Switch(config-if)# exit
Configuring EtherChannel Load Balancing: This section describes how to configure EtherChannel load balancing by using source-based or destination-based forwarding methods. For more information, see the Load-Balancing and Forwarding Methods section on page 1-8. Beginning in privileged EXEC mode, follow these steps to configure Et...

Page 1033: ...up for all transmissions and use other ports for hot standby. The unused ports in the group can be swapped into operation in just a few seconds if the selected single port loses hardware-signal detection. You can configure which port is always selected for packet transmission by changing its priority with the pagp port-priority interface configuration command. The higher the priority, the more likely...

Page 1034: ...r global configuration mode. Step 2: interface interface-id. Specify the port for transmission, and enter interface configuration mode. Step 3: pagp learn-method physical-port. Select the PAgP learning method. By default, aggregation-port learning is selected, which means the switch sends packets to the source by using any of the ports in the EtherChannel. With aggregate-port learning, it is not important on...

Page 1035: ...he LACP port priority to affect how the software selects active and standby links. For more information, see the "Configuring the LACP System Priority" section on page 1-21 and the "Configuring the LACP Port Priority" section on page 1-22. Configuring the LACP System Priority. You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system-priority global...

Page 1036: ...ure is optional. To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command. Displaying EtherChannel, PAgP, and LACP Status. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the port to be configured, and enter interface configuration mode. Step 3: lacp port-priority priority. Configure t...

Page 1037: ...relationship known as teaming, and the link is lost on the primary interface, connectivity transparently changes to the secondary interface. Figure 1-6 on page 1-24 shows a network configured with link-state tracking. To enable link-state tracking, create a link-state group and specify the interfaces that are assigned to the link-state group. An interface can be an aggregation of ports (an EtherChannel)...

Page 1038: ...provides primary links to server 1 and server 2 through link-state group 1. Port 1 is connected to server 1, and port 2 is connected to server 2. Port 1 and port 2 are the downstream interfaces in link-state group 1. Port 5 and port 6 are connected to distribution switch 1 through link-state group 1. Port 5 and port 6 are the upstream interfaces in link-state group 1. (Figure labels: Network, Layer 3 link, Server ...)

Page 1039: ...t. These are the interactions between the downstream and upstream interfaces when link-state tracking is enabled: If any of the upstream interfaces are in the link-up state, the downstream interfaces can change to or remain in the link-up state. If all of the upstream interfaces become unavailable, link-state tracking automatically puts the downstream interfaces in the error-disabled state. Connectivity...

Page 1040: ...e. Step 1: configure terminal. Enter global configuration mode. Step 2: link state track number. Create a link-state group, and enable link-state tracking. For Catalyst 3560-X switches, the group number can be 1 to 2. For Catalyst 3750-X switches, the group number can be 1 to 10. The default is 1. Step 3: interface interface-id. Specify a physical interface or range of interfaces to configure, and enter interface...

Page 1041: ...tion command. Displaying Link-State Tracking Status. Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group. This is an example of output from the s...

Page 1042: ...1-28 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1, Configuring EtherChannels and Link-State Tracking: Configuring Link-State Tracking ...

Page 1043: ...ormation: Understanding TelePresence E911 IP Phone Support, page 1-1; Configuring TelePresence E911 IP Phone Support, page 1-2. Understanding TelePresence E911 IP Phone Support. You can use a Cisco IP phone as a user interface in a Cisco TelePresence System (see Figure 1). In this configuration, the IP phone must always be on and available for emergency calls. If the power to the codec in the Cisco TelePr...

Page 1044: ...ugh the IP network. If power to the codec fails or is disrupted, or if the codec fails, the IP phone is still connected to the IP network and is available for emergency calls. The switch forwards all CDP packets received on the ingress port to the egress port. If multiple IP phones are connected to the codec through a single port on the switch, only one phone communicates with it through the IP network. Thi...

Page 1045: ...igabitEthernet2/0/2 egress GigabitEthernet2/0/13  Switch# show cdp forward  (Ingress Port, Egress Port, packets forwarded, packets dropped) Gi2/0/1 Gi2/0/12 0 0; Gi2/0/2 Gi2/0/13 0 0  Switch# configure terminal  Enter configuration commands, one per line. End with CNTL/Z.  Switch(config)# no cdp forward ingress gigabitethernet2/0/1  Switch(config)# end  Switch# Mar 1 13:39:14.120: %SYS-5-CONFIG_I: Configured from console b...

Page 1046: ... Switch# show cdp forward  (Ingress Port, Egress Port, packets forwarded, packets dropped) Gi2/0/2 Gi2/0/13 0 0  Switch# ...

Page 1047: ...bled on the standalone switch or on the stack master. Note: In addition to IPv4 traffic, you can also enable IP Version 6 (IPv6) unicast routing and configure interfaces to forward IPv6 traffic if the switch or switch stack is running the IP base or IP services feature set. For information about configuring IPv6 on the switch, see Chapter 1, "Configuring IPv6 Unicast Routing." For more detailed IP unicast co...

Page 1048: ...subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, network devices in different VLANs cannot communicate with one another without a Layer 3 device (router) to route traffic between the VLANs, referred to as inter-VLAN routing. You configure one or more routers to route traffic to the appropriate destination V...

Page 1049: ...r calculating the best routes. These protocols are easy to configure and use. Routers using link-state protocols maintain a complex database of network topology, based on the exchange of link-state advertisements (LSAs) between routers. LSAs are triggered by an event in the network, which speeds up the convergence time, or time required to respond to these changes. Link-state protocols respond quickly to t...

Page 1050: ...rding (NSF) to detect a switchover, to continue forwarding network traffic, and to recover route information from peer devices. NSF-aware routers tolerate neighboring router failures. After the neighbor router restarts, an NSF-aware router supplies information about its state and route adjacencies on request. NSF-capable routers support NSF. When they detect a stack master change, they rebuild routing infor...

Page 1051: ...ce. Note: If the switch is running the LAN base feature set, static routes are supported only on SVIs. An EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number global configuration command and binding the Ethernet interface into the channel group. For more information, see the "Configuring Layer 3 EtherChannels" section o...

Page 1052: ...only assign an IP address to an SVI and configure a static unicast route on the interface. Other configurations are not supported. Default Addressing Configuration, page 1-6; Assigning IP Addresses to Network Interfaces, page 1-7; Configuring Address Resolution Methods, page 1-10; Routing Assistance When IP Routing is Disabled, page 1-12; Configuring Broadcast Packet Handling, page 1-15; Monitoring and Maint...

Page 1053: ...s defined or User Datagram Protocol (UDP) flooding is configured. UDP forwarding is enabled on default ports. Any local broadcast: Disabled. Spanning Tree Protocol (STP): Disabled. Turbo flood: Disabled. IP helper address: Disabled. IP host: Disabled. IRDP: Disabled. Defaults when enabled: Broadcast IRDP advertisements. Maximum interval between advertisements: 600 seconds. Minimum interval between advertisements: 0.75 t...

Page 1054: ...behavior is enabled on the switch when it is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route. A supernet consists of contiguous blocks of Class C address spaces used to simulate a single, larger address space and is designed to relieve the pressure on the rapidly depleti...

Page 1055: ...s Routing. To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior. Beginning in privileged EXEC mode, follow these steps to disable classless routing. (Figure labels: Host, 128.20.1.0, 128.20.2.0, 128.20.3.0, 128.20.4.1, 128.0.0.0/8, 128.20.4.1, IP classless, 128.20.0.0; Host, 128.20.1.0, 128.20.2.0, 128.20.3.0, 128.20.4 ...)

Page 1056: ...RP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and ARP requests or replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). Proxy ARP helps hosts with no routin...

Page 1057: ...capsulation. By default, Ethernet ARP encapsulation (represented by the arpa keyword) is enabled on an IP interface. You can change the encapsulation method to SNAP if required by your network. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: arp ip-address hardware-address type. Globally associate an IP address with a MAC (hardware) address in the ARP cache, and specify enc...

Page 1058: ...Discovery Protocol (IRDP), page 1-13. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and specify the Layer 3 interface to configure. Step 3: arp {arpa | snap}. Specify the ARP encapsulation method: arpa, Address Resolution Protocol; snap, Subnetwork Address Protocol. Step 4: end. Return to privileged EXEC mode. Step 5: show i...

Page 1059: ...s of detecting when the default router has gone down or is unavailable. Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled. Use the no ip default-gateway global configuration command to disable this function. ICMP Router Discovery Protocol (IRDP). Router discovery allows the switch to dynamically learn about routes to other networks using...

Page 1060: ...th Sun Microsystems Solaris, which requires IRDP packets to be sent out as multicasts. Many implementations cannot receive these multicasts; ensure end-host ability before using this command. Step 5: ip irdp holdtime seconds. (Optional) Set the IRDP period for which advertisements are valid. The default is three times the maxadvertinterval value. It must be greater than maxadvertinterval and cannot be great...

Page 1061: ...ou can set the address to be used as the broadcast address. Many implementations, including the one in the switch, support several addressing schemes for forwarding broadcast messages. Perform the tasks in these sections to enable these schemes: Enabling Directed Broadcast-to-Physical Broadcast Translation, page 1-15; Forwarding UDP Broadcast Packets and Protocols, page 1-16; Establishing an IP Broadcast A...

Page 1062: ...s been defined for an interface. The description for the ip forward-protocol interface configuration command in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4, lists the ports that are forwarded by default if you do not specify any UDP ports. If you do not specify any UDP ports when you configure the forwarding of UDP broadcasts, you are configuring the router to...

Page 1063: ...mode. Step 2: interface interface-id. Enter interface configuration mode, and specify the Layer 3 interface to configure. Step 3: ip helper-address address. Enable forwarding, and specify the destination address for forwarding UDP broadcast packets, including BOOTP. Step 4: exit. Return to global configuration mode. Step 5: ip forward-protocol {udp [port] | nd | sdns}. Specify which protocols the router forwards when fo...

Page 1064: ...UDP datagram is given the destination address specified with the ip broadcast-address interface configuration command on the output interface. The destination address can be set to any address. Thus, the destination address might change as the datagram propagates through the network. The source address is never changed. The TTL value is decremented. When a flooded UDP datagram is sent out an interface...

Page 1065: ...d. Return to privileged EXEC mode. Step 4: show running-config. Verify your entry. Step 5: copy running-config startup-config. (Optional) Save your entry in the configuration file. Table 1-2: Commands to Clear Caches, Tables, and Databases. Command / Purpose. clear arp-cache: Clear the IP ARP cache and the fast-switching cache. clear host name: Remove one or all entries from the hostname and the address cache. clear i...

Page 1066: ...Path Forwarding, page 1-91; Configuring Protocol-Independent Features, page 1-91 (optional). Configuring RIP. The Routing Information Protocol (RIP) is an interior gateway protocol (IGP) created for use in small, homogeneous networks. It is a distance-vector routing protocol that uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The protocol is documented in RFC 1058. You c...

Page 1067: ...0.0.0.0 network does not exist, it is treated by RIP as a network to implement the default routing feature. The switch advertises the default network if a default was learned by RIP or if the router has a gateway of last resort and RIP is configured with a default metric. RIP sends updates to the interfaces in specified networks. If an interface's network is not specified, it is not advertised in any R...

Page 1068: ...1: configure terminal. Enter global configuration mode. Step 2: ip routing. Enable IP routing. (Required only if IP routing is disabled.) Step 3: router rip. Enable a RIP routing process, and enter router configuration mode. Step 4: network network-number. Associate a network with a RIP routing process. You can specify multiple network commands. RIP routing updates are sent and received through interfaces only on...

Page 1069: ...e default is 240 seconds. Step 8: version {1 | 2}. (Optional) Configure the switch to receive and send only RIP Version 1 or RIP Version 2 packets. By default, the switch receives Version 1 and 2 but sends only Version 1. You can also use the interface commands ip rip {send | receive} version {1 | 2 | 1 2} to control what versions are used for sending and receiving on interfaces. Step 9: no auto-summary. (Optional) Disable...

Page 1070: ...d. This feature usually optimizes communication among multiple routers, especially when links are broken. Note: In general, disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes. If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the...

Page 1071: ...rizon  Switch(config-if)# exit  Switch(config)# router rip  Switch(config-router)# network 10.0.0.0  Switch(config-router)# neighbor 2.2.2.2 peer-group mygroup  Switch(config-router)# end. Configuring Split Horizon. Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks info...

Page 1072: ...mand. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and specify the interface to configure. Step 3: ip address ip-address subnet-mask. Configure the IP address and IP subnet. Step 4: no ip split-horizon. Disable split horizon on the interface. Step 5: end. Return to privileged EXEC mode. Step 6: show ip interface inte...

Page 1073: ...ough any IP routing protocol can be redistributed into another IP routing protocol. At the intradomain level, this means that OSPF can import routes learned through EIGRP and RIP. OSPF routes can also be exported into RIP. Plain text and MD5 authentication among neighboring routers within an area is supported. Configurable routing interface parameters include interface output cost, retransmission interv...

Page 1074: ...d the external route type (default is Type 2). Default metric: Built-in, automatic metric translation, as appropriate for each routing protocol. Distance: OSPF dist1 (all routes within an area), 110; dist2 (all routes from one area to another), 110; and dist3 (routes from other routing domains), 110. OSPF database filter: Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface. IP OSPF name lo...

Page 1075: ...s all nonlocal traffic to the distribution layer, the wiring-closet switch need not hold a complete routing table. A best-practice design, where the distribution switch sends a default route to the wiring-closet switch to reach interarea and external routes (OSPF stub or totally stub area configuration), should be used when OSPF for Routed Access is used in the wiring closet. For more details, see the Hig...

Page 1076: ...F neighbors on the network without resetting the neighbor relationship. Reacquire the contents of the link-state database for the network. After a stack master change, the new master sends an OSPF NSF signal to neighboring NSF-aware devices. A device recognizes this signal to mean that it should not reset the neighbor relationship with the stack. As the NSF-capable stack master receives signals from ot...

Page 1077: ...ation mode. The process ID is an internally used identification parameter that is locally assigned and can be any positive integer. Each OSPF routing process has a unique value. Note: OSPF for Routed Access supports only one OSPFv2 and one OSPFv3 instance with a maximum number of 200 dynamically learned routes. Step 3: nsf cisco enforce global, or nsf ietf restart-interval seconds. (Optional) Enable Cisco N...

Page 1078: ...o 65535 seconds. The default is 1 second. Step 6: ip ospf priority number. (Optional) Set priority to help find the OSPF designated router for a network. The range is from 0 to 255. The default is 1. Step 7: ip ospf hello-interval seconds. (Optional) Set the number of seconds between hello packets sent on an OSPF interface. The value must be the same for all nodes on a network. The range is 1 to 65535 seconds. Th...

Page 1079: ...gure the ABR to advertise a summary route that covers all networks in the range. Note: The OSPF area router configuration commands are all optional. Beginning in privileged EXEC mode, follow these steps to configure area parameters. Step 14: show ip ospf neighbor detail. Display NSF awareness status of the neighbor switch. The output matches one of these examples: "Options is 0x52 LLS" or "Options is 0x1 LR". When bot...

Page 1080: ...routing domain. Domain Name Server (DNS) names for use in all OSPF show privileged EXEC command displays make it easier to identify a router than displaying it by router ID or neighbor ID. Default Metrics: OSPF calculates the OSPF metric for an interface according to the bandwidth of the interface. The metric is calculated as ref-bw divided by bandwidth, where ref is 10 by default, and bandwidth (bw) is s...

Page 1081: ...iguration mode. Step 3: summary-address address mask. (Optional) Specify an address and IP subnet mask for redistributed routes so that only one summary route is advertised. Step 4: area area-id virtual-link router-id hello-interval seconds retransmit-interval seconds trans... authentication-key key message-digest-key keyid md5 key. (Optional) Establish a virtual link and set its parameters. See the "Configuring...

Page 1082: ...If a loopback interface is configured with an IP address, OSPF uses this IP address as its router ID, even if other interfaces have higher IP addresses. Because loopback interfaces never fail, this provides greater stability. OSPF automatically prefers a loopback interface over other interfaces, and it chooses the highest IP address among all loopback interfaces. Beginning in privileged EXEC mode, follow...

Page 1083: ...pology change to synchronize at the same time. Routers that are not affected by topology changes are not involved in recomputations. Step 4: end. Return to privileged EXEC mode. Step 5: show ip interface. Verify your entries. Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Table 1-6: Show IP OSPF Statistics Commands. Command / Purpose. show ip ospf...

Page 1084: ...d not be. For efficiency, reliability is provided only when necessary. For example, on a multiaccess network that has multicast capabilities, such as Ethernet, it is not necessary to send hellos reliably to all neighbors individually. Therefore, EIGRP sends a single multicast hello with an indication in the packet informing the receivers that the packet need not be acknowledged. Other types of packets, such...

Page 1085: ...efault metric. Only connected routes and interface static routes can be redistributed without a default metric. The metric includes: Bandwidth: 0 or greater kb/s. Delay (tens of microseconds): 0 or any positive number that is a multiple of 39.1 nanoseconds. Reliability: any number between 0 and 255 (255 means 100 percent reliability). Loading (effective bandwidth): a number between 0 and 255 (255 is 100 percent...

Page 1086: ...SF Awareness for IPv4. When the neighboring router is NSF-capable, the Layer 3 switch continues to forward packets from the neighboring router during the interval between the primary Route Processor (RP) in a router failing and the backup RP taking over, or while the primary RP is manually reloaded for a nondisruptive software upgrade. This feature cannot be disabled. For more information on this feature...

Page 1087: ...at least one of the stack peer neighbors is NSF-aware, the stack master receives updates and rebuilds its database. Each NSF-aware neighbor sends an end-of-table (EOT) marker in the last update packet to mark the end of the table content. The stack master recognizes the convergence when it receives the EOT marker, and it then begins sending updates. When the stack master has received all EOT markers fro...

Page 1088: ...it the offset list with an access list or an interface. Step 8: no auto-summary. (Optional) Disable automatic summarization of subnet routes into network-level routes. Step 9: ip summary-address eigrp autonomous-system-number address mask. (Optional) Configure a summary aggregate. Step 10: end. Return to privileged EXEC mode. Step 11: show ip protocols. Verify your entries. Step 12: show ip protocols. Verify your en...

Page 1089: ...djust the hold time without consulting Cisco technical support. Step 7: no ip split-horizon eigrp autonomous-system-number. (Optional) Disable split horizon to allow route information to be advertised by a router out any interface from which that information originated. Step 8: end. Return to privileged EXEC mode. Step 9: show ip eigrp interface. Display which interfaces EIGRP is active on and information ab...

Page 1090: ...routes are propagated from the switch. The switch responds to all queries for summaries, connected routes, and routing updates. Any neighbor that receives a packet informing it of the stub status does not query the stub router for any routes, and a router that has a stub peer does not query that peer. The stub router depends on the distribution router to send the proper updates to all peers. In Figure 1...

Page 1091: ...e up of routers that operate under the same administration and that run Interior Gateway Protocols (IGPs), such as RIP or OSPF, within their boundaries and that interconnect by using an Exterior Gateway Protocol (EGP). BGP Version 4 is the standard EGP for interdomain routing in the Internet. The protocol is defined in RFCs 1163, 1267, and 1771. You can find detailed information about BGP in Internet Routing...

Page 1092: ...l TCP as its transport protocol (specifically, port 179). Two BGP speakers that have a TCP connection to each other for exchanging routing information are known as peers or neighbors. In Figure 1-5, Routers A and B are BGP peers, as are Routers B and C, and Routers C and D. The routing information is a series of AS numbers that describe the full path to the destination network. BGP uses this information to...

Page 1093: ...es within BGP and supports the advertising of IP prefixes. These sections contain this configuration information: Default BGP Configuration, page 1-47; Enabling BGP Routing, page 1-50; Managing Routing Policy Changes, page 1-52; Configuring BGP Decision Attributes, page 1-54; Configuring BGP Filtering with Route Maps, page 1-56; Configuring BGP Filtering by Neighbor, page 1-56; Configuring Prefix Lists for BGP...

Page 1094: ...ng: Disabled by default. When enabled: Half-life is 15 minutes. Re-use is 750 (10-second increments). Suppress is 2000 (10-second increments). Max-suppress time is 4 times half-life (60 minutes). BGP router ID: The IP address of a loopback interface, if one is configured, or the highest IP address configured for a physical interface on the router. Default information originate (protocol or network redistribution): Di...

Page 1095: ...op router as next hop for BGP neighbor: Disabled. Password: Disabled. Peer group: None defined; no members assigned. Prefix list: None specified. Remote AS (add entry to neighbor BGP table): No peers defined. Private AS number removal: Disabled. Route maps: None applied to a peer. Send community attributes: None sent to neighbors. Shutdown or soft reconfiguration: Not enabled. Timers: keepalive, 60 seconds; holdtime, 180...

Page 1096: ...passed to an external neighbor. If the AS path includes private AS numbers, these numbers are dropped. If your AS will be passing traffic through it from another AS to a third AS, it is important to be consistent about the routes it advertises. If BGP advertised a route before all routers in the network had learned about the route through the IGP, the AS might receive traffic that some routers could no...

Page 1097: ...onnection. For IBGP, the IP address can be the address of any of the router interfaces. Step 6: neighbor {ip-address | peer-group-name} remove-private-as. (Optional) Remove private AS numbers from the AS path in outbound routing updates. Step 7: no synchronization. (Optional) Disable synchronization between BGP and an IGP. Step 8: no auto-summary. (Optional) Disable automatic network summarization. By default, when a su...

Page 1098: ...crements. A table version number that continually increments means that a route is flapping, causing continual routing updates. For exterior protocols, a reference to an IP network from the network router configuration command controls only which networks are advertised. This is in contrast to Interior Gateway Protocols (IGPs), such as EIGRP, which also use the network command to specify where to send upda...

Page 1099: ...P and FIB tables provided by the neighbor are lost. Not recommended. Outbound soft reset: No configuration, no storing of routing table updates. Does not reset inbound routing table updates. Dynamic inbound soft reset: Does not clear the BGP session and cache. Does not require storing of routing table updates and has no memory overhead. Both BGP routers must support the route refresh capability in Cisco IO...

Page 1100: ...routing updates. By default, the weight attribute is 32768 for paths that the router originates and zero for other paths. Routes with the largest weight are preferred. You can use access lists, route maps, or the neighbor weight router configuration command to set weights. 3. Prefer the route with the highest local preference. Local preference is part of the routing update and exchanged among routers in t...

Page 1101: ...nge is 1 to 4294967295. The lowest value is the most desirable. Step 7: bgp bestpath med missing-as-worst. (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path. Step 8: bgp always-compare-med. (Optional) Configure the switch to compare MEDs for paths from neighbors in different autonomous systems. By default, MED co...

Страница 1102: ...nd Processing in Routing Updates section on page 1 104 for information about the distribute list command You can use route maps on a per neighbor basis to filter updates and to modify various attributes A route map can be applied to either inbound or outbound updates Only the routes that pass the route map are sent or accepted in updates On both inbound and outbound updates matching is supported b...

Страница 1103: ... Purpose Step 1 configure terminal Enter global configuration mode Step 2 router bgp autonomous system Enable a BGP routing process assign it an AS number and enter router configuration mode Step 3 neighbor ip address peer group name distribute list access list number name in out Optional Filter BGP routing updates to or from neighbors as specified in an access list Note You can also use the neigh...

Страница 1104: ...eed to specify a sequence number when removing a configuration entry Show commands include the sequence numbers in their output Before using a prefix list in a command you must set up the prefix list Beginning in privileged EXEC mode follow these steps to create a prefix list or to add an entry to a prefix list To delete a prefix list and all of its entries use the no ip prefix list list name glob...

Страница 1105: ...ccept prefer or distribute to other neighbors A BGP speaker can set append or modify the community of a route when learning advertising or redistributing routes When routes are aggregated the resulting aggregate has a COMMUNITIES attribute that contains all communities from all the initial routes You can use community lists to create groups of communities to use in a match clause of a route map As...

Страница 1106: ... all the configuration information by using the neighbor shutdown router configuration command Beginning in privileged EXEC mode use these commands to configure BGP peers Step 5 set comm list list num delete Optional Remove communities from the community attribute of an inbound or outbound update that match a standard or extended community list specified by a route map Step 6 exit Return to global...

Page 1107: ...he default is 75 percent. Step 14: neighbor {ip-address | peer-group-name} next-hop-self. (Optional) Disable next-hop processing on the BGP updates to a neighbor. Step 15: neighbor {ip-address | peer-group-name} password string. (Optional) Set MD5 authentication on a TCP connection to a BGP peer. The same password must be configured on both BGP peers, or the connection between them is not made. Step 16: neighbor ip-add...

Page 1108: ...ommand Purpose. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system. Enter BGP router configuration mode. Step 3: aggregate-address address mask. Create an aggregate entry in the BGP routing table. The aggregate route is advertised as coming from the AS, and the atomic aggregate attribute is set to indicate that information might be missing. Step 4...

Page 1109: ... to all internal neighbors. To prevent a routing information loop, all IBGP speakers must be connected. The internal neighbors do not send routes learned from internal neighbors to other internal neighbors. With route reflectors, all IBGP speakers need not be fully meshed, because another method is used to pass learned routes to neighbors. When you configure an internal BGP peer to be a route reflector, i...

Page 1110: ... available, then unavailable, then available, then unavailable, and so on. When route dampening is enabled, a numeric penalty value is assigned to a route when it flaps. When a route's accumulated penalties reach a configurable limit, BGP suppresses advertisements of the route, even if the route is running. The reuse limit is a configurable value that is compared with the penalty. If the penalty is less than...

Page 1111: ...Protocols, Release 12.4. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp autonomous-system. Enter BGP router configuration mode. Step 3: bgp dampening. Enable BGP route dampening. Step 4: bgp dampening half-life reuse suppress max-suppress [route-map map]. (Optional) Change the default values of route dampening factors. Step 5: end. Return to privileged EXEC mode. Step 6...

Page 1112: ...s not in peer groups to which the prefix has been advertised. Also display prefix attributes such as the next hop and the local prefix. show ip bgp cidr-only: Display all BGP routes that contain subnet and supernet network masks. show ip bgp community community-number [exact]: Display routes that belong to the specified communities. show ip bgp community-list community-list-number [exact-match]: Display rout...

Page 1113: ...nce of the IS-IS routing process. Small IS-IS networks are built as a single area that includes all the routers in the network. As the network grows larger, it is usually reorganized into a backbone area made up of the connected set of all Level 2 routers from all areas, which is in turn connected to local areas. Within a local area, routers know how to reach all system IDs. Between areas, routers know ho...

Page 1114: ...00 ms. LSP maximum lifetime (without a refresh): 1200 seconds (20 minutes) before the LSP packet is deleted. LSP refresh interval: Send LSP refreshes every 900 seconds (15 minutes). Maximum LSP packet size: 1497 bytes. NSF Awareness (1): Enabled (2). (1) NSF = Nonstop Forwarding. Allows Layer 3 switches to continue forwarding packets from a neighboring NSF-capable router during hardware or software changes. (2) IS-IS NSF awa...

Page 1115: ...outing on the switch. Step 3: router isis [area-tag]. Enable IS-IS routing for the specified routing process and enter IS-IS routing configuration mode. (Optional) Use the area-tag argument to identify the area to which the IS-IS router is assigned. You must enter a value if you are configuring multiple IS-IS areas. The first IS-IS instance configured is Level 1-2 by default. Later instances are automati...

Page 1116: ...1.0000.0000.000b.00
Switch(config-router)# exit
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip router isis
Switch(config-if)# clns router isis
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip router isis
Switch(config-if)# clns router isis
Switch(config-router)# exit
Router C
Switch(config)# clns routing
Switch(config)# router isis
Switch(config-router)# net 49.0001.0000.0000.0...

Page 1117: ...work has a maximum transmission unit (MTU) size of less than 1500 bytes, you can lower the LSP MTU so that routing will still occur. The partition avoidance router configuration command prevents an area from becoming partitioned when full connectivity is lost among a Level 1-2 border router, adjacent Level 1 routers, and end hosts. Beginning in privileged EXEC mode, follow these steps to configure IS-IS pa...

Page 1118: ...he default is to send LSP refreshes every 900 seconds (15 minutes). Step 11: max-lsp-lifetime seconds. (Optional) Set the maximum time that LSP packets remain in the router database without being refreshed. The range is from 1 to 65535 seconds. The default is 1200 seconds (20 minutes). After the specified time interval, the LSP packet is deleted. Step 12: lsp-gen-interval [level-1 | level-2] lsp-max-wait [lsp-initial...

Page 1119: ...er hello packet before declaring the neighbor down. This determines how quickly a failed link or neighbor is detected so that routes can be recalculated. Change the hello multiplier in circumstances where hello packets are lost. Step 14: prc-interval prc-max-wait [prc-initial-wait prc-second-wait]. (Optional) Set IS-IS partial route computation (PRC) throttling timers. prc-max-wait: the maximum interval (in se...

Page 1120: ...se. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Specify the interface to be configured and enter interface configuration mode. If the interface is not already configured as a Layer 3 interface, enter the no switchport command to put it into Layer 3 mode. Step 3: isis metric default-metric [level-1 | level-2]. (Optional) Configure the metric (or cost) for the specified...

Page 1121: ...mber of milliseconds between packets at which IS-IS LSPs will be re-sent on point-to-point links. The range is from 0 to 65535. The default is determined by the isis lsp-interval command. Step 9: isis priority value [level-1 | level-2]. (Optional) Configure the priority to use for designated router election. The range is from 0 to 127. The default is 64. Step 10: isis circuit-type {level-1 | level-1-2 | level-2-only}...

Page 1122: ...clear clns route: Remove dynamically derived CLNS routing information. show clns: Display information about the CLNS network. show clns cache: Display the entries in the CLNS routing cache. show clns es-neighbors: Display ES neighbor entries, including the associated areas. show clns filter-expr: Display filter expressions. show clns filter-set: Display filter sets. show clns interface interface-id: Display the...

Page 1123: ...ices. Customer edge (CE) devices provide customers access to the service provider network over a data link to one or more provider edge routers. The CE device advertises the site's local routes to the router and learns the remote VPN routes from it. A Catalyst 3750-X or 3560-X switch can be a CE. Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing p...

Page 1124: ...h are used to distinguish the VRFs during processing. For each new VPN route learned, the Layer 3 setup function retrieves the policy label by using the VLAN ID of the ingress port and inserts the policy label and new route into the multi-VRF CE routing section. If the packet is received from a routed port, the port internal VLAN ID number is used; if the packet is received from an SVI, the VLAN number is...

Page 1125: ... services or advanced IP services feature set enabled on your switch. A switch with multi-VRF CE is shared by multiple customers, and each customer has its own routing table. Because customers use different VRF tables, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs. Multi-VRF CE lets multiple customers share the same physical link between the PE and the CE. Tru...

Page 1126: ... enabled on an interface, and the reverse. Configuring VRFs. Beginning in privileged EXEC mode, follow these steps to configure one or more VRFs. For complete syntax and usage information for the commands, see the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.4. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: i...

Page 1127: ...he user can ping a host in a user-specified VRF. ARP entries are learned in separate VRFs. The user can display Address Resolution Protocol (ARP) entries for specific VRFs. These services are VRF-aware: ARP, Ping, Simple Network Management Protocol (SNMP), Hot Standby Router Protocol (HSRP), Unicast Reverse Path Forwarding (uRPF), Syslog, Traceroute, FTP and TFTP. Note: The switch does not support VRF-aware services f...

Page 1128: ...ease 12.4. Command Purpose. ping vrf vrf-name ip-host: Display the ARP table in the specified VRF. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: snmp-server trap authentication vrf. Enable SNMP traps for packets on a VRF. Step 3: snmp-server engineID remote host vrf vpn-instance engine-id string. Configure a name for the remote SNMP engine on a switch. Step 4: snmp-server...

Page 1129: ...mation for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.4. Step 6: standby 1 ip ip-address. Enable HSRP and configure the virtual IP address. Step 7: end. Return to privileged EXEC mode. Command Purpose. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter inter...

Page 1130: ...icular interface, even if no VRF is configured on that interface. To specify the source IP address for FTP connections, use the ip ftp source-interface show mode command. To use the address of the interface where the connection is made, use the no form of this command. To specify the IP address of an interface as the source address for TFTP connections, use the ip tftp source-interface show mode command...

Page 1131: ...ode. Step 4: rd route-distinguisher. Create a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y). Step 5: route-target {export | import | both} route-target-ext-community. Create a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an...

Page 1132: ...efine a network address and mask on which OSPF runs and the area ID for that network address. Step 6: end. Return to privileged EXEC mode. Step 7: show ip ospf process-id. Verify the configuration of the OSPF network. Step 8: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: router bgp au...

Page 1133: ...ration Example. Configuring Switch A. On Switch A, enable routing and configure VRF.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# ip vrf v11
Switch(config-vrf)# rd 800:1
Switch(config-vrf)# route-target export 800:1
Switch(config-vrf)# route-target import 800:1
Switch(config-vrf)# exit
Switch(config)# ip vrf v12
Switch(config-vrf)# rd 8...

Page 1134: ...n Switch A, VLAN 10 is used by VRF 11 between the CE and the PE. VLAN 20 is used by VRF 12 between the CE and the PE. VLANs 118 and 208 are used for the VPNs that include Switch F and Switch D, respectively.
Switch(config)# interface vlan10
Switch(config-if)# ip vrf forwarding v11
Switch(config-if)# ip address 38.0.0.8 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan20
Switch(config-if)# ip vrf...

Page 1135: ...gigabitethernet1/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 208.0.0.20 255.255.255.0
Switch(config-if)# exit
Switch(config)# router ospf 101
Switch(config-router)# network 208.0.0.0 0.0.0.255 area 0
Switch(config-router)# end
Configuring Switch F. Switch F belongs to VPN 2. Configure the connection to Switch A by using these commands.
Switch# configure terminal
Enter configuration commands...

Page 1136: ...capsulation dot1q 20
Router(config-if)# ip vrf forwarding v2
Router(config-if)# ip address 83.0.0.3 255.255.255.0
Router(config-if)# exit
Router(config)# router bgp 100
Router(config-router)# address-family ipv4 vrf v2
Router(config-router-af)# neighbor 83.0.0.8 remote-as 800
Router(config-router-af)# neighbor 83.0.0.8 activate
Router(config-router-af)# network 3.3.2.0 mask 255.255.255.0
Router(config-router-af)# e...

Page 1137: ...the Other Security Features chapter in the Cisco IOS Security Configuration Guide, Release 12.4. Configuring Protocol-Independent Features. This section describes how to configure IP routing protocol-independent features. These features are available on switches running the IP base or the IP services feature set, except that with the IP base feature set, protocol-related features are available only for...

Page 1138: ...or dCEF forwarding applies only to the software forwarding path, that is, traffic that is forwarded by the CPU. CEF or distributed CEF is enabled globally by default. If for some reason it is disabled, you can re-enable it by using the ip cef or ip cef distributed global configuration command. The default configuration is CEF or dCEF enabled on all Layer 3 interfaces. Entering the no ip route-cache cef i...

Page 1139: ...o change the maximum number of parallel paths installed in a routing table from the default. Use the no maximum-paths router configuration command to restore the default value. Step 7: show cef linecard detail, or show cef linecard slot-number detail. Display CEF-related interface information on a Catalyst 3560-X switch, or display CEF-related interface information on a Catalyst 3750-X switch by stack m...

Page 1140: ...ve distance values. Each dynamic routing protocol has a default administrative distance, as listed in Table 1-16. If you want a static route to be overridden by information from a dynamic routing protocol, set the administrative distance of the static route higher than that of the dynamic protocol. Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protoc...

Page 1141: ...ating the default for a network also might need a default of its own. One way a router can generate its own default is to specify a static route to the network 0.0.0.0 through the appropriate device. Beginning in privileged EXEC mode, follow these steps to define a static route to a network as the static default route. Use the no ip default-network network-number global configuration command to remove...

Page 1142: ...ommands, nothing is done other than the match. Therefore, you need at least one match or set command. Note: A route map with no set route-map configuration commands is sent to the CPU, which could cause high CPU utilization. You can also identify route-map statements as permit or deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding c...

Page 1143: ... {access-list-number | access-list-name}. Match a standard access list by specifying the name or number. It can be an integer from 1 to 199. Step 6: match metric metric-value. Match the specified route metric. The metric-value can be an EIGRP metric with a specified value from 0 to 4294967295. Step 7: match ip next-hop {access-list-number | access-list-name} [...access-list-number | access-list-name]. Match a next-hop ro...

Page 1144: ...outes for EIGRP only. bandwidth: Metric value or IGRP bandwidth of the route in kilobits per second, in the range 0 to 4294967295. delay: Route delay in tens of microseconds, in the range 0 to 4294967295. reliability: Likelihood of successful packet transmission, expressed as a number between 0 and 255, where 255 means 100 percent reliability and 0 means no reliability. loading: Effective bandwidth of the rou...

Page 1145: ...nt routing policies that allow or deny paths based on: identity of a particular end system; application; protocol. You can use PBR to provide equal-access and source-sensitive routing, routing based on interactive versus batch traffic, or routing based on dedicated links. For example, you could transfer stock records to a corporate office on a high-bandwidth, high-cost link for a short time while transmitt...

Page 1146: ...details about PBR commands and keywords, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.4. For a list of PBR commands that are visible but not supported by the switch, see Appendix 1, Unsupported Commands in Cisco IOS Release 15.0(2)SE and Later. PBR configuration is applied to the whole stack, and all switches use the stack master configuration. Note: This software rele...

Page 1147: ...tion maps and PBR route maps to the same interface. You cannot configure DSCP transparency and PBR DSCP route maps on the same switch. When you configure PBR with QoS DSCP, you can set QoS to be enabled by entering the mls qos global configuration command or disabled by entering the no mls qos command. When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configure D...

Page 1148: ...ed by one or more standard or extended access lists. Note: Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address. If you do not specify a match command, the route map applies to all packets. Step 4: set ip next-hop ip-address [...ip-address]. Specify the action to take on the packets that match the criteria. Set the next hop to which to route the packet (the next hop must...

Page 1149: ...sent nor received through the specified router interface. In networks with many interfaces, to avoid having to manually set them as passive, you can set all interfaces to be passive by default by using the passive-interface default router configuration command and manually setting interfaces where adjacencies are desired. Beginning in privileged EXEC mode, follow these steps to configure passive interf...

Page 1150: ...XEC mode, follow these steps to control the advertising or processing of routing updates. Use the no distribute-list in router configuration command to change or cancel a filter. To cancel suppression of network advertisements in updates, use the no distribute-list out router configuration command. Filtering Sources of Routing Information. Because some routing information might be more accurate than oth...

Page 1151: ...configuration command, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in or...

Page 1152: ...e key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite. Step 6: send-lifetime start-time {infinite | end-time | duration seconds}. (Optional) Specify the time period during which the key can be...

Page 1153: ...nitoring and Maintaining the IP Network. show ip route supernets-only: Display supernets. show ip cache: Display the routing table used to switch IP traffic. show route-map [map-name]: Display all route maps configured, or only the one specified. Table 1-17: Commands to Clear IP Routes or Display Route Status (continued). Command Purpose ...

Page 1154: ...1-108 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1, Configuring IP Unicast Routing: Monitoring and Maintaining the IP Network ...

Page 1155: ...upport only IPv6 host functionality. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS documentation referenced in the procedures. This chapter consists of these sections: Understanding IPv6 section on page 1-1; Config...

Page 1156: ...n the format n:n:n:n:n:n:n:n. This is an example of an IPv6 address: 2031:0000:130F:0000:0000:09C0:080F:130B. For easier implementation, leading zeros in each field are optional. This is the same address without leading zeros: 2031:0:130F:0:0:9C0:80F:130B. You can also use two colons (::) to represent successive hexadecimal fields of zeros, but you can use this short version only once in each address: 2031:0:13...

Page 1157: ...s. The switch supports aggregatable global unicast addresses and link-local unicast addresses. It does not support site-local unicast addresses. Aggregatable global unicast addresses are IPv6 addresses from the aggregatable global unicast prefix. The address structure enables strict aggregation of routing prefixes and limits the number of routing table entries in the global routing table. These address...

Page 1158: ...ocess uses ICMP messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local link), to verify the reachability of the neighbor, and to keep track of neighboring routers. The switch supports ICMPv6 redirect for routes with mask lengths less than 64 bits. ICMP redirect is not supported for host routes or for summarized routes with mask length...

Page 1159: ...y that enables most of the features available with FHS in IPv6. For more information, see the Configuring an IPv6 Snooping Policy section on page 1-20. IPv6 First Hop Security Binding Table. A database table of IPv6 neighbors connected to the switch is created from multiple sources of information, for example, Neighbor Discovery Protocol (NDP) snooping and Dynamic Host Configuration Protocol (DHCP) snooping...

Page 1160: ... table requires re-resolution. SEARCH: The feature creating the entry does not have the L2 address and requests the binding table to search for the L2 address. VERIFY: The L2 and Layer 3 (L3) addresses are known, and a duplicate address detection (DAD) Neighbor Solicitation (NS) unicast message is sent to the L2 and L3 destinations to verify the addresses. DOWN: The interface from which the entry was learnt is...

Page 1161: ...tch on a regular basis in order to revoke network access privileges as they become inactive. IPv6 Port-Based Access List Support. The IPv6 port-based access lists (PACL) feature provides the ability to apply access control (permit or deny) on L2 switch ports for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access control on L2 switch ports for IPv4 traffic. With Catalyst 3750-E, 3750-X, 3...

Page 1162: ...eived on ports that are not explicitly configured as facing a DHCP server or DHCP relay. To use this feature, configure a policy and attach it to a DHCP guard. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command. IPv6 Source Guard. A source guard programs the hardware to allow or deny traffic based on source or destination addresses. It deals exclusively with data...

Page 1163: ...unknown or suspect. For reachable or probably reachable routers, NDP can either select the same router every time or cycle through the router list. By using DRP, you can configure an IPv6 host to prefer one router over another, provided both are reachable or probably reachable. For more information about DRP for IPv6, see the Implementing IPv6 Addresses and Basic Connectivity chapter in the Cisco IOS IPv...

Page 1164: ...Pv6 packets are not supported. In dual IPv4 and IPv6 environments, the switch routes both IPv4 and IPv6 packets and applies IPv4 QoS in hardware. The switch supports QoS for both IPv4 and IPv6 traffic. If you do not plan to use IPv6, do not use the dual-stack template, because this template results in less hardware memory capacity for each resource. For more information about IPv4 and IPv6 protocol stacks...

Page 1165: ...functions, see the Implementing DHCP for IPv6 chapter in the Cisco IOS IPv6 Configuration Library on Cisco.com. Static Routes for IPv6. Static routes are manually configured and define an explicit route between two networking devices. Static routes are useful for smaller networks with only one path to an outside network, or to provide security for certain types of traffic in a larger network. For more i...

Page 1166: ...isticated SPF and LSA rate-limiting method can react quickly to changes and also provide stability and protection during prolonged periods of instability. For more information, see the Implementing OSPFv3 chapter of the Cisco IOS IPv6 Configuration Library on Cisco.com. Authentication Support with IPsec. To ensure that OSPF for IPv6 (OSPFv3) packets are not altered and resent to the switch, OSPFv3 packet...

Page 1167: ...gement requires both IPv6 and IPv4 transports. Syslog over IPv6 supports address data types for these transports. SNMP and syslog over IPv6 provide these features: support for both IPv4 and IPv6; IPv6 transport for SNMP, and modification of the SNMP agent to support traps for an IPv6 host; SNMP- and syslog-related MIBs to support IPv6 addressing; configuration of IPv6 hosts as trap receivers. For support over IP...

Page 1168: ...S-IS routing; IPv6 packets destined to site-local addresses; tunneling protocols such as IPv4-to-IPv6 or IPv6-to-IPv4; the switch as a tunnel endpoint supporting IPv4-to-IPv6 or IPv6-to-IPv4 tunneling protocols; IPv6 unicast reverse path forwarding; IPv6 general prefixes. Limitations. Because IPv6 is implemented in switch hardware, some limitations occur due to the IPv6 compressed addresses in the hardwar...

Page 1169: ...ceive the tables and create hardware IPv6 routes for forwarding. The stack master also runs all IPv6 applications. Note: To route IPv6 packets in a stack, all switches in the stack should be running the IP services feature set. If a new switch becomes the stack master, it recomputes the IPv6 routing tables and distributes them to the member switches. While the new stack master is being elected and is res...

Page 1170: ...ng DHCP for IPv6 Address Assignment, page 1-26; Configuring IPv6 ICMP Rate Limiting, page 1-30; Configuring CEF and dCEF for IPv6, page 1-30; Configuring Static Routing for IPv6, page 1-31; Configuring RIP for IPv6, page 1-32; Configuring OSPF for IPv6, page 1-33; Tuning LSA and SPF Timers for OSPFv3 Fast Convergence, page 1-35; Configuring LSA and SPF Throttling for OSPFv3 Fast Convergence, page 1-35; Configurin...

Page 1171: ...ed-node multicast group FF02:0:0:0:0:1:FF00::/104 for each unicast address assigned to the interface (this address is used in the neighbor discovery process); all-nodes link-local multicast group FF02::1; all-routers link-local multicast group FF02::2. For more information about configuring IPv6 routing, see the Implementing Addressing and Basic Connectivity for IPv6 chapter in the Cisco IOS IPv6 Configurat...

Page 1172: ...s with an extended unique identifier (EUI) in the low-order 64 bits of the IPv6 address. Specify only the network prefix; the last 64 bits are automatically computed from the switch MAC address. This enables IPv6 processing on the interface. Manually configure an IPv6 address on the interface. Specify a link-local address on the interface to be used instead of the link-local address that is automatically...

Page 1173: ...otocol is up
IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
Global unicast address(es):
2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF2F:D940
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 mil...

Page 1174: ...owed per target. (Optional) no: Negates a command or sets its defaults. (Optional) protocol {all | dhcp | ndp}: Specifies which protocol should be redirected to the snooping feature for analysis. The default is all. To change the default, use the no protocol command. (Optional) security-level {glean | guard | inspect}: Specifies the level of security enforced by the feature. glean: Gleans addresses from messages and populates...

Page 1175: ...ion. Step 6: show ipv6 neighbors binding. Displays the binding table entries populated by the snooping policy. Action or Command Purpose. Step 1: enable. Enables privileged EXEC mode. Enter your password if prompted. Step 2: configure terminal. Enters global configuration mode. Step 3: ipv6 dhcp guard policy policy-name. Creates a policy in global configuration mode and enters the DHCP guard policy global c...

Page 1176: ...uration vlan-id. Attaches the DHCP guard policy to an interface or VLAN. Step 8: show ipv6 dhcp guard policy policy-name. Displays the DHCP guard policy configuration. Action or Command Purpose. Step 1: enable. Enables privileged EXEC mode. Enter your password if prompted. Step 2: configure terminal. Enters global configuration mode. Step 3: ipv6 source-guard policy policy-name. Specifies the source guard po...

Page 1177: ...6-snooping)# limit address-count 1
Switch(config-ipv6-snooping)# protocol dhcp
Switch(config-ipv6-snooping)# security-level glean
Switch(config-ipv6-snooping)# tracking enable
Switch(config-ipv6-snooping)# no trusted-port
Switch(config-ipv6-snooping)# exit
This example shows you how to configure snooping policy Test, enable data-address gleaning on the policy, and enable source guard where link-local addresses ...

Page 1178: ...per your needs. If you enable the feature without creating a policy, then the default policy configuration is applied.
Switch(config)# interface GigabitEthernet1/0/9
Switch(config-if)# ipv6 nd inspection
Switch(config-if)# ipv6 nd raguard
Switch(config-if)# ipv6 snooping
Switch(config-if)# ipv6 dhcp guard
Switch(config-if)# ipv6 source-guard
Switch(config-if)# end
OR
Switch(config)# vlan configuration 1
Switch(confi...

Page 1179: ...must reload the switch by using the reload privileged EXEC command so that the template takes effect. Beginning in privileged EXEC mode, follow these steps to configure a Layer 3 interface to support both IPv4 and IPv6 and to enable IPv6 routing. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode and enter the Lay...

Page 1180: ...e fastethernet1/0/11
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.99.1 244.244.244.0
Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64
Switch(config-if)# end
Configuring DHCP for IPv6 Address Assignment: Default DHCPv6 Address Assignment Configuration, page 1-27; DHCPv6 Address Assignment Configuration Guidelines, page 1-27; Enabling DHCPv6 Server Function, page 1-27; Enabling D...

Page 1181: ...n there is a stack master re-election, the new master switch retains the DHCPv6 configuration. However, the local RAM copy of the DHCP server database lease information is not retained. Enabling DHCPv6 Server Function. Beginning in privileged EXEC mode, follow these steps to enable the DHCPv6 server function on an interface. Command Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2...

Page 1182: ...suboption parameters. Step 7: exit. Return to DHCP pool configuration mode. Step 8: exit. Return to global configuration mode. Step 9: interface interface-id. Enter interface configuration mode and specify the interface to configure. Step 10: ipv6 dhcp server [poolname | automatic] [rapid-commit] [preference value] [allow-hint]. Enable the DHCPv6 server function on an interface. poolname: (Optional) User-defined name for the I...

Page 1183: ...isable the DHCPv6 client function, use the no ipv6 address dhcp interface configuration command. To remove the DHCPv6 client request, use the no ipv6 address dhcp client request interface configuration command. This example shows how to acquire an IPv6 address and to enable the rapid-commit option.
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ipv6 address dhcp rapid-commit
This documen...

Page 1184: ...lt but automatically enabled when you configure IPv6 routing. To route IPv6 unicast packets, you must first globally configure forwarding of IPv6 unicast packets by using the ipv6 unicast-routing global configuration command, and you must configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command. To disable IPv6 CEF or distributed CEF, use t...

Page 1185: ...precede the decimal value. ipv6-address: The IPv6 address of the next hop that can be used to reach the specified network. The IPv6 address of the next hop need not be directly connected; recursion is done to find the IPv6 address of the directly connected next hop. The address must be in the form documented in RFC 2373, specified in hexadecimal using 16-bit values between colons. interface-id: Specify di...

Page 1186: ...e-id] [recursive] [detail] or show ipv6 route static [updated]. Verify your entries by displaying the contents of the IPv6 routing table. interface interface-id: (Optional) Display only those static routes with the specified interface as an egress interface. recursive: (Optional) Display only recursive static routes. The recursive keyword is mutually exclusive with the interface keyword, but it can be used with or ...

Page 1187: ...the defaults might adversely affect OSPF for the IPv6 network. Before you enable IPv6 OSPF on an interface, you must enable routing by using the ip routing global configuration command, enable the forwarding of IPv6 packets by using the ipv6 unicast-routing global configuration command, and enable IPv6 on the Layer 3 interfaces on which you are enabling IPv6 OSPF. Step 7: ipv6 rip name default-information ...

Page 1188: ...ional) Set the address range status to advertise and generate a Type 3 summary link-state advertisement (LSA). not-advertise: (Optional) Set the address range status to DoNotAdvertise. The Type 3 summary LSA is suppressed, and component networks remain hidden from other networks. cost cost: (Optional) Metric or cost for this summary route, which is used during OSPF SPF calculation to determine the shortest path...

Page 1189: ...Implementing OSPFv3 chapter of the Cisco IOS IPv6 Configuration Library on Cisco.com. Command / Purpose. Step 1: configure terminal. Enters global configuration mode. Step 2: ipv6 router ospf process-id. Enables OSPFv3 router configuration mode. Step 3: timers lsa arrival milliseconds. Sets the minimum interval at which the software accepts the same LSA from OSPFv3 neighbors. Step 4: timers pacing flood millis...

Page 1190: ...icit router ID, use the show ipv6 eigrp command to see the configured router IDs, and then use the router-id command. As with EIGRP IPv4, you can use EIGRPv6 to specify your EIGRP IPv4 interfaces and to select a subset of those as passive interfaces. Use the passive-interface default command to make all interfaces passive, and then use the no passive-interface command on selected interfaces to make them...

Page 1191: ...obal configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and enter the Layer 3 interface on which you want to specify the standby version. Step 3: standby version {1 | 2}. Enter 2 to change the HSRP version. The default is 1. Step 4: end. Return to privileged EXEC mode. Step 5: show standby. Verify the configuration. Step 6: copy running-config startup-config. (Optional) Save your ent...

Page 1192: ...mpt, which means that when the local router has a higher priority than the active router, it assumes control as the active router. (Optional) group-number: The group number to which the command applies. (Optional) delay: Set to cause the local router to postpone taking over the active role for the shown number of seconds. The range is 0 to 3600 (1 hour); the default is 0 (no delay before taking over). (Optional) rel...

Page 1193: ...IPv6 static routes. show ipv6 traffic: Display IPv6 traffic statistics. Table 1-3 Commands for Displaying EIGRP IPv6 Information. Command / Purpose. show ipv6 eigrp [as-number] interface: Displays information about interfaces configured for EIGRP IPv6. show ipv6 eigrp [as-number] neighbor: Displays the neighbors discovered by EIGRP IPv6. show ipv6 eigrp [as-number] traffic: Displays the number of EIGRP IPv6 packet...

Page 1194: ...Global unicast address(es): 3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]. Joined group address(es): FF02::1, FF02::2, FF02::1:FF2F:D940. MTU is 1500 bytes. ICMP error messages limited to one every 100 milliseconds. ICMP redirects are enabled. ND DAD is enabled, number of DAD attempts: 1. ND reachable time is 30000 milliseconds. ND advertised reachable time is 0 milliseconds. ND advertised retrans...

Page 1195: ...ents. Switch command reference for this release. Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.4: http://www.cisco.com/en/US/docs/ios/12_2/ipaddr/command/reference/fipras_r.html. Hot Standby Router Protocol Version 2 feature module: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html. This chapter consists of these sections: Understanding HSRP, page 1...

Page 1196: ...er is also selected at that time. Devices running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate active and standby routers. When HSRP is configured on an interface, Internet Control Message Protocol (ICMP) redirect messages are automatically enabled for the interface. You can configure multiple Hot Standby groups among switches and switch stacks that a...

Page 1197: ...sive. HSRPv2: Version 2 of HSRP has these features: To match the HSRP group number to the VLAN ID of a subinterface, HSRPv2 can use a group number from 0 to 4095 and a MAC address from 0000.0C9F.F000 to 0000.0C9F.FFFF. HSRPv2 uses the multicast address 224.0.0.102 to send hello packets. HSRPv2 and CGMP leave processing are no longer mutually exclusive, and both can be enabled at the same time. HSRPv2 ...

Page 1198: ...ration for Routers A and B establishes two HSRP groups. For group 1, Router A is the default active router because it has the assigned highest priority, and Router B is the standby router. For group 2, Router B is the default active router because it has the assigned highest priority, and Router A is the standby router. During normal operation, the two routers share the IP traffic load. When either router ...

Page 1199: ...delines, page 1-6; Enabling HSRP, page 1-6; Configuring HSRP Priority, page 1-8; Configuring MHSRP, page 1-10; Configuring HSRP Authentication and Timers, page 1-10; Enabling HSRP Support for ICMP Redirect Messages, page 1-12; Configuring HSRP Groups and Clustering, page 1-12; Troubleshooting HSRP for Mixed Stacks of Catalyst 3750-X, 3750-E, and 3750 Switches, page 1-12. Default HSRP Configuration. Table 1-1 Default...

Page 1200: ...witches. HSRP for IPv4 and HSRP for IPv6 are mutually exclusive. You cannot enable both at the same time. HSRP groups can be configured up to 32 instances. Configure only one instance of a First Hop Redundancy Protocol (FHRP). The switches support HSRPv1, HSRPv2, and HSRP for IPv6. When configuring group numbers for HSRPv2 and HSRP, you must use group numbers in ranges that are multiples of 256. Valid ranges ...

Page 1201: ...rsion on the interface. 1: Select HSRPv1. 2: Select HSRPv2. If you do not enter this command or do not specify a keyword, the interface runs the default HSRP version, HSRP v1. Step 4: standby [group-number] ip [ip-address [secondary]]. Create or enable the HSRP group using its number and virtual IP address. (Optional) group-number: The group number on the interface for which HSRP is being enabled. The range is 0 to 25...

Page 1202: ...andby priority of the configured device. For each interface configured for hot standby, you can configure a separate list of interfaces to be tracked. The standby track interface-priority interface configuration command specifies how much to decrement the hot standby priority when a tracked interface goes down. When the interface comes back up, the priority is incremented by the same amount. When multip...

Page 1203: ...range is 0 to 36000 seconds (1 hour); the default is 0 (no delay before taking over). (Optional) delay reload: Set to cause the local router to postpone taking over the active role after a reload for the number of seconds shown. The range is 0 to 36000 seconds (1 hour); the default is 0 (no delay before taking over after a reload). (Optional) delay sync: Set to cause the local router to postpone taking over the act...

Page 1204: ...priority 110. Switch(config-if)# standby 1 preempt. Switch(config-if)# standby 2 ip 10.0.0.4. Switch(config-if)# standby 2 preempt. Switch(config-if)# end. Router B Configuration: Switch# configure terminal. Switch(config)# interface gigabitethernet1/0/1. Switch(config-if)# no switchport. Switch(config-if)# ip address 10.0.0.2 255.255.255.0. Switch(config-if)# standby 1 ip 10.0.0.3. Switch(config-if)# standby 1 preempt. Switch ...

Page 1205: ...no switchport. Switch(config-if)# standby 1 ip. Switch(config-if)# standby 1 timers 5 15. Switch(config-if)# end. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: interface interface-id. Enter interface configuration mode, and enter the HSRP interface on which you want to set authentication. Step 3: standby [group-number] authentication string. (Optional) authentication string: Enter ...

Page 1206: ...ch and routing redundancy. If you create a cluster with the same HSRP standby group name without entering the routing-redundancy keyword, HSRP standby routing is disabled for the group. This example shows how to bind standby group my_hsrp to the cluster and enable the same HSRP group to be used for command switch redundancy and router redundancy. The command can only be executed on the cluster command...

Page 1207: ...tandby virtual mac address is 0000.0c07.ac01. Name is bbb. VLAN1 - Group 100. Local state is Active, priority 105, may preempt. Hellotime 3, holdtime 10. Next hello sent in 00:00:02.262. Hot standby IP address is 172.20.138.51 configured. Active router is local. Standby router is unknown expired. Standby virtual mac address is 0000.0c07.ac64. Name is test. Configuring VRRP. VRRP is an election protocol that dynami...

Page 1208: ...1-14 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1 Configuring HSRP and VRRP, Configuring VRRP ...

Page 1209: ...t 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. Beginning with Cisco IOS 12.2(58)SE, the switch also supports the Built-in Traffic Simulator using Cisco IOS IP SLAs video operations to generate synthetic traffic for a variety of video applications, such as Telepresence, IPTV, and IP video surveillance cameras. You can use the simulator tool for network assessment before deploy...

Page 1210: ...to best reflect the metrics that an end user is likely to experience. IP SLAs collects a unique subset of these performance metrics: Delay (both round-trip and one-way); Jitter (directional); Packet loss (directional); Packet sequencing (packet ordering); Path (per hop); Connectivity (directional); Server or website download time. Because Cisco IOS IP SLAs is SNMP accessible, it can also be used by performance monitori...

Page 1211: ...operation, it responds with time-stamp information for the source to make the calculation on performance metrics. An IP SLAs operation performs a network measurement from the source device to a destination in the network using a specific protocol, such as UDP. Figure 1-1 Cisco IOS IP SLAs Operation. To implement IP SLAs network performance measurement, you need to perform these tasks: 1. Enable the IP SL...

Page 1212: ...res. MD5 authentication for control messages is available for added security. You do not need to enable the responder on the destination device for all IP SLAs operations. For example, a responder is not required for services that are already provided by the destination router, such as Telnet or HTTP. You cannot configure the IP SLAs responder on non-Cisco devices, and Cisco IOS IP SLAs can send operatio...

Page 1213: ...h SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs operation or a group of operations at one time. You can schedule several IP SLAs operations by using a single command through the Cisco IOS CLI or the CISCO-RTTMON-MIB. Scheduling the operations to run at evenly distributed times allows you to control th...

Page 1214: ...ng other operations, see the Cisco IOS IP SLAs Configuration Guide: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html. This section includes this information: Default Configuration, page 1-6; Configuration Guidelines, page 1-6; Configuring the IP SLAs Responder, page 1-7; Analyzing IP Service Levels by Using the UDP Jitter Operation, page 1-8; Analyzing IP Service Levels by ...

Page 1215: ...m jitter. Type of Operation to Perform: pathEcho. Type of Operation to Perform: pathJitter. Type of Operation to Perform: tcpConnect. Type of Operation to Perform: udpEcho. IP SLAs low memory water mark: 21741224. Configuring the IP SLAs Responder. The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as ...

Page 1216: ...operations measure this data: Per-direction jitter (source to destination and destination to source); Per-direction packet loss; Per-direction delay (one-way delay); Round-trip delay (average round-trip time). Because the paths for the sending and receiving of data can be different (asymmetric), you can use the per-direction data to more readily identify where congestion or other problems are occurring in the n...

Page 1217: ...from 1 to 65535. (Optional) source-ip {ip-address | hostname}: Specify the source IP address or hostname. When a source IP address or hostname is not specified, IP SLAs chooses the IP address nearest to the destination. (Optional) source-port port-number: Specify the source port number in the range from 1 to 65535. When a port number is not specified, IP SLAs chooses an available port. (Optional) control: Enable or ...

Page 1218: ...onfigure the scheduling parameters for an individual IP SLAs operation. operation-number: Enter the RTR entry number. (Optional) life: Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour). (Optional) start-time: Enter the time for the operation to begin collecting information. To start at a specific time, enter t...

Page 1219: ...The IP SLAs ICMP echo operation conforms to the same specifications as ICMP ping testing, and the two methods result in the same response times. Note: This operation does not require the IP SLAs responder to be enabled. Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device. Command / Purpose. Step 1: configure terminal. Enter global configuration mode ...

Page 1220: ...vidual IP SLAs operation. operation-number: Enter the RTR entry number. (Optional) life: Set the operation to run indefinitely (forever) or for a specific number of seconds. The range is from 0 to 2147483647. The default is 3600 seconds (1 hour). (Optional) start-time: Enter the time for the operation to begin collecting information. To start at a specific time, enter the hour, minute, and second (in 24-hour notation) and ...

Page 1221: ...including all defaults, for all IP SLAs operations or a specific operation. show ip sla enhanced-history {collection-statistics | distribution-statistics} [entry-number]: Display enhanced history statistics for collected history buckets or distribution statistics for all IP SLAs operations or a specific operation. show ip sla ethernet-monitor configuration [entry-number]: Display IP SLAs automatic Ethernet co...

Page 1222: ...1-14 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1 Configuring Cisco IOS IP SLAs Operations, Monitoring IP SLAs Operations ...

Page 1223: ...ommand Reference: http://www.cisco.com/en/US/docs/ios/fnetflow/command/reference/fnf_book.html. Note: Not all of the Flexible NetFlow commands in the command reference are available on the switch. Unsupported commands are either not visible or generate an error message if entered. Understanding Flexible NetFlow. With Flexible NetFlow, traffic is processed and packets are classified into flows. New flows are...

Page 1224: ...flow records; ISL; Policy-based NetFlow; Cisco TrustSec monitoring. Although other modules that can be installed in the Catalyst 3750-X and 3560-X have 1-Gigabit and 10-Gigabit uplink interfaces, NetFlow is supported only on the network services module. Configuring Flexible NetFlow. These are some basic Flexible NetFlow configurations: Configuring a Customized Flow Record, page 1-2; Configuring the Flow Exp...

Page 1225: ...ning in privileged EXEC mode, follow these steps to configure the customized flow record. Command / Purpose. Step 1: configure terminal. Enters global configuration mode. Step 2: flow record record-name. Creates a flow record and enters Flexible NetFlow flow record configuration mode. You can also use this command to modify an existing flow record. Step 3: description description. (Optional) Creates a description...

Page 1226: ...ch transport source-port; match transport destination-port; collect interface input snmp; collect interface output snmp; collect counter flows; collect counter bytes; collect counter packets; collect timestamp sys-uptime first; collect timestamp sys-uptime last. flow record L2L4ipv6: Description: User defined. No. of users: 1. Total field space: 81 bytes. Fields: match datalink mac source-address; match datalink mac...

Page 1227: ...e. Specifies the IP address or hostname of the destination system for the exporter. Step 5: dscp dscp. (Optional) Configures differentiated services code point (DSCP) parameters for datagrams sent by the exporter. The DSCP range is from 0 to 63. The default is 0. Step 6: source interface-id. (Optional) Specifies the local interface from which the exporter uses the IP address as the source IP address for exported...

Page 1228: ...mmand / Purpose. Step 1: configure terminal. Enters global configuration mode. Step 2: flow monitor monitor-name. Creates a flow monitor and enters Flexible NetFlow flow monitor configuration mode. You can also use this command to modify an existing flow monitor. Step 3: description description. (Optional) Configures a description for the flow monitor. Step 4: record record-name. Specifies the record for the flow ...

Page 1229: ...eout: 1800 secs. 1800 secs. Update Timeout: 1800 secs. Applying a Flow Monitor to an Interface. Beginning in privileged EXEC mode, follow these steps to apply a NetFlow monitor to an interface. Step 8: Repeat Step 5 to configure additional exporters. Step 9: end. Returns to privileged EXEC mode. Step 10: show running-config flow monitor monitor-name. (Optional) Verifies the flow monitor configuration. Step 11: show ...

Page 1230: ...nter in records matching IPv4 IP addresses. ipv6: Enter in records matching IPv6 IP addresses. Note: This keyword is visible only when the dual IPv4 and IPv6 Switch Database Management (SDM) template is configured on the switch. layer2-switched: (Optional) Apply the flow monitor on Layer 2 switched traffic. multicast: (Optional) Apply the flow monitor on multicast traffic. sampler: (Optional) Apply the flow monitor...

Page 1231: ...de. Step 2: sampler sampler-name. Creates a flow monitor and enters Flexible NetFlow sampler configuration mode. You can also use this command to modify an existing sampler. Step 3: description description. (Optional) Configures a description for the sampler. Step 4: mode random 1 out-of window-size. Specifies the mode and window size from which to select packets. The window size range is from 2 to 32768. Note ...

Page 1232: ...1-10 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1 Configuring Flexible NetFlow, Configuring Flexible NetFlow ...

Page 1233: ...not supported on switches running the LAN base feature set. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. The chapter includes these sections: Understanding Enhanced Object Tracking, page 1-1; Configuring Enhanced Object Tracking Features, page 1-2; Monitoring Enhanced Object Tracking, page 1-12. Understanding Enhance...

Page 1234: ...not met, the IP routing state is down. Beginning in privileged EXEC mode, follow these steps to track the line-protocol state or IP routing state of an interface. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: track object-number interface interface-id line-protocol. (Optional) Create a tracking list to track the line-protocol state of an interface and enter tracking con...

Page 1235: ...her AND or OR operators. When you measure the tracked list state by a weight threshold, you assign a weight number to each object in the tracked list. The state of the tracked list is determined by whether or not the threshold was met. The state of each object is determined by comparing the total weight of all objects against a threshold weight for each object. When you measure the tracked list by a pe...

Page 1236: ...Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: track track-number list boolean {and | or}. Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500. boolean: Specify the state of the tracked list based on a Boolean calculation. and: Specify that the list is up if all objects are up, or down if one or more objects are down ...

Page 1237: ...wo small-bandwidth connections, and object 3 represents one large-bandwidth connection. The configured down 10 value means that once the tracked object is up, it will not go down until the threshold value is equal to or lower than 10, which in this example means that all connections are down. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: track track-number list thresh...

Page 1238: ...rcentage up 51 down 10. Switch(config-track)# exit. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: track track-number list threshold percentage. Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500. threshold: Specify the state of the tracked list based on a threshold. percentage: Specify that the threshold is based on...

Page 1239: ...up threshold is 254, and the default down threshold is 255. Enter list to track objects grouped in a list. Configure the list as described on the previous pages. For boolean, see the "Configuring a Tracked List with a Boolean Expression" section on page 1-4. For threshold weight, see the "Configuring a Tracked List with a Weight Threshold" section on page 1-5. For threshold percentage, see the "Configuring a Tr...

Page 1240: ...se for network troubleshooting, design, and analysis. For more information about Cisco IP SLAs on the switch, see Chapter 1, "Configuring Cisco IOS IP SLAs Operations." For IP SLAs command information, see the Cisco IOS IP SLAs Command Reference, Release 12.4T. Object tracking of IP SLAs operations allows clients to track the output from IP SLAs objects and use this information to trigger an action. Every IP ...

Page 1241: ...lobal configuration mode. Step 2: track object-number rtr operation-number state. Enter tracking configuration mode to track the state of an IP SLAs operation. The object-number range is from 1 to 500. The operation-number range is from 1 to 2147483647. Step 3: delay {up seconds [down seconds] | [up seconds] down seconds}. (Optional) Specify a period of time in seconds to delay communicating state changes of a trac...

Page 1242: ...monitor the state of the connection to the primary gateway. For more information about Cisco IP SLAs support on the switch, see Chapter 1, "Configuring Cisco IOS IP SLAs Operations." For more information about static route object tracking, see http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html. You use this process to configure static route object tracking: Step 1: Configure a p...

Page 1243: ...co IP SLAs operation and enter IP SLA configuration mode. Step 3: icmp-echo {destination-ip-address | destination-hostname} [source-ipaddr {ip-address | hostname} | source-interface interface-id]. Configure a Cisco IP SLAs end-to-end ICMP echo response time operation and enter IP SLAs ICMP echo configuration mode. Step 4: timeout milliseconds. Set the amount of time for which the operation waits for a response from...

Page 1244: ...on packets. You can enter multiple numbers or names. Step 5: set ip next-hop dynamic dhcp. (For DHCP networks only) Set the next hop to the gateway that was most recently learned by the DHCP client. Step 6: set interface interface-id. (For static routing networks only) Indicate where to send output packets that pass a match clause of a route map for policy routing. Step 7: exit. Exit route-map configuration mo...

Page 1245: ...pter 1 Configuring Enhanced Object Tracking, Monitoring Enhanced Object Tracking. show track resolution: Display the resolution of tracked parameters. show track timers: Display tracked polling interval timers. Table 1-1 Commands for Displaying Tracking Information (continued). Command / Purpose ...

Page 1246: ...1-14 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03, Chapter 1 Configuring Enhanced Object Tracking, Monitoring Enhanced Object Tracking ...

Page 1247: ...uccessive requests for the same content, eliminating repetitive transmissions of identical content from servers. Application engines accelerate content delivery and ensure maximum scalability and availability of content. In a service provider network, you can deploy the WCCP and application engine solution at the points of presence (POPs). In an enterprise network, you can deploy the WCCP and application ...

Page 1248: ...information, the application engine forwards it to the requesting client and also caches it to fulfill future requests. With WCCP, the application engine cluster (a series of application engines) can service multiple routers or switches, as shown in Figure 1-1. Figure 1-1 Cisco Cache Engine and WCCP Network Configuration. WCCP Message Exchange. This sequence of events describes the WCCP message exchange: 1. The...

Page 1249: ...gine does not intercept the reconnection attempt. In this way, the application engine effectively cancels the redirection of a packet to the application engine and creates a bypass flow. If the return method is Layer 2 rewrite, the packets are forwarded in hardware to the target server. When the server responds with the information, the switch uses normal Layer 3 forwarding to return the information to ...

Page 1250: ...CP network. You can use a router group list to validate the protocol packets received from the application engine. Packets matching the address in the group list are processed; packets not matching the group list address are dropped. To disable caching for specific clients, servers, or client/server pairs, you can use a WCCP redirect access control list (ACL). Packets that do not match the redirect ACL bypa...

Page 1251: ...Before configuring WCCP on your switch, make sure to follow these configuration guidelines: The application engines and switches in the same service group must be in the same subnetwork, directly connected to the switch that has WCCP enabled. Configure the switch interfaces that are connected to the clients, the application engines, and the server as Layer 3 interfaces (routed ports and switch virtual in...

Page 1252: ...nterface. You cannot configure WCCP and PBR on the same switch interface. You cannot configure WCCP and a private VLAN (PVLAN) on the same switch interface. Enabling the Cache Service. For WCCP packet redirection to operate, you must configure the switch interface connected to the client to redirect inbound packets. This procedure shows how to configure these features on routed ports. To configure these fe...

Page 1253: ...the connection between the switch and the application engine. By default, no password is configured and no authentication is performed. You must configure the same password on each application engine. When authentication is enabled, the switch discards messages that are not authenticated. Step 3: interface interface-id. Specify the interface connected to the application engine or the server, and enter int...

Page 1254: ...1. Switch(config)# interface gigabitethernet1/0/1. Switch(config-if)# no switchport. Switch(config-if)# ip address 172.20.10.30 255.255.255.0. Switch(config-if)# no shutdown. Switch(config-if)# ip wccp web-cache group-listen. Switch(config-if)# exit. Switch(config)# interface gigabitethernet1/0/2. Switch(config-if)# no switchport. Switch(config-if)# ip address 175.20.20.10 255.255.255.0. Switch(config-if)# no shutdown. Switch c...

Page 1255: ...h# configure terminal. Switch(config)# ip wccp web-cache 80 group-list 15. Switch(config)# access-list 15 permit host 171.69.198.102. Switch(config)# access-list 15 permit host 171.69.198.104. Switch(config)# access-list 15 permit host 171.69.198.106. Switch(config)# vlan 299. Switch(config-vlan)# exit. Switch(config)# interface vlan 299. Switch(config-if)# ip address 175.20.20.10 255.255.255.0. Switch(config-if)# exit. Switc...

Page 1256: ...ntaining WCCP. Command / Purpose. clear ip wccp web-cache: Removes statistics for the web cache service. show ip wccp web-cache: Displays global information related to WCCP. show ip wccp web-cache detail: Displays information for the switch and all application engines in the WCCP cluster. show ip interface: Displays status about any IP WCCP redirection commands that are configured on an interface, for example...

Page 1257: ...this feature, the switch or stack master must be running the IP services feature set. To use the PIM stub routing feature, the switch or stack master can be running the IP base image. Note: Multicast routing is not supported on switches running the LAN base feature set. Unless otherwise noted, the term switch refers to a Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack. N...

Page 1258: ...isco routers and multilayer switches connected to Layer 2 Catalyst switches to perform tasks similar to those performed by IGMP. Figure 1-1 shows where these protocols operate within the IP multicast environment. Figure 1-1 IP Multicast Routing Protocols. According to IPv4 multicast standards, the MAC destination multicast address begins with 0100:5e and is appended by the last 23 bits of the IP addre...

Page 1259: ...ses, which are Class D addresses. The high-order bits of a Class D address are 1110. Therefore, host group addresses can be in the range 224.0.0.0 through 239.255.255.255. Multicast addresses in the range 224.0.0.0 to 224.0.0.255 are reserved for use by routing protocols and other network control traffic. The address 224.0.0.0 is guaranteed not to be assigned to any group. IGMP packets are sent using the...

Page 1260: ...discovery and distribution mechanism that enables routers and multilayer switches to dynamically learn the group-to-RP mappings. Sparse mode and dense mode are properties of a group, as opposed to an interface. We strongly recommend sparse-dense mode, as opposed to either sparse mode or dense mode only. PIM join and prune messages have more flexible encoding for multiple address families. A more flexibl...

Page 1261: ...s to be torn down when they are no longer needed. When the number of PIM-enabled interfaces exceeds the hardware capacity and PIM-SM is enabled with the SPT threshold set to infinity, the switch does not create (S, G) entries in the multicast routing table for some directly connected interfaces if they are not already in the table. The switch might not correctly forward traffic from these interfa...

Page 1262: ...n allows the directly connected hosts to receive traffic from multicast source 200.1.1.3. See the "Configuring PIM Stub Routing" section on page 1-22 for more information. Figure 1-2 PIM Stub Router Configuration. IGMP Helper. PIM stub routing moves routed traffic closer to the end user and reduces network traffic. You can also reduce traffic by configuring a stub router (switch) with the IGMP helper featu...

Page 1263: ...er method to distribute group-to-RP mapping information to all PIM routers and multilayer switches in the network. It eliminates the need to manually configure RP information in every router and switch in the network. However, instead of using IP multicast to distribute group-to-RP mapping information, BSR uses hop-by-hop flooding of special BSR messages to distribute the mapping information. The BSR i...

Page 1264: ...rrived on an interface that is on the reverse path back to the source. 2. If the packet arrives on the interface leading back to the source, the RPF check is successful, and the packet is forwarded to all interfaces in the outgoing interface list (which might not be all interfaces on the router). 3. If the RPF check fails, the packet is discarded. Some multicast routing protocols, such as DVMRP, maintain a se...

Page 1265: ...g information to make the packet-forwarding decision. The software does not implement the complete DVMRP. However, it supports dynamic discovery of DVMRP routers and can interoperate with them over traditional media (such as Ethernet and FDDI) or over DVMRP-specific tunnels. DVMRP neighbors build a route table by periodically exchanging source network routing information in route-report messages. The rou...

Page 1266: ...tandby devices and are ready to take over if there is a stack master failure. If the stack master fails, all stack members delete their multicast routing tables. The newly elected stack master starts building the routing tables and distributes them to the stack members. Note: If a stack master running the IP services feature set fails, and if the newly elected stack master is running the IP base feature...

Page 1267: ...IM domain. PIMv1, together with the Auto-RP feature, can perform the same tasks as the PIMv2 BSR. However, Auto-RP is a standalone protocol, separate from PIMv1, and is a proprietary Cisco protocol. PIMv2 is a standards-track protocol in the IETF. We recommend that you use PIMv2. The BSR mechanism interoperates with Auto-RP on Cisco routers and multilayer switches. For more information, see the Auto-RP and BS...

Page 1268: ...prevents these messages from reaching all routers and multilayer switches in your network. Therefore, if your network has a PIMv1 device in it and only Cisco routers and multilayer switches, it is best to use Auto-RP. If you have a network that includes non-Cisco routers, configure the Auto-RP mapping agent and the BSR on a Cisco PIMv2 router or multilayer switch. Ensure that no PIMv1 device is on the p...

Page 1269: ...interface on which you want to enable multicast routing, and enter interface configuration mode. The specified interface must be one of the following: A routed port: a physical port that has been configured as a Layer 3 port by entering the no switchport interface configuration command. An SVI: a VLAN interface created by using the interface vlan vlan-id global configuration command. These interfaces mu...

Page 1270: ...SM is the routing protocol that supports the implementation of SSM and is derived from PIM sparse mode (PIM-SM). Internet Group Management Protocol version 3 (IGMPv3): To run SSM with IGMPv3, SSM must be supported in the Cisco IOS router, the host where the application is running, and the application itself. How SSM Differs from Internet Standard Multicast: The current IP multicast infrastructure in the Inte...

Page 1271: ...o suppress MSDP signalling, registering, or PIM-SM shared-tree operations from occurring within the SSM range. Use the ip pim ssm global configuration command to configure the SSM range and to enable SSM. This configuration has the following effects: For groups within the SSM range, (S,G) channel subscriptions are accepted through IGMPv3 include-mode membership reports. PIM operations within the SSM range...

Page 1272: ...nce for re-use of a single address within the SSM range between different applications. For example, an application service providing a set of television channels should, even with SSM, use a different group for each television (S,G) channel. This setup guarantees that multiple receivers to different channels within the same application service never experience traffic aliasing in networks that include L...

Page 1273: ...guidelines: Before you configure SSM mapping, enable IP multicast routing, enable PIM sparse mode, and configure SSM. For information on enabling IP multicast routing and PIM sparse mode, see the Default Multicast Routing Configuration section on page 1-11. Before you configure static SSM mapping, you must configure access control lists (ACLs) that define the group ranges to be mapped to source addresses. F...

Page 1274: ...r translates this report into one or more channel memberships for the well-known sources associated with this group. When the router receives an IGMPv1 or IGMPv2 membership report for a group, the router uses SSM mapping to determine one or more source IP addresses for the group. SSM mapping then translates the membership report as an IGMPv3 report and continues as if it had received an IGMPv3 report...

Page 1275: ...side switchover mechanism. One video source is active, and the other (backup) video source is passive. The passive source waits until an active source failure is detected before sending the video traffic for the TV channel. Thus, the server-side switchover mechanism ensures that only one of the servers is actively sending video traffic for the TV channel. To look up one or more source addresses for a grou...

Page 1276: ...the configured SSM range. Note: By default, this command enables DNS-based SSM mapping. Step 3 no ip igmp ssm-map query dns (Optional) Disable DNS-based SSM mapping. Note: Disable DNS-based SSM mapping if you only want to rely on static SSM mapping. By default, the ip igmp ssm-map global configuration command enables DNS-based SSM mapping. Step 4 ip igmp ssm-map static access-list source-address Configure s...

Page 1277: ...Specify the address of one or more name servers to use for name and address resolution. Step 6 Repeat Step 5 to configure additional DNS servers for redundancy, if required. Step 7 end Return to privileged EXEC mode. Step 8 show running-config Verify your entries. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Purpose Step 1 confi...

Page 1278: ...gured on the uplink interface of the stub router. The PIM stub router does not route the transit traffic between the distribution routers. Unicast (EIGRP) stub routing enforces this behavior. You must configure unicast stub routing to assist the PIM stub router behavior. For more information, see the EIGRP Stub Routing section on page 1-44. Only directly connected multicast (IGMP) receivers and sources are...

Page 1279: ...pim passive
    Switch(config-if)# exit
    Switch(config)# interface vlan100
    Switch(config-if)# ip address 100.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive
    Switch(config-if)# exit
    Switch(config)# interface GigabitEthernet3/0/20
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.1.1.1 255.255.255.0
    Switch(config-if)# ip pim passive
    Switch(config-if)# end
To verify that PIM stub is enabled for each in...

Page 1280: ...ol in the Internet Engineering Task Force (IETF). You can use Auto-RP, BSR, or a combination of both, depending on the PIM version that you are running and the types of routers in your network. For more information, see the PIMv1 and PIMv2 Interoperability section on page 1-11 and the Auto-RP and BSR Configuration Guidelines section on page 1-12. Manually Assigning an RP to Multicast Groups: This section ex...

Page 1281: ...he access list conditions specify for which groups the device is an RP. For ip-address, enter the unicast address of the RP in dotted decimal notation. (Optional) For access-list-number, enter an IP standard access list number from 1 to 99. If no access list is configured, the RP is used for all groups. (Optional) The override keyword means that if there is a conflict between the RP configured with this comm...

Page 1282: ...with a manual RP address for the Auto-RP groups. If routed interfaces are configured in sparse mode and you enter the ip pim autorp listener global configuration command, Auto-RP can still be used even if all devices are not configured with a manual RP address for the Auto-RP groups. These sections describe how to configure Auto-RP: Setting up Auto-RP in a New Internetwork, page 1-26 (optional); Adding A...

Page 1283: ...e candidate RP for local groups. For interface-id, enter the interface type and number that identifies the RP address. Valid interfaces include physical ports, port channels, and VLANs. For scope ttl, specify the time-to-live value in hops. Enter a hop count that is high enough so that the RP-announce messages reach all mapping agents in the network. There is no default setting. The range is 1 to 255. For gr...

Page 1284: ...faces are in sparse mode, use a default-configured RP to support the two well-known groups 224.0.1.39 and 224.0.1.40. Auto-RP uses these two well-known groups to collect and distribute RP-mapping information. When this is the case and the ip pim accept-rp auto-rp command is configured, another ip pim accept-rp command accepting the RP must be configured as follows:
    Switch(config)# ip pim accept-rp 172.10...

Page 1285: ...pted for the group ranges supplied in the group-list access-list-number variable. If this variable is omitted, the filter applies to all multicast groups. If more than one mapping agent is used, the filters must be consistent across all mapping agents to ensure that no conflicts occur in the group-to-RP mapping information. Step 3 access-list access-list-number {deny | permit} source [source-wildcard] Create...

Page 1286: ...r. As IP multicast becomes more widespread, the chance of one PIMv2 domain bordering another PIMv2 domain is increasing. Because these two domains probably do not share the same set of RPs, BSR, candidate RPs, and candidate BSRs, you need to constrain PIMv2 BSR messages from flowing into or out of the domain. Allowing these messages to leak across the domain borders could adversely affect the normal BSR e...

Page 1287: ...tch. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number deny source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. For access-list-number, the range is 1 to 99. The deny keyword denies access if the conditions are matched. For source, enter multicast addresses 224.0.1.39 and 224.0.1.40, which car...

Page 1288: ...10
    Switch(config)# interface gigabitethernet1/0/2
    Switch(config-if)# ip address 172.21.24.18 255.255.255.0
    Switch(config-if)# ip pim sparse-dense-mode
    Switch(config-if)# ip pim bsr-candidate gigabitethernet1/0/2 30 10
Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim bsr-candidate interface-id hash-mask-length [priority] Configure your switch to be a candidate BSR. For i...

Page 1289: ...ration command. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip pim rp-candidate interface-id [group-list access-list-number] Configure your switch to be a candidate RP. For interface-id, specify the interface whose associated IP address is advertised as a candidate RP address. Valid interfaces include physical ports, port channels, and VLANs. (Optional) For group-list acc...

Page 1290: ...te BSRs as the RP-mapping agents for Auto-RP. For more information, see the Configuring Auto-RP section on page 1-26 and the Configuring Candidate BSRs section on page 1-32. For group prefixes advertised through Auto-RP, the PIMv2 BSR mechanism should not advertise a subrange of these group prefixes served by a different set of RPs. In a mixed PIMv1 and PIMv2 domain, have backup RPs serve the same group...

Page 1291: ...n: 1. Verify RP mapping with the show ip pim rp-hash privileged EXEC command, making sure that all systems agree on the same RP for the same group. 2. Verify interoperability between different versions of DRs and RPs. Make sure the RPs are interacting with the DRs properly (by responding with register-stops and forwarding decapsulated data packets from registers). Configuring Advanced PIM Features: Understa...

Page 1292: ...ource. At this point, data might arrive twice at Router C, once encapsulated and once natively. 5. When data arrives natively (unencapsulated) at the RP, it sends a register-stop message to Router A. 6. By default, reception of the first data packet prompts Router C to send a join message toward the source. 7. When Router C receives data on (S,G), it sends a prune message for the source up the shared tree. 8. The R...

Page 1293: ...l groups. Beginning in privileged EXEC mode, follow these steps to configure a traffic rate threshold that must be reached before multicast routing is switched from the source tree to the shortest-path tree. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard acc...

Page 1294: ...these steps to modify the router-query message interval. This procedure is optional. To return to the default setting, use the no ip pim query-interval seconds interface configuration command. Configuring Optional IGMP Features: Default IGMP Configuration, page 1-39; Configuring the Switch as a Member of a Group, page 1-39 (optional); Controlling Access to IP Multicast Groups, page 1-40 (optional); Changing the...

Page 1295: ...ast group, pinging that group causes all these devices to respond. The devices respond to ICMP echo-request packets addressed to a group of which they are members. Another example is the multicast traceroute tools provided in the software. Caution: Performing this procedure might impact the CPU performance because the CPU will receive all data traffic for the group address. Table 1-4 Default IGMP Confi...

Page 1296: ...low these steps to filter multicast groups allowed on an interface. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Step 3 ip igmp join-group group-address Configure the switch to join a multicast group. By default, no group memberships are d...

Page 1297: ...tional. Step 5 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list. For access-list-number, specify the access list created in Step 3. The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched. For source, specify the multicast group that hosts on the subnet can join. (Optional) For source-wildcar...

Page 1298: ...egister and PIM join messages toward the RP router. Beginning in privileged EXEC mode, follow these steps to modify the host-query interval. This procedure is optional. To return to the default setting, use the no ip igmp query-interval interface configuration command. Changing the IGMP Query Timeout for IGMPv2: If you are using IGMPv2, you can specify the period of time before the switch takes over as th...

Page 1299: ...to the default setting, use the no ip igmp query-max-response-time interface configuration command. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Step 3 ip igmp querier-timeout seconds Specify the IGMP query timeout. The default is 60 seconds (twice the query interval...

Page 1300: ...gure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional. To remove the switch as a member of the group, use the no ip igmp static-group group-address interface configuration command. Configuring Optional Multicast Routing Features: These sections describe how to configure optional multicast routing features: Features for Layer 2 connect...

Page 1301: ...Step 2 interface interface-id Specify the interface that is connected to the Layer 2 Catalyst switch, and enter interface configuration mode. Step 3 ip cgmp [proxy] Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches. (Optional) When you enter the proxy keyword...

Page 1302: ...on the time the session is active, its IP multicast group addresses, media format, contact person, and other information about the advertised multimedia session. The information in the SAP packet is displayed in the SDR Session Announcement window. Enabling sdr Listener Support: By default, the switch does not listen to session directory advertisements. Beginning in privileged EXEC mode, follow these steps...

Page 1303: ...t boundaries and TTL thresholds control the scoping of multicast domains; however, TTL thresholds are not supported by the switch. You should use multicast boundaries instead of TTL thresholds to limit the forwarding of multicast traffic outside of a domain or a subdomain. Figure 1-7 shows that Company XYZ has an administratively scoped boundary set for the multicast address range 239.0.0.0/8 on all r...

Page 1304: ...ompany XYZ (figure labels: Engineering, Marketing, 239.128.0.0/16, 239.0.0.0/8). Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 access-list access-list-number {deny | permit} source [source-wildcard] Create a standard access list, repeating the command as many times as necessary. For access-list-number, the range is 1 to 99. The deny keyword denies access if the conditions are matched. The permi...

Page 1305: ...n attached networks by listening to DVMRP probe messages. When a DVMRP neighbor has been discovered, the PIM device periodically sends DVMRP report messages advertising the unicast sources reachable in the PIM domain. By default, directly connected subnets and networks are advertised. The device forwards multicast packets that have been forwarded by DVMRP routers and, in turn, forwards multicast packets t...

Page 1306: ...e packet is being sent. (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore. Recall that the access list is always terminated by an implicit deny statement for everything. Step 3 interface interface-id Specify the interface connected to the MBONE and enabled for multicast routing, and enter...

Page 1307: ...0.0.255.255
    Switch(config)# access-list 1 deny 0.0.0.0 255.255.255.255
    Switch(config)# access-list 2 permit 0.0.0.0 255.255.255.255
Configuring a DVMRP Tunnel: The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables...

Page 1308: ...estination ip-address Specify the destination address of the tunnel interface. Enter the IP address of the mrouted router. Step 6 tunnel mode dvmrp Configure the encapsulation mode for the tunnel to DVMRP. Step 7 ip address address mask, or ip unnumbered type number Assign an IP address to the interface, or configure the interface as unnumbered. Step 8 ip pim [dense-mode | sparse-mode] Configure the PIM mod...

Page 1309: ...interface gigabitethernet1/0/1
    Switch(config-if)# ip address 172.16.2.1 255.255.255.0
    Switch(config-if)# ip pim dense-mode
    Switch(config-if)# exit
    Switch(config)# access-list 1 permit 198.92.37.0 0.0.0.255
Advertising Network 0.0.0.0 to DVMRP Neighbors: If your switch is a neighbor of an mrouted Version 3.6 device, you can configure the software to advertise network 0.0.0.0 (the default route) to the DVMRP neig...

Page 1310: ...pim]
    171.69.214.18 -> 171.69.214.19 (mm1-45c.cisco.com) [1/0/pim]
    171.69.214.18 -> 171.69.214.17 (mm1-45a.cisco.com) [1/0/pim]
Configuring Advanced DVMRP Interoperability Features: Cisco routers and multilayer switches run PIM to forward multicast packets to receivers and receive multicast packets from senders. It is also possible to propagate DVMRP routes into and through a PIM cloud. PIM uses this information; how...

Page 1311: ...ters and multilayer switches. However, if there is a DVMRP-capable multicast router, the Cisco device can do PIM/DVMRP multicast routing. Beginning in privileged EXEC mode, follow these steps to enable DVMRP unicast routing. This procedure is optional. To disable this feature, use the no ip dvmrp unicast-routing interface configuration command. Rejecting a DVMRP Nonpruning Neighbor: By default, Cisco devices...

Page 1312: ...re the switch, which is a neighbor to the leaf nonpruning DVMRP machine, with the ip dvmrp reject-non-pruners interface configuration command on the interface connected to the nonpruning machine, as shown in Figure 1-9. In this case, when the switch receives a DVMRP probe or report message without the prune-capable flag set, the switch logs a syslog message and discards the message. (Figure labels: Router A, Router ...

Page 1313: ...ure is optional. To disable this function, use the no ip dvmrp reject-non-pruners interface configuration command. (Figure labels: Router A; Router B; RP; Multicast traffic gets to receiver, not to leaf DVMRP device; Source router or RP; Leaf nonpruning DVMRP device; Configure the ip dvmrp reject-non-pruners command on this interface; Receiver; Layer 3 switch.) Command Purpose Step 1 configure terminal Enter global conf...

Page 1314: ...C mode, follow these steps to change the DVMRP route limit. This procedure is optional. To configure no route limit, use the no ip dvmrp route-limit global configuration command. Changing the DVMRP Route Threshold: By default, 10,000 DVMRP routes can be received per interface within a 1-minute interval. When that rate is exceeded, a syslog message is issued, warning that there might be a route surge occurri...

Page 1315: ...tunnel shares the same IP address as Fast Ethernet port 1 and falls into the same Class B network as the two directly connected subnets, classful summarization of these routes was not performed. As a result, the DVMRP router is able to poison-reverse only these two routes to the directly connected subnets and is able to RPF properly only for multicast traffic sent by sources on these two Ethernet se...

Page 1316: ...RP Report (figure labels: DVMRP Route Table; Unicast Routing Table, 10,000 Routes)
    interface tunnel 0
     ip unnumbered gigabitethernet1/0/1
    interface gigabitethernet1/0/1
     ip addr 176.32.10.1 255.255.255.0
     ip pim dense-mode
    interface gigabitethernet1/0/2
     ip addr 176.32.15.1 255.255.255.0
     ip pim dense-mode
    Network          Intf   Metric    Dist
    176.13.10.0/24   Gi0/1  10514432  90
    176.32.15.0/24   Gi0/2  10512012  90
    176.32.20.0/24   Gi0...

Page 1317: ...better paths to individual subnets inside the PIM cloud. If you configure the ip dvmrp summary-address interface configuration command and did not configure no ip dvmrp auto-summary, you get both custom and autosummaries. Beginning in privileged EXEC mode, follow these steps to disable DVMRP autosummarization. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configurati...

Page 1318: ...ommand. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the interface to be configured, and enter interface configuration mode. Step 3 ip dvmrp metric-offset [in | out] increment Change...

Page 1319: ...isplay information about node reachability and discover the routing path that packets of your device are taking through the network. You can use any of the privileged EXEC commands in Table 1-6 to display various routing statistics. Table 1-5 Commands for Clearing Caches, Tables, and Databases. Command Purpose: clear ip cgmp Clear all group entries the Catalyst switches have cached. clear ip dvmrp route...

Page 1320: ...w ip pim neighbor [type number] List the PIM neighbors discovered by the switch. This command is available in all software images. show ip pim rp [group-name | group-address] Display the RP routers associated with a sparse-mode multicast group. This command is available in all software images. show ip rpf {source-address | name} Display how the switch is doing Reverse Path Forwarding (that is, from the unicast ro...

Page 1321: ...ss Switching and Fast Switching, page 1-11; Multiprotocol BGP for the IPv6 Multicast Address Family, page 1-12; NSF and SSO Support in IPv6 Multicast, page 1-12; Bandwidth-Based CAC for IPv6 Multicast, page 1-12. IPv6 Multicast Overview: An IPv6 multicast group is an arbitrary group of receivers that want to receive a particular data stream. This group has no physical or geographical boundaries; receivers ca...

Page 1322: ...ocol (IGMP) for IPv4, and MLD version 2 is based on version 3 of the IGMP for IPv4. IPv6 multicast for Cisco IOS software uses both MLD version 2 and MLD version 1. MLD version 2 is fully backward-compatible with MLD version 1 (described in RFC 2710). Hosts that support only MLD version 1 will interoperate with a switch running MLD version 2. Mixed LANs with both MLD version 1 and MLD version 2 hosts are l...

Page 1323: ...owed to support the use of IPv6 multicast in the Neighbor Discovery Protocol. For stateless autoconfiguration, a node is required to join several IPv6 multicast groups in order to perform duplicate address detection (DAD). Prior to DAD, the only address the reporting node has for the sending interface is a tentative one, which cannot be used for communication. Therefore, the unspecified address must be use...

Page 1324: ...r from the access switch. In order for you to track resource consumption on a per-stream basis, these accounting records provide information about the multicast source and group. The start record is sent when the last-hop switch receives a new MLD report, and the stop record is sent upon MLD leave or if the group or channel is deleted for any reason. IPv6 MLD Proxy: The MLD proxy feature provides a mech...

Page 1325: ...hing all the receivers for that multicast group. The process of encapsulating data packets to the RP is called registering, and the encapsulation packets are called PIM register packets. Designated Switch: Cisco switches use PIM-SM to forward multicast traffic and follow an election process to select a designated switch when there is more than one switch on a LAN segment. The designated switch is respo...

Page 1326: ...group membership. You must configure the RP address on all switches (including the RP switch). A PIM switch can be an RP for more than one group. Only one RP address can be used at a time within a PIM domain for a certain group. The conditions specified by the access list determine for which groups the switch is an RP. IPv6 multicast supports the PIM accept register feature, which is the ability to perfor...

Page 1327: ...RP-Adv message includes the address of the advertising C-RP and an optional list of group addresses and mask length fields, indicating the group prefixes for which the candidacy is advertised. The BSR then includes a set of these C-RPs, along with their corresponding group prefixes, in bootstrap messages (BSMs) it periodically originates. BSMs are distributed hop by hop throughout the domain. Bidirection...

Page 1328: ...ee: 1. Receiver joins a group; leaf Switch C sends a join message toward the RP. 2. RP puts the link to Switch C in its outgoing interface list. 3. Source sends the data; Switch A encapsulates the data in the register and sends it to the RP. 4. RP forwards the data down the shared tree to Switch C and sends a join message toward the source. At this point, data may arrive twice at Switch C, once encapsulated an...

Page 1329: ...a PIM switch finds an upstream switch for some address, the result of the RPF calculation is compared with the addresses in this option, in addition to the PIM neighbor's address itself. Because this option includes all the possible addresses of a PIM switch on that link, it always includes the RPF calculation result if it refers to the PIM switch supporting this option. Because of size restrictions on PI...

Page 1330: ...uting protocols. MFIB: The MFIB is a platform-independent and routing-protocol-independent library for IPv6 software. Its main purpose is to provide a Cisco IOS platform with an interface with which to read the IPv6 multicast forwarding table and notifications when the forwarding table changes. The information provided by the MFIB has clearly defined forwarding semantics and is designed to make it eas...

Page 1331: ...Layer 2 frame is then rewritten with the next-hop destination address and sent to the outgoing interface. The RP also computes the cyclic redundancy check (CRC). This switching method is the least scalable method for switching IPv6 packets. IPv6 multicast fast switching allows switches to provide better packet-forwarding performance than process switching. Information conventionally stored in a route c...

Page 1332: ...y usable for IP unicast but not IP multicast. Because of this functionality, BGP routes in the IPv6 unicast RIB must be ignored in the IPv6 multicast RPF lookup. A separate BGP routing table is maintained to configure incongruent policies and topologies (for example, IPv6 unicast and multicast) by using IPv6 multicast RPF lookup. Multicast RPF lookup is very similar to the IP unicast route lookup. No MRIB...

Page 1333: ...and Profile Support, page 1-16; Enabling MLD Proxy in IPv6, page 1-18; Resetting the MLD Traffic Counters, page 1-19; Clearing the MLD Interface Counters, page 1-19. Customizing and Verifying MLD on an Interface: Beginning in privileged EXEC mode, follow these steps. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 multicast-routing [vrf vrf-name] Example: Switch(config)# ipv...

Page 1334: ...conds Example: Switch(config-if)# ipv6 mld query-max-response-time 20 Configures the maximum response time advertised in MLD queries. Step 7 ipv6 mld query-timeout seconds Example: Switch(config-if)# ipv6 mld query-timeout 130 Configures the timeout value before the switch takes over as the querier for the interface. Step 8 exit Example: Switch(config-if)# exit Enter this command twice to exit interface conf...

Page 1335: ...ty. Step 13 debug ipv6 mld explicit [group-name | group-address] Example: Switch# debug ipv6 mld explicit Displays information related to the explicit tracking of hosts. Step 14 copy running-config startup-config (Optional) Save your entries in the configuration file. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ipv6 mld [vrf vrf-name] state-limit number Exam...

Page 1336: ...ffic; Resetting Authorization Status on an MLD Interface. Enabling AAA Access Control for IPv6 Multicast: Beginning in privileged EXEC mode, follow these steps. Specifying Method Lists and Enabling Multicast Accounting: Perform this task to specify the method lists used for AAA authorization and accounting, and to enable multicast accounting on specified groups or channels on an interface. Command Pur...

Page 1337: ...that restrict user access to an IPv6 multicast network. Step 3 aaa accounting multicast default [start-stop | stop-only] [broadcast] [method1] [method2] [method3] [method4] Example: Switch(config)# aaa accounting multicast default Enables AAA accounting of IPv6 multicast services for billing or security purposes when you use RADIUS. Step 4 interface type number Example: Switch(config)# interface FastEthernet 1/0 Specif...

Page 1338: ...eature. Step 3 ipv6 mld host-proxy interface [group-acl] Example: Switch(config)# ipv6 mld host-proxy interface Ethernet 0/0 Enables the MLD proxy feature on a specified interface on an RP. Step 4 show ipv6 mld host-proxy [interface-type interface-number] [group group-address] Example: Switch(config)# show ipv6 mld host-proxy Ethernet0/0 Displays IPv6 MLD host proxy information. Step 5 copy running-config startu...

Page 1339: ...traffic. Resets all MLD traffic counters. Step 2: show ipv6 mld vrf vrf-name traffic. Example: Switch# show ipv6 mld traffic. Displays the MLD traffic counters. Step 3: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 4: clear ipv6 mld vrf vrf-name counters interface-type. Example: Switch# clear ipv6 mld counters Ethernet1/0. Clears the MLD interface...

Page 1340: ...able. Step 6: show ipv6 pim vrf vrf-name neighbor detail interface-type interface-number count. Example: Switch# show ipv6 pim neighbor. Displays the PIM neighbors discovered by the Cisco IOS software. Step 7: show ipv6 pim vrf vrf-name range-list config rp-address rp-name. Example: Switch# show ipv6 pim range-list. Displays information about IPv6 multicast range lists. Step 8: show ipv6 pim vrf vrf-name tunnel...

Page 1341: ...an interface type and number and places the switch in interface configuration mode. Step 5: ipv6 pim dr-priority value. Example: Switch(config-if)# ipv6 pim dr-priority 3. Configures the DR priority on a PIM switch. Step 6: ipv6 pim hello-interval seconds. Example: Switch(config-if)# ipv6 pim hello-interval 45. Configures the frequency of PIM hello messages on an interface. Step 7: ipv6 pim join-prune-interval s...

Page 1342: ...dir. Configures the address of a PIM RP for a particular group range. Use of the bidir keyword means that the group range will be used for bidirectional shared-tree forwarding. Step 3: exit. Example: Switch(config-if)# exit. Exits global configuration mode and returns the switch to privileged EXEC mode. Step 4: show ipv6 pim vrf vrf-name df interface-type interface-number rp-address. Example: Switch# show ipv6...

Page 1343: ...ple: Switch# show ipv6 mrib route. Displays the MRIB route information. Step 4: show ipv6 pim vrf vrf-name topology groupname-or-address sourcename-or-address link-local route-count detail. Example: Switch# show ipv6 pim topology. Displays PIM topology table information for a specific group or all groups. Step 5: debug ipv6 mrib vrf vrf-name client. Example: Switch# debug ipv6 mrib client. Enables debugging on M...

Page 1344: ...rity 10. Configures a switch to be a candidate BSR. Step 3: interface type number. Example: Switch(config)# interface FastEthernet 1/0. Specifies an interface type and number and places the switch in interface configuration mode. Step 4: ipv6 pim bsr border. Example: Switch(config-if)# ipv6 pim bsr border. Configures a border for all BSMs of any scope on a specified interface. Step 5: exit. Example: Switch(config-if)#...

Page 1345: ...interface configuration mode. Step 4: ipv6 pim bsr border. Example: Switch(config-if)# ipv6 pim bsr border. Configures a border for all BSMs of any scope on a specified interface. Step 5: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ipv6 pim vrf vrf-name bsr candidate bsr ipv6-address...

Page 1346: ...SSM mapping, depending on your switch configuration. If you choose to use static SSM mapping, you can configure multiple static SSM mappings. If multiple static SSM mappings are configured, the source addresses of all matching access lists will be used. Note: To use DNS-based SSM mapping, the switch needs to find at least one correctly configured DNS server, to which the switch may be directly attached. St...

Page 1347: ...name ssm-map query dns. Example: Switch(config)# no ipv6 mld ssm-map query dns. Disables DNS-based SSM mapping. Step 4: ipv6 mld vrf vrf-name ssm-map static access-list source-address. Example: Switch(config)# ipv6 mld ssm-map static SSM_MAP_ACL_2 2001:DB8:1::1. Configures static SSM mappings. Step 5: exit. Example: Switch(config-if)# exit. Exits global configuration mode and returns the switch to privileged EXEC mo...

Page 1348: ...active. Displays the active multicast streams on the switch. Step 6: show ipv6 rpf vrf vrf-name ipv6-prefix. Example: Switch# show ipv6 rpf 2001:DB8:1:1:2. Checks RPF information for a given unicast host address and prefix. Step 7: copy running-config startup-config. (Optional) Save your entries in the configuration file. Command / Purpose. Command / Purpose. Step 1: show ipv6 mfib vrf vrf-name link-local verbose gro...

Page 1349: ...mary. Example: Switch# show ipv6 mfib summary. Displays summary information about the number of IPv6 MFIB entries and interfaces. Step 7: debug ipv6 mfib vrf vrf-name group-name group-address adjacency db fs init interface mrib detail nat pak platform ppr ps signal table. Example: Switch# debug ipv6 mfib FF04::10 pak. Enables debugging output on the IPv6 MFIB. Step 8: copy running-config startup-config. (Optiona...

Page 1350: ...1-30 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1: Implementing IPv6 Multicast. Implementing IPv6 Multicast ...

Page 1351: ...switch stack. Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.4. This chapter consists of these sections: Understanding MSDP, page 1-1; Configuring MSDP, page 1-3; Monitoring and Maintaining MSDP, page 1-19. Understanding MSDP. MSDP allows multicast sources for a group to be known to all rendezvou...

Page 1352: ...all MSDP peers. The SA message identifies the source, the group the source is sending to, and the address of the RP or the originator ID (the IP address of the interface used as the RP address), if configured. Each MSDP peer receives and forwards the SA message away from the originating RP to achieve peer reverse-path flooding (RPF). The MSDP device examines the BGP or MBGP routing table to discover which...

Page 1353: ...eases security because you can prevent your sources from being known outside your domain. Domains with only receivers can receive data without globally advertising group membership. Global source multicast routing table state is not required, saving memory. Configuring MSDP: Default MSDP Configuration, page 1-4; Configuring a Default MSDP Peer, page 1-4 (required); Caching Source-Active State, page 1-6 (option...

Page 1354: ...from that peer. Figure 1-2 shows a network in which default MSDP peers might be used. In Figure 1-2, a customer who owns Switch B is connected to the Internet through two Internet service providers (ISPs), one owning Router A and the other owning Router C. They are not running BGP or MBGP between them. To learn about sources in the ISPs' domain or in other domains, Switch B at the customer site identifies...

Page 1355: ...sages. For ip-address | name, enter the IP address or Domain Name System (DNS) server name of the MSDP default peer. (Optional) For prefix-list list, enter the list name that specifies the peer to be the default peer only for the listed prefixes. You can have multiple active default peers when you have a prefix list associated with each. When you enter multiple ip msdp default-peer commands with the prefix-li...

Page 1356: ...after a SA message is received by the local RP, that member needs to wait until the next SA message to hear about the source. This delay is known as join latency. If you want to sacrifice some memory in exchange for reducing the latency of the source information, you can configure the switch to cache SA messages. Step 3: ip prefix-list name description string seq number permit | deny network/length. Option...

Page 1357: ...cached. For list access-list-number, the range is 100 to 199. Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. Create an IP extended access list, repeating the command as many times as necessary. For access-list-number, the range is 100 to 199. Enter the same number created in Step 2. The deny keyword denies access if the conditions are mat...

Page 1358: ...icast traffic. This procedure is optional. To return to the default setting, use the no ip msdp sa-request {ip-address | name} global configuration command. This example shows how to configure the switch to send SA request messages to the MSDP peer at 171.69.1.1: Switch(config)# ip msdp sa-request 171.69.1.1. Controlling Source Information that Your Switch Originates. You can control the multicast source infor...

Page 1359: ...re which (S,G) entries from the multicast routing table are advertised in SA messages. By default, only sources within the local domain are advertised. (Optional) For list access-list-name, enter the name or number of an IP standard or extended access list. The range is 1 to 99 for standard access lists and 100 to 199 for extended lists. The access list controls which local sources are advertised and to whi...

Page 1360: ...ess if the conditions are matched. The permit keyword permits access if the conditions are matched. For protocol, enter ip as the protocol name. For source, enter the number of the network or host from which the packet is being sent. For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore. For destination, e...

Page 1361: ...request 171.69.2.2 list 1. Switch(config)# access-list 1 permit 192.4.22.0 0.0.0.255. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp filter-sa-request {ip-address | name} or ip msdp filter-sa-request {ip-address | name} list access-list-number. Filter all SA request messages from the specified MSDP peer, or filter SA request messages from the specified MSDP peer for gro...

Page 1362: ...privileged EXEC mode, follow these steps to apply a filter. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp sa-filter out {ip-address | name} or ip msdp sa-filter out {ip-address | name} list access-list-number or ip msdp sa-filter out {ip-address | name} route-map map-tag. Filter all SA messages to the specified MSDP peer, or to the specified pe...

Page 1363: ...necessary. For access-list-number, enter the number specified in Step 2. The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched. For protocol, enter ip as the protocol name. For source, enter the number of the network or host from which the packet is being sent. For source-wildcard, enter the wildcard bits in dotted decimal notation to b...

Page 1364: ...messages that its MSDP RPF peers send to it. However, you can control the source information that you receive from MSDP peers by filtering incoming SA messages. In other words, you can configure the switch to not accept them. You can perform one of these actions: Filter all incoming SA messages from an MSDP peer. Specify an IP extended access list to pass certain source/group pairs. Filter based on match...

Page 1365: ...ose SA messages that meet the match criteria in the route-map map-tag. If all match criteria are true, a permit from the route map passes routes through the filter. A deny will filter routes. Step 3: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. (Optional) Create an IP extended access list, repeating the command as many times as necessary. For a...

Page 1366: ...address | name global configuration command. Shutting Down an MSDP Peer. If you want to configure many MSDP commands for the same peer and you do not want the peer to become active, you can shut down the peer, configure it, and later bring it up. When a peer is shut down, the TCP connection is terminated and is not restarted. You can also shut down an MSDP session without losing configuration information f...

Page 1367: ...s. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: ip msdp shutdown {peer-name | peer-address}. Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down. Step 3: end. Return to privileged EXEC mode. Step 4: show running-config. Ver...

Page 1368: ...e sources to be known to the outside world. Because this switch is not an RP, it would not have an RP address to use in an SA message. Therefore, this command provides the RP address by specifying the address of the interface. Beginning in privileged EXEC mode, follow these steps to allow an MSDP speaker that originates an SA message to use the IP address on the interface as the RP address in the SA mes...

Page 1369: ...system. The ip msdp cache-sa-state command must be configured for this command to produce any output. show ip msdp peer peer-address | name: Displays detailed information about an MSDP peer. show ip msdp sa-cache group-address source-address group-name source-name autonomous-system-number: Displays (S,G) state learned from MSDP peers. show ip msdp summary: Displays MSDP peer status and SA message counts. Tab...

Page 1371: ...page 1-3. Fallback Bridging Overview. With fallback bridging, the switch bridges together two or more VLANs or routed ports, essentially connecting multiple VLANs within one bridge domain. Fallback bridging forwards traffic that the switch does not route and forwards traffic belonging to a nonroutable protocol such as DECnet. A VLAN bridge domain is represented with switch virtual interfaces (SVIs). A set...

Page 1372: ...idge table, the packet is flooded on all forwarding interfaces in the bridge group. A source MAC address is learned on a bridge group only when the address is learned on a VLAN; the reverse is not true. Any address that is learned on a stack member is learned by all switches in the stack. To participate in the spanning-tree algorithm by receiving and, in some cases, sending BPDUs on the LANs to which the...

Page 1373: ...f stacks merge or if a switch is added to the stack, any new VLANs that are part of a bridge group and become active are included in the VLAN bridge STP. When a stack member fails, the addresses learned from this member are deleted from the bridge group MAC address table. For more information about switch stacks, see Chapter 1, Managing Switch Stacks. Configuring Fallback Bridging. Default Fallback Bridgi...

Page 1374: ...on the same switch if the ports are in different VLANs. Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: bridge bridge-group protocol vlan-bridge. Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to r...

Page 1375: ...f)# bridge-group 10. Switch(config-if)# exit. Adjusting Spanning-Tree Parameters. You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command. You configure interface-specific parameters by using variations of the bridge-group interface configurati...

Page 1376: ...with the lowest interface value is elected. Beginning in privileged EXEC mode, follow these steps to change the interface priority. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: bridge bridge-group priority number. Change the VLAN-bridge spanning-tree priority of the switch. For bridge-group, specify the bridge group number. The range is 1 to...

Page 1377: ...0/1. Switch(config-if)# bridge-group 10 path-cost 20. Adjusting BPDU Intervals: Adjusting the Interval between Hello BPDUs, page 1-8 (optional); Changing the Forward-Delay Interval, page 1-8 (optional); Changing the Maximum-Idle Interval, page 1-9 (optional). Step 5: show running-config. Verify your entry. Step 6: copy running-config startup-config. (Optional) Save your entry in the configuration file. Command / Purpose. Co...

Page 1378: ...activated for switching and before forwarding actually begins. Beginning in privileged EXEC mode, follow these steps to change the forward-delay interval. This procedure is optional. Command / Purpose. Step 1: configure terminal. Enter global configuration mode. Step 2: bridge bridge-group hello-time seconds. Specify the interval between hello BPDUs. For bridge-group, specify the bridge group number. The range...

Page 1379: ...ted in one switching subnetwork from impacting devices in the other switching subnetwork, yet still permit switching throughout the network as a whole. For example, when switched LAN subnetworks are separated by a WAN, BPDUs can be prevented from traveling across the WAN link. Beginning in privileged EXEC mode, follow these steps to disable spanning tree on a port. This procedure is optional. Command / Purp...

Page 1380: ...by using the session stack-member-number global configuration command. Enter the show bridge bridge-group interface-id mac-address verbose privileged EXEC command at the stack member prompt. For information about the fields in these displays, see the Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2, Release 12.4. Step 5: show running-config. Verify your entry. Step 6: copy running-con...

Page 1381: ...or complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Command Summary, Release 12.4. Recovering from a Software Failure, page 1-2. Recovering from a Lost or Forgotten Password, page 1-3. Preventing Switch Stack Problems, page 1-8. Recovering from a Command Switch Failure, page 1-9. Recovering from Lost Cluster Member Conne...

Page 1382: ...ract the bin file from the tar file. If you are using Windows, use a zip program that can read a tar file. Use the zip program to navigate to and extract the bin file. If you are using UNIX, follow these steps: 1. Display the contents of the tar file by using the tar -tvf image_filename.tar UNIX command: switch% tar -tvf image_filename.tar. 2. Locate the bin file, and extract it by using the tar -xvf image_filen...

Page 1383: ...e flash:image_filename.bin file from the switch. Recovering from a Lost or Forgotten Password. The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the boot process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch. Note: On these switches...

Page 1384: ...Step 4: Reconnect the power cord to the switch or the stack master. Within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button. Several lines of information about the software appear with instructions, informing you if the password recovery procedure ha...

Page 1385: ...Display the contents of flash memory: switch: dir flash:. The switch file system appears: Directory of flash: 13 drwx 192 Mar 01 1993 22:30:48 switch_image; 11 -rwx 5825 Mar 01 1993 22:31:59 config.text; 18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat; 16128000 bytes total (10003456 bytes free). Step 5: Rename the configuration file to config.text.old. This file contains the password definition. switch: rename flash:con...

Page 1386: ...likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command. Step 14: Relo...

Page 1387: ...le system appears: Directory of flash: 13 drwx 192 Mar 01 1993 22:30:48 switch_image; 16128000 bytes total (10003456 bytes free). Step 4: Boot up the system: switch: boot. You are prompted to start the setup program. To continue with password recovery, enter N at the prompt: Continue with the configuration dialog? [yes/no]: N. Step 5: At the switch prompt, enter privileged EXEC mode: Switch> enable. Step 6: Enter global...

Page 1388: ...session when managing the switch stack. Be careful when using multiple CLI sessions to the stack master. Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible that you might not be able to identify the session from which you entered a command. Manually assigning stack member numbers according to the placement of the switches in the stack can make it...

Page 1389: ...mmand-capable, making a note of the command switch password, and cabling your cluster to provide redundant connectivity between the member switches and the replacement command switch. These sections describe two solutions for replacing a failed command switch: Replacing a Failed Command Switch with a Cluster Member, page 1-9; Replacing a Failed Command Switch with Another Switch, page 1-11. These recovery...

Page 1390: ...ry, depending on the member switch that you selected to be the command switch: Continue with configuration dialog? [yes/no]: y, or Configuring global parameters. If this prompt does not appear, enter enable, and press Return. Enter setup, and press Return to start the setup program. Step 11: Respond to the questions in the setup program. When prompted for the hostname, recall that on a command switch, the hostname...

Page 1391: ...Using the Ethernet Management Port section on page 1-26 and the hardware configuration guide. Step 3: At the switch prompt, enter privileged EXEC mode: Switch> enable, Switch#. Step 4: Enter the password of the failed command switch. Step 5: Use the setup program to configure the new switch IP information. This program prompts you for IP address information and passwords. From privileged EXEC mode, enter setup...

Page 1392: ...at Step 9. Step 13: Start your browser, and enter the IP address of the new command switch. Step 14: From the Cluster menu, select Add to Cluster to display a list of candidate switches to add to the cluster. Recovering from Lost Cluster Member Connectivity. Some configurations can prevent the command switch from maintaining contact with member switches. If you are unable to maintain management contact wit...

Page 1393: ...the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate. Troubleshooting Power over Ethernet Switch Ports: Disabled Port Caused by Power Loss, page 1-13; Disabled Port Caused by False Link-Up, page 1-14. Disabled Port Caused by Power Loss. If a powered device such as a Cisco IP Phone 7910 that is connected to a PoE switch port...

Page 1394: ...ugh the error message text refers to GBIC interfaces and modules, the security messages actually refer to the SFP modules and module interfaces. For more information about error messages, see the system message guide for this release. If you are using a non-Cisco SFP module, remove the SFP module from the switch, and replace it with a Cisco module. After inserting a Cisco SFP module, use the errdisable re...

Page 1395: ...for a reply. Ping returns one of these responses: Normal response: The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic. Destination does not respond: If the host does not respond, a no-answer message is returned. Unknown host: If the host does not exist, an unknown host message is returned. Destination unreachable: If the default gateway cannot reach the specified ne...

Page 1396: ...route. The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses. It finds the path by using the MAC address tables of the switches in the path. When the switch detects a device in the path that does not support Layer 2 traceroute, the swit...

Page 1397: ...multiple VLANs, you must specify the VLAN to which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is not identified, and an error message appears. The traceroute mac ip command output shows the Layer 2 path when the specified source and destination IP addresses belong to the same subnet. When you specify the IP addresses, the switch uses the Address Resoluti...

Page 1398: ...e of 1 or 0, it drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP time-to-live-exceeded message. To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagr...

Page 1399: ...ce in progress, enter the escape sequence (Ctrl-^ X by default): Simultaneously press and release the Ctrl, Shift, and 6 keys, and then press the X key. Using TDR: Understanding TDR, page 1-19; Running TDR and Displaying the Results, page 1-20. Understanding TDR. You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cabl...

Page 1400: ...ir cable or is in series with a solid-core cable. The link is a 10-Megabit or a 100-Megabit link. The cable is a stranded cable. The link partner is a Cisco IP Phone. The link partner is not IEEE 802.3 compliant. Running TDR and Displaying the Results. When you run TDR on an interface, you can run it on the stack master or a stack member. To run TDR, enter the test cable-diagnostics tdr interface interface...

Page 1401: ...e the show running-config command to check its configuration. Even if the switch is properly configured, it might not generate the type of traffic you want to monitor during the particular period that debugging is enabled. Depending on the feature you are debugging, you can use commands such as the TCP/IP ping command to generate network traffic. To disable debugging of SPAN, enter this command in privi...

Page 1402: ...ing, see Chapter 1, Configuring System Message Logging and Smart Logging. Using the show platform forward Command. The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system. Depending upon the parameters entered about the packet, the output provides lookup table results and...

Page 1403: ...ped due to failed DEJA_VU Check on Gi0/2. This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port. It should be forwarded from the port on which the address was learned. Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 0009.43a8.0145 ip 13.1.1.1 13.2.2.2 udp 10 20. Global Port Number: 24, Asic Number: 5...

Page 1404: ...ing table. It should be forwarded as specified in the routing table. Switch# show platform forward gigabitethernet1/0/1 vlan 5 1.1.1 03.e319.ee44 ip 110.1.5.5 16.1.10.5. Global Port Number: 24, Asic Number: 5. Src Real Vlan Id: 5, Mapped Vlan Id: 5. Ingress: Lookup Key-Used Index-Hit A-Data. InptACL 40_10010A05_0A010505 00_41000014_000A0000 01FFA 03000000. L3Local 00_00000000_00000000 90_00001400_10010A05 010F0...

Page 1405: ...C command to rename it, but the contents of the renamed file will not be displayed by the show stacks or the show tech-support privileged EXEC command. You can delete crashinfo files by using the delete privileged EXEC command. You can display the most recent basic crashinfo file (that is, the file with the highest sequence number at the end of its filename) by entering the show stacks or the show tech...

Page 1406: ...detected on the switch. This example shows the output of the show platform tcam errors command: Switch# show platform tcam errors. TCAM Memory Consistency Checker Errors. TCAM Space / Values / Masks / Fixups / Retries / Failures. HFTM 0 0 0 0 0. HQATM 0 0 0 0 0. For more information about the show platform tcam errors privileged EXEC command, see the command reference for this release. Using On-Board Failure Logging...

Page 1407: ...of time the switch has been running since it last restarted. Voltage: System voltages of a standalone switch or a stack member. You should manually set the system clock or configure it by using Network Time Protocol (NTP). When the switch is running, you can retrieve the OBFL data by using the show logging onboard privileged EXEC commands. If the switch fails, contact your Cisco technical support represent...

Page 1408: ...ing the commands in Table 1-4 and for examples of OBFL data, see the command reference for this release. Table 1-4 Commands for Displaying OBFL Information. Command / Purpose. show logging onboard module switch-number clilog: Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members. show logging onboard module switch-number environment: Display the UDI informat...

Page 1409: ...hannel links brought down due to loss of communication. Failure to respond to management requests (ICMP ping, SNMP timeouts, slow Telnet or SSH sessions). UDLD flapping. IP SLAs failures because of SLAs responses beyond an acceptable threshold. DHCP or IEEE 802.1x failures if the switch does not forward or respond to requests. Layer 3 switches: Note: Layer 3 functions are not supported on switches running th...

Page 1410: ...ms, see the Troubleshooting High CPU Utilization document on Cisco.com. Table 1-5 Troubleshooting CPU Utilization Problems. Type of Problem / Cause / Corrective Action. Interrupt percentage value is almost as high as total CPU utilization value: The CPU is receiving too many packets from the network. Determine the source of the network packet. Stop the flow, or change the switch configuration. See the section...

Page 1411: ...is good. Connect a known good non-PoE Ethernet device to the Ethernet cable, and make sure that the powered device establishes a link and exchanges traffic with another host. Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters. Disconnect the Ethernet cable from the switch port. Use a short Ethernet cable to connect a known good Ethernet dev...

Page 1412: ...e the existing distribution cables. Enter the shut and no shut interface configuration commands, and verify that an Ethernet link is established. If this connection is good, use a short patch cord to connect a powered device to this port, and verify that it powers on. If the device powers on, verify that all intermediate patch panels are correctly connected. Disconnect all but one of the Ethernet cables f...

Page 1413: ...correctly. If a non-PoE device has link problems or a high error rate, the problem might be an unreliable cable connection between the switch port and the powered device. For more information, see Cisco Phone Disconnects or Resets on Cisco.com. Non-Cisco powered device does not work on Cisco PoE switch: A non-Cisco powered device is connected to a Cisco PoE switch, but never powers on or powers on and t...

Page 1414: ...witch; see Configuration Mismatch. StackWise port frequently or rapidly changing up/down states (flapping); error messages report stack link problems; possible traffic disruption: Unreliable StackWise cable connection or interface; see StackWise Port Flapping. Switch member port not coming up: Enter the show switch detail privileged EXEC command. Unreliable StackWise cable connection or interface; see StackWi...

Page 1415: ...ems off. Verify port numbering; see Stack Master Election and Port Number Assignment. Enter the show switch privileged EXEC command. Interpret state messages; see Joining a Stack: Typical Sequence, States, and Rules. Stack members need to be upgraded: Stack members running different major or minor versions of the Cisco IOS software. Defective StackWise switch interface or cable; see Quick and Easy Catalyst 37...

Page 1416: ...1-36 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Chapter 1 Troubleshooting: Troubleshooting Tables ...

Page 1417: ...nnected to a live network. The online diagnostics contain packet-switching tests that check different hardware components and verify the data path and the control signals. The online diagnostics detect problems in these areas: hardware components; interfaces (Ethernet ports and so forth); solder joints. Online diagnostics are categorized as on-demand, scheduled, or health-monitoring diagnostics. On-demand di...

Page 1418: ...e for this release. Configuring Health-Monitoring Diagnostics: You can configure health-monitoring diagnostic testing on a switch while it is connected to a live network. You can configure the execution interval for each health-monitoring test, enable the switch to generate a syslog message because of a test failure, and enable a specific test. Command / Purpose: diagnostic schedule switch number test name...

Page 1419: ...how diagnostic content command output. all: All of the diagnostic tests. When specifying the interval, set these parameters: hh:mm:ss, the monitoring interval in hours, minutes, and seconds; the range for hh is 0 to 24, and the range for mm and ss is 0 to 60. milliseconds: the monitoring interval in milliseconds (ms); the range is from 0 to 999. day: the monitoring interval in number of days; the range is from 0 to 20. Step...

Page 1420: ...Loopback. Running Online Diagnostic Tests: After you configure online diagnostics, you can manually start diagnostic tests or display the test results. You can also see which tests are configured for the switch or switch stack and the diagnostic tests that have already run. Starting Online Diagnostic Tests, page 1-5; Displaying Online Diagnostic Tests and Test Results, page 1-5. Step 5 diagnostic monitor s...

Page 1421: ... switch number keyword is supported only on Catalyst 3750-X switches. The range is from 1 to 9. You can specify the tests by using one of these options: name: Enter the name of the test. Use the show diagnostic content privileged EXEC command to display the test ID list. test-id: Enter the ID number of the test. Use the show diagnostic content privileged EXEC command to display the test ID list. test-id-ra...

Page 1422: ...on of the show diagnostic command in the command reference for this release. show diagnostic schedule switch {number | all} (1): Display the online diagnostics test schedule. show diagnostic post: Display the POST results. The output is the same as the show post command output. (1) The switch {number | all} parameter is supported only on Catalyst 3750-X switches. Table 1-1 Commands for Diagnostic Test Configuration ...

Page 1423: ... single flash device on which you can store files. It also provides several commands to help you manage software image and configuration files. The default flash file system on the switch is named flash:. As viewed from the stack master or any stack member, flash: refers to the local flash device, which is the device attached to the same switch on which the file system is being viewed. In a switch stack, e...

Page 1424: ...8976 5135872 flash rw flash: - - opaque rw bs: - - opaque rw vb: 524288 520138 nvram rw nvram: - - network rw tftp: - - opaque rw null: - - opaque rw system: - - opaque ro xmodem: - - opaque ro ymodem: (file-system listing; the size and free-space columns are not recoverable from this excerpt). This example shows a switch stack. In this example, the stack master is stack member 2; therefore, flash2: is aliased to flash:. The file system on stack member 5 is displayed as flash5: on the stack master. Switch# show file systems File System...

Page 1425: ...onfiguration file to flash memory, you might want to verify that the file system does not already contain a configuration file with the same name. Similarly, before copying a flash configuration file to another location, you might want to verify its filename for use in another command. Type: Type of file system. flash: The file system is for a flash memory device. nvram: The file system is for a NVRAM devic...

Page 1426: ...y. Beginning in privileged EXEC mode, follow these steps to change directories and to display the working directory. Table 1-2 Commands for Displaying Information About Files. Command / Description: dir [/all] [filesystem:][filename]: Display a list of files on a file system. show file systems: Display more information about each of the files on a file system. show file information file-url: Display information abou...

Page 1427: ...be recovered. Copying Files: To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC command. For the source and destination URLs, you can use the running-config and startup-config keyword shortcuts. For example, the copy running-config startup-config command saves the currently running configuration file to the NVRAM section of flash memory, to be used as the co...

Page 1428: ...e at the beginning of this deletion process. Use the /force and /recursive keywords for deleting old software images that were installed by using the archive download-sw command but are no longer needed. If you omit the filesystem: option, the switch uses the default device specified by the cd command. For file-url, you specify the path (directory) and the name of the file to be deleted. When you attempt to ...

Page 1429: ...filename. TFTP syntax: tftp:[[//location]/directory]/filename. For flash:/file-url, specify the location on the local flash file system in which the new file is created. You can also specify an optional list of files or directories within the source directory to add to the new file. If none are specified, all files and directories at this level are written to the newly created file. Step 2 archive tar /table source-u...

Page 1430: ...const.htm (556 bytes); html/xhome.htm (9373 bytes); html/menu.css (1654 bytes); <output truncated>. This example shows how to extract the contents of a file located on the TFTP server at 172.20.10.30: Switch# archive tar /xtract tftp://172.20.10.30/saved flash:/new-configs. Step 3 archive tar /xtract source-url flash:/file-url [dir/file...]: Extract a file into a directory on the flash file system. For source-url, specify the source ...

Page 1431: ...rform this for one of these reasons: To restore a backed-up configuration file. To use the configuration file for another switch. For example, you might add another switch to your network and want it to have a configuration similar to the original switch. By copying the file to the new switch, you can change the relevant parts rather than recreating the whole file. To load the same configuration commands...

Page 1432: ...ration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands. If a command in the copied configuration file replaces a command in the existing configuration file, the existing command is erased. For example, if the copied configuration file contains a different IP address in a particular comm...

Page 1433: ...ch by using configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage. These sections contain this configuration information: Preparing to Download or Upload a Configuration File By Using TFTP, page 1-11; Downloading the Configuration File By Using TFTP, page 1-12; Uploading the Configuration File By Us...

Page 1434: ...a TFTP server, follow these steps: Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation. Step 2 Verify that the TFTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using TFTP section on page 1-11. Step 3 Log into the switch through the console port, the Ethernet management port, or a Telnet session. Step 4 Downl...

Page 1435: ...3750-E switches. The file is uploaded to the TFTP server. This example shows how to upload a configuration file from a switch to a TFTP server:
Switch# copy system:running-config tftp://172.16.2.155/tokyo-confg
Write file tokyo-confg on host 172.16.2.155? [confirm] y
Writing tokyo-confg [OK]
Copying Configuration Files By Using FTP: You can copy configuration files to or from an FTP server. The FTP protocol re...

Page 1436: ...f you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command. If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid user...

Page 1437: ...erver with an IP address of 172.16.101.101 to the switch startup configuration:
Switch# configure terminal
Switch(config)# ip ftp username netadmin1
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy ftp: nvram:startup-config
Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file [rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101? [confirm]
Con...

Page 1438: ...p ftp password mypass
Switch(config)# end
Switch# copy nvram:startup-config ftp:
Remote host []? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101? [confirm]
[OK]
Command / Purpose: Step 1 Verify that the FTP server is properly configured by referring to the Preparing to Download or Upload a Configuration File By Using FTP section on page 1-14. Step 2 ...

Page 1439: ...ame as the remote username. The switch hostname. For a successful RCP copy request, you must define an account on the network server for the remote username. If the server has a directory structure, the configuration file is written to or copied from the directory associated with the remote username on the server. For example, if the configuration file is in the home directory of a user on the server, spe...

Page 1440: ...directory on the remote server with an IP address of 172.16.101.101 and load and run those commands on the switch:
Switch# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config
Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg: [OK]
Switch#
%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101
Command / Purpo...

Page 1441: ...ad a configuration file by using RCP. This example shows how to copy the running configuration file named switch2-confg to the netadmin1 directory on the remote host with an IP address of 172.16.101.101:
Switch# copy system:running-config rcp://netadmin1@172.16.101.101/switch2-confg
Write file switch-confg on host 172.16.101.101? [confirm]
Building configuration... [OK]
Connected to 172.16.101.101
Switch#
Comma...

Page 1442: ...r the erase startup-config privileged EXEC command. Caution: You cannot restore the startup configuration file after it has been deleted. Deleting a Stored Configuration File: To delete a saved configuration from flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you d...

Page 1443: ...the configuration files saved in the configuration archive. The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP. Replacing a Configuration: The configure replace privileged EXEC command replaces the running configuration with any saved configuration file. When you ente...

Page 1444: ...ack. Make sure that the switch has free memory larger than the combined size of the two configuration files (the running configuration and the saved replacement configuration). Otherwise, the configuration replacement operation fails. Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands. Certain configuration commands, such a...

Page 1445: ...Set the maximum number of archive files of the running configuration to be saved in the configuration archive. number: Maximum number of running-configuration files kept in the configuration archive. Valid values are from 1 to 14. The default is 10. Note: Before using this command, you must first enter the path archive configuration command to specify the location and filename prefix for the files in the co...

Page 1446: ... time seconds: Specify the time (in seconds) within which you must enter the configure confirm command to confirm replacement of the running configuration file. If you do not enter the configure confirm command within the specified time limit, the configuration replacement operation is automatically stopped. In other words, the running configuration file is restored to the configuration that existed befo...
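
The archive, maximum, configure replace ... time and configure confirm commands described on pages 1443 to 1446 fit together into one safe-change procedure: archive the known-good running configuration, apply a candidate configuration with a confirmation window, and let the switch revert on its own if the change cuts off management access. The session below is an added example, not an excerpt from the guide. It assumes a switch named Switch, an archive kept on the local flash: file system under the prefix cfg-backup, and a candidate configuration already stored as flash:candidate.cfg (for instance copied in with copy tftp: flash: as described earlier in the appendix). The archive config and show archive privileged EXEC commands are assumed from general Cisco IOS usage; they do not appear in this excerpt.

```text
! Added example (not from the guide): apply a candidate configuration with an automatic rollback window.
! Assumed: hostname "Switch", archive on flash:, candidate configuration saved as flash:candidate.cfg.
Switch# configure terminal
Switch(config)# archive
Switch(config-archive)# path flash:cfg-backup   ! location and filename prefix; must be set before "maximum"
Switch(config-archive)# maximum 14              ! keep up to 14 archived copies (valid range 1 to 14, default 10)
Switch(config-archive)# end
Switch# archive config                          ! save the known-good running configuration to the archive (assumed command)
Switch# show archive                            ! list the archived copies, e.g. flash:cfg-backup-1 (assumed command)
! Replace the running configuration with the candidate, but require confirmation within 120 seconds.
Switch# configure replace flash:candidate.cfg time 120
! ... verify from a second session that management access, AAA and ACL behaviour are as intended ...
! Still reachable and satisfied with the result: keep the new configuration.
Switch# configure confirm
Switch# copy running-config startup-config      ! persist only after the change has been confirmed
! If "configure confirm" is not entered within 120 seconds (for example because the change locked
! out the operator), the switch restores the configuration that was running before "configure replace".
! A known-good copy can also be restored explicitly at any time:
Switch# configure replace flash:cfg-backup-1
```

Two points from the guide apply directly here: the replacement fails if free memory is smaller than the combined size of the running and replacement configurations, and the archive path must be configured before maximum is accepted. The confirmation timer is what makes this safer than a plain merge with copy tftp: running-config, because a merge never removes commands and never reverts by itself.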

Page 1447: ...PC or workstation by using a web browser (HTTP) and then by using the device manager or Cisco Network Assistant to upgrade your switch. For information about upgrading your switch by using a TFTP server or a web browser (HTTP), see the release notes. You can replace the current image with the new one or keep the current image in flash memory after a download. You can use the archive download-sw /allow-feat...

Page 1448: ...loaded instead of specifying complete paths with each tar file. For example, in a mixed hardware stack, you can enter archive download-sw /directory tftp://10.1.1.10/ c3750-ipservices-tar.122-35.SE.tar c3750e-universal-tar.122-35.SE2.tar. File Format of Images on a Server or Cisco.com: Software images on a server or downloaded from Cisco.com are in a file format which contains these files: An info file, whic...

Page 1449: ...embers. To upgrade a switch with an incompatible software image, use the archive copy-sw privileged EXEC command to copy the software image from an existing stack member to the incompatible switch. That switch automatically reloads and joins the stack as a fully functioning member. These sections contain this configuration information: Preparing to Download or Upload an Image File By Using TFTP, page 1-...

Page 1450: ...sing the ping command. Ensure that the image to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation). For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read. Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the...

Page 1451: ...nt image. The /allow-feature-upgrade option allows installation of software images with different feature sets. (Optional) The /directory option specifies a directory for the images. The /overwrite option overwrites the software image in flash memory with the downloaded image. The /reload option reloads the system after downloading the image unless the configuration has been changed and not been saved. For...

Page 1452: ...tch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image. Beginning in privileged EXEC mode, follow these steps to upload an image to a TFTP server. The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and th...

Page 1453: ...y reloads and joins the stack as a fully functioning member. These sections contain this configuration information: Preparing to Download or Upload an Image File By Using FTP, page 1-31; Downloading an Image File By Using FTP, page 1-32; Uploading an Image File By Using FTP, page 1-34. Preparing to Download or Upload an Image File By Using FTP: You can copy image files to or from an FTP server. The FTP pro...

Page 1454: ...username by using the ip ftp username username global configuration command. This new name will be used during all archive operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privilege...

Page 1455: ...not been saved. For username:password, specify the username and password; these must be associated with an account on the FTP server. For more information, see the Preparing to Download or Upload an Image File By Using FTP section on page 1-31. For location, specify the IP address of the FTP server. For /directory/image-name1.tar /directory/image-name2.tar image-name3.tar image-name4.tar, specify the directo...

Page 1456: ...e-url, enter the directory name of the old software image. All the files in the directory and the directory itself are removed. Caution: For the download and upload algorithms to operate properly, do not rename image names. Uploading an Image File By Using FTP: You can upload an image from the switch to an FTP server. You can later download this image to the same switch or to another switch of the same type. Use ...

Page 1457: ...r switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can only be used through the stack master. Software images downloaded to the stack master are automatically downloaded to the rest of the stack members. To upgrade a switch with an incompatible software image, use the archive copy-sw privileged EXEC command to copy the software image from an existing stack member t...

Page 1458: ...The switch hostname. For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name a...

Page 1459: ...ote username; see Steps 4 and 5. Step 4 ip rcmd remote-username username: (Optional) Specify the remote username. Step 5 end: Return to privileged EXEC mode. Step 6 archive download-sw /allow-feature-upgrade /directory /overwrite /reload tftp:[[//location]/directory]/image-name1.tar image-name2.tar image-name3.tar image-name4.tar: Download the image file from the RCP server to the switch and overwrite the current i...

Page 1460: ...[/force] [/recursive] filesystem:/file-url privileged EXEC command. For filesystem:, use flash: for the system board flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory itself are removed. Caution: For the download and upload algorithms to operate properly, do not rename image names. Uploading an Image File By Using RCP: You can upload an image fr...

Page 1461: ... to copy the software image from an existing stack member to the one that has incompatible software. That switch automatically reloads and joins the stack as a fully functioning member. Command / Purpose: Step 1 Verify that the RCP server is properly configured by referring to the Preparing to Download or Upload an Image File By Using RCP section on page 1-36. Step 2 Log into the switch through the cons...

Page 1462: ... version in the service module is compatible with the software running on the switch. When you download software by entering the archive download-sw privileged EXEC command, the switch also runs a version check to verify software compatibility, if applicable. If the switch is in a switch stack, it checks the compatibility of the stack protocol and the switches in the stack. If a network services module ...

Page 1463: ...32.341: %PLATFORM_SM10G-6-LICENSE: FRULink 10G Service Module (C3KX-SM-10G) features are not supported with this license level. Module is in pass-thru mode. You can use the show switch service-module user EXEC command to view a service module on the switch or any service modules in the stack and the service module software version supported by the switch. This is an example of output when the software ver...

Page 1464: ...1-42 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Appendix 1 Working with the Cisco IOS File System, Configuration Files, and Software Images: Working with Software Images ...

Page 1465: ...nds are listed by software feature and command mode. Note: In addition to those listed, Layer 3 commands are not supported on switches running the LAN base feature set. Access Control Lists. Unsupported Privileged EXEC Commands: access-enable [host] [timeout minutes]; access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]; clear access-template [access-list-number | name] [dynamic-...

Page 1466: ...ommands. Unsupported Privileged EXEC Commands: archive config logging persistent; show archive config; show archive log. ARP Commands. Unsupported Global Configuration Commands: arp ip-address hardware-address smds; arp ip-address hardware-address srp-a; arp ip-address hardware-address srp-b. Unsupported Interface Configuration Commands: arp probe; ip probe proxy. Boot Loader Commands. Unsupported User EXEC Com...

Page 1467: ...ository url location. Parameters are not supported for this command: event manager run policy-name [parameter1 ... parameter15]; show event manager detector; show event manager version. Unsupported Global Configuration Commands: event manager detector rpc; no event manager directory user repository url location; event manager applet applet-name maxrun. Unsupported Commands in Applet Configuration Mode: attribute ...

Page 1468: ... Commands: clear bridge [bridge-group] multicast [router-ports | groups | counts] [group-address] [interface-unit] [counts]; clear vlan statistics; show bridge [bridge-group] circuit-group [circuit-group] [src-mac-address] [dst-mac-address]; show bridge [bridge-group] multicast [router-ports | groups] [group-address]; show bridge vlan; show interfaces crb; show interfaces {ethernet | fastethernet} [interface | slot/port] irb; show subscriber ...

Page 1469: ...list access-list-number; bridge-group bridge-group input-lat-service-deny group-list; bridge-group bridge-group input-lat-service-permit group-list; bridge-group bridge-group input-lsap-list access-list-number; bridge-group bridge-group input-pattern-list access-list-number; bridge-group bridge-group input-type-list access-list-number; bridge-group bridge-group lat-compression; bridge-group bridge-group ...

Page 1470: ...nterface Multilink; interface Virtual-Template; interface Virtual-Tokenring. Unsupported Interface Configuration Commands: mtu; standby mac-refresh seconds; standby use-bia. IGMP Snooping Commands. Unsupported Global Configuration Commands: ip igmp snooping tcn. Interface Commands. Unsupported Privileged EXEC Commands: show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb ...

Page 1471: ...d 3560-X Switch Software Configuration Guide, OL-25303-03. Appendix 1 Unsupported Commands in Cisco IOS Release 15.0(2)SE and Later: Interface Commands. Unsupported Interface Configuration Commands: transmit-interface type number ...

Page 1472: ...kets are switched in hardware without CPU involvement, you can use this command, but multicast packet information is not displayed. The show ip mpacket commands are supported but are only useful for packets received at the switch CPU. If the route is hardware-switched, the command has no effect because the CPU does not receive the packet and cannot display it. show ip pim vc [group-address | name] [type numb...

Page 1473: ...gp [address] flap-statistics; clear ip bgp prefix-list; debug ip cef stats; show cef [drop | not-cef-switched]; show ip accounting [checkpoint] [output-packets | access-violations]; show ip bgp dampened-paths; show ip bgp inconsistent-as; show ip bgp regexp regular-expression. Unsupported Global Configuration Commands: ip accounting-precedence {input | output}; ip accounting-list ip-address wildcard; ip accounting-transits ...

Page 1474: ...ommands. Unsupported BGP Router Configuration Commands: address-family vpnv4; default-information originate; neighbor advertise-map; neighbor allowas-in; neighbor default-originate; neighbor description; network backdoor; table-map. Unsupported VPN Configuration Commands: All. Unsupported Route Map Commands: match route-type (for policy-based routing [PBR]); set automatic-tag; set dampening half-life reuse suppress ...

Page 1475: ...ow mac address-table aging-time; show mac address-table count; show mac address-table dynamic; show mac address-table interface; show mac address-table multicast; show mac address-table notification; show mac address-table static; show mac address-table vlan. Note: Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast address-table entrie...

Page 1476: ... unicast-flood; l2protocol-tunnel global drop-threshold; memory reserve critical; service compress-config; stack-mac persistent timer (supported on Catalyst 3750-X switches only); track object-number rtr. MSDP. Unsupported Privileged EXEC Commands: show access-expression; show exception; show location; show pm LINE; show smf [interface-id]; show subscriber-policy policy-number; show template [template-name]. Unsupport...

Page 1477: ...upported Multicast Routing Manager Commands: All. Unsupported IP Multicast Rate Limiting Commands: All. Unsupported UDLR Commands: All. Unsupported Multicast Over GRE Commands: All. NetFlow Commands. Unsupported Global Configuration Commands: ip flow-aggregation cache; ip flow-cache entries; ip flow-export. Network Address Translation (NAT) Commands. Unsupported Privileged EXEC Commands: show ip nat statistics; sho...

Page 1478: ...lass-default is the class-map name. RADIUS. Unsupported Global Configuration Commands: aaa nas port extended; aaa authentication feature default enable; aaa authentication feature default line; radius-server attribute nas-port; radius-server configure; radius-server extended-portnames. SNMP. Unsupported Global Configuration Commands: snmp-server enable informs; snmp-server ifindex persist; logging discriminato...

Page 1479: ...ree pathcost method {long | short}. Unsupported Interface Configuration Command: spanning-tree stack-port. VLAN. Unsupported Global Configuration Command: vlan internal allocation policy {ascending | descending}. Unsupported User EXEC Commands: show running-config vlan; show vlan ifindex. VTP. Unsupported Privileged EXEC Command: vtp {password password | pruning | version number}. Note: This command has been replaced by the...

Page 1480: ...1-16 Catalyst 3750-X and 3560-X Switch Software Configuration Guide, OL-25303-03. Appendix 1 Unsupported Commands in Cisco IOS Release 15.0(2)SE and Later: VTP ...

Page 1481: ... 1-13; switch clusters 1-13; accessing stack members 1-30; access lists, See ACLs; access ports: and Layer 2 protocol tunneling 1-12, defined 1-3, in switch clusters 1-9; access template 1-2; accounting: with 802.1x 1-53, with IEEE 802.1x 1-14, with RADIUS 1-34, with TACACS 1-11, 1-17; ACEs: and QoS 1-8, defined 1-2, Ethernet 1-2, IP 1-2; ACLs: ACEs 1-2, applying on bridged packets 1-42, on multicast packets 1-43, on routed...

Page 1482: ...v4 1-16; IPv6 1-3; names 1-4; number per QoS class map 1-39; port 1-3, 1-2; precedence of 1-3; QoS 1-7, 1-49; resequencing entries 1-16; router 1-3, 1-2; router ACLs and VLAN map configuration guidelines 1-40; standard IP: configuring for QoS classification 1-49, 1-51; standard IPv4: creating 1-10, matching criteria 1-8; support for 1-11; support in hardware 1-23; time ranges 1-18; types supported 1-2; unsupported featu...

Page 1483: ... 1-14; maximum: for MSTP 1-24, 1-25, for STP 1-24, 1-25; alarms, RMON 1-3; allowed-VLAN list 1-19; application engines, redirecting traffic to 1-1; area border routers, See ABRs; area routing: IS-IS 1-67, ISO IGRP 1-67; ARP: configuring 1-11, defined 1-7, 1-24, 1-10, encapsulation 1-11, static cache configuration 1-11, table: address resolution 1-24, managing 1-24; ASBRs 1-27; AS-path filters, BGP 1-56; asymmetrical links, and I...

Page 1484: ...ades, auto-upgrade in switch stacks 1-12; auto-MDIX: configuring 1-35, described 1-34; autonegotiation: duplex mode 1-4, interface configuration guidelines 1-32, mismatches 1-13; autonomous system boundary routers, See ASBRs; autonomous systems, in BGP 1-50; Auto-RP, described 1-7; autosensing, port speed 1-4; autostate exclude 1-6; auxiliary VLAN, See voice VLAN; availability features 1-9; B: BackboneFast, described 1-...

Page 1485: ...ot process 1-2, manually 1-19, specific image 1-20; boot loader: accessing 1-21, described 1-2, environment variables 1-21, prompt 1-21, trap-door mechanism 1-2; Boot Loader Upgrade and Image Verification for the FIPS Mode of Operation 1-25; bootstrap router (BSR), described 1-7; Border Gateway Protocol, See BGP; BPDU: error-disabled state 1-2, filtering 1-3, RSTP format 1-12; BPDU filtering: described 1-3, disabling 1-...

Page 1486: ...Suites 1-50; Cisco 7960 IP Phone 1-1; Cisco Discovery Protocol, See CDP; Cisco Express Forwarding, See CEF; Cisco Group Management Protocol, See CGMP; Cisco intelligent power management 1-8; Cisco IOS DHCP server, See DHCP, Cisco IOS DHCP server; Cisco IOS File System, See IFS; Cisco IOS IP SLAs 1-2; Cisco Redundant Power System 2300: configuring 1-46, managing 1-46; Cisco Secure ACS, attribute-value pairs for downl...

Page 1487: ...scribed 1-1; LRE profile considerations 1-16; managing: through CLI 1-16, through SNMP 1-17; planning 1-4; planning considerations: automatic discovery 1-5, automatic recovery 1-10, CLI 1-16, host names 1-13, IP addresses 1-13, LRE profiles 1-16, passwords 1-14, RADIUS 1-16, SNMP 1-14, 1-17, switch stacks 1-14, TACACS 1-16; See also candidate switch, command switch, cluster standby group, member switch, and standby comm...

Page 1488: ...lity feature 1-12; compatibility, software, See stacks, switch; configurable leave timer, IGMP 1-6; configuration, initial: defaults 1-20, Express Setup 1-2; configuration conflicts, recovering from lost member connectivity 1-12; configuration examples, network 1-23; configuration files: archiving 1-21, clearing the startup configuration 1-20, creating and using, guidelines for 1-10, creating using a text editor 1-11...

Page 1489: ...ority 1-6; trust priority 1-6; CoS input queue threshold map for QoS 1-18; CoS output queue threshold map for QoS 1-21; CoS-to-DSCP map for QoS 1-73; counters, clearing interface 1-53; CPU utilization, troubleshooting 1-29; crashinfo file 1-24; critical authentication, IEEE 802.1x 1-63; critical VLAN 1-23; cross-stack EtherChannel: configuration guidelines 1-13, configuring: on Layer 2 interfaces 1-13, on Layer 3 ...

Page 1490: ...C address-table move update 1-8; MSDP 1-4; MSTP 1-14; multi-VRF CE 1-79; MVR 1-20; optional spanning-tree configuration 1-12; OSPF 1-28; password and privilege level 1-2; PIM 1-11; private VLANs 1-6; RADIUS 1-27; REP 1-7; RIP 1-21; RMON 1-3; RSPAN 1-12; SDM template 1-5; SNMP 1-6; SPAN 1-12; SSL 1-51; standard QoS 1-37; STP 1-13; switch stacks 1-24; system message logging 1-4; system name and prompt 1-8; TACACS 1-13; UDLD...

Page 1491: ...d image update: configuring 1-11 to 1-14, understanding 1-5 to 1-6; DHCP binding database, See DHCP snooping binding database; DHCP binding table, See DHCP snooping binding database; DHCP object tracking, configuring primary interface 1-11; DHCP option 82: circuit ID suboption 1-5, configuration guidelines 1-9, default configuration 1-8, displaying 1-16, forwarding address, specifying 1-11, helper address 1-11, ov...

Page 1492: ...L 1-37; directed unicast requests 1-7; directories: changing 1-4, creating and removing 1-5, displaying the working 1-4; discovery, clusters, See automatic discovery; Distance Vector Multicast Routing Protocol, See DVMRP; distance-vector protocols 1-3; distribute-list command 1-104; DNS: and DHCP-based autoconfiguration 1-8, default configuration 1-9, displaying the configuration 1-10, in IPv6 1-4, overview 1-8, set...

Page 1493: ...obe messages 1-49; displaying information 1-54; prevent peering with nonpruning 1-57; rejecting nonpruning 1-55; overview 1-9; routes: adding a metric offset 1-62, advertising all 1-61, advertising the default route to neighbors 1-53, caching DVMRP routes learned in report messages 1-55, changing the threshold for syslog messages 1-58, favoring one over another 1-62, limiting the number injected into MBONE 1-...

Page 1494: ...oting 1 31 types of connections 1 29 dynamic routing 1 3 ISO CLNS 1 66 Dynamic Trunking Protocol See DTP E EAC 1 2 EBGP 1 46 editing features enabling and disabling 1 6 keystrokes used 1 7 wrapped lines 1 8 EEM 3 2 1 5 EIGRP authentication 1 43 components 1 38 configuring 1 41 default configuration 1 39 definition 1 37 interface parameters configuring 1 42 monitoring 1 45 stub routing 1 44 support...

Page 1495: ...configuration 1 11 described 1 2 displaying status 1 22 forwarding methods 1 8 1 18 IEEE 802 3ad described 1 7 interaction with STP 1 12 with VLANs 1 12 LACP described 1 7 displaying status 1 22 hot standby ports 1 20 interaction with other features 1 8 modes 1 7 port priority 1 22 system priority 1 21 Layer 3 interface 1 5 load balancing 1 8 1 18 logical interfaces described 1 4 PAgP aggregate po...

Page 1496: ...ee EBGP external neighbors BGP 1 50 F Fa0 port See Ethernet management port failover support 1 9 fallback bridging and protected ports 1 4 bridge groups creating 1 4 described 1 2 function of 1 2 number supported 1 4 removing 1 5 configuration guidelines 1 4 connecting interfaces with 1 15 default configuration 1 3 described 1 1 frame forwarding flooding packets 1 2 forwarding packets 1 2 overview...

Page 1497: ...configuring 1 74 overview 1 31 Flexible NetFlow components 1 1 configuring a flow monitor 1 6 configuring flow records 1 3 configuring the exported 1 3 configuring the exporter 1 5 interface configuration 1 7 purpose 1 1 sampling 1 9 unsupported features 1 2 Flex Link Multicast Fast Convergence 1 3 Flex Links configuring 1 8 1 9 configuring preferred VLAN 1 11 configuring VLAN load balancing 1 10 ...

Page 1498: ...tory table level and number of syslog messages 1 10 host modes MACsec 1 4 host names in clusters 1 13 host ports configuring 1 11 kinds of 1 2 hosts limit on dynamic ports 1 31 Hot Standby Router Protocol See HSRP HP OpenView 1 6 HSRP authentication string 1 10 automatic cluster recovery 1 12 binding to cluster group 1 12 cluster standby group considerations 1 11 command switch redundancy 1 1 1 2 ...

Page 1499: ...scribed 1 1 tunnel ports with other features 1 6 IEEE 802 1s See MSTP IEEE 802 1w See RSTP IEEE 802 1x See port based authentication IEEE 802 3ad See EtherChannel IEEE 802 3af See PoE IEEE 802 3x flow control 1 33 ifIndex values SNMP 1 5 IFS 1 7 IGMP configurable leave timer described 1 6 enabling 1 11 configuring the switch as a member of a group 1 39 statically connected member 1 44 controlling ...

Page 1500: ...inition 1 2 enabling and disabling 1 8 1 7 global configuration 1 8 Immediate Leave 1 6 in the switch stack 1 7 method 1 8 monitoring 1 16 1 12 querier configuration guidelines 1 14 configuring 1 14 supported versions 1 3 support for 1 5 VLAN configuration 1 8 IGMP throttling configuring 1 27 default configuration 1 25 described 1 24 displaying action 1 29 IGP 1 27 Immediate Leave IGMP described 1...

Page 1501: ...named 1 16 undefined 1 23 IP addresses 128 bit 1 2 candidate or member 1 4 1 13 classes of 1 7 cluster access 1 2 command switch 1 3 1 11 1 13 default configuration 1 6 discovering 1 24 for IP routing 1 6 IPv6 1 2 MAC address association 1 10 monitoring 1 19 redundant clusters 1 11 standby command switch 1 11 1 13 See also IP information IP base feature set 1 1 1 2 IP base software image 1 1 IP br...

Page 1502: ...y 1 11 protocol interaction 1 2 reverse path check RPF 1 8 RP assigning manually 1 24 configuring Auto RP 1 26 configuring PIMv2 BSR 1 30 monitoring mapping information 1 35 using Auto RP and BSR 1 34 stacking stack master functions 1 10 stack member functions 1 10 statistics displaying system and network 1 63 See also CGMP See also DVMRP See also IGMP See also PIM IP phones and QoS 1 1 automatic ...

Page 1503: ...ult configuration 1 18 described 1 16 disabling 1 20 displaying bindings 1 26 configuration 1 26 enabling 1 19 1 21 filtering source IP address 1 17 source IP and MAC address 1 17 source IP address filtering 1 17 source IP and MAC address filtering 1 17 static bindings adding 1 19 1 21 deleting 1 20 static hosts 1 21 IP traceroute executing 1 18 overview 1 18 IP unicast routing address resolution ...

Page 1504: ...3 matching criteria 1 3 port 1 2 precedence 1 2 router 1 2 supported 1 2 addresses 1 2 address formats 1 2 and switch stacks 1 15 applications 1 9 assigning address 1 17 autoconfiguration 1 9 CEFv6 1 30 default configuration 1 16 default router preference DRP 1 9 defined 1 1 Enhanced Interior Gateway Routing Protocol EIGRP IPv6 1 12 EIGRP IPv6 Commands 1 13 Router ID 1 12 feature limitations 1 14 ...

Page 1505: ... configuring 1 42 credentials 1 39 described 1 39 KDC 1 39 operation 1 41 realm 1 40 server 1 41 support for 1 13 switch as trusted third party 1 39 terms 1 40 TGT 1 41 tickets 1 39 key distribution center See KDC L l2protocol tunnel command 1 14 LACP Layer 2 protocol tunneling 1 10 See EtherChannel Layer 2 frames classification with CoS 1 2 Layer 2 interfaces default configuration 1 30 Layer 2 pr...

Page 1506: ... characteristics 1 6 default configuration 1 5 enabling 1 6 monitoring and maintaining 1 11 overview 1 1 supported TLVs 1 2 switch stack considerations 1 2 transmission timer and holdtime setting 1 6 LLDP MED configuring procedures 1 5 TLVs 1 7 monitoring and maintaining 1 11 overview 1 1 1 2 supported TLVs 1 2 LLDP Media Endpoint Discovery See LLDP MED load balancing 1 4 local SPAN 1 2 location T...

Page 1507: ... switch security 1 1 MACsec Key Agreement Protocol See MKA magic packet 1 28 manageability features 1 7 management access in band browser session 1 8 CLI session 1 8 device manager 1 8 SNMP 1 8 out of band console port connection 1 8 management address TLV 1 2 management options CLI 1 1 clustering 1 4 CNS 1 1 Network Assistant 1 3 overview 1 6 switch stacks 1 3 management VLAN considerations in sw...

Page 1508: ...uring policies 1 6 defined 1 2 policies 1 2 replay protection 1 3 statistics 1 5 virtual ports 1 3 module number 1 20 monitoring access groups 1 44 BGP 1 65 cables for unidirectional links 1 1 CDP 1 5 CEF 1 92 EIGRP 1 45 fallback bridging 1 10 features 1 18 Flex Links 1 14 HSRP 1 13 IEEE 802 1Q tunneling 1 19 IGMP snooping 1 16 1 12 interfaces 1 51 IP address tables 1 19 multicast routing 1 63 rou...

Page 1509: ... peering relationship overview 1 1 requesting source information from 1 8 shutting down 1 16 source active messages caching 1 6 defined 1 2 filtering from a peer 1 11 filtering incoming 1 14 filtering to a peer 1 12 limiting data with TTL 1 14 restricting advertised sources 1 9 support for 1 17 MSTP boundary ports configuration guidelines 1 16 described 1 6 BPDU filtering described 1 3 enabling 1 ...

Page 1510: ...tances 1 2 optional features supported 1 9 overview 1 2 Port Fast described 1 2 enabling 1 12 preventing root switch selection 1 10 root guard described 1 10 enabling 1 18 root switch configuring 1 18 effects of extended system ID 1 18 unexpected behavior 1 18 shutdown Port Fast enabled port 1 2 stack changes effects of 1 8 status displaying 1 27 MTU system 1 43 system jumbo 1 43 system routing 1 ...

Page 1511: ...tion using a RADIUS server 1 68 IEEE 802 1x validation using RADIUS server 1 68 inaccessible authentication bypass 1 13 1 63 Layer 2 IEEE 802 1x validation 1 13 1 68 Layer 2 IP validation 1 13 named IPv4 ACLs 1 16 named IPv6 ACLs 1 3 NameSpace Mapper See NSM native VLAN and IEEE 802 1Q tunneling 1 4 configuring 1 21 default 1 21 NDAC 1 9 1 2 defined 1 9 MACsec 1 1 NEAT configuring 1 69 overview 1 ...

Page 1512: ...range VLANs 1 4 configuration guidelines 1 5 configuring 1 4 defined 1 1 no switchport command 1 5 not so stubby areas See NSSA NSAPs as ISO IGRP addresses 1 67 NSF Awareness IS IS 1 69 NSM 1 3 NSSA OSPF 1 33 NTP associations defined 1 2 overview 1 2 stratum 1 2 support for 1 7 time services 1 2 synchronizing 1 2 O OBFL configuring 1 27 described 1 27 displaying 1 28 object tracking HSRP 1 7 IP SL...

Page 1513: ...path cost MSTP 1 21 STP 1 21 path MTU discovery 1 4 payload encryption 1 1 PBR defined 1 99 enabling 1 101 fast switched policy based routing 1 102 local policy based routing 1 102 PC passive command switch 1 10 peers BGP 1 60 percentage thresholds in tracked lists 1 6 performance network design 1 23 performance features 1 4 persistent self signed certificate 1 49 per user ACLs and Filter Ids 1 8 ...

Page 1514: ... power negotiation extensions to CDP 1 8 standards supported 1 8 static mode 1 10 troubleshooting 1 13 policed DSCP map for QoS 1 75 policers configuring for each matched traffic class 1 58 for more than one traffic class 1 71 described 1 4 number of 1 41 types of 1 10 policing described 1 4 hierarchical See hierarchical policy maps token bucket algorithm 1 10 policy based routing See PBR policy m...

Page 1515: ... 1 21 1 22 described 1 21 host mode 1 12 inaccessible authentication bypass configuring 1 63 described 1 23 guidelines 1 40 initiation and message exchange 1 6 magic packet 1 28 maximum number of allowed devices per port 1 41 method lists 1 44 multiple authentication 1 12 multiple hosts mode described 1 12 per user ACLs AAA authorization 1 44 configuration tasks 1 18 described 1 17 RADIUS server a...

Page 1516: ...nes 1 11 configuring 1 13 default configuration 1 11 described 1 8 on trunk ports 1 14 sticky learning 1 9 violations 1 10 port shutdown response VMPS 1 26 port VLAN ID TLV 1 2 power inline consumption command 1 14 power management TLV 1 3 Power over Ethernet See PoE power supply configuring 1 46 managing 1 46 preempt delay time REP 1 5 preemption default configuration 1 8 preemption delay default...

Page 1517: ...promiscuous ports configuring 1 13 defined 1 2 protected ports 1 11 1 6 protocol dependent modules EIGRP 1 38 Protocol Independent Multicast Protocol See PIM protocol storm protection 1 19 provider edge devices 1 77 provisioning new members for a switch stack 1 8 proxy ARP configuring 1 12 definition 1 10 with IP routing disabled 1 13 proxy reports 1 3 pruning VTP disabling in VTP domain 1 16 on a...

Page 1518: ...s within the domain 1 43 trusted boundary 1 45 default auto configuration 1 24 default standard configuration 1 37 DSCP transparency 1 46 egress queues allocating buffer space 1 84 buffer allocation scheme described 1 20 configuring shaped weights for SRR 1 88 configuring shared weights for SRR 1 89 described 1 4 displaying the threshold map 1 87 flowchart 1 19 mapping DSCP or CoS values 1 86 sche...

Page 1519: ... SRR described 1 15 WTD described 1 15 rewrites 1 22 support for 1 15 trust states bordering another domain 1 47 described 1 5 trusted device 1 45 within the domain 1 43 quality of service See QoS queries IGMP 1 4 query solicitation IGMP 1 13 R RADIUS attributes vendor proprietary 1 36 vendor specific 1 35 configuring accounting 1 34 authentication 1 29 authorization 1 33 communication global 1 27...

Page 1520: ...4 port priority 1 22 redundant links and UplinkFast 1 15 redundant power system See Cisco Redundant Power System 2300 reliable transport protocol EIGRP 1 38 reloading software 1 23 Remote Authentication Dial In User Service See RADIUS Remote Copy Protocol See RCP Remote Network Monitoring See RMON Remote SPAN See RSPAN remote SPAN 1 3 REP administrative VLAN 1 8 administrative VLAN configuring 1 8...

Page 1521: ...es 1 7 1253 OSPF 1 27 1267 BGP 1 45 1305 NTP 1 2 1587 NSSAs 1 27 1757 RMON 1 2 1771 BGP 1 45 1901 SNMPv2C 1 2 1902 to 1907 SNMPv2 1 2 2236 IP multicast and IGMP 1 2 2273 2275 SNMPv3 1 2 RFC 5176 Compliance 1 21 RIP advertisements 1 21 authentication 1 23 configuring 1 22 default configuration 1 21 described 1 21 for IPv6 1 11 hop counts 1 21 split horizon 1 24 summary addresses 1 24 support for 1 ...

Page 1522: ...itch stack 1 3 interaction with other features 1 9 monitored ports 1 7 monitoring ports 1 8 overview 1 18 1 1 received traffic 1 6 session limits 1 12 sessions creating 1 18 defined 1 4 limiting source traffic to specific VLANs 1 20 specifying monitored ports 1 18 with ingress traffic enabled 1 22 source ports 1 7 transmitted traffic 1 6 VLAN based 1 7 RSTP active topology 1 9 BPDU format 1 12 pro...

Page 1523: ...ket Layer See SSL security port 1 8 Security Exchange Protocol See SXP Security Exchange Protocol See SAP Security Exchange Protocol SXP 1 2 security features 1 10 Security Group Access Control List SGACL 1 2 Security Group Tag SGT 1 2 See SCP sequence numbers in log messages 1 8 server mode VTP 1 3 service provider network MSTP and RSTP 1 1 service provider networks and customer VLANs 1 2 and IEE...

Page 1524: ...1 4 configuration examples 1 17 default configuration 1 6 engine ID 1 7 groups 1 7 1 9 host 1 7 ifIndex values 1 5 in band management 1 8 in clusters 1 14 informs and trap keyword 1 12 described 1 5 differences from traps 1 5 disabling 1 15 enabling 1 15 limiting access by TFTP servers 1 17 limiting system log messages to NMS 1 10 manager functions 1 6 1 3 managing clusters with 1 17 notifications...

Page 1525: ...VLANs 1 16 removing destination monitoring ports 1 14 specifying monitored ports 1 13 1 25 with ingress traffic enabled 1 15 source ports 1 7 transmitted traffic 1 6 VLAN based 1 7 spanning tree and native VLANs 1 17 Spanning Tree Protocol See STP SPAN traffic 1 6 split horizon RIP 1 24 SRR configuring shaped weights on egress queues 1 88 shared weights on egress queues 1 89 shared weights on ingr...

Page 1526: ...e log 1 2 VLANs 1 6 VTP 1 8 stacking and MACsec 1 3 stack master bridge ID MAC address 1 7 defined 1 2 election 1 6 IPv6 1 15 re election 1 6 See also stacks switch stack member accessing CLI of specific member 1 30 configuring member number 1 26 priority value 1 26 defined 1 2 displaying information of 1 30 IPv6 1 15 number 1 7 priority value 1 8 provisioning a new member 1 27 replacing 1 16 See ...

Page 1527: ...f replacing a provisioned switch 1 11 provisioned configuration defined 1 8 provisioned switch defined 1 8 provisioning a new member 1 27 partitioned 1 5 1 8 provisioned switch adding 1 9 removing 1 11 replacing 1 11 replacing a failed member 1 16 software compatibility 1 11 software image version 1 11 stack protocol version 1 12 STP bridge ID 1 3 instances supported 1 10 root port selection 1 3 s...

Page 1528: ...stics 802 1X 1 17 CDP 1 5 IEEE 802 1x 1 76 interface 1 52 IP multicast routing 1 63 MKA 1 5 OSPF 1 37 RMON group Ethernet 1 5 RMON group history 1 5 SNMP input and output 1 19 VTP 1 18 sticky learning 1 9 storm control configuring 1 3 described 1 1 disabling 1 5 support for 1 5 thresholds 1 1 STP accelerating root port selection 1 4 and REP 1 6 BackboneFast described 1 7 disabling 1 17 enabling 1 ...

Page 1529: ... keepalive messages 1 2 Layer 2 protocol tunneling 1 8 limitations with IEEE 802 1Q trunks 1 12 load sharing overview 1 22 using path costs 1 24 using port priorities 1 22 loop guard described 1 11 enabling 1 18 modes supported 1 10 multicast addresses effect of 1 9 optional features supported 1 9 overview 1 2 path costs 1 24 1 25 Port Fast described 1 2 enabling 1 12 port priorities 1 23 preventi...

Page 1530: ...atures 1 1 switch virtual interface See SVI SXP 1 2 synchronization BGP 1 50 syslog See system message logging system capabilities TLV 1 2 system clock configuring daylight saving time 1 6 manually 1 4 summer time 1 6 time zones 1 5 displaying the time and date 1 5 overview 1 2 See also NTP system description TLV 1 2 system message logging default configuration 1 4 defining error message severity ...

Page 1531: ...ents of 1 7 extracting 1 8 image file format 1 26 TCL script registering and defining with embedded event manager 1 7 TDR 1 18 Telnet accessing management interfaces 1 10 number of connections 1 8 setting a password 1 6 templates SDM 1 2 temporary self signed certificate 1 49 Terminal Access Controller Access Control System Plus See TACACS terminal lines setting a password 1 6 ternary content addr...

Page 1532: ... suppression 1 1 transmit hold count see STP transparent mode VTP 1 4 trap door mechanism 1 2 traps configuring MAC address notification 1 15 1 17 1 18 configuring managers 1 12 enabling 1 15 1 17 1 18 1 12 notification types 1 12 overview 1 1 1 4 troubleshooting connectivity problems 1 15 1 16 1 18 CPU utilization 1 29 detecting unidirectional links 1 1 displaying crash information 1 24 PIMv1 and...

Page 1533: ... neighbor database 1 2 overview 1 1 resetting an interface 1 6 status displaying 1 7 support for 1 9 UDP configuring 1 16 UDP jitter configuring 1 9 UDP jitter operation IP SLAs 1 8 unauthorized ports with IEEE 802 1x 1 10 unicast MAC address filtering 1 7 and adding static addresses 1 21 and broadcast MAC addresses 1 21 and CPU packets 1 21 and multicast addresses 1 21 and router MAC addresses 1 ...

Page 1534: ...oup 1 11 command switch 1 11 virtual ports MKA 1 3 Virtual Private Network See VPN virtual router 1 1 1 2 virtual switches and PAgP 1 6 vlan dat file 1 4 VLAN 1 disabling on a trunk port 1 20 minimization 1 19 VLAN ACLs See VLAN maps vlan assignment response VMPS 1 26 VLAN blocking REP 1 12 VLAN configuration at bootup 1 7 saving 1 7 VLAN database and startup configuration file 1 7 and VTP 1 1 VLA...

Page 1535: ...1 10 illustrated 1 2 internal 1 11 in the switch stack 1 6 limiting source traffic with RSPAN 1 20 limiting source traffic with SPAN 1 16 modifying 1 8 multicast 1 17 native configuring 1 21 normal range 1 1 1 4 number supported 1 10 parameters 1 4 port membership modes 1 3 static access ports 1 9 STP and IEEE 802 1Q trunks 1 12 supported 1 2 Token Ring 1 5 traffic between 1 2 VLAN bridge STP 1 12...

Page 1536: ...P 1 82 ping 1 82 RADIUS 1 83 SNMP 1 82 syslog 1 83 tftp 1 84 traceroute 1 84 uRPF 1 83 VRFs configuring multicast 1 85 VTP adding a client to a domain 1 17 advertisements 1 17 1 4 and extended range VLANs 1 2 and normal range VLANs 1 2 client mode configuring 1 13 configuration requirements 1 11 saving 1 9 configuration requirements 1 11 configuration revision number guideline 1 17 resetting 1 17 ...

Page 1537: ...aintaining 1 10 negotiation 1 3 packet redirection 1 3 packet return method 1 3 redirecting traffic received from a client 1 6 setting the password 1 7 unsupported WCCPv2 features 1 5 web authentication 1 15 configuring 1 16 to described 1 11 web based authentication customizeable web pages 1 6 description 1 1 web based authentication interactions with other features 1 7 Web Cache Communication Pr...

Page 1538: ...Index IN 58 Catalyst 3750 X and 3560 X Switch Software Configuration Guide OL 25303 03 ...
