Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
Cisco IOS Release 12.2(25)EX
November 2005
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xxxiii
Audience xxxiii
Purpose xxxiii
Conventions xxxiii
Related Publications xxxiv
Obtaining Documentation xxxv
Cisco.
Default Settings After Initial Switch Configuration 1-8
Network Configuration Examples 1-11
Multidwelling or Ethernet-to-the-Subscriber Network 1-11
Layer 2 VPN Application 1-13
Multi-VRF CE Application 1-14
Where to Go Next 1-15
CHAPTER 2 Using the Command-Line Interface 2-1
Understanding Command Modes 2-1
Understanding the Help System 2-3
Understanding Abbreviated Commands 2-3
Understanding no and default Forms of Commands 2-4
Understanding CLI Error Messages 2-4
Using Command Hist
Manually Assigning IP Information 3-9
Checking and Saving the Running Configuration 3-10
Modifying the Startup Configuration 3-12
Default Boot Configuration 3-13
Automatically Downloading a Configuration File 3-13
Specifying the Filename to Read and Write the System Configuration 3-13
Booting Manually 3-14
Booting a Specific Software Image 3-14
Controlling Environment Variables 3-15
Scheduling a Reload of the Software Image 3-16
Configuring a Scheduled Reload 3-17
Displaying Scheduled Reload
Configuring NTP 5-4
Default NTP Configuration 5-4
Configuring NTP Authentication 5-5
Configuring NTP Associations 5-6
Configuring NTP Broadcast Service 5-7
Configuring NTP Access Restrictions 5-8
Configuring the Source IP Address for NTP Packets 5-10
Displaying the NTP Configuration 5-11
Configuring Time and Date Manually 5-11
Setting the System Clock 5-11
Displaying the Time and Date Configuration 5-12
Configuring the Time Zone 5-12
Configuring Summer Time (Daylight Saving Time) 5-13
Configuring
CHAPTER 6 Configuring SDM Templates 6-1
Understanding the SDM Templates 6-1
Configuring the Switch SDM Template 6-2
Default SDM Template 6-2
SDM Template Configuration Guidelines 6-2
Setting the SDM Template 6-3
Displaying the SDM Templates 6-4
CHAPTER 7 Configuring Switch-Based Authentication 7-1
Preventing Unauthorized Access to Your Switch 7-1
Protecting Access to Privileged EXEC Commands 7-2
Default Password and Privilege Level Configuration 7-2
Setting or Changing a Static Enab
Configuring RADIUS 7-20
Default RADIUS Configuration 7-20
Identifying the RADIUS Server Host 7-20
Configuring RADIUS Login Authentication 7-23
Defining AAA Server Groups 7-25
Configuring RADIUS Authorization for User Privileged Access and Network Services 7-27
Starting RADIUS Accounting 7-28
Configuring Settings for All RADIUS Servers 7-29
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 7-29
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 7-31
Displaying t
Configuring IEEE 802.1x Authentication 8-9
Default IEEE 802.1x Configuration 8-9
IEEE 802.1x Configuration Guidelines 8-10
Configuring IEEE 802.
Configuring Auto-MDIX on an Interface 9-18
Adding a Description for an Interface 9-19
Configuring Layer 3 Interfaces 9-20
Configuring the System MTU 9-21
Monitoring and Maintaining the Interfaces 9-22
Monitoring Interface Status 9-23
Clearing and Resetting Interfaces and Counters 9-24
Shutting Down and Restarting the Interface 9-24
CHAPTER 10 Configuring Command Macros 10-1
Understanding Command Macros 10-1
Configuring Command Macros 10-2
Default Command Macro Configuration 10-2
Command M
Default Layer 2 Ethernet Interface VLAN Configuration 11-16
Configuring an Ethernet Interface as a Trunk Port 11-16
Interaction with Other Features 11-16
Configuring a Trunk Port 11-17
Defining the Allowed VLANs on a Trunk 11-17
Configuring the Native VLAN for Untagged Traffic 11-19
Configuring Trunk Ports for Load Sharing 11-19
Load Sharing Using STP Port Priorities 11-20
Load Sharing Using STP Path Cost 11-21
Configuring VMPS 11-23
Understanding VMPS 11-23
Dynamic-Access Port VLAN Membership 11-
Configuring a Layer 2 Interface as a Private-VLAN Host Port 12-12
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 12-13
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 12-14
Monitoring Private VLANs 12-15
CHAPTER 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 13-1
Understanding IEEE 802.1Q Tunneling 13-1
Configuring IEEE 802.1Q Tunneling 13-4
Default IEEE 802.1Q Tunneling Configuration 13-4
IEEE 802.
Spanning-Tree Modes and Protocols 14-9
Supported Spanning-Tree Instances 14-10
Spanning-Tree Interoperability and Backward Compatibility 14-10
STP and IEEE 802.1Q Trunks 14-10
Configuring Spanning-Tree Features 14-11
Default Spanning-Tree Configuration 14-11
Spanning-Tree Configuration Guidelines 14-12
Changing the Spanning-Tree Mode.
Configuring MSTP Features 15-11
Default MSTP Configuration 15-12
MSTP Configuration Guidelines 15-12
Specifying the MST Region Configuration and Enabling MSTP
Configuring the Root Switch 15-14
Configuring a Secondary Root Switch 15-16
Configuring Port Priority 15-17
Configuring Path Cost 15-18
Configuring the Switch Priority 15-19
Configuring the Hello Time 15-19
Configuring the Forwarding-Delay Time 15-20
Configuring the Maximum-Aging Time 15-21
Configuring the Maximum-Hop Count 15-21
Specifying
CHAPTER 17 Configuring Flex Links 17-1
Understanding Flex Links 17-1
Configuring Flex Links 17-2
Default Flex Link Configuration 17-2
Flex Link Configuration Guidelines 17-2
Configuring Flex Links 17-3
Monitoring Flex Links 17-4
CHAPTER 18 Configuring DHCP Features and IP Source Guard 18-1
Understanding DHCP Features 18-1
DHCP Server 18-2
DHCP Relay Agent 18-2
DHCP Snooping 18-2
Option-82 Data Insertion 18-3
DHCP Snooping Binding Database 18-5
Configuring DHCP Features 18-6
Default DH
CHAPTER 19 Configuring Dynamic ARP Inspection 19-1
Understanding Dynamic ARP Inspection 19-1
Interface Trust States and Network Security 19-3
Rate Limiting of ARP Packets 19-4
Relative Priority of ARP ACLs and DHCP Snooping Entries
Logging of Dropped Packets 19-4
Configuring Dynamic ARP Inspection 19-5
Default Dynamic ARP Inspection Configuration 19-5
Dynamic ARP Inspection Configuration Guidelines 19-6
Configuring Dynamic ARP Inspection in DHCP Environments
Configuring ARP ACLs for Non-DHCP E
Understanding Multicast VLAN Registration 20-16
Using MVR in a Multicast Television Application 20-16
Configuring MVR 20-18
Default MVR Configuration 20-18
MVR Configuration Guidelines and Limitations 20-19
Configuring MVR Global Parameters 20-19
Configuring MVR Interfaces 20-20
Displaying MVR Information 20-22
Configuring IGMP Filtering and Throttling 20-22
Default IGMP Filtering and Throttling Configuration 20-23
Configuring IGMP Profiles 20-23
Applying IGMP Profiles 20-25
Setting the Maximu
CHAPTER 22 Configuring CDP 22-1
Understanding CDP 22-1
Configuring CDP 22-2
Default CDP Configuration 22-2
Configuring the CDP Characteristics 22-2
Disabling and Enabling CDP 22-3
Disabling and Enabling CDP on an Interface
Monitoring and Maintaining CDP 22-5
CHAPTER 23 Configuring UDLD 23-1
Understanding UDLD 23-1
Modes of Operation 23-1
Methods to Detect Unidirectional Links
Configuring UDLD 23-4
Default UDLD Configuration 23-4
Configuration Guidelines 23-4
Enabling UDLD Globally 23-5
Configuring Local SPAN 24-10
SPAN Configuration Guidelines 24-10
Creating a Local SPAN Session 24-11
Creating a Local SPAN Session and Configuring Ingress Traffic 24-13
Specifying VLANs to Filter 24-15
Configuring RSPAN 24-16
RSPAN Configuration Guidelines 24-16
Configuring a VLAN as an RSPAN VLAN 24-17
Creating an RSPAN Source Session 24-17
Creating an RSPAN Destination Session 24-19
Creating an RSPAN Destination Session and Configuring Ingress Traffic
Specifying VLANs to Filter 24-21
Displaying
CHAPTER 27 Configuring SNMP 27-1
Understanding SNMP 27-1
SNMP Versions 27-2
SNMP Manager Functions 27-3
SNMP Agent Functions 27-4
SNMP Community Strings 27-4
Using SNMP to Access MIB Variables 27-4
SNMP Notifications 27-5
SNMP ifIndex MIB Object Values 27-5
Configuring SNMP 27-6
Default SNMP Configuration 27-6
SNMP Configuration Guidelines 27-6
Disabling the SNMP Agent 27-7
Configuring Community Strings 27-8
Configuring SNMP Groups and Users 27-9
Configuring SNMP Notifications 27-11
Setting th
Applying an IPv4 ACL to an Interface 28-19
Hardware and Software Treatment of IP ACLs 28-21
IPv4 ACL Configuration Examples 28-21
Numbered ACLs 28-23
Extended ACLs 28-23
Named ACLs 28-23
Time Range Applied to an IP ACL 28-24
Commented IP ACL Entries 28-24
ACL Logging 28-25
Creating Named MAC Extended ACLs 28-26
Applying a MAC ACL to a Layer 2 Interface 28-28
Configuring VLAN Maps 28-29
VLAN Map Configuration Guidelines 28-30
Creating a VLAN Map 28-31
Examples of ACLs and VLAN Maps 28-31
Applyin
Classification 30-5
Class Maps 30-6
The match Command 30-7
Classification Based on Layer 2 CoS 30-7
Classification Based on IP Precedence 30-8
Classification Based on IP DSCP 30-8
Classification Comparisons 30-9
Classification Based on QoS ACLs 30-10
Classification Based on QoS Groups 30-10
Table Maps 30-11
Policing 30-12
Individual Policing 30-13
Aggregate Policing 30-14
Unconditional Priority Policing 30-15
Marking 30-16
Congestion Management and Scheduling 30-18
Traffic Shaping 30-19
Class-Base
Displaying QoS Information 30-55
QoS Statistics 30-55
Configuration Examples for Policy Maps 30-56
QoS Configuration for Customer A 30-56
QoS Configuration for Customer B 30-58
Modifying Output Policies and Adding or Deleting Classification Criteria 30-59
Modifying Output Policies and Changing Queuing or Scheduling Parameters 30-60
Modifying Output Policies and Adding or Deleting Configured Actions 30-60
Modifying Output Policies and Adding or Deleting a Class 30-61
CHAPTER 31 Configuring Ether
CHAPTER 32 Configuring IP Unicast Routing 32-1
Understanding IP Routing 32-2
Types of Routing 32-2
Steps for Configuring Routing 32-3
Configuring IP Addressing 32-4
Default Addressing Configuration 32-4
Assigning IP Addresses to Network Interfaces 32-5
Use of Subnet Zero 32-6
Classless Routing 32-6
Configuring Address Resolution Methods 32-7
Define a Static ARP Cache 32-8
Set ARP Encapsulation 32-9
Enable Proxy ARP 32-10
Routing Assistance When IP Routing is Disabled 32-10
Proxy ARP 32-10
De
Configuring EIGRP 32-32
Default EIGRP Configuration 32-34
Configuring Basic EIGRP Parameters 32-35
Configuring EIGRP Interfaces 32-36
Configuring EIGRP Route Authentication 32-37
Monitoring and Maintaining EIGRP 32-38
Configuring BGP 32-38
Default BGP Configuration 32-40
Enabling BGP Routing 32-42
Managing Routing Policy Changes 32-45
Configuring BGP Decision Attributes 32-46
Configuring BGP Filtering with Route Maps 32-48
Configuring BGP Filtering by Neighbor 32-49
Configuring Prefix Lists for BG
Filtering Routing Information 32-79
Setting Passive Interfaces 32-79
Controlling Advertising and Processing in Routing Updates 32-80
Filtering Sources of Routing Information 32-81
Managing Authentication Keys 32-82
Monitoring and Maintaining the IP Network 32-83
CHAPTER 33 Configuring HSRP 33-1
Understanding HSRP 33-1
Multiple HSRP 33-3
Configuring HSRP 33-4
Default HSRP Configuration 33-4
HSRP Configuration Guidelines 33-5
Enabling HSRP 33-5
Configuring HSRP Priority 33-6
Configuring MHSRP
Configuring a Rendezvous Point 34-10
Manually Assigning an RP to Multicast Groups 34-11
Configuring Auto-RP 34-12
Configuring PIMv2 BSR 34-16
Using Auto-RP and a BSR 34-20
Monitoring the RP Mapping Information 34-21
Troubleshooting PIMv1 and PIMv2 Interoperability Problems 34-21
Configuring Advanced PIM Features 34-21
Understanding PIM Shared Tree and Source Tree 34-21
Delaying the Use of PIM Shortest-Path Tree 34-23
Modifying the PIM Router-Query Message Interval 34-24
Configuring Optional IGMP
Controlling Source Information that Your Switch Originates 35-8
Redistributing Sources 35-9
Filtering Source-Active Request Messages 35-11
Controlling Source Information that Your Switch Forwards 35-12
Using a Filter 35-12
Using TTL to Limit the Multicast Data Sent in SA Messages 35-14
Controlling Source Information that Your Switch Receives 35-14
Configuring an MSDP Mesh Group 35-16
Shutting Down an MSDP Peer 35-16
Including a Bordering PIM Dense-Mode Region in MSDP 35-17
Configuring an Originati
Using TDR 36-17
Understanding TDR 36-17
Running TDR and Displaying the Results 36-17
Using Debug Commands 36-18
Enabling Debugging on a Specific Feature 36-18
Enabling All-System Diagnostics 36-19
Redirecting Debug and Error Message Output 36-19
Using the show platform forward Command 36-19
Using the crashinfo File 36-22
APPENDIX A Supported MIBs A-1
MIB List A-1
Using FTP to Access the MIB Files A-3
APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software
Copying Configuration Files By Using FTP B-11
Preparing to Download or Upload a Configuration File By Using FTP B-12
Downloading a Configuration File By Using FTP B-13
Uploading a Configuration File By Using FTP B-14
Copying Configuration Files By Using RCP B-15
Preparing to Download or Upload a Configuration File By Using RCP B-15
Downloading a Configuration File By Using RCP B-16
Uploading a Configuration File By Using RCP B-17
Clearing Configuration Information B-18
Clearing the Startup Configu
IGMP Snooping Commands C-2
Unsupported Global Configuration Commands C-2
Interface Commands C-3
Unsupported Privileged EXEC Commands C-3
Unsupported Global Configuration Commands C-3
Unsupported Interface Configuration Commands C-3
IP Multicast Routing C-3
Unsupported Privileged EXEC Commands C-3
Unsupported Global Configuration Commands C-4
Unsupported Interface Configuration Commands C-4
IP Unicast Routing C-4
Unsupported Privileged EXEC or User EXEC Commands C-4
Unsupported Global Configurati
Spanning Tree C-9
Unsupported Global Configuration Command C-9
Unsupported Interface Configuration Command C-9
VLAN C-10
Unsupported Global Configuration Commands C-10
Unsupported User EXEC Commands C-10
INDEX
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 78-17058-01
Preface
Audience
This guide is for the networking professional managing the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch, hereafter referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose
This guide provides procedures for using the commands that have been created or changed for use with the Cisco ME 3400 switch.
Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful.
• Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix (not orderable but available on Cisco.com)
• Cisco 100-Megabit Ethernet SFP Modules Compatibility Matrix (not orderable but available on Cisco.com)
• Cisco CWDM SFP Transceiver Compatibility Matrix (not orderable but available on Cisco.com)
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com.
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
• Emergencies: security-alert@cisco.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL: http://www.cisco.
CHAPTER 1 Overview
This chapter provides these topics about the Cisco Metro Ethernet (ME) 3400 Series Ethernet Access switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-8
• Network Configuration Examples, page 1-11
• Where to Go Next, page 1-15
In this document, IP refers to IP Version 4 (IPv4).
Features
The switch ships with one of these software images installed:
• The metro base image provides basic Metro Ethernet features.
The switch has these features:
• Performance Features, page 1-2
• Management Options, page 1-3
• Manageability Features, page 1-3 (includes a feature requiring the cryptographic versions of the software)
• Availability Features, page 1-4
• VLAN Features, page 1-5
• Security Features, page 1-5 (includes a feature requiring the cryptographic versions of the switch software)
• Quality of Service and Class of Service Features, page 1-6
• Layer 2 Virtual Private Netw
• IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong
• IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
• IGMP configurable leave timer to configure the leave latency for the network.
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses
• In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based sessions over the network
• In-band management access for up to five simultaneous, encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (requires the cryptographic versions of the switch software).
VLAN Features
• Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth
• Support for VLAN IDs in the full 1 to 4094 range allowed by the IEEE 802.1Q standard
• VLAN Query Protocol (VQP) for dynamic VLAN membership
• IEEE 802.
• Configuration file security so that only authenticated and authorized users have access to the configuration file, preventing users from accessing the configuration file by using the password recovery process
• Multilevel security for a choice of security level, notification, and resulting actions
• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port
• Port security aging to set the aging time for secure addresses
• Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications
• Table maps for mapping DSCP, CoS, and IP precedence values
• Queuing and Scheduling
– Shaped round robin (SRR) traffic shaping to mix packets from all queues to minimize traffic burst
– Class-based traffic shaping to specify a maximum permitted average rate for a traffic class
– Port shaping to specify the m
• Protocol-Independent Multicast (PIM) for multicast routing within the network, allowing for devices in the network to receive the multicast feed requested and for switches not participating in the multicast to be pruned.
Default Settings After Initial Switch Configuration
If you do not configure the switch at all, the Cisco ME 3400 switch operates with the default settings shown in Table 1-1.
Table 1-1 Default Settings After Initial Switch Configuration
Feature | Default Setting | More information in...
Switch IP address, subnet mask, and 0.0.0.
Table 1-1 Default Settings After Initial Switch Configuration (continued)
Feature | Default Setting | More information in...
Tunneling | • 802. | Chapter 13, “Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling”
denial-of-service attacks are avoided. The Cisco ME switch also provides mechanisms such as port security and IP Source Guard to protect against MAC or IP spoofing. By using advanced access control lists, the service providers have granular control of the types of traffic to enter the network.
Layer 2 VPN Application
Enterprise customers need not only high bandwidth, but also the ability to extend their private network across the service provider’s shared infrastructure. With Ethernet in the WAN network, service providers can meet the bandwidth requirements of enterprise customers and use VPN features to extend customers’ networks.
Multi-VRF CE Application
A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service-provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table, called a VPN routing/forwarding (VRF) table.
Where to Go Next
Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 3, “Assigning the Switch IP Address and Default Gateway”
• Chapter 4, “Configuring Cisco IOS CNS Agents”
CHAPTER 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your Cisco ME 3400 Ethernet Access switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
• Display system information.
Mode: Privileged EXEC
Access Method: While in user EXEC mode, enter the enable command.
Prompt: Switch#
Exit Method: Enter disable to exit.
Understanding the Help System
You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 2-2.
Table 2-2 Help Summary
Command: help
Purpose: Obtain a brief description of the help system in any command mode.
Understanding no and default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
Changing the Command History Buffer Size
By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. These procedures are optional.
Using Editing Features
This section describes the editing features that can help you manipulate the command line.
Table 2-5 Editing Commands through Keystrokes (continued)
Capability | Keystroke | Purpose
(continued from previous page) | Press Esc Y. | Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
Delete entries if you make a mistake or change your mind. | Press the Delete or Backspace key. |
Capitalize or lowercase words or capitalize a set of letters. | |
Editing Command Lines that Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. The keystroke actions are optional.
Accessing the CLI
You can access the CLI through a console connection, through Telnet, or by using the browser.
Accessing the CLI through a Console Connection or through Telnet
Before you can access the CLI, you must connect a terminal or PC to the switch console port and power on the switch as described in the hardware installation guide that shipped with your switch.
CHAPTER 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the switch IP address and default gateway information) for the Cisco Metro Ethernet (ME) 3400 Ethernet Access switch by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration.
• Initializes the flash file system on the system board.
• Loads a default operating system software image into memory and boots the switch.
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system.
These sections contain this configuration information:
• Default Switch Information, page 3-3
• Understanding DHCP-Based Autoconfiguration, page 3-3
• Manually Assigning IP Information, page 3-9
Default Switch Information
Table 3-1 shows the default switch information.
Table 3-1 Default Switch Information
Feature: IP address and subnet mask
Default Setting: No IP address or subnet mask is defined.
Figure 3-1 shows the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Figure 3-1 DHCP Client and Server Message Exchange (Switch A and DHCP server: DHCPDISCOVER (broadcast), DHCPOFFER (unicast), DHCPREQUEST (broadcast), DHCPACK (unicast))
The client, Switch A, broadcasts a DHCPDISCOVER message to locate a DHCP server.
Configuring DHCP-Based Autoconfiguration
These sections contain this configuration information:
• DHCP Server Configuration Guidelines, page 3-5
• Configuring the TFTP Server, page 3-5
• Configuring the DNS, page 3-6
• Configuring the Relay Device, page 3-6
• Obtaining Configuration Files, page 3-7
• Example Configuration, page 3-8
If your DHCP server is a Cisco device, see the “Configuring DHCP” section
If you did not specify the configuration filename or the TFTP server, or if the configuration file could not be downloaded, the switch attempts to download a configuration file by using various combinations of filenames and TFTP server addresses. The files include the specified configuration filename (if any) and these files: network-config, cisconet.cfg, hostname.config, or hostname.
Note If the switch is acting as the relay device, configure the interface as a routed port. For more information, see the “Routed Ports” section on page 9-4 and the “Configuring Layer 3 Interfaces” section on page 9-20.
Figure 3-2 Relay Device Used in Autoconfiguration (nodes: Switch (DHCP client), Cisco router (Relay), DHCP server, TFTP server, DNS server; addresses shown in the figure: 10.0.0.2, 10.0.0.1, 20.0.0.3, 20.0.0.4, 20.0.0.2, 20.0.0.)
After obtaining its hostname from the default configuration file or the DHCP reply, the switch reads the configuration file that has the same name as its hostname (hostname-confg or hostname.cfg, depending on whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the cisconet.cfg file is read, the filename of the host is truncated to eight characters.
DNS Server Configuration
The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.
TFTP Server Configuration (on UNIX)
The TFTP server base directory is set to /tftpserver/work/. This directory contains the network-confg file used in the two-file read method. This file contains the hostname to be assigned to the switch based on its IP address.
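The two-file read method described above, modelled as an added example (this is not code from the Cisco guide). It assumes the default configuration file maps switch addresses to hostnames with IOS-style `ip host <hostname> <ip-address>` lines, and the sample file contents are constructed.

```python
"""Added example: derive the host-specific configuration filename that the
switch reads in the two-file read method.

Assumptions (not stated on the page): the default configuration file
(network-confg or cisconet.cfg) carries 'ip host <hostname> <ip-address>'
lines; the sample file below is constructed for this example.
"""
from typing import Dict, Optional

# Constructed sample of a network-confg served from the TFTP base directory.
SAMPLE_NETWORK_CONFG = """\
!
ip host switcha 10.0.0.21
ip host switchb 10.0.0.22
ip host access-switch-floor3 10.0.0.23
!
"""

DEFAULT_FILES = ("network-confg", "cisconet.cfg")


def parse_ip_host_table(text: str) -> Dict[str, str]:
    """Return {ip-address: hostname} from 'ip host' lines; other lines are ignored."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 4 and parts[0] == "ip" and parts[1] == "host":
            hostname, address = parts[2], parts[3]
            table[address] = hostname
    return table


def host_config_filename(hostname: str, default_file: str) -> str:
    """Derive the host-specific file the switch reads next.

    After network-confg was read: '<hostname>-confg'.
    After cisconet.cfg was read:  '<hostname>.cfg', hostname truncated to 8 chars
    (the page states this truncation for the cisconet.cfg case only).
    """
    if default_file == "network-confg":
        return f"{hostname}-confg"
    if default_file == "cisconet.cfg":
        return f"{hostname[:8]}.cfg"
    raise ValueError(f"unexpected default configuration file: {default_file}")


def resolve_host_config(switch_ip: str, default_file: str,
                        default_text: str) -> Optional[str]:
    """Look up the hostname assigned to switch_ip, then derive its config filename.

    Returns None when the default file has no entry for the switch, which is the
    case where the switch falls back to the other filename combinations.
    """
    hostname = parse_ip_host_table(default_text).get(switch_ip)
    if hostname is None:
        return None
    return host_config_filename(hostname, default_file)


if __name__ == "__main__":
    for ip in ("10.0.0.21", "10.0.0.23", "10.0.0.99"):
        for default_file in DEFAULT_FILES:
            print(ip, default_file, "->", resolve_host_config(ip, default_file, SAMPLE_NETWORK_CONFG))
```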
Step 5
Command: ip default-gateway ip-address
Purpose: Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. The default gateway receives IP packets with unresolved destination IP addresses from the switch.
!
vlan 2,10
!
class-map match-all test1
class-map match-all class2
class-map match-all class1
!
!
policy-map test
 class class1
  police cir percent 30
policy-map test2
 class class2
  police cir 8500 bc 1500
policy-map test3
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
 shutdown
!
in
 session-timeout 120
 exec-timeout 120 0
 speed 115200
line vty 0 4
 password cisco
 no login
line vty 5 15
 no login
!
!
end
To store the configuration or changes you have made to your startup configuration in flash memory, enter this privileged EXEC command:
Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
Default Boot Configuration
Table 3-3 shows the default boot configuration.
Table 3-3 Default Boot Configuration
Feature: Default Setting
Operating system software image: The switch attempts to automatically boot the system using information in the BOOT environment variable.
Booting Manually
By default, the switch automatically boots; however, you can configure it to manually boot. Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot during the next boot cycle:
Step 1 configure terminal: Enter global configuration mode.
Step 2 boot manual: Enable the switch to manually boot during the next boot cycle.
Step 3 end: Return to privileged EXEC mode.
Step 4 show boot: Verify your entries.
The boot system global command changes the setting of the BOOT environment variable. During the next boot cycle, the switch attempts to automatically boot the system using information in the BOOT environment variable.
You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
Note For complete syntax and usage information for the boot loader commands and environment variables, see the command reference for this release.
Configuring a Scheduled Reload
To configure your switch to reload the software image at a later time, use one of these commands in privileged EXEC mode:
• reload in [hh:]mm [text]
This command schedules a reload of the software to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.
Displaying Scheduled Reload Information
To display information about a previously scheduled reload or to find out if a reload has been scheduled on the switch, use the show reload privileged EXEC command. It displays reload information including the time the reload is scheduled to occur and the reason for the reload (if it was specified when the reload was scheduled).
Chapter 4 Configuring Cisco IOS CNS Agents
This chapter describes how to configure the Cisco IOS CNS agents on the Cisco ME 3400 switch.
Note For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Figure 4-1 Configuration Engine Architectural Overview (figure components: service provider network, configuration engine, data service directory, configuration server, event service, web-based user interface, order entry configuration management)
These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, p
Event Service
The Cisco Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. The switch can check the syntax of the configuration before applying it.
Table 4-1 Prerequisites for Enabling Automatic Configuration (devices: access switch, distribution switch, DHCP server, TFTP server, CNS Configuration Engine)
Access switch: Factory default (no configuration file)
Distribution switch:
• IP helper address
• Enable DHCP relay agent
• IP routing (if used as default gateway)
DHCP server:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
•
Enabling the CNS Event Agent
Note You must enable the CNS event agent on the switch before you enable the CNS configuration agent.
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Step 1 configure terminal: Enter global configuration mode.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 cns id interface num {dns-reverse | ipaddress | mac-address} [event] or cns id {hardware-serial | hostname | string string} [event]: Set the unique EventID or ConfigID used by the Configuration Engine.
Step 8
Step 10 show cns config connections: Verify information about the configuration agent.
Step 11 show running-config: Verify your entries.
To disable the CNS Cisco IOS agent, use the no cns config initial {ip-address | hostname} global configuration command.
This example shows how to configure an initial configuration on a remote switch. The switch hostname is the unique ID.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 78-17058-01
Chapter 5 Administering the Switch
This chapter describes how to perform one-time operations to administer the Cisco ME 3400 Ethernet Access switch.
Managing the System Time and Date
Understanding the System Clock
The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 5-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A.
Configuring NTP
The switch does not have a hardware-supported clock and cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. The switch also has no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.
Configuring NTP Authentication
This procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the switch to synchronize its time to the NTP server.
Configuring NTP Associations
An NTP association can be a peer association (this switch can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this switch synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.
Step 3 no shutdown: Enable the port, if necessary.
Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step 1 configure terminal: Enter global configuration mode.
Step 2 ntp access-group {query-only | serve-only | serve | peer} access-list-number: Create an access group, and apply a basic IP access list.
To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command. This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99.
Step 4 show running-config: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
The specified interface is used for the source address for all packets sent to all destinations.
This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:
Switch# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate).
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step 1 configure terminal: Enter global configuration mode.
Step 2 clock summer-time zone recurring: Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step 1 configure terminal: Enter global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm: Configure summer time to start on the first date and end on the second date.
Configuring a System Name and Prompt
These sections contain this configuration information:
• Default System Name and Prompt Configuration, page 5-15
• Configuring a System Name, page 5-15
• Understanding DNS, page 5-15
Default System Name and Prompt Configuration
The default switch system name and prompt is Switch.
These sections contain this configuration information:
• Default DNS Configuration, page 5-16
• Setting Up DNS, page 5-16
• Displaying the DNS Configuration, page 5-17
Default DNS Configuration
Table 5-2 shows the default DNS configuration.
Table 5-2 Default DNS Configuration
DNS enable state: Enabled.
DNS default domain name: None configured.
DNS servers: No name server addresses are configured.
Step 6 show running-config: Verify your entries.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.
Creating a Banner
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Step 1 configure terminal: Enter global configuration mode.
Step 2 banner motd c message c: Specify the message of the day.
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Step 1 configure terminal: Enter global configuration mode.
Step 2 banner login c message c: Specify the login message.
Managing the MAC Address Table
These sections contain this configuration information:
• Building the Address Table, page 5-20
• MAC Addresses and VLANs, page 5-20
• Default MAC Address Table Configuration, page 5-21
• Changing the Address Aging Time, page 5-21
• Removing Dynamic Address Entries, page 5-22
• Configuring MAC Address Notification Traps, page 5-22
• Adding and Removing Static Address Entries, page 5-24
• Configuring Unicast MAC Address Filter
If the switch is running the metro IP access or metro access image, you can disable MAC address learning on a per-VLAN basis. Customers in a service provider network can tunnel a large number of MAC addresses through the network and fill up the available MAC address table space.
Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time:
Step 1 configure terminal: Enter global configuration mode.
Step 2 mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]: Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to 1000000 seconds. The default is 300.
Beginning in privileged EXEC mode, follow these steps to configure the switch to send MAC address notification traps to an NMS host:
Step 1 configure terminal: Enter global configuration mode.
Step 2 snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type: Specify the recipient of the trap message.
• For host-addr, specify the name or address of the NMS.
Step 9 end: Return to privileged EXEC mode.
Step 10 show mac address-table notification interface and show running-config: Verify your entries.
Step 11 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable the switch from sending MAC address notification traps, use the no snmp-server enable traps mac-notification global configuration command.
Beginning in privileged EXEC mode, follow these steps to add a static address:
Step 1 configure terminal: Enter global configuration mode.
Step 2 mac address-table static mac-addr vlan vlan-id interface interface-id: Add a static address to the MAC address table.
• For mac-addr, specify the destination MAC unicast address to add to the address table.
• If you add a unicast MAC address as a static address and configure unicast MAC address filtering, the switch either adds the MAC address as a static address or drops packets with that MAC address, depending on which command was entered last. The second command that you entered overrides the first command.
Follow these guidelines when disabling MAC address learning on a VLAN:
• Disabling MAC address learning on a VLAN is supported only if the switch is running the metro IP access or metro access image.
• Use caution when considering disabling MAC address learning on a VLAN with a switch virtual interface (SVI) configured. If you disable MAC address learning on an SVI, the switch floods all IP packets in the Layer 2 domain.
Displaying Address Table Entries
You can display the MAC address table by using one or more of the privileged EXEC commands described in Table 5-4:
Table 5-4 Commands for Displaying the MAC Address Table
show ip igmp snooping groups: Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address: Displays MAC address table information for the specified MAC address.
Chapter 6 Configuring SDM Templates
This chapter describes how to configure the Switch Database Management (SDM) templates on the Cisco ME 3400 Ethernet Access switch. SDM template configuration is supported only when the switch is running the metro IP access image.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Table 6-1 shows the approximate number of each resource supported in each of the two templates for a switch running the metro IP access image. The values in the template are based on eight routed interfaces and approximately 1024 VLANs and represent the approximate hardware boundaries set when a template is selected.
• Do not use the default template if you do not have routing enabled on your switch. The sdm prefer default global configuration command prevents other features from using the memory allocated to unicast routing in the routing template.
• You should use the default template when you plan to enable routing on the switch.
This example shows how to configure a switch with the layer-2 template.
Switch(config)# sdm prefer layer-2
Switch(config)# end
Switch# reload
Proceed with reload? [confirm]
Displaying the SDM Templates
Use the show sdm prefer privileged EXEC command with no parameters to display the active template. Use the show sdm prefer [default | layer-2] privileged EXEC command to display the resource numbers supported by the specified template.
Chapter 7 Configuring Switch-Based Authentication
This chapter describes how to configure switch-based authentication on the Cisco ME 3400 switch.
Protecting Access to Privileged EXEC Commands
A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Step 1 configure terminal: Enter global configuration mode.
Step 2 enable password password: Define a new password or change an existing password for access to privileged EXEC mode.
Protecting Enable and Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
To re-enable password recovery, use the service password-recovery global configuration command.
Note Disabling password recovery will not work if you have set the switch to boot manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Configuring Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
Logging into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Step 1 enable level: Log in to a specified privilege level. For level, the range is 0 to 15.
Step 2 disable level: Exit to a specified privilege level. For level, the range is 0 to 15.
Controlling Switch Access with TACACS+
Figure 7-1 Typical TACACS+ Network Configuration (figure: Catalyst 6500 series switch; UNIX workstation as TACACS+ server 1, 171.20.10.7; UNIX workstation as TACACS+ server 2, 171.20.10.8)
Configure the switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+ authentication. You can optionally define method lists for TACACS+ authorization and accounting.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a TACACS+ server and optionally set the encryption key:
Step 1 configure terminal: Enter global configuration mode.
Step 2 tacacs-server host hostname [port integer] [timeout integer] [key string]: Identify the IP host or hosts maintaining a TACACS+ server.
authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted.
Step 5 login authentication {default | list-name}: Apply the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa authentication login command.
• For list-name, specify the list created with the aaa authentication login command.
Step 6 end: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
Step 5 show running-config: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Controlling Switch Access with RADIUS
This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
Configuring RADIUS
This section describes how to configure your switch to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]: Specify the IP address or hostname of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 2 aaa new-model: Enable AAA.
Step 3 aaa authentication login {default | list-name} method1 [method2...]: Create a login authentication method list.
Step 5 login authentication {default | list-name}: Apply the authentication list to a line or set of lines.
• If you specify default, use the default list created with the aaa authentication login command.
• For list-name, specify the list created with the aaa authentication login command.
Step 6 end: Return to privileged EXEC mode.
Step 7 show running-config: Verify your entries.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Step 8 Command Purpose copy running-config startup-config (Optional) Save your entries in the configuration file. Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23. To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa authorization network radius Configure the switch for user RADIUS authorization for all network-related service requests.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 radius-server key string Specify the shared secret text string used between the switch and all RADIUS servers.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= ”ip:addr-pool=first“ This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= ”shell:priv-lvl=15“ This example shows how to specify an authorized VLAN in the RADIUS server database: cis
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
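The shared secret set with radius-server key is the only thing that protects the User-Password attribute on the wire and that lets the switch check that an Access-Accept really came from its server. The following Python example, added here and not taken from the Cisco guide, models both sides of that exchange as RFC 2865 defines it: it hides a password with the MD5 keystream seeded by the Request Authenticator, encodes a cisco-avpair such as shell:priv-lvl=15 as a Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1), and verifies the Response Authenticator of a reply. The secret, username, password and packet identifier are constructed values.

```python
"""RADIUS Access-Request building and Response Authenticator checking (RFC 2865).
Added example, not code from the Cisco guide; all sample values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1   # vendor-type of the cisco-avpair attribute


def _md5_stream(secret: bytes, authenticator: bytes, blocks: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(chunk, key))
        out += xored
        prev = chunk if decrypt else xored   # chain on the ciphertext in both directions
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password value; nothing but the shared secret protects it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-octet multiple
    return _md5_stream(secret, authenticator, padded, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password and drop the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    return _md5_stream(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(pair: str) -> bytes:
    """Encode a cisco-avpair such as shell:priv-lvl=15 as Vendor-Specific (26)."""
    value = pair.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_access_request(identifier, secret, username, password, avpairs=(), authenticator=None):
    """Switch side: Access-Request with a 16-octet random Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    for pair in avpairs:
        attrs += cisco_avpair(pair)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(attrs: bytes):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    result = []
    while attrs:
        if len(attrs) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[0], attrs[1]
        if length < 2 or length > len(attrs):
            raise ValueError("bad attribute length")
        result.append((attr_type, attrs[2:length]))
        attrs = attrs[length:]
    return result


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: Access-Accept or Access-Reject carrying the Response Authenticator."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """Switch side: accept a reply only if its authenticator matches the shared secret
    and the Request Authenticator of the outstanding request."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A reply built with a different secret, or with any byte of the attributes altered, fails verify_response, which is the check the switch relies on when two RADIUS servers and keys are configured as in the example above.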
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) version of the switch software must be installed on your switch.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).
Table 7-2 Kerberos Terms (continued) Term: KEYTAB3 Definition: A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB4. Term: Principal
Authenticating to a Boundary Switch This section describes the first layer of security through which a remote user must pass. The user must first authenticate to the boundary switch. This process then occurs: 1. The user opens an un-Kerberized Telnet connection to the boundary switch. 2. The switch prompts the user for a username and password. 3. The switch requests a TGT from the KDC for this user. 4.
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization Configuring Kerberos So that remote users can authenticate to network services, you must configure the hosts and the KDC in the Kerberos realm to communicate and mutually authenticate users and network services. To do this, you must identify them to each other.
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Step 6 username name [privilege level] {password encryption-type password}: Enter the local database, and establish a username-based authentication system. Repeat this command for each user. • For name, specify the user ID as one word. Spaces and quotation marks are not allowed. • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
Understanding SSH SSH is a protocol that provides a secure, remote connection to a device. SSH provides more security for remote connections than Telnet does by providing strong encryption when a device is authenticated. This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).
Configuring SSH This section has this configuration information: • Configuration Guidelines, page 7-39 • Setting Up the Switch to Run SSH, page 7-39 (required) • Configuring the SSH Server, page 7-40 (required only if you are configuring the switch as an SSH server) Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client: • An RSA key pair generated by a SSHv
Step 4 crypto key generate rsa: Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use. Step 5 end: Return to privileged EXEC mode.
Step 5 show ip ssh: Show the version and configuration information for your SSH server. or show ssh: Show the status of the SSH server connections on the switch. Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file. To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
Chapter 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to hotels, airports, and corporate lobbies and create insecure environments, 802.1x prevents unauthorized devices (clients) from gaining access to the network. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding IEEE 802.1x Port-Based Authentication These sections describe IEEE 802.1x port-based authentication: • Device Roles, page 8-2 • Authentication Initiation and Message Exchange, page 8-3 • Ports in Authorized and Unauthorized States, page 8-4 • IEEE 802.1x Accounting, page 8-5 • IEEE 802.1x Accounting Attribute-Value Pairs, page 8-5 • IEEE 802.1x Host Mode, page 8-6 • Using IEEE 802.
• Switch (edge switch or wireless access point)—controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
[Figure 8-3 Multiple Host Mode Example: access point, authentication server (RADIUS), wireless clients] Using IEEE 802.1x with Port Security You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode. (You also must configure port security on the port by using the switchport port-security interface configuration command.
Using IEEE 802.1x with VLAN Assignment The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users. When configured on the switch and the RADIUS server, IEEE 802.
Configuring IEEE 802.1x Authentication These sections contain this configuration information: • Default IEEE 802.1x Configuration, page 8-9 • IEEE 802.1x Configuration Guidelines, page 8-10 • Configuring IEEE 802.
Table 8-2 Default IEEE 802.1x Configuration (continued) Feature / Default Setting: Quiet period: 60 seconds (number of seconds that the switch remains in the quiet state following a failed authentication exchange with the client). Retransmission time: 30 seconds (number of seconds that the switch should wait for a response to an EAP request/identity frame from the client before resending the request).
• You can configure IEEE 802.1x on a private-VLAN port, but do not configure IEEE 802.1x with port security on private-VLAN ports. • Before globally enabling IEEE 802.1x on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE 802.1x and EtherChannel are configured. Configuring IEEE 802.
Step 5 aaa authorization network {default} group radius: (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment. Step 6 interface interface-id: Specify the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode.
Step 4 show running-config: Verify your entries. Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file. To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command. This example shows how to specify the server with IP address 172.20.39.
Changing the Switch-to-Client Retransmission Time The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
Step 3 dot1x max-reauth-req count: Set the number of times that the switch sends an EAP frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2. Step 4 end: Return to privileged EXEC mode. Step 5 show dot1x interface interface-id: Verify your entries.
Configuring the Host Mode Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to auto. This procedure is optional. Step 1 configure terminal: Enter global configuration mode.
Configuring IEEE 802.1x Accounting Enabling AAA system accounting with IEEE 802.1x accounting allows system reload events to be sent to the accounting RADIUS server for logging. The server can then infer that all active IEEE 802.1x sessions are closed. Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to poor network conditions.
Displaying IEEE 802.1x Statistics and Status To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command. To display the IEEE 802.
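The EAP-request/identity and EAP-response/identity frames described above are EAP packets carried in EAPOL over Ethernet (EtherType 0x888E). The following Python example, added here and not taken from the Cisco guide, builds the request a switch sends (and resends after the retransmission time), builds the client's response, and parses incoming EAPOL frames with the length checks an authenticator needs so that a truncated or malformed frame is rejected rather than misread. The MAC addresses and identity are constructed values; the identity carried in the response is what the switch forwards to the RADIUS server as User-Name.

```python
"""EAPOL/EAP framing for the IEEE 802.1x identity exchange (IEEE 802.1X, RFC 3748).
Added example, not code from the Cisco guide; MAC addresses below are constructed."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"   # destination EAPOL uses on a LAN segment
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, then Type and Type-Data for Request/Response
    (Success and Failure packets carry no Type octet)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(eapol_type: int, body: bytes = b"", src: str = "00:00:5e:00:53:01") -> bytes:
    """Ethernet header plus EAPOL header (Version, Type, Length) around an EAP body."""
    eth = _mac_bytes(PAE_GROUP_ADDRESS) + _mac_bytes(src) + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; raise ValueError on anything malformed or truncated."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    if struct.unpack("!H", frame[12:14])[0] != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    info = {"dst": _mac_str(frame[:6]), "src": _mac_str(frame[6:12]),
            "eapol_version": version, "eapol_type": eapol_type}
    if eapol_type != EAPOL_EAP_PACKET:
        return info   # EAPOL-Start and EAPOL-Logoff carry no EAP packet
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    info.update(eap_code=code, eap_id=identifier, eap_type=None, identity=None)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("Request/Response needs a Type octet")
        info["eap_type"] = body[4]
        if code == EAP_RESPONSE and body[4] == EAP_TYPE_IDENTITY:
            info["identity"] = body[5:eap_len].decode("utf-8", errors="replace")
    return info


def is_well_formed(frame: bytes) -> bool:
    """True when parse_eapol accepts the frame."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def switch_request_identity(identifier: int, switch_mac: str) -> bytes:
    """What the switch sends first, and again after each retransmission time."""
    eap = build_eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)
    return build_eapol(EAPOL_EAP_PACKET, eap, src=switch_mac)


def client_response_identity(identifier: int, identity: str, client_mac: str) -> bytes:
    """The client's reply; the Identifier must match the outstanding request."""
    eap = build_eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, identity.encode())
    return build_eapol(EAPOL_EAP_PACKET, eap, src=client_mac)
```

The Identifier octet is how the switch matches a response to the request it is still waiting for; a response with a stale Identifier arriving after a retransmission should be ignored, which is why both builders take it as an explicit parameter.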
Chapter 9 Configuring Interface Characteristics This chapter defines the types of interfaces on the Cisco ME 3400 Ethernet Access switch and describes how to configure them.
Understanding Interface Types Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 11, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Note When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. For detailed information about configuring access port and trunk port characteristics, see Chapter 11, “Configuring VLANs.” For more information about tunnel ports, see Chapter 13, “Configuring IEEE 802.
they are enabled. Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch; the Cisco ME switch cannot be a VMPS server. Dynamic access ports for VMPS are only supported on UNIs. Trunk Ports An IEEE 802.1Q trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database.
Note Entering a no switchport interface configuration command shuts down the interface and then re-enables it, which might generate messages on the device to which the interface is connected. When you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected interface might be lost. The number of routed ports that you can configure is not limited by software.
EtherChannel Port Groups EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single logical port for high-bandwidth connections between switches or between switches and servers. An EtherChannel balances the traffic load across the links in the channel. If a link within the EtherChannel fails, traffic previously carried over the failed link changes to the remaining links.
Using Interface Configuration Mode When the metro IP access image is running on the switch, routing can be enabled on the switch. Whenever possible, to maintain high performance, forwarding is done by the switch hardware. However, only IP Version 4 packets with Ethernet II encapsulation can be routed in hardware. The routing function can be enabled on all SVIs and routed ports. The switch routes only IP traffic.
Note (Step 3) You do not need to add a space between the interface type and interface number. For example, in the preceding line, you can specify either fastethernet 0/1, fastethernet0/1, fa 0/1, or fa0/1.
Step 6 show interfaces [interface-id]: Verify the configuration of the interfaces in the range. Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Configuring and Using Interface Range Macros You can create an interface range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface range macro global configuration command string, you must use the define interface-range global configuration command to define the macro.
Chapter 9 Configuring Interface Characteristics Configuring Ethernet Interfaces • All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.
Default Ethernet Interface Configuration Table 9-1 shows the Ethernet interface default configuration for NNIs, and Table 9-2 shows the Ethernet interface default configuration for UNIs. For more details on the VLAN parameters listed in the table, see Chapter 11, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 21, “Configuring Port-Based Traffic Control.
Table 9-2 Default Ethernet Configuration for UNIs Feature / Default Setting: Operating mode: Layer 2 or switching mode (switchport command). Allowed VLAN range: VLANs 1 to 4094. Default VLAN (for access ports): VLAN 1 (Layer 2 interfaces only). Native VLAN (for IEEE 802.1Q trunks): VLAN 1 (Layer 2 interfaces only). VLAN trunking: Switchport mode access (Layer 2 interfaces only). Dynamic VLAN: Enabled.
Beginning in privileged EXEC mode, follow these steps to configure the port type on an interface: Step 1 configure terminal: Enter global configuration mode. Step 2 interface interface-id: Specify the interface to configure, and enter interface configuration mode. Step 3 no shutdown: Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
Speed and Duplex Configuration Guidelines When configuring an interface speed and duplex mode, note these guidelines: • You can configure interface speed on Fast Ethernet (10/100-Mbps) and Gigabit Ethernet (10/100/1000-Mbps) ports. You can configure Fast Ethernet ports to full-duplex, half-duplex, or to autonegotiate mode. You can configure Gigabit Ethernet ports to full-duplex mode or to autonegotiate.
Step 4 speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}: Enter the appropriate speed parameter for the interface: • Enter 10, 100, or 1000 to set a specific speed for the interface. The 1000 keyword is available only for 10/100/1000 Mbps ports or SFP module ports with a 1000BASE-T SFP module. • Enter auto to enable the interface to autonegotiate speed with the connected device.
Configuring IEEE 802.3x Flow Control IEEE 802.3x flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If one port experiences congestion and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears.
Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
This example shows how to enable auto-MDIX on a port: Switch# configure terminal Switch(config)# interface gigabitethernet0/1 Switch(config-if)# no shutdown Switch(config-if)# speed auto Switch(config-if)# duplex auto Switch(config-if)# mdix auto Switch(config-if)# end Adding a Description for an Interface You can add a description about an interface to help you remember its function.
Configuring Layer 3 Interfaces The Cisco 3400 ME switch must be running the metro IP access image to support Layer 3 interfaces. The Cisco ME switch supports these types of Layer 3 interfaces: • SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created when you enter a VLAN ID following the interface vlan global configuration command.
Chapter 9 Configuring Interface Characteristics Configuring the System MTU Step 3 no shutdown: Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled. Step 4 no switchport: For physical ports only, enter Layer 3 mode. Step 5 ip address ip_address subnet_mask: Configure the IP address and IP subnet. Step 6 no shutdown: Enable the interface. Step 7 end: Return to privileged EXEC mode. Step 8 show interfaces [interface-id]: Verify the configuration.
Chapter 9 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Note If Layer 2 Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames received on a Layer 2 Gigabit Ethernet interface and sent on a Layer 2 10/100 interface are dropped.
Monitoring Interface Status Commands entered at the privileged EXEC prompt display information about the interface, including the versions of the software and the hardware, the configuration, and statistics about the interfaces. Table 9-4 lists some of these interface monitoring commands. (You can display the full list of show commands by using the show ? command at the privileged EXEC prompt.
Clearing and Resetting Interfaces and Counters Table 9-5 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 9-5 Clear Commands for Interfaces Command / Purpose: clear counters [interface-id]: Clear interface counters. clear interface interface-id: Reset the hardware logic on an interface.
Chapter 10 Configuring Command Macros This chapter describes how to configure and apply command macros on the Cisco 3400 ME switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Command Macros You can create a new command macro or use an existing macro as a template to create a new macro that is specific to your application. After you create the macro, you can apply it globally to a switch, to a switch interface, or to a range of interfaces.
• Some CLI commands are specific to certain interface types. If a macro is applied to an interface that does not accept the configuration, the macro will fail the syntax check or the configuration check, and the switch will return an error message. • Applying a macro to an interface range is the same as applying a macro to a single interface.
Applying Command Macros Beginning in privileged EXEC mode, follow these steps to apply a command macro: Step 1 configure terminal: Enter global configuration mode. Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]: Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
Displaying Command Macros You can delete a global macro-applied configuration on a switch only by entering the no version of each command that is in the macro. You can delete a macro-applied configuration on an interface by entering the default interface interface-id interface configuration command.
Chapter 11 Configuring VLANs This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the Cisco ME 3400 Ethernet Access switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding VLANs Figure 11-1 shows an example of VLANs segmented into logically defined networks. [Figure 11-1 VLANs as Logically Defined Networks: Engineering VLAN, Marketing VLAN, Accounting VLAN, Cisco router, Gigabit Ethernet, Floors 1 to 3] VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.
Supported VLANs VLANs are identified with a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs. VLAN IDs greater than 1005 are extended-range VLANs and are not stored in the VLAN database. Although the switch supports a total of 1005 (normal-range and extended-range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware.
• Ring number for FDDI and TrCRF VLANs • Parent VLAN number for TrCRF VLANs • Spanning Tree Protocol (STP) type for TrCRF VLANs • VLAN number to use when translating from one VLAN type to another • Private VLAN. Configure the VLAN as a primary or secondary private VLAN. For information about private VLANs, see Chapter 12, “Configuring Private VLANs.” • Remote SPAN VLAN.
Table 11-1 Port Membership Modes (continued) Membership Mode / VLAN Membership Characteristics: Dynamic-access: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a Cisco ME 3400 Ethernet Access switch. The Cisco ME 3400 switch is a VMPS client. Note Only UNIs can be dynamic-access ports.
Creating and Modifying VLANs • UNI community VLAN—Local switching is allowed among UNIs on the switch that belong to the same UNI community VLAN. If UNIs belong to the same customer, and you want to switch packets between the ports, you can configure the common VLAN as a UNI community VLAN. There is no local switching between ports in a UNI community VLAN and ports outside of the VLAN. The switch does not support more than eight UNIs in a UNI community VLAN.
These sections contain VLAN configuration information: • Default Ethernet VLAN Configuration, page 11-7 • VLAN Configuration Guidelines, page 11-8 • Creating or Modifying an Ethernet VLAN, page 11-9 • Assigning Static-Access Ports to a VLAN, page 11-10 • Creating an Extended-Range VLAN with an Internal VLAN ID, page 11-11 • Configuring UNI VLANs, page 11-12 If the switch is running the metro IP access or metro access image, for more eff
VLAN Configuration Guidelines Follow these guidelines when creating and modifying VLANs in your network: • The switch supports 1005 VLANs. • Normal-range Ethernet VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through 1005 are reserved for Token Ring and FDDI VLANs. • The switch does not support Token Ring or FDDI media. The switch does not forward FDDI, FDDI-Net, TrCRF, or TrBRF traffic.
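The VLAN ID ranges given under Supported VLANs and in the guidelines above (1 to 1001 normal range, 1002 to 1005 reserved for Token Ring and FDDI, 1006 to 4094 extended range) are the values that travel in the 12-bit VID field of an IEEE 802.1Q tag on a trunk port. The following Python example, added here and not taken from the Cisco guide, parses that tag from a raw Ethernet frame, classifies the frame the way a trunk port does (tagged frames go to the tagged VID, untagged and priority-tagged frames go to the native VLAN, VLAN 1 by default), and checks the VID against the ranges above. It goes slightly beyond the text by also treating VID 0 (priority tag) and VID 4095 (reserved by the standard), which are not configurable VLANs. The frames, MAC addresses and payload are constructed.

```python
"""IEEE 802.1Q tag parsing and VLAN ID classification for a trunk port.
Added example, not code from the Cisco guide; frames and addresses are constructed."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
NORMAL_RANGE = range(1, 1002)       # 1 to 1001, kept in the VLAN database
RESERVED_RANGE = range(1002, 1006)  # 1002 to 1005, Token Ring and FDDI defaults
EXTENDED_RANGE = range(1006, 4095)  # 1006 to 4094, extended-range VLANs


def classify_vlan_id(vid: int) -> str:
    """Map a VLAN ID to the ranges the guide describes; 0 and 4095 are not VLANs."""
    if vid in NORMAL_RANGE:
        return "normal"
    if vid in RESERVED_RANGE:
        return "reserved"
    if vid in EXTENDED_RANGE:
        return "extended"
    raise ValueError(f"{vid} is not a configurable VLAN ID")


def is_configurable_vlan_id(vid: int) -> bool:
    return vid in NORMAL_RANGE or vid in RESERVED_RANGE or vid in EXTENDED_RANGE


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tagged: bool
    vlan_id: int     # VLAN the receiving trunk port classifies the frame into
    priority: int    # PCP 0..7 (0 when untagged)
    dei: bool
    ethertype: int   # EtherType of the payload after any tag
    payload: bytes


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=False) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    head = _mac_bytes(dst) + _mac_bytes(src)
    if vid is not None:
        if not 0 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 0..4094 and PCP 0..7")
        tci = (pcp << 13) | (int(dei) << 12) | vid   # PCP(3) DEI(1) VID(12)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, native_vlan: int = 1) -> ParsedFrame:
    """Classify a frame as a trunk port would: the VID in the tag, or the native
    VLAN for untagged and priority-tagged (VID 0) frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac_str(frame[:6]), _mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return ParsedFrame(dst, src, False, native_vlan, 0, False, ethertype, frame[14:])
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    if vid == 4095:
        raise ValueError("VID 4095 is reserved by IEEE 802.1Q")
    return ParsedFrame(dst, src, True, vid if vid else native_vlan,
                       tci >> 13, bool((tci >> 12) & 1), inner_type, frame[18:])
```

Because untagged frames land in the native VLAN, the native VLAN of a trunk deserves the same care as any explicitly allowed VLAN when you decide which VLANs a trunk may carry.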
Chapter 11 Configuring VLANs Creating and Modifying VLANs Creating or Modifying an Ethernet VLAN To access VLAN configuration mode, enter the vlan global configuration command with a VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN. You can use the default VLAN configuration (Table 11-2) or enter commands to configure the VLAN.
Chapter 11 Configuring VLANs Creating and Modifying VLANs To delete a VLAN, use the no vlan vlan-id global configuration command. You cannot delete VLAN 1 or VLANs 1002 to 1005. Caution When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN. To return the VLAN name to the default settings, use the no name or no mtu VLAN configuration command.
Chapter 11 Configuring VLANs Creating and Modifying VLANs To return an interface to its default configuration, use the default interface interface-id interface configuration command. This example shows how to configure a port as an access port in VLAN 2: Switch# configure terminal Enter configuration commands, one per line. Switch(config)# interface fastethernet0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 2 Switch(config-if)# end End with CNTL/Z.
Configuring UNI VLANs
By default, every VLAN configured on the switch is a UNI isolated VLAN. You can change the VLAN configuration to that of a UNI community VLAN, a private VLAN, or an RSPAN VLAN. You can also change the configuration of one of these VLANs back to the default of a UNI isolated VLAN.
Configuration Guidelines
These are guidelines for UNI VLAN configuration:
• UNI isolated VLANs have no effect on NNI ports.
Configuring UNI VLANs
By default, every VLAN created on the switch is a UNI isolated VLAN. You can change the configuration to a UNI community VLAN or to a private VLAN or RSPAN VLAN. For procedures for configuring private VLANs or RSPAN VLANs, see Chapter 12, “Configuring Private VLANs” and Chapter 24, “Configuring SPAN and RSPAN.
Displaying VLANs
Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. Table 11-3 lists other privileged EXEC commands for monitoring VLANs.
Table 11-3 VLAN Monitoring Commands
Command / Purpose
show interfaces [vlan vlan-id]
    Display characteristics for all interfaces or for the specified VLAN configured on the switch.
Configuring VLAN Trunks
To enable trunking, use the switchport mode trunk interface configuration command to change the interface to a trunk.
Table 11-4 Layer 2 Interface Modes
Mode / Function
switchport mode access
    Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
Default Layer 2 Ethernet Interface VLAN Configuration
Table 11-5 shows the default Layer 2 Ethernet interface VLAN configuration.
Table 11-5 Default Layer 2 Ethernet Interface VLAN Configuration
Feature: Default Setting
Interface mode: switchport mode access
Allowed VLAN range: VLANs 1 to 4094
Default VLAN (for access ports): VLAN 1
Native VLAN (for IEEE 802.
Configuring a Trunk Port
Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q trunk port:
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  interface interface-id
    Specify the port to be configured for trunking, and enter interface configuration mode.
Step 3  no shutdown
    Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.
Note: VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been a requirement that VLAN 1 always be enabled on every trunk link. The VLAN 1 minimization feature allows you to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1. You do this by removing VLAN 1 from the allowed VLAN list.
Configuring the Native VLAN for Untagged Traffic
A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By default, the switch forwards untagged traffic in the native VLAN configured for the port. The native VLAN is VLAN 1 by default.
Note: The native VLAN can be assigned any VLAN ID. For information about IEEE 802.1Q configuration issues, see the “IEEE 802.1Q Configuration Considerations” section on page 11-15.
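The trunk behaviour described in the sections above (the VLAN ID ranges from the configuration guidelines, the allowed VLAN list with VLAN 1 minimization, and the native VLAN that untagged frames land in) can be modelled so that a configuration can be checked before it is pushed to a switch. The following is an added example written for this page, not Cisco code: the function and class names and the allowed-list grammar ("1-4094", "3-6,10", "all", "none") are assumptions, while the VLAN ranges and defaults (allowed 1 to 4094, native VLAN 1) are the ones the guide states.

```python
"""Trunk-port VLAN handling modelled in Python (added example, not Cisco code).
Assumed names: vlan_class, parse_vlan_list, TrunkPort. The list grammar is
assumed from the examples in the guide; ranges and defaults are the guide's."""

NORMAL_RANGE = range(1, 1002)        # 1..1001: normal-range Ethernet VLANs
RESERVED_RANGE = range(1002, 1006)   # 1002..1005: reserved for Token Ring/FDDI
EXTENDED_RANGE = range(1006, 4095)   # 1006..4094: extended-range VLANs


def vlan_class(vid):
    """Classify a VLAN ID the way the guide groups them; reject anything
    outside 1-4094 so a typo never reaches the switch."""
    if vid in NORMAL_RANGE:
        return "normal"
    if vid in RESERVED_RANGE:
        return "reserved"
    if vid in EXTENDED_RANGE:
        return "extended"
    raise ValueError(f"VLAN ID {vid} is outside 1-4094")


def parse_vlan_list(spec):
    """Parse a comma-separated list of IDs and hyphenated ranges (the same
    shape as an allowed VLAN list, e.g. "3-6,10") into a set of VLAN IDs."""
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    result = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item}")
            ids = range(lo, hi + 1)
        else:
            ids = [int(item)]
        for vid in ids:
            vlan_class(vid)  # raises on out-of-range IDs
            result.add(vid)
    return result


class TrunkPort:
    """Ingress classification of an IEEE 802.1Q trunk port. The allowed VLAN
    list and the native VLAN decide which VLAN a received frame is forwarded
    in, or whether the trunk drops it. Defaults follow Table 11-5."""

    def __init__(self, allowed="1-4094", native=1):
        self.allowed = parse_vlan_list(allowed)
        self.native = native

    def minimize_vlan1(self):
        """VLAN 1 minimization: remove VLAN 1 from the allowed list so that no
        user traffic is sent or received in VLAN 1 on this trunk."""
        self.allowed.discard(1)

    def classify_ingress(self, tag_vid):
        """tag_vid is the 802.1Q VID of a received frame, or None when the
        frame arrived untagged (it is then treated as native-VLAN traffic).
        Returns the VLAN the frame is forwarded in, or None if it is dropped."""
        vid = self.native if tag_vid is None else tag_vid
        return vid if vid in self.allowed else None
```

With the defaults, an untagged frame is forwarded in VLAN 1; after minimize_vlan1() the same frame is dropped because the native VLAN is no longer on the allowed list, which is exactly the effect the Note above describes. Moving the native VLAN to an otherwise unused ID (TrunkPort(allowed="3-6,10", native=10)) keeps untagged traffic out of the VLANs that carry user data.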
Load Sharing Using STP Port Priorities
When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel NNI trunk port so that the port carries all the traffic for a given VLAN. The NNI trunk port with the higher priority (lower value) for a VLAN forwards the traffic for that VLAN.
Command / Purpose
Step 17  interface gigabitethernet 0/2
    Define the interface to be configured as the Trunk 2 interface, and enter interface configuration mode.
Step 18  port-type nni
    Configure the interface as an NNI.
Step 19  switchport mode trunk
    Configure the port as a trunk port.
Step 20  spanning-tree vlan 3-6 port-priority 16
    Assign the port priority of 16 for VLANs 3 through 6 on Trunk 2.
Step 21  end
    Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 11-4:
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode on Switch A.
Step 2  interface fastethernet0/1
    Define the interface to be configured as Trunk port 1, and enter interface configuration mode.
Step 3  port-type nni
    Configure the interface as an NNI.
Step 4  switchport mode trunk
    Configure the port as a trunk port.
Configuring VMPS
The VLAN Query Protocol (VQP) supports dynamic-access ports, which are not permanently assigned to a VLAN but receive VLAN assignments based on the MAC source addresses seen on the port.
Note: Because only UNIs can be configured as dynamic-access ports, only UNIs take part in VQP.
If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI or SNMP.
VMPS Configuration Guidelines
These guidelines and restrictions apply to dynamic-access port VLAN membership:
• You should configure the VMPS before you configure ports as dynamic-access ports.
• IEEE 802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on a dynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.
Configuring Dynamic-Access Ports on VMPS Clients
Caution: Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity.
Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch:
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Changing the Reconfirmation Interval
VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.
Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
• VMPS Action—the result of the most recent reconfirmation attempt. A reconfirmation attempt can occur automatically when the reconfirmation interval expires, or you can force it by entering the vmps reconfirm privileged EXEC command.
This is an example of output for the show vmps privileged EXEC command:
Switch# show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.
Figure 11-5 Dynamic Port VLAN Membership Configuration
[Figure: TFTP server; Catalyst 6500 series switch A as Primary VMPS Server 1, 172.20.26.150; Router 172.20.22.7; Client switch B, 172.20.26.151, with End station 1 on a dynamic-access port and a trunk port toward the core; Switch C 172.20.26.152; Switch D 172.20.26.153; Switch E 172.20.26.154; Switch F 172.20.26.155; Switch G 172.20.26.156; Switch H 172.20.26.]
Chapter 12 Configuring Private VLANs
This chapter describes how to configure private VLANs on the Cisco ME 3400 Ethernet Access switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding Private VLANs
Types of Private VLANs and Private-VLAN Ports
Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. See Figure 12-1.
• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
IP Addressing Scheme with Private VLANs
Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme:
• Assigning a block of addresses to a customer VLAN can result in unused IP addresses.
• If the number of devices in the VLAN increases, the number of assigned addresses might not be large enough to accommodate them.
Private VLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs.
• Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port, page 12-13
• Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface, page 12-14
Tasks for Configuring Private VLANs
To configure a private VLAN, perform these steps:
Step 1  Create the primary and secondary VLANs and associate them. See the “Configuring and Associating VLANs in a Private VLAN” section on page 12-10.
Secondary and Primary VLAN Configuration
Follow these guidelines when configuring private VLANs:
• You use VLAN configuration mode to configure private VLANs. For more information about VLAN configuration, see the “Creating and Modifying VLANs” section on page 11-6.
• You must configure private VLANs on each device where you want private-VLAN ports.
• A private VLAN cannot be a UNI VLAN.
• When a frame is Layer 2 forwarded within a private VLAN, the same VLAN map is applied at the receiving and sending sides. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the receiving side.
  – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• When IGMP snooping is enabled on the switch (the default), the switch supports no more than 20 private-VLAN domains.
• A private VLAN cannot be a UNI isolated or UNI community VLAN.
Configuring and Associating VLANs in a Private VLAN
Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:
Note: The private-vlan commands do not take effect until you exit VLAN configuration mode.
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  vlan vlan-id
    Enter VLAN configuration mode, and designate or create a VLAN that will be the primary VLAN.
When you associate secondary VLANs with a primary VLAN, note this syntax information:
• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
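The association syntax just described and the isolation rules from the “Types of Private VLANs and Private-VLAN Ports” section earlier in this chapter can be checked offline before a private VLAN is deployed: which secondary lists the switch would accept, and which pairs of ports can reach each other at Layer 2 once it is configured. The following is an added example for this page, not Cisco code; the class and function names are assumptions, the port roles (promiscuous, isolated, community) and the one-isolated-VLAN rule are the guide's.

```python
"""Private-VLAN association checks and Layer 2 forwarding rules, modelled in
Python (added example, not Cisco code). Assumed names: parse_secondary_vlan_list,
PrivateVlan. Semantics follow the chapter: promiscuous ports reach every port,
community hosts reach their own community and promiscuous ports, isolated
hosts reach promiscuous ports only."""


def parse_secondary_vlan_list(spec):
    """Parse secondary_vlan_list: comma-separated items, each a single VLAN ID
    or a hyphenated range, with no spaces allowed anywhere in the string."""
    if " " in spec:
        raise ValueError("secondary_vlan_list cannot contain spaces")
    ids = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ids.extend(range(lo, hi + 1))
        else:
            ids.append(int(item))
    return ids


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondaries = {}     # secondary VID -> "isolated" or "community"
        self.associated = set()   # secondaries currently associated

    def define_secondary(self, vid, kind):
        if kind not in ("isolated", "community"):
            raise ValueError(f"unknown secondary VLAN type {kind}")
        self.secondaries[vid] = kind

    def associate(self, spec):
        """Apply the syntax rules: every listed VLAN must be a defined
        secondary, and the list may hold at most one isolated VLAN."""
        ids = parse_secondary_vlan_list(spec)
        unknown = [v for v in ids if v not in self.secondaries]
        if unknown:
            raise ValueError(f"not secondary VLANs: {unknown}")
        isolated = [v for v in ids if self.secondaries[v] == "isolated"]
        if len(isolated) > 1:
            raise ValueError(f"only one isolated VLAN allowed, got {isolated}")
        self.associated = set(ids)
        return self.associated

    def may_forward(self, src, dst):
        """Decide whether a Layer 2 frame entering on src may reach dst.
        Ports are (role, vlan) tuples: ("promiscuous", primary_vid) or
        ("host", secondary_vid)."""
        for role, vlan in (src, dst):
            if role == "promiscuous" and vlan != self.primary:
                raise ValueError("promiscuous ports belong to the primary VLAN")
            if role == "host" and vlan not in self.associated:
                raise ValueError(f"VLAN {vlan} is not associated with {self.primary}")
        (src_role, src_vlan), (dst_role, dst_vlan) = src, dst
        if "promiscuous" in (src_role, dst_role):
            return True                 # promiscuous ports talk to everyone
        if src_vlan != dst_vlan:
            return False                # different subdomains are separated
        return self.secondaries[src_vlan] == "community"  # isolated: never

    def forwarding_matrix(self, ports):
        """ports: dict name -> (role, vlan). Returns {(a, b): bool} for every
        ordered pair of distinct ports, a quick way to audit isolation."""
        return {(a, b): self.may_forward(ports[a], ports[b])
                for a in ports for b in ports if a != b}
```

The forwarding matrix is the useful output for a reviewer: two host ports in the same isolated VLAN come out False in both directions, two hosts in the same community VLAN come out True, and every pair involving the promiscuous port comes out True, which matches the separation the chapter promises for customer-facing ports.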
Configuring a Layer 2 Interface as a Private-VLAN Host Port
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port
You can configure only NNIs as promiscuous ports.
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the switch is running the metro IP access image and the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
Note: Isolated and community VLANs are both secondary VLANs.
Monitoring Private VLANs
Table 12-1 shows the privileged EXEC commands for monitoring private-VLAN activity.
Table 12-1 Private VLAN Monitoring Commands
Command / Purpose
show interfaces status
    Display the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]
    Display the private-VLAN information for the switch.
show interface switchport
    Display the private-VLAN configuration on interfaces.
Chapter 13 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements of private networks.
Understanding IEEE 802.1Q Tunneling
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.
Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats
[Figure: three frame layouts. Original Ethernet frame: DA, SA, Len/Etype, Data, FCS. IEEE 802.1Q frame: DA, SA, Etype, Tag, Len/Etype, Data, FCS. Double-tagged frame: DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS. Legend: DA = destination address, SA = source address, Len/Etype = length/EtherType, FCS = frame check sequence.]
Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 13-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 13-4
• IEEE 802.1Q Tunneling and Other Features, page 13-6
• Configuring an IEEE 802.1Q Tunneling Port, page 13-6
Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer. The Cisco ME switch does not support ISL trunks.
IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
Note: Layer 3 switching is supported only when the metro IP access image is running on the switch.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.
Command / Purpose
Step 4  switchport access vlan vlan-id
    Specify the default VLAN, which is used if the interface stops trunking. This VLAN ID is specific to the particular customer.
Note: If the VLAN is a UNI isolated VLAN, local switching does not occur between UNIs on the switch. If the VLAN is a UNI community VLAN, local switching is allowed.
Understanding Layer 2 Protocol Tunneling
Customers at different sites connected across a service-provider network need to use various Layer 2 protocols to scale their topologies to include all remote sites, as well as the local sites. STP must run properly, and every VLAN should build a proper spanning tree that includes the local site and all remote sites across the service-provider network.
For example, in Figure 13-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 13-14 for instructions.
address. These double-tagged packets have the metro VLAN tag of 40, as well as an inner VLAN tag (for example, VLAN 100). When the double-tagged packets enter Switch D, the outer VLAN tag 40 is removed, the well-known MAC address is replaced with the respective Layer 2 protocol MAC address, and the packet is sent to Customer Y on Site 2 as a single-tagged frame in VLAN 100.
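The frame formats in the figure near the start of this chapter and the tag push and pop just described (metro VLAN 40 added on ingress to the tunnel port, removed on egress, inner tag such as VLAN 100 left untouched) are concrete enough to implement. The block below is an added example written for this page, not Cisco code or the switch's forwarding logic: the function names, the constructed MAC addresses and payloads are assumptions, and it sets the priority bits of the pushed tag to zero. The is_double_tagged() check is the part a defender would reuse: a double-tagged frame arriving on a port that is not a tunnel port is unexpected and worth logging.

```python
"""IEEE 802.1Q tag parsing and tunnel-port push/pop modelled in Python
(added example, not Cisco code). Assumed names: parse_tags, build_frame,
tunnel_ingress, tunnel_egress, is_double_tagged. Frames are bytes:
DA(6) SA(6) [TPID(2) TCI(2)]* EtherType(2) payload, no FCS."""
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier


def parse_tags(frame):
    """Return (dst, src, vids, ethertype, payload). vids is the list of 802.1Q
    VIDs in wire order, outer tag first; an untagged frame yields []."""
    dst, src = frame[:6], frame[6:12]
    off = 12
    vids = []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        off += 4
    etype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, etype, frame[off + 2:]


def build_frame(dst, src, vids, etype, payload):
    """Inverse of parse_tags; PCP/DEI bits of every tag are left at zero."""
    out = bytearray(dst + src)
    for vid in vids:
        out += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    out += struct.pack("!H", etype) + payload
    return bytes(out)


def tunnel_ingress(frame, metro_vid):
    """Tunnel port receiving from the customer: push the service-provider
    (metro) tag in front of whatever tags the customer sent, if any."""
    dst, src, vids, etype, payload = parse_tags(frame)
    return build_frame(dst, src, [metro_vid] + vids, etype, payload)


def tunnel_egress(frame, metro_vid):
    """Tunnel port sending to the customer: pop the outer metro tag and leave
    the customer's original tagging intact. Refuses frames whose outer tag is
    not the expected metro VLAN."""
    dst, src, vids, etype, payload = parse_tags(frame)
    if not vids or vids[0] != metro_vid:
        raise ValueError("outer tag is not the expected metro VLAN")
    return build_frame(dst, src, vids[1:], etype, payload)


def is_double_tagged(frame):
    """True when the frame carries two or more 802.1Q tags."""
    return len(parse_tags(frame)[2]) >= 2


# Constructed sample: a customer frame in VLAN 100 carried in metro VLAN 40.
CUSTOMER_DST = bytes.fromhex("0011223344aa")   # constructed addresses
CUSTOMER_SRC = bytes.fromhex("0011223344bb")
CUSTOMER_FRAME = build_frame(CUSTOMER_DST, CUSTOMER_SRC, [100], 0x0800, b"payload")
METRO_VID = 40
```

Running tunnel_ingress(CUSTOMER_FRAME, METRO_VID) yields a frame whose VID list is [40, 100], the double-tagged layout from the figure; tunnel_egress() on that frame returns the customer's original bytes. An untagged customer frame leaves the tunnel port with the single metro tag [40].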
• The switch supports PAgP, LACP, and UDLD tunneling for emulated point-to-point network topologies. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or on access ports.
• If you enable PAgP or LACP tunneling, we recommend that you also enable UDLD on the interface for faster link-failure detection.
Command / Purpose
Step 5  l2protocol-tunnel [cdp | stp | vtp]
    Enable protocol tunneling for the desired protocol. If no keyword is entered, tunneling is enabled for all three Layer 2 protocols.
Step 6  l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value
    (Optional) Configure the threshold for packets-per-second accepted for encapsulation.
Step 7  l2protocol-tunnel drop-threshold [point-to-point [pagp | lacp | udld]] value
    (Optional) Configure the threshold for packets-per-second accepted for encapsulation. The interface drops packets if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
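The two thresholds in Steps 6 and 7 are rate limits on tunneled PDUs, and their interaction (a per-protocol or all-protocol limit, drop versus shutdown, the 1 to 4096 range) is easier to reason about as code. The following is an added example written for this page, not Cisco code: the class and method names are assumptions, the per-second counting is a simplification, the drop behaviour and the "applies to each protocol" rule are what the guide states, and the assumption that a breached shutdown threshold error-disables the interface is drawn from the command name rather than from text on this page.

```python
"""Layer 2 protocol tunneling thresholds modelled as a per-second rate check
(added example, not Cisco code). Assumed: TunnelInterface and its methods,
one-second buckets, and that exceeding shutdown-threshold error-disables the
interface (assumption). Drop behaviour and range 1-4096 are the guide's."""
from collections import defaultdict

PROTOCOLS = ("cdp", "stp", "vtp", "pagp", "lacp", "udld")


class TunnelInterface:
    def __init__(self, name):
        self.name = name
        self.drop_threshold = {}       # protocol or "*" -> packets per second
        self.shutdown_threshold = {}   # protocol or "*" -> packets per second
        self.errdisabled = False
        self.counts = defaultdict(int)   # (second, protocol) -> PDUs seen
        self.dropped = defaultdict(int)  # protocol -> PDUs dropped

    def set_threshold(self, kind, value, protocol=None):
        """kind is "drop" or "shutdown"; protocol None means the threshold
        applies to each tunneled protocol type separately."""
        if kind not in ("drop", "shutdown"):
            raise ValueError(f"unknown threshold kind {kind}")
        if not 1 <= value <= 4096:
            raise ValueError("threshold must be 1 to 4096")
        if protocol is not None and protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {protocol}")
        table = self.drop_threshold if kind == "drop" else self.shutdown_threshold
        table[protocol or "*"] = value

    def _limit(self, table, protocol):
        # A protocol-specific value wins over the all-protocols value.
        return table.get(protocol, table.get("*"))

    def accept_pdu(self, protocol, second):
        """Account for one PDU of the given protocol arriving during the given
        second. Returns "accepted", "dropped" or "errdisabled"."""
        if self.errdisabled:
            return "errdisabled"
        self.counts[(second, protocol)] += 1
        n = self.counts[(second, protocol)]
        shut = self._limit(self.shutdown_threshold, protocol)
        if shut is not None and n > shut:
            self.errdisabled = True      # assumption: port goes error-disabled
            return "errdisabled"
        drop = self._limit(self.drop_threshold, protocol)
        if drop is not None and n > drop:
            self.dropped[protocol] += 1  # excess PDUs are discarded, port stays up
            return "dropped"
        return "accepted"
```

Because counting is per (second, protocol), a drop threshold of 2 set without a protocol keyword lets two CDP and two STP PDUs through in the same second, which is the "applies to each of the tunneled Layer 2 protocol types" rule from Step 7; a shutdown threshold set for one protocol only affects that protocol's counter.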
Command / Purpose
Step 6  channel-group channel-group-number mode desirable
    Assign the interface to a channel group, and specify desirable for the PAgP mode if the interface is an NNI. For more information about configuring EtherChannels, see Chapter 31, “Configuring EtherChannels.”
Step 7  exit
    Return to global configuration mode.
Monitoring and Maintaining Tunneling Status
Table 13-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.
Table 13-2 Commands for Monitoring and Maintaining Tunneling
Command / Purpose
clear l2protocol-tunnel counters
    Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel
    Display IEEE 802.
Chapter 14 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the Cisco ME 3400 Ethernet Access switch. The switch uses the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or it can use the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs).
Understanding Spanning-Tree Features
• Spanning-Tree Modes and Protocols, page 14-9
• Supported Spanning-Tree Instances, page 14-10
• Spanning-Tree Interoperability and Backward Compatibility, page 14-10
• STP and IEEE 802.1Q Trunks, page 14-10
For configuration information, see the “Configuring Spanning-Tree Features” section on page 14-11. For information about optional spanning-tree features, see Chapter 16, “Configuring Optional Spanning-Tree Features.
Note: The switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have small form-factor pluggable (SFP) modules.
Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch.
• The spanning-tree path cost to the root switch.
• A designated switch for each LAN segment is selected. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port. For the Cisco ME switch, this only applies to NNIs.
Each Layer 2 interface on a switch using spanning tree (or on a Cisco ME switch, each Layer 2 NNI) exists in one of these states:
• Blocking—The interface does not participate in frame forwarding.
• Listening—The first transitional state after the blocking state when the spanning tree determines that the interface should participate in frame forwarding.
• Learning—The interface prepares to participate in frame forwarding.
When the spanning-tree algorithm places a Layer 2 spanning-tree interface in the forwarding state, this process occurs:
1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3.
Forwarding State
A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state.
When the spanning-tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port.
Accelerated Aging to Retain Connectivity
The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change.
Supported Spanning-Tree Instances
In PVST+ or rapid-PVST+ mode, the switch supports up to 128 spanning-tree instances. In MSTP mode, the switch supports up to 16 MST instances. The number of VLANs that can be mapped to a particular MST instance is unlimited.
Spanning-Tree Interoperability and Backward Compatibility
Table 14-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Configuring Spanning-Tree Features
These sections contain this configuration information:
• Default Spanning-Tree Configuration, page 14-11
• Spanning-Tree Configuration Guidelines, page 14-12
• Changing the Spanning-Tree Mode
Spanning-Tree Configuration Guidelines
If more VLANs are defined than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on NNIs in only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled. However, you can map multiple VLANs to the same spanning-tree instance by using MSTP. For more information, see Chapter 15, “Configuring MSTP.
Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the rapid PVST+ protocol on all NNIs.
Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
To return to the default setting, use the no spanning-tree mode global configuration command. To return the NNI to its default spanning-tree setting, use the no spanning-tree link-type interface configuration command.
Disabling Spanning Tree
Spanning tree is enabled by default on all NNIs in VLAN 1 and in all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 14-10.
Note: If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.
Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
Beginning in privileged EXEC mode, follow these steps to configure the port priority of an NNI. This procedure is optional.
Command / Purpose
Step 1  configure terminal
    Enter global configuration mode.
Step 2  interface interface-id
    Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical NNIs and port-channel logical interfaces (port-channel port-channel-number) that contain only NNIs.
Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface (NNI or port channel of multiple NNIs). If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the “Configuring Trunk Ports for Load Sharing” section on page 11-19.
Configuring the Switch Priority of a VLAN
You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.
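The elections that the secondary-root, port-priority, and path-cost sections above tune can be reproduced offline, which is a practical way to predict which switch becomes root for a VLAN (and to spot a device that would win an election it should not) before changing priorities. The following is an added example written for this page, not Cisco code: the function names and the constructed MAC addresses and port numbers are assumptions; the values from the guide are the default priority 32768, the secondary-root priority 28672, the extended system ID (the VLAN number added to the priority), and the rule that a lower cost or lower port-priority value is preferred. The tie-break order after path cost (sender bridge ID, then the sender's port priority and number) is the IEEE 802.1D order, which the page does not spell out.

```python
"""PVST+ root election and root-port selection modelled in Python (added
example, not Cisco code). Assumed names: bridge_id, legacy_bridge_id,
elect_root, choose_root_port. Values from the guide: default priority 32768,
secondary root 28672, extended system ID = VLAN number."""

DEFAULT_PRIORITY = 32768
SECONDARY_ROOT_PRIORITY = 28672


def bridge_id(priority, vlan, mac):
    """Bridge ID as compared by a switch with extended system ID support:
    the priority (a multiple of 4096) plus the 12-bit VLAN number, with the
    MAC address as the tie-break. A lower tuple wins the election."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    return (priority + vlan, mac.lower())


def legacy_bridge_id(priority, mac):
    """A switch without extended system ID support advertises the priority
    alone, so at the same nominal priority it always compares lower than a
    switch that adds the VLAN number (the Note in this section)."""
    return (priority, mac.lower())


def elect_root(switches, vlan):
    """switches: dict name -> (priority, mac). Returns the name of the switch
    with the lowest bridge ID for this VLAN, i.e. the root switch."""
    return min(switches,
               key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def choose_root_port(candidates):
    """candidates: list of dicts describing BPDUs received on each port, with
    keys port, root_path_cost, sender_bridge_id, sender_port_priority and
    sender_port_number. The lowest path cost wins; ties go to the lowest
    sender bridge ID, then the lowest sender port priority value (which is
    the higher priority), then the lowest sender port number."""
    best = min(candidates, key=lambda c: (c["root_path_cost"],
                                          c["sender_bridge_id"],
                                          c["sender_port_priority"],
                                          c["sender_port_number"]))
    return best["port"]


def secondary_root_wins(vlan, secondary_mac, others):
    """True if a switch configured as secondary root (priority 28672) would
    become root for the VLAN against switches at the default priority, once
    the primary root is gone. others: list of (priority, mac)."""
    candidates = {"secondary": (SECONDARY_ROOT_PRIORITY, secondary_mac)}
    candidates.update({f"other{i}": o for i, o in enumerate(others)})
    return elect_root(candidates, vlan) == "secondary"
```

The load-sharing procedure in Chapter 11 (port priority 16 on one parallel trunk for VLANs 3 through 6) is the choose_root_port() case: with equal path cost and the same sender, the trunk whose sender port carries priority 16 is chosen over the one at the default value of 128, so those VLANs forward on that link.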
Chapter 14 Configuring STP Configuring Spanning-Tree Features Configuring Spanning-Tree Timers Table 14-4 describes the timers that affect the entire spanning-tree performance. Table 14-4 Spanning-Tree Timers Variable Description Hello timer Controls how often the switch broadcasts hello messages to other switches. Forward-delay timer Controls how long each of the listening and learning states last before the NNI begins forwarding.
Chapter 14 Configuring STP Configuring Spanning-Tree Features Configuring the Forwarding-Delay Time for a VLAN Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 spanning-tree vlan vlan-id forward-time seconds Configure the forward time of a VLAN.
Chapter 14 Configuring STP Displaying the Spanning-Tree Status Displaying the Spanning-Tree Status To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-5: Table 14-5 Commands for Displaying Spanning-Tree Status Command Purpose show spanning-tree active Displays spanning-tree information only on active NNIs. show spanning-tree detail Displays a detailed summary of interface information.
Chapter 15 Configuring MSTP

This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the Cisco ME 3400 Ethernet Access switch. On the Cisco ME switch, STP is supported only on network node interfaces (NNIs). User network interfaces (UNIs) on the switch do not participate in STP and forward traffic immediately when they are brought up.

Note
The multiple spanning-tree (MST) implementation is a pre-standard implementation.

Understanding MSTP

MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.

All MST instances within the same region share the same protocol timers, but each MST instance has its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all VLANs are assigned to the IST. An MST instance is local to the region; for example, MST instance 1 in region A is independent of MST instance 1 in region B, even if regions A and B are interconnected.

Figure 15-1 MST Regions, IST Masters, and the CST Root
[Figure not reproduced. It shows MST Region 1, MST Region 2, and MST Region 3, each with an IST master (switches A, B, and C); switch A is also the CST root, and switch D is a legacy 802.1D switch.]

Figure 15-1 does not show additional MST instances for each region. Note that the topology of MST instances can be different from that of the IST for the same region.

maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by one and propagates this value as the remaining hop count in the BPDUs it generates. When the count reaches zero, the switch discards the BPDU and ages the information held for the port.

If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP BPDUs. Therefore, MSTP switches send either a Version 0 configuration and TCN BPDUs or Version 3 MSTP BPDUs on a boundary port. A boundary port connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration.

Understanding RSTP

Table 15-1 Port State Comparison

Operational Status  STP Port State (IEEE 802.1D)  RSTP Port State  Is Port Included in the Active Topology?
Enabled             Blocking                      Discarding       No
Enabled             Listening                     Discarding       No
Enabled             Learning                      Learning         Yes
Enabled             Forwarding                    Forwarding       Yes
Disabled            Disabled                      Discarding       No

To be consistent with Cisco STP implementations, this guide documents the port state as blocking instead of discarding.

The switch learns the link type from the port duplex mode: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. You can override the default setting that is controlled by the duplex setting by using the spanning-tree link-type interface configuration command.

Figure 15-3 Sequence of Events During Rapid Convergence
[Figure not reproduced. Its labelled sequence is: 1. Proposal, 2. Block, 3. Block, 4. Agreement, 5. Forward, 6. Proposal, 7. Proposal, 8. Agreement, 9. Forward, 10. Agreement, 11. Forward, with the edge port, root port, and designated port marked.]

Bridge Protocol Data Unit Format and Processing

The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version is set to 2.

The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology change (TC) flag to show the topology changes. However, for interoperability with 802.1D switches, the RSTP switch processes and generates TCN BPDUs. The learning and forwarding flags are set according to the state of the sending port.

• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.

Configuring MSTP Features

Default MSTP Configuration

Table 15-3 shows the default MSTP configuration.

Table 15-3 Default MSTP Configuration

Feature                                                              Default Setting
Spanning-tree mode                                                   Rapid PVST+ (PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis)              32768.
Spanning-tree port priority (configurable on a per-CIST port basis)  128.
Spanning-tree port cost (configurable on a per-CIST port basis)      1000 Mbps: 4. 100 Mbps: 19. 10 Mbps: 100.

of the MST regions must contain the CST root, and all of the other MST regions must have a better path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+ cloud. You might have to manually configure the switches in the clouds.
• Partitioning the network into a large number of regions is not recommended.

Step 8   spanning-tree mode mst
         Enable MSTP. RSTP is also enabled.

Caution
Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and rapid PVST+ or both MSTP and PVST+ at the same time.

Step 9   end
         Return to privileged EXEC mode.
Step 10  show running-config
         Verify your entries.

If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value, as shown in Table 14-1 on page 14-4.)

Configuring a Secondary Root Switch

When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
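As an added example (not Cisco code), the following Python works through the priority values that spanning-tree mst instance-id root primary and root secondary select from the priorities of the current root switches for an instance, and then shows how the chosen value decides the election; the bridge-ID comparison helper and its sample MAC addresses are constructed for illustration.

```python
"""Priority selection for 'spanning-tree mst instance-id root primary' and
'root secondary', following the rules stated in the text.

Added example, not Cisco code. The bridge-ID comparison and the sample MAC
addresses are constructed to show how the chosen priority decides the root.
"""

PRIORITY_STEP = 4096                 # least-significant bit of the 4-bit priority field
MAX_PRIORITY = 15 * PRIORITY_STEP    # 61440
DEFAULT_PRIORITY = 32768
PRIMARY_TARGET = 24576               # value 'root primary' uses when it is enough to win
SECONDARY_PRIORITY = 28672           # fixed value set by 'root secondary'


def check_priority(priority: int) -> int:
    """Reject values that cannot be encoded in the 4-bit priority field."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..61440")
    return priority


def root_primary_priority(root_priorities):
    """Priority this switch adopts for 'root primary'.

    root_priorities: priorities of the current root switch(es) seen for the
    instance (empty means nothing better than the default was seen).
    Returns None when the lowest one is already 0, because no value 4096
    lower exists (assumption: the command cannot succeed in that case).
    """
    priorities = [check_priority(p) for p in root_priorities]
    lowest = min(priorities) if priorities else DEFAULT_PRIORITY
    if lowest < PRIMARY_TARGET:
        candidate = lowest - PRIORITY_STEP
        return candidate if candidate >= 0 else None
    # Equal priorities are decided by the MAC address part of the bridge ID,
    # so 24576 only guarantees the root role when every other root is higher.
    return PRIMARY_TARGET


def root_secondary_priority() -> int:
    """'root secondary' always sets 28672 on an extended-system-ID switch."""
    return SECONDARY_PRIORITY


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable bridge ID: lower priority wins, ties go to the lower MAC."""
    return (check_priority(priority), bytes.fromhex(mac.replace(":", "")))


def elected_root(bridges) -> str:
    """Return the MAC of the switch with the lowest bridge ID.

    bridges: iterable of (priority, mac) pairs for one MST instance.
    """
    _, mac = min(bridge_id(p, m) for p, m in bridges)
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed topology: two other switches at the default priority.
    others = [(DEFAULT_PRIORITY, "00:1b:54:00:00:01"),
              (DEFAULT_PRIORITY, "00:1b:54:00:00:02")]
    mine = root_primary_priority([p for p, _ in others])
    print("root primary chooses", mine, "-> root is",
          elected_root(others + [(mine, "00:1b:54:00:00:ff")]))
```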
Configuring Port Priority

If a loop occurs, the MSTP uses the port priority when selecting an NNI to put into the forwarding state. You can assign higher priority values (lower numerical values) to NNIs that you want selected first and lower priority values (higher numerical values) to NNIs that you want selected last.

Configuring Path Cost

The MSTP path cost default value is derived from the media speed of an NNI. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to NNIs that you want selected first and higher cost values to NNIs that you want selected last.

Configuring the Switch Priority

You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.

Note
Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.

Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst hello-time seconds
        Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.

Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  spanning-tree mst max-age seconds
        Configure the maximum-aging time for all MST instances.

Specifying the Link Type to Ensure Rapid Transitions

If you connect an NNI to another NNI through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology, as described in the “Rapid Convergence” section on page 15-7.

To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Chapter 16 Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the Cisco ME 3400 Ethernet Access switch. You can configure all of these features when your switch is running per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

Understanding Optional Spanning-Tree Features

Understanding Port Fast

Port Fast immediately brings an NNI configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states. You can use Port Fast on NNIs connected to a single workstation or server, as shown in Figure 16-1, to allow those devices to immediately connect to the network, rather than waiting for the spanning tree to converge.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree. You can enable the BPDU guard feature for the entire switch or for an interface.

If a switch outside the SP network becomes the root switch, the interface is blocked (root-inconsistent state), and spanning tree selects a new root switch. The customer’s switch does not become the root switch and is not in the path to the root. If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port.

Configuring Optional Spanning-Tree Features

These sections contain this configuration information:
• Default Optional Spanning-Tree Configuration, page 16-5
• Optional Spanning-Tree Configuration Guidelines, page 16-5
• Enabling Port Fast, page 16-5 (optional)
• Enabling BPDU Guard, page 16-6 (optional)
• Enabling BPDU Filtering, page 16-7 (optional)
• Enabling EtherChannel Guard, page 16-8 (optio

Beginning in privileged EXEC mode, follow these steps to enable Port Fast. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode.

Caution
Configure Port Fast only on NNIs that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.

You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any NNI without also enabling the Port Fast feature.

You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any NNI without also enabling the Port Fast feature. This command prevents the NNI from sending or receiving BPDUs.

Caution
Enabling BPDU filtering on an NNI is the same as disabling spanning tree on it and can result in spanning-tree loops.

Step 4  show spanning-tree summary
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable the EtherChannel guard feature, use the no spanning-tree etherchannel guard misconfig global configuration command.

Note
You cannot enable both loop guard and root guard at the same time.

You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable loop guard. This procedure is optional.

Step 1  show spanning-tree active
        Verify which interfaces are alternate or root ports.
Chapter 17 Configuring Flex Links

This chapter describes how to configure Flex Links, a pair of interfaces on the Cisco ME 3400 switch that are used to provide a mutual backup. This feature is available only when the switch is running the metro IP access or metro access image.

Note
For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

port 2 (the backup link) and switch C is not forwarding traffic. If port 1 goes down, port 2 comes up and starts forwarding traffic to switch C. When port 1 comes back up, it goes into standby mode and does not forward traffic; port 2 continues forwarding traffic.

• A backup link does not have to be the same type (Fast Ethernet, Gigabit Ethernet, or port channel) as the active link. However, you should configure both Flex Links with similar characteristics so that there are no loops or changes in behavior if the standby link begins to forward traffic.
• STP is disabled on Flex Link ports. If STP is configured on the switch, Flex Links do not participate in STP in all VLANs in which STP is configured.

Monitoring Flex Links

Table 17-1 shows the privileged EXEC command for monitoring Flex Link configuration.

Table 17-1 Flex Link Monitoring Command

Command                                          Purpose
show interface [interface-id] switchport backup  Displays the Flex Link backup interface configured for an interface, or displays all Flex Links configured on the switch and the state of each active and backup interface (up or standby mode).
Chapter 18 Configuring DHCP Features and IP Source Guard

This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the Cisco ME 3400 Ethernet Access switch. It also describes how to configure the IP source guard feature, which is supported on switches running the metro access and metro IP access images.

Understanding DHCP Features

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it can forward the request to one or more secondary DHCP servers defined by the network administrator. The Cisco ME switch cannot be a DHCP server.

The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
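The two drop rules above, modelled in Python as an added example that is not Cisco code: a server message (BOOTREPLY) arriving on an untrusted interface is dropped, as is a client message whose chaddr differs from the Ethernet source MAC. The trusted-port set and the sample DHCP messages are constructed, and the parser handles only the fixed BOOTP fields plus option 53.

```python
"""DHCP snooping drop decisions for a DHCP message received on a switch port.

Added example, not Cisco code. It models the two drop rules in the text:
a server message (BOOTREPLY) arriving on an untrusted interface, and a
client message whose chaddr does not match the Ethernet source MAC.
The trusted-port set and the sample messages are constructed.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 5: "DHCPACK", 6: "DHCPNAK", 10: "DHCPLEASEQUERY"}
TRUSTED_PORTS = {"GigabitEthernet0/1"}   # constructed: uplink toward the DHCP server


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp(op: int, chaddr: str, msg_type: int, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTP/DHCP payload: the RFC 2131 fixed fields,
    the magic cookie, option 53 (message type) and the end option."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload: bytes) -> dict:
    """Extract op, chaddr and the option-53 message type from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, htype, hlen = payload[0], payload[1], payload[2]
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet client hardware addresses are handled")
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # walk the TLV options
        if payload[i] == 0:                          # pad option has no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "chaddr": chaddr, "msg_type": msg_type}


def snoop(eth_src: str, port: str, payload: bytes) -> tuple:
    """Return ('forward', reason) or ('drop', reason) for one DHCP message."""
    msg = parse_dhcp(payload)
    name = MESSAGE_TYPES.get(msg["msg_type"], f"type {msg['msg_type']}")
    src = eth_src.lower()
    if port in TRUSTED_PORTS:
        return "forward", f"{name} on trusted interface {port}"
    if msg["op"] == BOOTREPLY:
        # A server-originated message on an untrusted port never reaches the
        # clients, so an unauthorized DHCP server on an access port has no effect.
        return "drop", f"{name} (server message) on untrusted interface {port}"
    if msg["chaddr"] != src:
        return "drop", f"{name}: chaddr {msg['chaddr']} does not match source MAC {src}"
    return "forward", f"{name} from {src} on untrusted interface {port}"
```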
Figure 18-1 DHCP Relay Agent in a Metropolitan Ethernet Network
[Figure not reproduced. It shows a DHCP server, the Cisco ME switch acting as the DHCP relay agent, an access layer carrying VLAN 10, and subscribers Host A and Host B as DHCP clients.]

When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.

In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a switch with 24 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 0/1 port, port 4 is the Fast Ethernet 0/2 port, and so forth. Port 27 is the SFP module slot 0/1, and so forth. Figure 18-2 shows the packet formats for the remote ID suboption and the circuit ID suboption.

Configuring DHCP Features

This is the format of the file that has the bindings:

TYPE DHCP-SNOOPING
VERSION 1
BEGIN
...
...
END

Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file.

Default DHCP Configuration

Table 18-1 shows the default DHCP configuration.

• Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices.
• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server.

Specifying the Packet Forwarding Address

If the DHCP server and the DHCP clients are on different networks or subnets and the switch is running the metro IP access image, you must configure the switch with the ip helper-address address interface configuration command. The general rule is to configure the command on the Layer 3 interface closest to the client.

Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip dhcp snooping
        Enable DHCP snooping globally.
Step 3  ip dhcp snooping vlan vlan-range
        Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

Step 13  show running-config
         Verify your entries.
Step 14  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command.

Enabling the DHCP Snooping Binding Database Agent

Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch:

Step 1  configure terminal
        Enter global configuration mode.

Displaying DHCP Snooping Information

To display the DHCP snooping information, use one or more of the privileged EXEC commands in Table 18-2:

Table 18-2 Commands for Displaying DHCP Information

Command                       Purpose
show ip dhcp snooping         Displays the DHCP snooping configuration for a switch.
show ip dhcp snooping binding Displays only the dynamically configured bindings in the DHCP snooping binding database, also

Configuring IP Source Guard

Source IP Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

IP Source Guard Configuration Guidelines

Note
IP source guard is supported only when the metro access or metro IP access image is running on the switch.

These are the configuration guidelines for IP source guard:
• You can configure static IP bindings only on nonrouted ports.

Step 5  exit
        Return to global configuration mode.
Step 6  ip source binding mac-address vlan vlan-id ip-address interface interface-id
        Add a static IP source binding.
Step 7  end
        Return to privileged EXEC mode.
Step 8  show ip verify source [interface interface-id]
        Display the IP source guard configuration for all interfaces or for a specific interface.
Chapter 19 Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Cisco ME 3400 switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.

Note
This feature is supported only when the metro IP access or metro access image is running on the switch.

Understanding Dynamic ARP Inspection

Figure 19-1 ARP Cache Poisoning
[Figure not reproduced. It shows Host A (IA, MA), Host B (IB, MB), and Host C (man-in-the-middle) (IC, MC) connected to switch interfaces A, B, and C.]

Hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 19-12.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

Configuring Dynamic ARP Inspection

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the “Configuring the Log Buffer” section on page 19-13.

Dynamic ARP Inspection Configuration Guidelines

These are the dynamic ARP inspection configuration guidelines:

Note
This feature is supported only when the metro IP access or metro access image is running on the switch.

• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B, as shown in Figure 19-2 on page 19-3. Both switches are running dynamic ARP inspection on VLAN 1, where the hosts are located. A DHCP server is connected to Switch A.

Step 7   end
         Return to privileged EXEC mode.
Step 8   show ip arp inspection interfaces
         show ip arp inspection vlan vlan-range
         Verify the dynamic ARP inspection configuration.
Step 9   show ip dhcp snooping binding
         Verify the DHCP bindings.
Step 10  show ip arp inspection statistics vlan vlan-range
         Check the dynamic ARP inspection statistics.

Step 3   permit ip host sender-ip mac host sender-mac [log]
         Permit ARP packets from the specified host (Host 2).
         • For sender-ip, enter the IP address of Host 2.
         • For sender-mac, enter the MAC address of Host 2.
         • (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE).

Step 8   no ip arp inspection trust
         Configure the Switch A interface that is connected to Switch B as untrusted.
         By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.

For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 19-6.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Performing Validation Checks

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
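To tie together the IP-to-MAC binding check that untrusted interfaces receive (Step 8 above) and the src-mac, dst-mac, and ip validation checks described here, the following Python is an added example (not Cisco code) that decides permit or deny for one ARP frame. The binding table, the trusted-port set, and the sample frames are constructed, and the order in which the checks run is the example's own.

```python
"""Dynamic ARP inspection decision for one ARP frame.

Added example, not Cisco code. It applies the sender IP-to-MAC binding check
that untrusted interfaces receive, plus the optional src-mac, dst-mac and ip
validation checks. The binding table, trusted-port set and sample frames
are constructed; trusted ports are passed through without inspection.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed DHCP snooping binding table: (vlan, ip) -> mac.
BINDINGS = {
    (1, "10.0.0.11"): "00:11:22:33:44:11",   # Host A
    (1, "10.0.0.12"): "00:11:22:33:44:12",   # Host B
}
TRUSTED_PORTS = {"GigabitEthernet0/1"}       # constructed: link to the other switch


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet + ARP (IPv4 over Ethernet) frame for testing."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Split the Ethernet header and ARP body into named fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware or protocol type")
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "oper": oper,
            "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def invalid_ip(ip: str) -> bool:
    """0.0.0.0, 255.255.255.255 and multicast addresses are never valid here."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def inspect(frame: bytes, port: str, vlan: int, validate=frozenset()) -> tuple:
    """Return ('permit', reason) or ('deny', reason).

    validate is a subset of {'src-mac', 'dst-mac', 'ip'}, mirroring the
    keywords of 'ip arp inspection validate'. Sender fields are checked on
    every ARP packet; target fields only on replies.
    """
    if port in TRUSTED_PORTS:
        return "permit", f"trusted interface {port}, not inspected"
    arp = parse_arp(frame)
    is_reply = arp["oper"] == ARP_REPLY
    if "src-mac" in validate and arp["eth_src"] != arp["sha"]:
        return "deny", "src-mac: Ethernet source MAC != ARP sender MAC"
    if "dst-mac" in validate and is_reply and arp["eth_dst"] != arp["tha"]:
        return "deny", "dst-mac: Ethernet destination MAC != ARP target MAC"
    if "ip" in validate and (invalid_ip(arp["spa"]) or (is_reply and invalid_ip(arp["tpa"]))):
        return "deny", "ip: invalid sender or target IP address"
    # Binding check: the sender IP must be bound to the sender MAC in this VLAN.
    if BINDINGS.get((vlan, arp["spa"])) != arp["sha"]:
        return "deny", f"no binding for {arp['spa']} -> {arp['sha']} in VLAN {vlan}"
    return "permit", f"binding {arp['spa']} -> {arp['sha']} verified"
```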
Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

Step 3   ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
         Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

Displaying Dynamic ARP Inspection Information

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 19-3:

Table 19-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics

Command                            Description
clear ip arp inspection statistics Clears dynamic ARP inspection statistics.
C H A P T E R 20 Configuring IGMP Snooping and MVR This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the Cisco ME 3400 Ethernet Access switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.
Chapter 20 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Note For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236. The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
Chapter 20 Configuring IGMP Snooping and MVR
Understanding IGMP Snooping
Note IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR. An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see this URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtssm5t.
Table 20-1 IGMP Snooping Forwarding Table
Destination Address | Type of Packet | Ports
224.1.2.3 | IGMP | 1, 2
The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group.
Leaving a Multicast Group
The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
IGMP Report Suppression
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
Table 20-3 Default IGMP Snooping Configuration (continued)
Feature | Default Setting
IGMP snooping Immediate Leave | Disabled
Static groups | None configured
TCN(1) flood query count | 2
TCN query solicitation | Disabled
IGMP snooping querier | Disabled
IGMP report suppression | Enabled
1. TCN = Topology Change Notification
Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch.
Configuring a Multicast Router Port
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
Note Static connections to multicast routers are supported only on switch ports.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 ip igmp snooping vlan vlan-id static ip_address interface interface-id | Statically configure a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Configuring TCN-Related Commands
These sections describe how to control flooded multicast traffic during a TCN event:
• Controlling the Multicast Flooding Time After a TCN Event, page 20-11
• Recovering from Flood Mode, page 20-11
• Disabling Multicast Flooding During a TCN Event, page 20-12
Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by us
Beginning in privileged EXEC mode, follow these steps to enable the switch to send the global leave message whether or not it is the spanning-tree root:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 ip igmp snooping tcn query solicit | Send an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event.
Configuring the IGMP Snooping Querier
Follow these guidelines when configuring the IGMP snooping querier:
• Configure the VLAN in global configuration mode.
• Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.
This example shows how to set the IGMP snooping querier source address to 10.0.0.64:
Switch# configure terminal
Switch(config)# ip igmp snooping querier 10.0.0.
Displaying IGMP Snooping Information
You can display IGMP snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for IGMP snooping. To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 20-4.
For more information about the keywords and options in these commands, see the command reference for this release.
Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN. Uplink ports that send and receive multicast data to and from the multicast VLAN are called MVR source ports.
IGMP leave was received. As soon as the leave message is received, the receiver port is removed from multicast group membership, which speeds up leave latency. Enable the Immediate-Leave feature only on receiver ports to which a single receiver device is connected. MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN.
MVR Configuration Guidelines and Limitations
Follow these guidelines when configuring MVR:
• Receiver ports can only be access ports; they cannot be trunk ports. Receiver ports on a switch can be in different VLANs, but should not belong to the multicast VLAN.
• The maximum number of multicast entries (MVR group addresses) that can be configured on a switch (that is, the maximum number of television channels that can be received) is 256.
Command | Purpose
Step 4 mvr querytime value | (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.
Step 5 mvr vlan vlan-id | (Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN.
Command | Purpose
Step 5 mvr type {source | receiver} | Configure an MVR port as one of these:
• source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
• receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data.
Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
Configuring IGMP Filtering and Throttling
IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Applying IGMP Profiles
To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group.
Beginning in privileged EXEC mode, follow these steps to set the maximum number of IGMP groups in the forwarding table:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface to be configured, and enter interface configuration mode. The interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface.
To prevent the switch from removing the forwarding-table entries, you can configure the IGMP throttling action before an interface adds entries to the forwarding table.
Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
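The profile semantics described above (permit or deny address ranges, with deny as the verdict when neither keyword is given) and the per-port group limit can be modelled to check what a subscriber port would be allowed to join before a profile is deployed. The Python model below is an added example, not code from this guide or from Cisco IOS: the action names deny and replace follow the IOS throttling keywords but are not listed in this excerpt, and the choice of which existing entry is replaced when the table is full (here, the oldest) is this example's own assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """Model of an IGMP profile: address ranges plus a permit or deny verdict."""
    number: int
    permit: bool = False  # the guide: with neither keyword, the ranges are denied
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def add_range(self, start: str, end: Optional[str] = None) -> None:
        """'range start [end]': a single address or an inclusive start-end range."""
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end if end else start))
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.ranges.append((lo, hi))

    def matches(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """A permit profile allows only matching groups; a deny profile refuses them."""
        return self.matches(group) if self.permit else not self.matches(group)


class Layer2Port:
    """A Layer 2 access port with an optional IGMP profile and an optional group limit."""

    def __init__(self, name: str, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None, action: str = "deny"):
        # "deny" and "replace" are assumed from the IOS throttling action keywords
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.joined: List[str] = []  # forwarding-table entries, oldest first

    def join(self, group: str) -> str:
        """Apply an IGMP join for `group` and report what the port did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"  # the profile denies this group; nothing is learned
        if group in self.joined:
            return "already-joined"
        if self.max_groups is not None and len(self.joined) >= self.max_groups:
            if self.action == "deny":
                return "throttled"  # table is full and the join is dropped
            evicted = self.joined.pop(0)  # assumption: evict the oldest entry
            self.joined.append(group)
            return "replaced " + evicted
        self.joined.append(group)
        return "joined"


def demo() -> List[str]:
    """Constructed scenario: a permit profile for one /24 and a two-group limit."""
    tv = IgmpProfile(number=4, permit=True)
    tv.add_range("229.9.9.0", "229.9.9.255")
    port = Layer2Port("FastEthernet0/1", profile=tv, max_groups=2, action="deny")
    return [port.join(g) for g in ("229.9.9.1", "224.1.2.3", "229.9.9.2", "229.9.9.3")]


if __name__ == "__main__":
    print(demo())
```

Running demo() walks through the four outcomes a subscriber port can produce: a join inside the permitted range is learned, one outside it is filtered, and once the limit is reached a further join is throttled (deny) or displaces an existing entry (replace).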
Displaying IGMP Filtering and Throttling Configuration
You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP throttling configuration for all interfaces on the switch or for a specified interface.
Chapter 21 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the Cisco ME 3400 Ethernet Access switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the p
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Configuring Storm Control and Threshold Levels
You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic.
Command | Purpose
Step 4 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} | Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
• For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
To disable storm control, use the no storm-control {broadcast | multicast | unicast} level interface configuration command.
Configuring Protected Ports
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface that is configured as an NNI (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port.
Configuring Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues.
This example shows how to block unicast and multicast flooding on a port:
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# no shutdown
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Configuring Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of th
• Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration.
• shutdown—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
Command | Purpose
Step 6 switchport port-security [maximum value [vlan vlan-list | access]] | (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template.
Command | Purpose
Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access}}]] | (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
This example shows how to enable sticky port security on a port, to manually configure MAC addresses for data VLAN, and to set the total maximum number of secure addresses to 10.
Command | Purpose
Step 4 switchport port-security aging {static | time time | type {absolute | inactivity}} | Enable or disable static aging for the secure port, or set the aging time or type.
Note The switch does not support port security aging of sticky secure addresses.
Enter static to enable aging for statically configured secure addresses on this port. For time, specify the aging time for this port.
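The three features in this chapter (storm control thresholds, protected ports with port blocking, and port security) are easy to leave half-configured across many subscriber ports, so a practitioner usually audits the running configuration rather than each port by hand. The Python script below is an added example, not code from the guide or from Cisco IOS: it parses a constructed running-config excerpt and flags access ports without port security, protected ports that still flood unknown unicast or multicast (the security issue the port blocking section names), and storm-control entries whose falling threshold exceeds the rising one (a constraint from the storm-control command reference rather than this excerpt). The port-security defaults it reports (maximum 1, violation shutdown) are the IOS defaults and are likewise not stated in this excerpt.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt for the audit; not taken from the guide.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security mac-address sticky
 storm-control broadcast level 20.00 10.00
!
interface FastEthernet0/2
 switchport mode access
 switchport protected
!
interface FastEthernet0/3
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
 storm-control multicast level pps 1000 2000
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

STORM_RE = re.compile(r"^storm-control (broadcast|multicast|unicast) level (.+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its configuration lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def parse_storm_control(args: str) -> Tuple[str, float, Optional[float]]:
    """Decode the 'level' arguments: '20.00 10.00' -> ('percent', 20.0, 10.0),
    'pps 1000 2000' -> ('pps', 1000.0, 2000.0). Plain numbers only (no k/m/g suffixes)."""
    tokens = args.split()
    unit = "percent"
    if tokens[0] in ("bps", "pps"):
        unit = tokens.pop(0)
    rising = float(tokens[0])
    falling = float(tokens[1]) if len(tokens) > 1 else None
    return unit, rising, falling


def port_security_summary(lines: List[str]) -> Optional[dict]:
    """Effective port-security settings for one interface, or None if not enabled.
    maximum 1 and violation shutdown are the IOS defaults (assumed; not in this excerpt)."""
    if "switchport port-security" not in lines:
        return None
    summary = {"maximum": 1, "violation": "shutdown", "sticky": False}
    for line in lines:
        parts = line.split()
        if parts[:3] == ["switchport", "port-security", "maximum"]:
            summary["maximum"] = int(parts[3])
        elif parts[:3] == ["switchport", "port-security", "violation"]:
            summary["violation"] = parts[3]
        elif parts == ["switchport", "port-security", "mac-address", "sticky"]:
            summary["sticky"] = True
    return summary


def audit(config: str) -> Dict[str, List[str]]:
    """Per-interface findings for the checks this chapter motivates."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        issues: List[str] = []
        if "switchport mode access" in lines and port_security_summary(lines) is None:
            issues.append("access port without port security")
        if "switchport protected" in lines:
            # unknown unicast/multicast flooded to a protected port is the issue the guide names
            for kind in ("unicast", "multicast"):
                if f"switchport block {kind}" not in lines:
                    issues.append(f"protected port still floods unknown {kind}")
        for line in lines:
            m = STORM_RE.match(line)
            if m:
                unit, rising, falling = parse_storm_control(m.group(2))
                if falling is not None and falling > rising:
                    issues.append(f"{m.group(1)} storm-control falling threshold "
                                  f"{falling:g} {unit} is above the rising threshold {rising:g}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(iface, issues or ["ok"])
```

In the constructed sample, FastEthernet0/1 passes, FastEthernet0/2 is a protected access port with neither port security nor port blocking, FastEthernet0/3 blocks flooding but has no port security and an inverted multicast threshold pair, and the trunk uplink is left alone because the access-port check does not apply to it.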
Displaying Port-Based Traffic Control Settings
The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show storm-control and show port-security privileged EXEC commands display those storm control and port security settings.
Chapter 22 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the Cisco ME 3400 Ethernet Access switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Configuring CDP
These sections contain this configuration information:
• Default CDP Configuration, page 22-2
• Configuring the CDP Characteristics, page 22-2
• Disabling and Enabling CDP, page 22-3
• Disabling and Enabling CDP on an Interface, page 22-4
Default CDP Configuration
Table 22-1 shows the default CDP configuration.
Command | Purpose
Step 6 show cdp | Verify your settings.
Step 7 copy running-config startup-config | (Optional) Save your entries in the configuration file.
Use the no form of the CDP commands to return to the default settings.
This example shows how to configure CDP characteristics.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information.
Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.
Command | Description
clear cdp counters | Reset the traffic counters to zero.
clear cdp table | Delete the CDP table of information about neighbors.
show cdp | Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Chapter 23 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the Cisco ME 3400 Ethernet Access switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding UDLD
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
• Event-driven detection and echoing
UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.
Configuring UDLD
These sections contain this configuration information:
• Default UDLD Configuration, page 23-4
• Configuration Guidelines, page 23-4
• Enabling UDLD Globally, page 23-5
• Enabling UDLD on an Interface, page 23-5
• Resetting an Interface Disabled by UDLD, page 23-6
Default UDLD Configuration
Table 23-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Command | Purpose
Step 4 udld port [aggressive] | UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.
Note Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port.
For more information about aggressive and normal modes, see the “Modes of Operation” section on page 23-1.
Chapter 24 Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the Cisco ME 3400 Ethernet Access switch.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Understanding SPAN and RSPAN
These sections contain this conceptual information:
• Local SPAN, page 24-2
• Remote SPAN, page 24-2
• SPAN and RSPAN Concepts and Terminology, page 24-3
• SPAN and RSPAN Interaction with Other Features, page 24-8
Local SPAN
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports reside in the same switch.
Figure 24-2 Example of RSPAN Configuration
[Figure: RSPAN source session A on Switch A and RSPAN source session B on Switch B carry traffic from their RSPAN source ports over the RSPAN VLAN to the RSPAN destination session and RSPAN destination ports on Switch C; intermediate switches must support the RSPAN VLAN.]
SPAN and RSPAN Concepts and Terminology
This section describes concepts and terminology associated with SPAN and RSPAN configuration.
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
• Transmit (Tx) SPAN—The goal of transmit (or egress) SPAN is to monitor as much as possible all the packets sent by the source interface after all modification and processing is performed by the switch. A copy of each packet sent by the source is sent to the destination port for that SPAN session. The copy is provided after the packet is modified.
• It can be any port type—for example, EtherChannel, Fast Ethernet, Gigabit Ethernet, user network interface (UNI), network node interface (NNI), and so forth.
• For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
• It can be a routed port, an access port, or a trunk port.
• It cannot be a destination port.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
Configuring SPAN and RSPAN
• EtherChannel—You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored. If a physical port is added to a monitored EtherChannel group, the new port is added to the SPAN source port list. If a port is removed from a monitored EtherChannel group, it is automatically removed from the source port list.
Default SPAN and RSPAN Configuration
Table 24-1 shows the default SPAN and RSPAN configuration.
Table 24-1 Default SPAN and RSPAN Configuration
Feature | Default Setting
SPAN state (SPAN and RSPAN) | Disabled.
Source port traffic to monitor | Both received and sent traffic (both).
Encapsulation type (destination port) | Native form (untagged packets).
• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.
Command | Purpose
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}]} | Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
Note For local SPAN, you must use the same session number for the source and destination interfaces.
For interface-id, specify the destination port.
The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Command | Purpose
Step 4 monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}] [ingress {[dot1q | untagged] vlan vlan-id}]} | Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation. For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port.
Specifying VLANs to Filter
Beginning in privileged EXEC mode, follow these steps to limit SPAN source traffic to specific VLANs:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 no monitor session {session_number | all | local | remote} | Remove any existing SPAN configuration for the session. For session_number, the range is 1 to 66.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs 1 through 5 and VLAN 9 to destination Gigabit Ethernet port 1.
Configuring a VLAN as an RSPAN VLAN
Create a new VLAN to be the RSPAN VLAN for the RSPAN session. You must create the RSPAN VLAN in all switches that will participate in RSPAN. You must configure RSPAN VLAN on source and destination switches and any intermediate switches. To get an efficient flow of RSPAN traffic, manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.
Command | Purpose
Step 3 monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx] | Specify the RSPAN session and the source port (monitored port). For session_number, the range is 1 to 66. Enter a source port or source VLAN for the RSPAN session:
• For interface-id, specify the source port to monitor.
Creating an RSPAN Destination Session
You configure the RSPAN destination session on a different switch; that is, not the switch on which the source session was configured.
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:
Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
Switch(config)# end
Creating an RSPAN Destination Session and Configuring Ingress Traffic
Beginning in privileged EXEC mode, follow these steps to create an RSPAN destination session, to specify the
Command | Purpose
Step 5 end | Return to privileged EXEC mode.
Step 6 show monitor [session session_number] / show running-config | Verify the configuration.
Step 7 copy running-config startup-config | (Optional) Save the configuration in the configuration file.
To delete an RSPAN session, use the no monitor session session_number global configuration command.
Command | Purpose
Step 5 monitor session session_number destination remote vlan vlan-id | Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Step 6 end | Return to privileged EXEC mode.
Chapter 25 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the Cisco ME 3400 Ethernet Access switch. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Configuring RMON
Figure 25-1 Remote Monitoring Example
[Figure: a network management station running a generic RMON console application, with RMON alarms and events configured and SNMP configured, monitors workstations attached to the switch, on which RMON history and statistic collection is enabled.]
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured. Only RMON 1 is supported on the switch.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Command | Purpose
Step 3 rmon event number [description string] [log] [owner string] [trap community] | Add an event in the RMON event table that is associated with an RMON event number.
• For number, assign an event number. The range is 1 to 65535.
• (Optional) For description string, specify a description of the event.
• (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Collecting Group Ethernet Statistics on an Interface
Beginning in privileged EXEC mode, follow these steps to collect group Ethernet statistics on an interface. This procedure is optional.
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface on which to collect statistics, and enter interface configuration mode.
Step 3 no shutdown | Enable the port, if necessary.
CHAPTER 26 Configuring System Message Logging This chapter describes how to configure system message logging on the Cisco ME 3400 Ethernet Access switch. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 26 Configuring System Message Logging Configuring System Message Logging Configuring System Message Logging These sections contain this configuration information: • System Log Message Format, page 26-2 • Default System Message Logging Configuration, page 26-3 • Disabling Message Logging, page 26-3 (optional) • Setting the Message Display Destination Device, page 26-4 (optional) • Synchronizing Log Messages, page 26-5 (optional) • Enabling and Disabling Time Stamps on Log Messages, page
Table 26-1 System Log Message Elements (continued) Element Description MNEMONIC Text string that uniquely describes the message. description Text string containing detailed information about the event being reported.
Beginning in privileged EXEC mode, follow these steps to disable message logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 no logging console Disable message logging. Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries.
Step 3 logging host Log messages to a UNIX syslog server host. For host, specify the name or IP address of the host to be used as the syslog server. To build a list of syslog servers that receive logging messages, enter this command more than once. For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 26-10.
is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt. Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Enabling and Disabling Time Stamps on Log Messages By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 service timestamps log uptime Enable log time stamps.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled: 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) Defining the Message Severity Level You can limit the messages displayed to the selected device by specifying the severity level of the message, as described in Table 26-3.
Table 26-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
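As an added example (not from the guide), a small Python parser that splits a system log message into the elements of Table 26-1 (sequence number, time stamp, facility, severity, mnemonic, description) and applies the severity threshold that a destination configured with a level keyword uses; the level keywords emergencies (0) through debugging (7) are the IOS ones that Table 26-3 describes, and the second and third sample messages are constructed.

```python
import re

# IOS severity level keywords and their numeric levels (Table 26-3 on the page);
# a destination set to level N receives messages whose severity is N or lower.
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# seq: optional sequence number (service sequence-numbers); ts: optional time stamp
# (service timestamps log ...); then %FACILITY-SEVERITY-MNEMONIC: description
MESSAGE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): ?"
    r"(?P<description>.*)$"
)


def parse_message(line):
    """Split one system log message into its elements; None if the line is not one."""
    m = MESSAGE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def passes_level(message, level_keyword):
    """True if a destination configured with level_keyword would receive this message."""
    return message["severity"] <= SEVERITY_LEVELS[level_keyword]


def select_for_destination(lines, level_keyword):
    """Mnemonics of the messages a destination at level_keyword would receive, in order."""
    selected = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and passes_level(msg, level_keyword):
            selected.append(msg["mnemonic"])
    return selected


# Constructed sample: the sequence-numbered line from the page plus two made-up
# messages that also carry an uptime time stamp.
SAMPLE_LINES = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: 00:01:12: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "000021: 00:01:13: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
]
```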
Step 3 logging history size number Specify the number of syslog messages that can be stored in the history table. The default is to store one message. The range is 0 to 500 messages. Step 4 end Return to privileged EXEC mode. Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Step 3 Make sure the syslog daemon reads the new changes: $ kill -HUP `cat /etc/syslog.pid` For more information, see the man syslog.conf and man syslogd commands on your UNIX system. Configuring the UNIX System Logging Facility When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.
Chapter 26 Configuring System Message Logging Displaying the Logging Configuration Table 26-4 Logging Facility-Type Keywords (continued) Facility Type Keyword Description mail Mail system news USENET news sys9-14 System use syslog System log user User process uucp UNIX-to-UNIX copy system Displaying the Logging Configuration To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command.
CHAPTER 27 Configuring SNMP This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the Cisco ME 3400 Ethernet Access switch. Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 27 Configuring SNMP Understanding SNMP • Using SNMP to Access MIB Variables, page 27-4 • SNMP Notifications, page 27-5 • SNMP ifIndex MIB Object Values, page 27-5 SNMP Versions This software release supports these SNMP versions: • SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.
Table 27-1 identifies the characteristics of the different combinations of security models and levels. Table 27-1 SNMP Security Models and Levels
Model | Level | Authentication | Encryption | Result
SNMPv1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMPv2C | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
SNMP Agent Functions The SNMP agent responds to SNMP manager requests as follows: • Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value. • Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
SNMP Notifications SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Chapter 27 Configuring SNMP Configuring SNMP Configuring SNMP These sections contain this configuration information: • Default SNMP Configuration, page 27-6 • SNMP Configuration Guidelines, page 27-6 • Disabling the SNMP Agent, page 27-7 • Configuring Community Strings, page 27-8 • Configuring SNMP Groups and Users, page 27-9 • Configuring SNMP Notifications, page 27-11 • Setting the Agent Contact and Location Information, page 27-14 • Limiting TFTP Servers Used Through SNMP, page 27-15 •
When configuring SNMP, follow these guidelines: • When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Configuring Community Strings You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command.
Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list] Configure a new SNMP group on the remote device. • For groupname, specify the name of the group. • Specify a security model: – v1 is the least secure of the possible security models. – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} Add a new user for an SNMP group. • The username is the name of the user on the host that connects to the agent. • The groupname is the name of the group to which the user is associated.
Table 27-5 Switch Notification Types Notification Type Keyword Description bgp Generates Border Gateway Protocol (BGP) state change traps. This option is only available when the metro IP access image is installed. bridge Generates STP bridge MIB traps. config Generates a trap for SNMP configuration changes. config-copy Generates a trap for SNMP copy configuration changes. entity Generates a trap for SNMP entity changes.
Note Though visible in the command-line help strings, the cpu [threshold], flash insertion, flash removal, fru-ctrl, and vtp keywords are not supported. The snmp-server enable informs global configuration command is not supported. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.
Step 6 snmp-server enable traps notification-types Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 27-5 on page 27-12, or enter snmp-server enable traps ? To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.
Limiting TFTP Servers Used Through SNMP Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 snmp-server tftp-server-list access-list-number Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.
Chapter 27 Configuring SNMP Displaying SNMP Status This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public. Switch(config)# snmp-server community comaccess ro 4 Switch(config)# snmp-server enable traps snmp authentication Switch(config)# snmp-server host cisco.
CHAPTER 28 Configuring Network Security with ACLs This chapter describes how to configure network security on the Cisco ME 3400 Ethernet Access switch by using access control lists (ACLs), which are also referred to in commands and tables as access lists. Note Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4).
Chapter 28 Configuring Network Security with ACLs Understanding ACLs which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both. An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL. Incoming routed IPv4 packets received on other ports are filtered by both the VLAN map and the router ACL. Other packets are filtered only by the VLAN map.
Figure 28-1 Using ACLs to Control Traffic to a Network (figure labels: Host A; Host B; Research & Development network; Human Resources network; legend: ACL denying traffic from Host B and permitting traffic from Host A; Packet) When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
Chapter 28 Configuring Network Security with ACLs Configuring IPv4 ACLs Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IPv4 packet.
The switch does not support these Cisco IOS router ACL-related features: • Non-IP protocol ACLs (see Table 28-1 on page 28-8) or bridge-group ACLs • IP accounting • Inbound and outbound rate limiting (except with QoS ACLs) • Reflexive ACLs or dynamic ACLs • ACL logging for port ACLs and VLAN maps These are the steps to use IP ACLs on the switch: Step 1 Create an ACL by specifying an access list number or name and the access
IPv4 Access List Numbers The number you use to denote your IPv4 ACL shows the type of access list that you are creating. Table 28-1 lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they appear or are logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
This example shows how to create a standard ACL to deny access to IP host 171.69.198.102, permit access to any others, and display the results. Switch(config)# access-list 2 deny host 171.69.198.102 Switch(config)# access-list 2 permit any Switch(config)# end Switch# show access-lists Standard IP access list 2 10 deny 171.69.198.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL: Command Purpose Step 1 configure terminal Enter global configuration mode.
or Step 2b access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.
Step 2d Step 2e access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp] (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 28-18), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 28-19), or to VLANs (see the “Configuring VLAN Maps” section on page 28-29).
Step 3 deny {source [source-wildcard] | host source | any} [log] or permit {source [source-wildcard] | host source | any} [log] In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. • host source—A source and source wildcard of source 0.0.0.0. • any—A source and source wildcard of 0.0.0.0 255.255.255.255.
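Added example, not part of the guide: a Python evaluator for standard ACEs that applies wildcard masks the way the syntax above defines them (host means a wildcard of 0.0.0.0, any means 0.0.0.0 255.255.255.255), tries the entries in order, and falls through to the implicit deny at the end of every list. The first list is the access-list 2 example from this chapter; the second is a constructed version of the network 36.0.0.0 / subnet 48 example, with 36.48.0.3 an assumed host address.

```python
import ipaddress


def _addr(text):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_ace(sequence, text):
    """Parse one standard ACE: {deny | permit} {source [source-wildcard] | host source | any}.
    Returns (sequence, action, address, wildcard) with address and wildcard as integers."""
    tokens = text.split()
    action, args = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: " + text)
    if args == ["any"]:                          # any: 0.0.0.0 255.255.255.255
        address, wildcard = 0, 0xFFFFFFFF
    elif len(args) == 2 and args[0] == "host":   # host X: X 0.0.0.0
        address, wildcard = _addr(args[1]), 0
    elif len(args) == 1:                         # omitted wildcard defaults to 0.0.0.0
        address, wildcard = _addr(args[0]), 0
    elif len(args) == 2:                         # explicit source and source-wildcard
        address, wildcard = _addr(args[0]), _addr(args[1])
    else:
        raise ValueError("cannot parse ACE: " + text)
    return (sequence, action, address, wildcard)


def build_acl(lines):
    """Number the ACEs 10, 20, 30, ... in the order entered, as show access-lists displays them."""
    return [parse_standard_ace(10 * (i + 1), line) for i, line in enumerate(lines)]


def matches(source_ip, address, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means that bit is not compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (_addr(source_ip) & care) == (address & care)


def evaluate(acl, source_ip):
    """First-match evaluation. Returns (action, sequence); the implicit deny that ends
    every ACL is reported with sequence None."""
    for sequence, action, address, wildcard in acl:
        if matches(source_ip, address, wildcard):
            return action, sequence
    return "deny", None


# The ACL from this chapter: deny host 171.69.198.102, permit everyone else.
ACL_2 = build_acl(["deny host 171.69.198.102", "permit any"])

# Constructed ACL for the network 36.0.0.0 example (subnet mask 255.255.0.0, so the
# subnet wildcard is 0.0.255.255): accept one host on subnet 48 (36.48.0.3 is an
# assumed address), reject the rest of subnet 48, accept every other 36.x subnet.
ACL_36 = build_acl([
    "permit 36.48.0.3",
    "deny 36.48.0.0 0.0.255.255",
    "permit 36.0.0.0 0.255.255.255",
])
```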
This example shows how you can delete individual ACEs from the named access list border-list: Switch(config)# ip access-list extended border-list Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.
Step 3 absolute [start time date] [end time date] or periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm Specify when the function it will be applied to is operational. • You can use only one absolute statement in the time range. If you configure more than one absolute statement, only the one configured last is executed. • You can enter multiple periodic statements.
This example uses named ACLs to permit and deny the same traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 line [console | vty] line-number Identify a specific line to configure, and enter in-line configuration mode. • console—Specify the console terminal line. The console port is DCE.
Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from Port 1. • Create an extended ACL, and filter traffic coming from the server into Port 1. Figure 28-3 Using Router ACLs to Control Traffic (figure labels: Server A, Benefits; Server B, Payroll; Port 1; Port 2; Accounting, 172.20.128.64-95; Human Resources, 172.20.128.
Numbered ACLs In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.
Chapter 28 Configuring Network Security with ACLs Creating Named MAC Extended ACLs This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.
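Added example, not from the guide: a Python routine that parses the %SEC-6-IPACCESSLOG message format shown above and totals packets per list, action, protocol and source across the immediate first-hit message and the later 5-minute summaries, so that a log review can flag sources whose denied count crossed a threshold. The sample lines are constructed in the same format; the count on the last line is made up.

```python
import re
from collections import defaultdict

# Shape of the ACL log messages on the page. IPACCESSLOGDP carries ICMP type/code in
# parentheses after the addresses; IPACCESSLOGP carries port numbers attached to each
# address. The trailing count is 1 for the immediate first-hit message and a
# 5-minute total for every later summary message.
ACL_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}):%SEC-6-(?P<mnemonic>IPACCESSLOG[A-Z]+):"
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<extra>[^)]*)\))?, (?P<count>\d+) packets?$"
)


def parse_acl_log(line):
    """Fields of one ACL log message, or None for any other log line."""
    m = ACL_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Total packets per (acl, action, protocol, source) over first-hit and summary messages."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec is not None:
            totals[(rec["acl"], rec["action"], rec["proto"], rec["src"])] += rec["count"]
    return dict(totals)


def denied_sources(lines, threshold):
    """Sources whose denied-packet total reached the threshold, sorted."""
    totals = summarize(lines)
    return sorted(src for (acl, action, proto, src), n in totals.items()
                  if action == "denied" and n >= threshold)


# Constructed sample in the page's format; the 12-packet count on the last line is made up.
SAMPLE_LOG = [
    "01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet",
    "01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets",
    "01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet",
    "01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 12 packets",
]
```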
Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos] In extended MAC acces
Applying a MAC ACL to a Layer 2 Interface After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines: • If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
Chapter 28 Configuring Network Security with ACLs Configuring VLAN Maps Configuring VLAN Maps This section describes how to configure VLAN maps, which is the only way to control filtering within a VLAN. VLAN maps have no direction. To filter traffic in a specific direction by using a VLAN map, you need to include an ACL with specific source or destination addresses.
VLAN Map Configuration Guidelines Follow these guidelines when configuring VLAN maps: • If there is no ACL configured to deny traffic on an interface and no VLAN map is configured, all traffic is permitted. • Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important. A packet that comes into the switch is tested against the first entry in the VLAN map.
Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vlan access-map name [number] Create a VLAN map, and give it a name and (optionally) a number. The number is the sequence number of the entry within the map.
This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.
Switch(config)# mac access-list extended good-protocols Switch(config-ext-macl)# permit any any decnet-ip Switch(config-ext-macl)# permit any any vines-ip Switch(config-ext-macl)# exit Switch(config)# vlan access-map drop-mac-default 10 Switch(config-access-map)# match mac address good-hosts Switch(config-access-map)# action forward Switch(config-access-map)# exit Switch(config)# vlan access-map drop-mac-default 20 Switch(config-acces
Using VLAN Maps in Your Network These sections describe some typical uses for VLAN maps: • Wiring Closet Configuration, page 28-34 • Denying Access to a Server on Another VLAN, page 28-35 Wiring Closet Configuration In a wiring closet configuration, routing might not be enabled on the switch. In this configuration, the switch can still support a VLAN map and a QoS classification ACL.
Switch(config)# ip access-list extended match_all Switch(config-ext-nacl)# permit ip any any Switch(config-ext-nacl)# exit Switch(config)# vlan access-map map2 20 Switch(config-access-map)# match ip address match_all Switch(config-access-map)# action forward Then, apply VLAN access map map2 to VLAN 1.
Chapter 28 Configuring Network Security with ACLs Using VLAN Maps with Router ACLs Step 2 Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
• Whenever possible, try to write the ACL with all entries having a single action except for the final, default action of the other type. That is, write the ACL using one of these two forms:
permit... permit... permit... deny ip any any
or
deny... deny... deny... permit ip any any
• To define multiple actions in an ACL (permit, deny), group each action type together to reduce the number of entries.
Figure 28-6 Applying ACLs on Switched Packets (figure labels: VLAN 10 map; Input router ACL; Output router ACL; VLAN 20 map; Frame; Host A (VLAN 10); Routing function or fallback bridge; VLAN 10; VLAN 20; Packet; Host C (VLAN 10)) ACLs and Routed Packets Figure 28-7 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order: 1. VLAN map for input VLAN 2. Input router ACL 3.
Chapter 28 Configuring Network Security with ACLs Displaying IPv4 ACL Configuration ACLs and Multicast Packets Figure 28-8 shows how ACLs are applied on packets that are replicated for IP multicasting. A multicast packet being routed has two different kinds of filters applied: one for destinations that are other ports in the input VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed.
Table 28-2 Commands for Displaying Access Lists and Access Groups (continued) Command Purpose show ip interface interface-id Displays detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display.
CHAPTER 29 Configuring Control-Plane Security This chapter describes the control-plane security feature in the Cisco ME 3400 Ethernet Access switch. In any network, Layer 2 and Layer 3 switches exchange control packets with other switches in the network. The Cisco ME switch, which acts as a transition between the customer network and the service-provider network, uses control-plane security to ensure that the topology information between the two networks is isolated.
Chapter 29 Configuring Control-Plane Security Understanding Control-Plane Security These types of control packets are dropped or rate-limited: • Layer 2 protocol control packets: – Control packets that are always dropped on UNIs, such as Dynamic Trunking Protocol (DTP) packets and some bridge protocol data units (BPDUs).
Table 29-1 CPU Protection Actions When Layer 2 Protocol Packets Are Received on a UNI (continued)
Protocol | Default | When Feature Is Enabled | When Layer 2 Protocol Tunneling Is Enabled (1)
CISCO_L2 (any other Cisco Layer 2 protocols with the MAC address 01:00:0c:cc:cc:cc) | Dropped | – | Rate-limited if CDP, DTP, UDLD, PAGP, or VTP are Layer 2 tunneled
KEEPALIVE (MAC address, SNAP encapsulation, LLC, Org ID, or HDLC packets)
Chapter 29 Configuring Control-Plane Security Configuring Control-Plane Security This example shows the default policers assigned to NNIs. Most protocols have no policers assigned to NNIs. A value of 255 means that no policer is assigned to the port for the protocol.
Chapter 29 Configuring Control-Plane Security Monitoring Control-Plane Security This example shows how to set the CPU protection threshold to 10000 bps and to verify the configuration. Switch# config t Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# policer cpu uni 10000 Switch(config)# end Switch# show policer cpu uni rate
Chapter 29 Configuring Control-Plane Security Monitoring Control-Plane Security Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 29-6 78-17058-01
CHAPTER 30 Configuring QoS This chapter describes how to configure quality of service (QoS) by using the modular QoS command-line interface (CLI), or MQC, commands on the Cisco ME 3400 Ethernet Access switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. When QoS is not configured, the switch offers best-effort service to each packet, regardless of the packet contents or size.
Chapter 30 Configuring QoS Understanding QoS Figure 30-1 Modular QoS CLI Model (figure labels: Classification; Policing; Marking; Policer Drops; Congestion Avoidance; Congestion Drops; Queuing; Scheduling) Basic QoS includes these actions. • Packet classification allows you to organize traffic on the basis of whether or not the traffic matches specific criteria.
Modular QoS CLI Modular QoS CLI (MQC) allows users to create traffic policies and attach these policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. You use a traffic class to classify traffic, and the QoS features in the traffic policy determine how to treat the classified traffic. Modular QoS CLI configuration includes these steps: Step 1 Define a traffic class.
Step 3 Attach the traffic policy to an interface. You use the service-policy interface configuration command to attach the policy map to an interface for packets entering or leaving the interface. You must specify whether the traffic policy characteristics should be applied to incoming or outgoing packets.
Output Policy Maps Output policy map classification criteria include matching a CoS, a DSCP, an IP precedence, or a QoS group value. Output policy maps can have any of these actions: • Queuing (queue-limit) • Scheduling (bandwidth, priority, and shape average) Output policy maps do not support matching of access groups. You can use QoS groups as an alternative by matching the appropriate access group in the input policy map and setting a QoS group.
Figure 30-3 QoS Classification Layers in Frames and Packets (figure labels: Layer 2 IEEE 802.1Q and IEEE 802.1P Frame; Preamble; Start frame delimiter; DA; SA; TAG, 4 Bytes; Type; PT; Data; FCS; 3 bits used for CoS (IEEE 802.
You can match more than one criterion for classification. You can also create a class map that requires that all matching criteria in the class map be in the packet header by using the class-map match-all class-map-name global configuration command to enter class map configuration mode. A class map with no match condition has a default of match all. You can configure only one match entry in a match-all class map.
This example shows how to create a class map to match a CoS value of 5: Switch(config)# class-map premium Switch(config-cmap)# match cos 5 Switch(config-cmap)# exit Classification Based on IP Precedence You can classify IPv4 traffic based on the packet IP precedence values, which range from 0 to 7.
cs6 Match packets with CS6 (precedence 6) dscp (110000)
cs7 Match packets with CS7 (precedence 7) dscp (111000)
default Match packets with default dscp (000000)
ef Match packets with EF dscp (101110)
For more information on DSCP prioritization, see RFC-2597 (AF per-hop behavior), RFC-2598 (EF), or RFC-2475 (DSCP).
Chapter 30 Configuring QoS Understanding QoS Classification Based on QoS ACLs Packets can also be classified in input policy maps based on an ACL lookup. The ACL classification is communicated to an output policy by assigning a QoS group or number in the input policy map. To classify based on ACL lookup, you first create an IP or MAC ACL. Configure a class map and use the match access-group {acl-number | acl name} class-map configuration command, and attach the class map to a policy map.
Chapter 30 Configuring QoS Understanding QoS To communicate an ACL classification to an output policy, you assign a QoS number to specify packets at ingress. This example identifies specific packets as part of QoS group 1 for later processing in an output policy: Switch(config)# policy-map in-gold-policy Switch(config-pmap)# class in-class1 Switch(config-pmap-c)# set qos-group 1 Switch(config-cmap-c)# exit Switch(config-cmap)# exit You use the set qos-group command only in an input policy.
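The complete ingress-to-egress chain that the two sections above describe, as an added example that is not part of the guide: an ACL can only be matched in an input policy, so the ingress policy tags the matched packets with a QoS group, and the output policy queues on that QoS group. The ACL name, class and policy names, the 10.1.1.0/24 subnet, the bandwidth split, and the port fastethernet0/1 are assumptions chosen for illustration.

```cisco
! Added example, not from the original guide. All names and addresses are assumed.
!
! 1. ACL that identifies the traffic (assumed voice subnet 10.1.1.0/24, UDP only)
ip access-list extended voice-acl
 permit udp 10.1.1.0 0.0.0.255 any
!
! 2. Input class map: an ACL lookup is allowed only in input policy maps
class-map match-all in-voice
 match access-group name voice-acl
!
! 3. Input policy: carry the classification in QoS group 1 (set qos-group is input-only)
policy-map in-policy
 class in-voice
  set qos-group 1
!
! 4. Output class map: output policies cannot match access groups, so match the QoS group
class-map match-all out-voice
 match qos-group 1
!
! 5. Output policy: the scheduling action for the queue that carries QoS group 1
policy-map out-policy
 class out-voice
  bandwidth percent 30
 class class-default
  bandwidth percent 70
!
! 6. Attach both policies; the direction keyword (input/output) is mandatory
interface fastethernet0/1
 service-policy input in-policy
 service-policy output out-policy
!
! Verification (privileged EXEC):
! show policy-map interface fastethernet0/1
```

A practitioner's check: if the counters under show policy-map interface grow for class in-voice but not for class out-voice, the QoS group is not being carried, which usually means the output class map matches a different group number than the one set at ingress.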
The switch supports a maximum of 256 unique table maps. You can enter up to 64 different map from-to entries in a table map.

These sections describe the types of policing supported on the switch:
• Individual Policing, page 30-13
• Aggregate Policing, page 30-14
• Unconditional Priority Policing, page 30-15

Individual Policing

Individual policing applies only to input policy maps. In policy-map configuration mode, you enter the class command followed by the class-map name, and enter policy-map class configuration mode.

After you create a table map, you configure a policy-map policer to use the table map.
• You can configure only one exceed-action police markdown table map of each type (CoS, DSCP, or IP precedence) on the switch. You can reference that table map in multiple policers.
• When you use a table map in an input policy map, the protocol type for the from-action in the table map must be the same as the protocol type of the associated classification.

After you configure the aggregate policer, you create a policy map and an associated class map, associate the policy map with the aggregate policer, and apply the service policy to a port.

Note Only one policy map can use any specific aggregate policer. Aggregate policing cannot be used to aggregate traffic streams across multiple interfaces. It can be used only to aggregate traffic streams across multiple classes in a policy map attached to an interface.

This example shows how to use the priority with police commands to configure out-class1 as the priority queue, with traffic going to the queue limited to 20,000,000 bps so that the priority queue never uses more than that. Traffic above that rate is dropped. This allows other traffic queues to receive some port bandwidth, in this case a minimum bandwidth guarantee of 500,000 and 200,000 kbps. The class class-default queue gets the remaining port bandwidth.

Note You configure only one set action with a table map in a class. You cannot configure any other set action in the same class as a set action with a table map. Figure 30-6 shows the procedures for marking traffic.

This example uses a policy map to remark a packet. The first marking (the set command) applies to the QoS default class map that matches all traffic not matched by classes AF31-AF33 and sets all traffic to an IP DSCP value of 1. The second marking sets the traffic in classes AF31 to AF33 to an IP DSCP of 3.

These sections contain additional information about scheduling:
• Traffic Shaping, page 30-19
• Class-Based Weighted Fair Queuing, page 30-21
• Priority Queuing, page 30-22

Traffic Shaping

Traffic shaping is a traffic-control mechanism similar to traffic policing. While traffic policing is used in input policy maps, traffic shaping occurs as traffic leaves an interface.

Port Shaping

To configure port shaping (a transmit port shaper), create a policy map that contains only a default class, and use the shape average command to specify the maximum bandwidth for a port. This example shows how to configure a policy map that shapes a port to 90 Mbps, allocated according to the out-policy policy map configured in the previous example.

Class-Based Weighted Fair Queuing

You can configure class-based weighted fair queuing (CBWFQ) to set the relative precedence of a queue by allocating a portion of the total bandwidth that is available for the port. You use the bandwidth policy-map class configuration command to set the output bandwidth for a class of traffic as a rate (kilobits per second), a percentage of total bandwidth, or a percentage of remaining bandwidth.

Switch(config)# interface fastethernet 0/1
Switch(config-if)# service-policy output out-policy
Switch(config-if)# exit

This example shows how to allocate the excess bandwidth among queues by configuring bandwidth for a traffic class as a percentage of remaining bandwidth. The class outclass1 is given priority queue treatment.

Note When priority is configured in an output policy map without the police command, you can only configure the other queues for sharing by using the bandwidth remaining percent policy-map command to allocate excess bandwidth.

Priority queuing has these restrictions:
• You can associate the priority command with a single unique class for all attached output policies on the switch.

Congestion Avoidance and Queuing

Congestion avoidance uses algorithms such as tail drop to control the number of packets entering the queuing and scheduling stage to avoid congestion and network bottlenecks. The switch uses weighted tail drop (WTD) to manage the queue sizes and provide a drop precedence for traffic classifications. You set the size limits depending on the markings of the packets in the queue.

This example configures class A to match DSCP values and a policy map, PM1. The DSCP values of 30 and 50 are mapped to unique thresholds (32 and 64, respectively). The DSCP values of 40 and 60 are mapped to the maximum threshold of 112 packets.

Configuring QoS

• A WTD qualifier in the queue-limit command must be the same as at least one match qualifier in the associated class map.

This example shows how to configure bandwidth and queue limit so that out-class1, out-class2, and out-class3 get a minimum of 50, 20, and 10 percent of the traffic bandwidth, and the remaining traffic (class-default) gets the remaining 20 percent.

Default QoS Configuration

There are no policy maps, class maps, table maps, or policers configured. At the egress port, all traffic goes through a single default queue that is given the full operational port bandwidth. The default size of the default queue is 48 (256-byte) packets. The packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed).

Creating IP Standard ACLs

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:

Step 1 configure terminal
Enter global configuration mode.

Step 2 access-list access-list-number permit source [source-wildcard]
or ip access-list standard name
Create an IP standard ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number.

Creating IP Extended ACLs

Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:

Step 1 configure terminal
Enter global configuration mode.

Step 2 access-list access-list-number permit protocol {source source-wildcard destination destination-wildcard} [precedence precedence] [tos tos] [dscp dscp]
Create an IP extended ACL, repeating the command as many times as necessary.

Step 3 end
Return to privileged EXEC mode.

Step 4 show access-lists
Verify your entries.

Step 5 copy running-config startup-config
(Optional) Save your entries in the configuration file.

To delete an access list, use the no access-list access-list-number global configuration command.

To delete a MAC access list, use the no mac access-list extended access-list-name global configuration command.

This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002.

Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic:

Step 1 configure terminal
Enter global configuration mode.

Step 2 class-map [match-all | match-any] {class-map-name | class-default}
Create a class map, and enter class-map configuration mode. By default, no class maps are defined.

Step 5 show class-map
Verify your entries.

Step 6 copy running-config startup-config
(Optional) Save your entries in the configuration file.

Use the no form of the appropriate command to delete an existing class map or remove a match criterion.

This example shows how to create access list 103 and configure the class map called class1. Class map class1 has one match criterion, which is access list 103.

Beginning in privileged EXEC mode, follow these steps to create a table map:

Step 1 configure terminal
Enter global configuration mode.

Step 2 table-map table-map-name
Create a table map by entering a table-map name, and enter table-map configuration mode.

Step 3 map from from-value to to-value
Enter the mapping values to be included in the table.

Attaching a Traffic Policy to an Interface

You use the service-policy interface configuration command to attach a traffic policy to an interface and to specify the direction in which the policy should be applied: either an input policy map for incoming traffic or an output policy map for outgoing traffic. Input and output policy maps support different QoS features.

• When an input policy map with only Layer 2 classification is attached to a routed port or a switch port containing a routed SVI, the service policy acts only on switching-eligible traffic and not on routing-eligible traffic.
• On an IEEE 802.1Q tunnel port, you can use only an input policy map with Layer 2 classification based on MAC ACLs to classify traffic.

Step 4 police {rate-bps | cir cir-bps} [burst-bytes | bc burst-bytes]
Define a policer for the class of traffic. By default, no policer is defined.
• For rate-bps, specify the average traffic rate in bits per second (bps). The range is 8000 to 1000000000.

Step 5 conform-action [set-cos-transmit new-cos-value | set-dscp-transmit new-dscp-value | set-prec-transmit new-precedence-value | set-qos-transmit qos-group-value | transmit]

After you have created an input policy map, you attach it to an interface in the input direction. See the "Attaching a Traffic Policy to an Interface" section on page 30-35. Use the no form of the appropriate command to delete an existing policy map, class map, or policer.

This example shows how to create a traffic classification with a CoS value of 4, create a policy map, and attach it to an ingress port.

This example shows how to use policy-map class police configuration mode to set the exceed action to mark down using table maps. The policy map sets a committed information rate of 23000 bps and a conform burst size of 10000 bytes. The policy map includes the default conform action (transmit) and the exceed action to mark the Layer 2 CoS value based on the table map.
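The table-map markdown policer described above, written out as an added example (not the guide's own configuration). It applies the two table-map rules stated earlier: the table map's from-type (CoS) is the same protocol type as the class-map match (CoS), and a switch can hold only one exceed-action markdown table map per type, so the same cos-markdown map would be referenced by any other CoS markdown policer. The map name, class name, policy name, the CoS values in the map, and port fastethernet0/2 are assumptions.

```cisco
! Added example, not from the original guide. Names and CoS values are assumed.
!
! Table map: CoS carried by the packet (from) -> CoS written when the policer's rate is
! exceeded (to). Values without an entry are left unchanged by default.
table-map cos-markdown
 map from 5 to 2
 map from 4 to 1
 map from 3 to 0
!
! Classification protocol type (CoS) must match the table map's from-type (CoS).
! match-any is used because a match-all class map may hold only one match entry.
class-map match-any cos-in
 match cos 3
 match cos 4
 match cos 5
!
! 23000 bps CIR with a 10000-byte conform burst; conforming traffic is transmitted
! unchanged, excess traffic is transmitted with its CoS rewritten through the table map.
policy-map in-markdown
 class cos-in
  police cir 23000 bc 10000
   conform-action transmit
   exceed-action set-cos-transmit cos table cos-markdown
!
interface fastethernet0/2
 service-policy input in-markdown
!
! Verification (privileged EXEC):
! show table-map cos-markdown
! show policy-map interface fastethernet0/2
```

Marking down rather than dropping keeps the excess on the wire, so the downstream output policies must actually treat CoS 0 to 2 as lower priority; otherwise the markdown has no effect on what a customer can push through the port.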
Beginning in privileged EXEC mode, follow these steps to create an aggregate policer:

Step 1 configure terminal
Enter global configuration mode.

To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map class configuration command. To delete an aggregate policer and its parameters, use the no policer aggregate aggregate-policer-name global configuration command.

This example shows how to create an aggregate policer and attach it to multiple classes within a policy map. The policy map is attached to an ingress port.
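An aggregate policer shared by two classes of one input policy, as an added example that is not part of the guide. It shows the two restrictions noted above: only this policy map references the aggregate policer, and the aggregate covers classes on one interface, not traffic across several interfaces. The policer name, rate and burst, the ACLs, the class and policy names, and port fastethernet0/3 are assumptions; the rate/burst argument form mirrors the police command on this page, and the exact keyword set should be confirmed in the command reference for this release.

```cisco
! Added example, not from the original guide. Names, rate, burst and ACLs are assumed.
!
! Global aggregate policer: 5 Mbps, 8000-byte burst, excess dropped
policer aggregate agg-5m 5000000 8000 exceed-action drop
!
ip access-list extended web-acl
 permit tcp any any eq 80
ip access-list extended ftp-acl
 permit tcp any any eq 21
!
class-map match-all web-in
 match access-group name web-acl
class-map match-all ftp-in
 match access-group name ftp-acl
!
! Both classes draw from the same token bucket: web and ftp together cannot exceed 5 Mbps.
! Any other policy map that tried to reference agg-5m would be rejected.
policy-map in-shared
 class web-in
  police aggregate agg-5m
 class ftp-in
  police aggregate agg-5m
!
! The aggregate spans the classes on this one port only
interface fastethernet0/3
 service-policy input in-shared
!
! Verification (privileged EXEC):
! show policy-map interface fastethernet0/3
```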
Step 3 class {class-map-name | class-default}
Enter a class-map name or class-default, and enter policy-map class configuration mode.
• For class-map-name, specify the name of the class map.
• Enter class-default to match all unclassified packets.
If you enter a class-map name, you must have already created the class map by using the class-map global configuration command.

Configuring Output Policy Maps

You use output policy maps to manage congestion avoidance, queuing, and scheduling of packets leaving the switch. The switch has four egress queues, and you use output policy maps to control the queue traffic. You configure shaping, queue-limit, and bandwidth on these queues. You can use high priority (class-based priority queuing).

• You can attach only one output policy map per port.
• The maximum number of policy maps configured on the switch is 256.

Step 4 bandwidth {rate | percent value | remaining percent value}
Set output bandwidth limits for the policy-map class.
• Enter a rate to set bandwidth in kilobits per second. The range is from 64 to 1000000.
• Enter percent value to set bandwidth as a percentage of the total bandwidth. The range is 1 to 100 percent.
• Enter remaining percent value to set bandwidth as a percentage of the remaining bandwidth. The range is 1 to 100 percent.

Configuring Output Policy Maps with Class-Based Shaping

You use the shape average policy-map class configuration command to configure traffic shaping. Class-based shaping is a control mechanism that is applied to classes of traffic leaving an interface and uses the shape average command to limit the rate of data transmission used for the committed information rate (CIR) for the class.

This example shows how to configure traffic shaping for outgoing traffic on a Fast Ethernet port so that outclass1, outclass2, and outclass3 get a maximum of 50, 20, and 10 Mbps of the available port bandwidth. The class class-default gets the remaining bandwidth.

Step 11 show policy-map [policy-map-name [class class-map-name]]
Verify your entries.

Step 12 copy running-config startup-config
(Optional) Save your entries in the configuration file.

After you have created the hierarchical output policy map, you attach it to an egress port. See the "Attaching a Traffic Policy to an Interface" section on page 30-35.
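Class-based shaping and the port shaper combined into one hierarchical output policy, as an added example that is not the guide's own configuration. It covers both the per-class shaping and the port-shaping sections above: a child policy caps three classes at 50, 20 and 10 Mbps, and a parent policy containing only class-default shapes the whole port to 90 Mbps and delegates scheduling inside that 90 Mbps to the child. The class and policy names, the assumption that the classes match QoS groups set at ingress, and port fastethernet0/6 are assumptions.

```cisco
! Added example, not from the original guide. Names and QoS group numbers are assumed.
!
class-map match-all outclass1
 match qos-group 1
class-map match-all outclass2
 match qos-group 2
class-map match-all outclass3
 match qos-group 3
!
! Child policy: shape average is a ceiling, not a guarantee; rates are in bps
policy-map shape-classes
 class outclass1
  shape average 50000000
 class outclass2
  shape average 20000000
 class outclass3
  shape average 10000000
!
! Parent (port shaper): only class-default is allowed here. It limits the port to 90 Mbps
! and hands the distribution of that 90 Mbps to the child policy.
policy-map port-shape
 class class-default
  shape average 90000000
  service-policy shape-classes
!
! Attach the parent, not the child, to the egress port (one output policy per port)
interface fastethernet0/6
 service-policy output port-shape
!
! Verification (privileged EXEC); both levels appear in the output:
! show policy-map interface fastethernet0/6
```

The child rates add up to 80 Mbps, under the 90 Mbps parent ceiling; class-default traffic inside the child takes whatever of the 90 Mbps the three shaped classes leave unused.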
Beginning in privileged EXEC mode, follow these steps to configure a strict priority queue:

Step 1 configure terminal
Enter global configuration mode.

Step 2 class-map class-map-name
Create classes for three egress queues. Enter the match conditions (classification) for each class.

Step 3 policy-map policy-map-name
Create a policy map by entering the policy map name, and enter policy-map configuration mode.

This example shows how to configure the class out-class1 as a strict priority queue so that all packets in that class are sent before any other class of traffic. Other traffic queues are configured so that out-class2 gets 50 percent of the remaining bandwidth and out-class3 gets 20 percent of the remaining bandwidth. The class class-default receives the remaining 30 percent with no guarantees.

Step 6 police {rate-bps | cir cir-bps}
Define a policer for the priority class of traffic.
Note When you use the police command with the priority command in an output policy, the police rate range and the cir range is 64000 to 1000000000 bps, even though the range that appears in the CLI help is 8000 to 1000000000.

Step 7 conform-action [transmit] exceed-action [drop]

Step 11 bandwidth {rate | percent value}
or shape average target-bps
Set output bandwidth limits for the policy-map class in kilobits per second (the range is 64 to 1000000) or as a percentage of the total bandwidth (the range is 1 to 100 percent), or specify the average class-based shaping rate in bits per second (the range is 64000 to 1000000000).

Step 12 exit
Return to policy-map configuration mode.
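The two priority-queue forms that this procedure and the earlier Priority Queuing discussion describe, written out side by side as an added example (not configuration from the guide). The first policy polices the priority class, which is what allows the other classes to receive absolute kbps guarantees; the second has no policer on the priority class, so the other classes can only share what is left through bandwidth remaining percent. Both policies define the same three classes with the same priority class, which the restrictions on output policies require. Class names, QoS group numbers, rates, and ports fastethernet0/4 and 0/5 are assumptions.

```cisco
! Added example, not from the original guide. Names, groups, rates and ports are assumed.
!
class-map match-all voice-out
 match qos-group 1
class-map match-all video-out
 match qos-group 2
class-map match-all data-out
 match qos-group 3
!
! Form 1: priority with police. The priority queue is capped at 20 Mbps (range with
! priority is 64000 to 1000000000 bps); excess is dropped, so the remaining queues can be
! given minimum rates in kbps. class-default gets whatever port bandwidth is left.
policy-map out-prio-policed
 class voice-out
  priority
  police 20000000
   conform-action transmit
   exceed-action drop
 class video-out
  bandwidth 50000
 class data-out
  bandwidth 20000
!
! Form 2: priority without police. The priority queue may take the whole port, so the
! other queues can only be configured with bandwidth remaining percent.
policy-map out-prio-shared
 class voice-out
  priority
 class video-out
  bandwidth remaining percent 50
 class data-out
  bandwidth remaining percent 20
 class class-default
  bandwidth remaining percent 30
!
! One output policy per port; voice-out is the single priority class in both policies
interface fastethernet0/4
 service-policy output out-prio-policed
interface fastethernet0/5
 service-policy output out-prio-shared
```

Form 2 is the one to be careful with on a customer-facing UNI: a subscriber who can mark traffic into the priority class can starve every other queue on that port unless the input policy polices or remarks what lands in QoS group 1.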
Configuring Output Policy Maps with Weighted Tail Drop

Weighted tail drop (WTD) adjusts the queue size (buffer size) associated with a traffic class. You configure WTD by using the queue-limit policy-map class configuration command. Follow these guidelines when configuring WTD:
• Configuring WTD with the queue-limit command is supported only when you first configure a scheduling action, such as bandwidth, shape average, or priority.

Step 5 queue-limit [cos value | dscp value | precedence value | qos-group value] number-of-packets [packets]
Specify the queue size for the traffic class.
• (Optional) For cos value, specify a CoS value. The range is from 0 to 7.
• (Optional) For dscp value, specify a DSCP value. The range is from 0 to 63.
• (Optional) For precedence value, specify an IP precedence value. The range is from 0 to 7.
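A WTD configuration following the thresholds discussed in the Congestion Avoidance section (DSCP 30 and 50 at 32 and 64 packets, DSCP 40 and 60 at the 112-packet maximum), as an added example that is not the guide's own. It observes both guidelines: a scheduling action (bandwidth) precedes queue-limit, and the queue-limit qualifier (dscp) is the same qualifier the class map matches on. The class and policy names, the 40/60 bandwidth split, and port fastethernet0/7 are assumptions.

```cisco
! Added example, not from the original guide. Names, split and port are assumed.
!
! One match entry listing several DSCP values keeps the class map match-all
class-map match-all wtd-class
 match ip dscp 30 40 50 60
!
policy-map out-wtd
 class wtd-class
  ! scheduling action first; queue-limit is rejected without one
  bandwidth percent 40
  ! DSCP 30 is tail-dropped once 32 packets are queued, DSCP 50 at 64 packets
  queue-limit dscp 30 32
  queue-limit dscp 50 64
  ! DSCP 40 and 60 keep the full 112-packet queue
  queue-limit dscp 40 112
  queue-limit dscp 60 112
 class class-default
  bandwidth percent 60
!
interface fastethernet0/7
 service-policy output out-wtd
!
! Verification (privileged EXEC); per-threshold drops appear here under congestion:
! show policy-map interface fastethernet0/7
```

The effect is a drop precedence within one queue: under congestion DSCP 30 traffic is discarded first, then DSCP 50, while DSCP 40 and 60 are only dropped when the queue is completely full.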
Displaying QoS Information

To display QoS information, use one or more of the privileged EXEC commands in Table 30-2. For explanations about available keywords, see the command reference for this release.

Table 30-2 Commands for Displaying Standard QoS Information
show class-map [class-map-name]
Display QoS class-map information for all class maps or the specified class map.

Configuration Examples for Policy Maps

This section includes configuration examples for configuring QoS policies on the Cisco ME switch, including configuration limitations and restrictions. The sections cover the different configuration actions that a customer might perform. Each section provides the exact sequence of steps that you must follow for successful configuration or modification.

This example configures classes for input service policies and defines three classes of service: gold, silver, and bronze. Because a match-all classification (the default) can have only a single classification criterion, the match-any classification is used so that you can add classification criteria in the future.

This example configures a second output service policy to be applied to Fast Ethernet UNIs 1 to 8, providing strict priority to the gold class and distributing the remaining bandwidth in the desired proportions over the remaining classes.

This example configures a third output service policy to be attached to Fast Ethernet UNIs 9 through 12, providing a minimum guaranteed bandwidth of 50 Mbps to the gold class, 20 Mbps to the silver class, and 10 Mbps to the bronze class:

Switch(config)# policy-map output9-12
Switch(config-pmap)# class gold-out
Switch(config-pmap-c)# bandwidth 50000
Switch(config-pmap-c)# exit
Switch(config-pmap)# class silver-out
Switch(config-pmap-c)# band

Modifying Output Policies and Changing Queuing or Scheduling Parameters

This section provides examples of updating an existing set of output policy maps to modify the parameters of the configured queuing and scheduling actions. The modification in the output policy map might be required due to a change in the service provisioning requirements. You can make the change without shutting down any port.

• Reattach the output policy to the appropriate ports.
• Take the ports out of the shutdown state.

Note these restrictions for configuring output policies:
• You can define up to three classes in the output policy map.
• The defined classes must be the same as in the other output policy maps.
• The number of defined classes in each output policy map must be the same.

This is the overall sequence of configuration:
• Shut down all active ports.
• Detach the output policies from all Fast Ethernet and Gigabit Ethernet ports.
• Delete the class.
• Reattach the output policies to the Fast Ethernet and Gigabit Ethernet ports.
• Take the Fast Ethernet and Gigabit Ethernet ports out of the shutdown state.

These steps activate all applicable Fast Ethernet and Gigabit Ethernet ports:

Switch(config)# interface range gigabitethernet0/1-2, fastethernet0/1-12
Switch(config-if-range)# no shutdown
Switch(config-if-range)# exit

You should use the same procedure when adding a class to an attached output service policy.

Note Problems can occur if you do not follow the previous sequence.
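The whole shut-down, detach, delete, reattach, no-shutdown sequence above in one place, as an added example that is not the guide's own (only the final activation step is shown in the guide). It removes one class from every attached output policy, keeping the class set identical across all output policy maps as the restrictions require. The policy names output1-8, output9-12 and output-gig, the class name bronze-out, and the port-to-policy assignment are assumptions.

```cisco
! Added example, not from the original guide. Policy, class and port assignments are assumed.
!
! 1. Shut down every port that carries an output policy
interface range gigabitethernet0/1-2, fastethernet0/1-12
 shutdown
!
! 2. Detach the output policies (each port has at most one)
interface range fastethernet0/1-8
 no service-policy output output1-8
interface range fastethernet0/9-12
 no service-policy output output9-12
interface range gigabitethernet0/1-2
 no service-policy output output-gig
!
! 3. Delete the class from every output policy map, so that all of them still define the
!    same classes and the same number of classes
policy-map output1-8
 no class bronze-out
policy-map output9-12
 no class bronze-out
policy-map output-gig
 no class bronze-out
!
! 4. Reattach the policies
interface range fastethernet0/1-8
 service-policy output output1-8
interface range fastethernet0/9-12
 service-policy output output9-12
interface range gigabitethernet0/1-2
 service-policy output output-gig
!
! 5. Bring the ports back up
interface range gigabitethernet0/1-2, fastethernet0/1-12
 no shutdown
!
! Verification (privileged EXEC):
! show policy-map interface
```

Adding a class uses the same five steps with class bronze-out re-created (and given its scheduling action) in every output policy map at step 3.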
Chapter 31 Configuring EtherChannels

This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the Cisco ME 3400 Ethernet Access switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels

EtherChannel Overview

An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link, as shown in Figure 31-1.

You can configure an EtherChannel in one of these modes: Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or On mode. PAgP and LACP are available only on NNIs. Configure both ends of the EtherChannel in the same mode:
• When you configure one end of an EtherChannel in either PAgP or LACP mode, the system negotiates with the other end of the channel to determine which ports should become active.

Figure 31-2 Relationship of Physical Ports, Logical Port Channels, and Channel Groups (physical ports are bound to a logical port-channel interface through a channel group)

After you configure an EtherChannel, configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to the physical port affect only the port to which you apply the configuration.

PAgP Modes

Table 31-1 shows the user-configurable EtherChannel PAgP modes for the channel-group interface configuration command on an NNI.

Table 31-1 EtherChannel PAgP Modes
auto
Places a port into a passive negotiating state in which the port responds to PAgP packets it receives but does not start PAgP packet negotiation. This setting minimizes the transmission of PAgP packets.

Link Aggregation Control Protocol

LACP is defined in the IEEE 802.3ad standard and enables Cisco switches to manage Ethernet channels between switches that conform to the standard. LACP facilitates the automatic creation of EtherChannels by exchanging LACP packets between Ethernet ports.

Note LACP is available only on NNIs.

EtherChannel On Mode

EtherChannel on mode can be used to manually configure an EtherChannel. The on mode forces a port to join an EtherChannel without negotiations. It can be useful if the remote device does not support PAgP or LACP. With the on mode, a usable EtherChannel exists only when both ends of the link are configured in the on mode.

Note For UNIs, the only available mode is on.

With destination-IP-address-based forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the EtherChannel based on the destination IP address of the incoming packet. Therefore, to provide load balancing, packets from the same IP source address sent to different IP destination addresses could be sent on different ports in the channel.

Configuring EtherChannels

These sections contain this configuration information:
• Default EtherChannel Configuration, page 31-9
• EtherChannel Configuration Guidelines, page 31-10
• Configuring Layer 2 EtherChannels, page 31-11 (required)
• Configuring Layer 3 EtherChannels, page 31-13 (required)
• Configuring EtherChannel Load Balancing, page 31-16 (optional)
• Configuring the PAgP Learn Method and Priority, page 31-17 (optional)

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems. Follow these guidelines to avoid configuration problems:
• Do not try to configure more than 48 EtherChannels on the switch.
• Configure a PAgP EtherChannel including only NNIs.
• Configure a LACP EtherChannel including only NNIs.
• For Layer 2 EtherChannels:
– Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different native VLANs cannot form an EtherChannel.
– If you configure an EtherChannel from trunk ports, verify that the trunking mode is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.

Step 4 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48.
Note For UNIs, the only available mode is on.
For mode, select one of these keywords:
• auto—Enables PAgP only if a PAgP device is detected.

This example shows how to configure an EtherChannel.

Step 6 end
Return to privileged EXEC mode.

Step 7 show etherchannel channel-group-number detail
Verify your entries.

Step 8 copy running-config startup-config
(Optional) Save your entries in the configuration file.

Step 9 Assign an Ethernet port to the Layer 3 EtherChannel. For more information, see the "Configuring the Physical Interfaces" section on page 31-14.

Step 5 channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the "Creating Port-Channel Logical Interfaces" section on page 31-13.

This example shows how to configure an EtherChannel.
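A Layer 3 EtherChannel following the two-part procedure above (logical port-channel interface first, then the physical members), as an added example that is not the guide's own. The channel-group number on the members must equal the port-channel number, and because PAgP is used the members must be NNIs. The port-channel number, the 192.0.2.0/30 address, the member ports fastethernet0/11-12 and the PAgP desirable mode are assumptions; routing requires the metro IP access image.

```cisco
! Added example, not from the original guide. Number, address, ports and mode are assumed.
!
! 1. Create the logical interface first and give it the Layer 3 configuration
interface port-channel 2
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! 2. Physical members: NNIs (PAgP is not available on UNIs), routed (no switchport),
!    no IP address of their own, same channel-group number as the port-channel
interface range fastethernet0/11-12
 port-type nni
 no switchport
 no ip address
 channel-group 2 mode desirable
!
! Verification (privileged EXEC):
! show etherchannel 2 detail
! show pagp neighbor
```

Later Layer 3 changes (address, routing protocol membership) go on interface port-channel 2 and are inherited by both members; per-port settings such as speed stay on the physical interfaces.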
Configuring the PAgP Learn Method and Priority

Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports. The learn method must be configured the same at both ends of the link.

Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.

Step 1 configure terminal
Enter global configuration mode.

Step 2 interface interface-id
Specify the port for transmission, and enter interface configuration mode.

Note LACP is available only on NNIs.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.

To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.

Configuring the LACP Port Priority

By default, all ports use the same port priority.
Chapter 31 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Displaying EtherChannel, PAgP, and LACP Status To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 31-4: Table 31-4 Commands for Displaying EtherChannel, PAgP, and LACP Status Command Description show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | protocol | summary} Displ
Chapter 31 Configuring EtherChannels Displaying EtherChannel, PAgP, and LACP Status Cisco ME 3400 Ethernet Access Switch Software Configuration Guide 31-22 78-17058-01
C H A P T E R 32 Configuring IP Unicast Routing This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the Cisco ME 3400 Ethernet Access switch. Note Routing is supported only on switches that are running the metro IP access image. For more detailed IP unicast configuration information, see the Cisco IOS IP Configuration Guide, Release 12.
Chapter 32 Configuring IP Unicast Routing Understanding IP Routing Understanding IP Routing In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
Chapter 32 Configuring IP Unicast Routing Steps for Configuring Routing • Routers using link-state protocols maintain a complex database of network topology, based on the exchange of link-state advertisements (LSAs) between routers. LSAs are triggered by an event in the network, which speeds up the convergence time or time required to respond to these changes. Link-state protocols respond quickly to topology changes, but require greater bandwidth and more resources than distance-vector protocols.
Chapter 32 Configuring IP Unicast Routing Configuring IP Addressing Configuring IP Addressing A required task for configuring IP routing is to assign IP addresses to Layer 3 network interfaces to enable the interfaces and allow communication with the hosts on those interfaces that use IP. These sections describe how to configure various IP addressing features. Assigning IP addresses to the interface is required; the other procedures are optional.
Chapter 32 Configuring IP Unicast Routing Configuring IP Addressing Table 32-1 Default Addressing Configuration (continued) Feature Default Setting IRDP Disabled. Defaults when enabled: • Broadcast IRDP advertisements. • Maximum interval between advertisements: 600 seconds. • Minimum interval between advertisements: 0.75 times max interval • Preference: 0. IP proxy ARP Enabled. IP routing Disabled. IP subnet-zero Disabled.
Chapter 32 Configuring IP Unicast Routing Configuring IP Addressing Use of Subnet Zero Subnetting with a subnet address of zero is strongly discouraged because of the problems that can arise if a network and a subnet have the same addresses. For example, if network 131.108.0.0 is subnetted as 255.255.255.0, subnet zero would be written as 131.108.0.0, which is the same as the network address. You can use the all ones subnet (131.108.255.
Chapter 32 Configuring IP Unicast Routing Configuring IP Addressing In Figure 32-3, the router in network 128.20.0.0 is connected to subnets 128.20.1.0, 128.20.2.0, and 128.20.3.0. If the host sends a packet to 120.20.4.1, because there is no network default route, the router discards the packet. Figure 32-3 No IP Classless Routing 128.0.0.0/8 128.20.4.1 128.20.0.0 Bit bucket 128.20.1.0 128.20.3.0 128.20.4.1 Host 45748 128.20.2.
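The forwarding decision of Figure 32-3, as an added Python example that is not part of the Cisco guide: the routing table is constructed from the figure (the three known subnets of 128.20.0.0 plus a less specific route to 128.0.0.0/8), the interface names are hypothetical, and the ip classless setting is modelled as a flag.

```python
"""Forwarding decision of Figure 32-3 with and without "ip classless".

Added example, not part of the Cisco guide. The routing table is constructed
from the figure: the router sits in major network 128.20.0.0 and knows the
subnets 128.20.1.0, 128.20.2.0 and 128.20.3.0 plus a less specific route to
128.0.0.0/8. Interface names are hypothetical.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional

# Constructed routing table (prefix -> outgoing interface).
ROUTES: Dict[IPv4Network, str] = {
    ip_network("128.20.1.0/24"): "Fa0/1",
    ip_network("128.20.2.0/24"): "Fa0/2",
    ip_network("128.20.3.0/24"): "Fa0/3",
    ip_network("128.0.0.0/8"): "Gi0/1",  # supernet route, not a subnet of 128.20.0.0
}


def classful_major_network(addr: str) -> IPv4Network:
    """Return the class A/B/C major network that contains addr."""
    first_octet = int(ip_address(addr)) >> 24
    if first_octet < 128:
        prefixlen = 8
    elif first_octet < 192:
        prefixlen = 16
    else:
        prefixlen = 24
    return ip_network(f"{addr}/{prefixlen}", strict=False)


def lookup(dest: str, routes: Dict[IPv4Network, str], classless: bool) -> Optional[str]:
    """Return the outgoing interface for dest, or None if the packet is discarded.

    classless=True  models "ip classless": plain longest-prefix match.
    classless=False models "no ip classless": once the router has any subnet of
    the destination's major network in its table, a destination in that major
    network may only use those subnet routes; a supernet or default route is
    not consulted, so an unknown subnet goes to the bit bucket.
    """
    dst = ip_address(dest)
    matches = [(net, ifname) for net, ifname in routes.items() if dst in net]
    if not classless:
        major = classful_major_network(dest)
        subnet_routes = [net for net in routes if net != major and net.subnet_of(major)]
        if subnet_routes:
            matches = [(net, ifname) for net, ifname in matches if net.subnet_of(major)]
    if not matches:
        return None
    best_net, best_if = max(matches, key=lambda m: m[0].prefixlen)
    return best_if
```

With the figure's destination 128.20.4.1, lookup() returns None under classful behaviour and "Gi0/1" once ip classless is in effect.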
The switch can use these forms of address resolution:
• Address Resolution Protocol (ARP) is used to associate IP addresses with MAC addresses. Taking an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. The IP datagram is then encapsulated in a link-layer frame and sent over the network.
Step 3 - arp ip-address hardware-address type [alias] - (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address.
Step 4 - interface interface-id - Enter interface configuration mode, and specify the interface to configure.
Step 5 - no shutdown - Enable the interface if necessary. By default, UNIs are disabled and NNIs are enabled.
Enable Proxy ARP
By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets.
Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - interface interface-id - Enter interface configuration mode, and specify the Layer 3 interface to configure.
Default Gateway
Another method for locating routes is to define a default router or default gateway. All nonlocal packets are sent to this router, which either routes them appropriately or sends an Internet Control Message Protocol (ICMP) redirect message back, defining which local router the host should use. The switch caches the redirect messages and forwards each packet as efficiently as possible.
Step 5 - ip irdp multicast - (Optional) Send IRDP advertisements to the multicast address (224.0.0.1) instead of IP broadcasts.
Note: This command allows for compatibility with Sun Microsystems Solaris, which requires IRDP packets to be sent out as multicasts. Many implementations cannot receive these multicasts; ensure end-host ability before using this command.
Routers provide some protection from broadcast storms by limiting their extent to the local cable. Bridges (including intelligent bridges), because they are Layer 2 devices, forward broadcasts to all network segments, thus propagating broadcast storms. The best solution to the broadcast storm problem is to use a single broadcast address scheme on a network.
Step 7 - end - Return to privileged EXEC mode.
Step 8 - show ip interface [interface-id] or show running-config - Verify the configuration on the interface or all interfaces.
Step 9 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Use the no ip directed-broadcast interface configuration command to disable translation of directed broadcasts to physical broadcasts.
Step 8 - show ip interface [interface-id] or show running-config - Verify the configuration on the interface or all interfaces.
Step 9 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Use the no ip helper-address interface configuration command to disable the forwarding of broadcast packets to specific addresses.
To be considered for flooding, packets must meet these criteria. (Note that these are the same conditions used to consider packet forwarding using IP helper addresses.)
• The packet must be a MAC-level broadcast.
• The packet must be an IP-level broadcast.
• The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTP packet, or a UDP packet of a type specified by the ip forward-protocol udp global configuration command.
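The three criteria above applied to constructed sample packets, as an added Python example that is not part of the Cisco guide; the packet representation, the interface subnet, and the mapping of the named services to their well-known UDP ports (with ND taken as the IEN-116 Name Service) are assumptions made here.

```python
"""Which received packets are eligible for helper-address forwarding / flooding.

Added example, not part of the Cisco guide. A packet is relayed only if it is
a MAC-level broadcast, an IP-level broadcast, and a UDP packet for one of the
default services named in the guide or for a port added with
"ip forward-protocol udp". Port numbers are the IANA well-known ports for
the named services (an assumption of this example).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet

# TFTP 69, DNS 53, Time 37, NetBIOS name/datagram 137/138, ND (IEN-116) 42, BOOTP 67/68.
DEFAULT_FORWARDED_UDP_PORTS: FrozenSet[int] = frozenset({37, 42, 53, 67, 68, 69, 137, 138})
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    """Minimal constructed view of a received frame."""
    dst_mac: str
    dst_ip: str
    proto: str          # "udp", "tcp", "icmp", ...
    dst_port: int = 0   # transport destination port, 0 when not applicable


def is_ip_broadcast(dst_ip: str, iface_net: IPv4Network) -> bool:
    """Limited broadcast or the directed broadcast of the receiving subnet."""
    addr = ip_address(dst_ip)
    return addr == LIMITED_BROADCAST or addr == iface_net.broadcast_address


def eligible_for_helper(pkt: Packet, iface_net: IPv4Network,
                        extra_ports: FrozenSet[int] = frozenset()) -> bool:
    """Apply the three criteria; a packet failing any one of them is not relayed."""
    if pkt.dst_mac.lower() != BROADCAST_MAC:
        return False                      # not a MAC-level broadcast
    if not is_ip_broadcast(pkt.dst_ip, iface_net):
        return False                      # not an IP-level broadcast
    if pkt.proto != "udp":
        return False                      # only UDP services are relayed
    return pkt.dst_port in DEFAULT_FORWARDED_UDP_PORTS or pkt.dst_port in extra_ports


# Constructed sample traffic received on an interface in 10.1.1.0/24.
IFACE_NET = ip_network("10.1.1.0/24")
SAMPLES: Dict[str, Packet] = {
    "dhcp_discover": Packet(BROADCAST_MAC, "255.255.255.255", "udp", 67),
    "netbios_name": Packet(BROADCAST_MAC, "10.1.1.255", "udp", 137),
    "unicast_dns": Packet("00:11:22:33:44:55", "10.1.1.5", "udp", 53),   # unicast, not relayed
    "syslog_bcast": Packet(BROADCAST_MAC, "255.255.255.255", "udp", 514),  # not a default service
    "tcp_bcast": Packet(BROADCAST_MAC, "255.255.255.255", "tcp", 69),     # wrong transport
}


def classify(samples: Dict[str, Packet], iface_net: IPv4Network,
             extra_ports: FrozenSet[int] = frozenset()) -> Dict[str, bool]:
    """Map each sample name to whether the helper would relay it."""
    return {name: eligible_for_helper(p, iface_net, extra_ports) for name, p in samples.items()}
```

Adding port 514 through extra_ports (the effect of ip forward-protocol udp 514) makes the broadcast syslog sample eligible while the unicast and TCP samples stay excluded.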
Monitoring and Maintaining IP Addressing
When the contents of a particular cache, table, or database have become or are suspected to be invalid, you can remove all its contents by using the clear privileged EXEC commands. Table 32-2 lists the commands for clearing contents.
Table 32-2 Commands to Clear Caches, Tables, and Databases
clear arp-cache - Clear the IP ARP cache and the fast-switching cache.
Step 3 - router ip_routing_protocol - Specify an IP routing protocol. This step might include other commands, such as specifying the networks to route with the network (RIP) router configuration command. For information on specific protocols, see sections later in this chapter and the Cisco IOS IP Configuration Guide, Release 12.2.
Step 4 - end - Return to privileged EXEC mode.
Step 5 - show running-config - Verify your entries.
These sections contain this configuration information:
• Default RIP Configuration, page 32-19
• Configuring Basic RIP Parameters, page 32-19
• Configuring RIP Authentication, page 32-21
• Configuring Summary Addresses and Split Horizon, page 32-21
Default RIP Configuration
Table 32-4 shows the default RIP configuration.
Table 32-4 Default RIP Configuration
Auto summary - Enabled.
Beginning in privileged EXEC mode, follow these steps to enable and configure RIP:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ip routing - Enable IP routing. (Required only if IP routing is disabled.)
Step 3 - router rip - Enable a RIP routing process, and enter router configuration mode.
Step 4 - network network-number - Associate a network with a RIP routing process.
Step 13 - show ip protocols - Verify your entries.
Step 14 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
To turn off the RIP routing process, use the no router rip global configuration command.
To display the parameters and current state of the active routing protocol process, use the show ip protocols privileged EXEC command.
Note: In general, disabling split horizon is not recommended unless you are certain that your application requires it to properly advertise routes.
If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.
Configuring Split Horizon
Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated. This feature can optimize communication among multiple routers, especially when links are broken.
The Cisco implementation conforms to the OSPF Version 2 specifications with these key features:
• Definition of stub areas is supported.
• Routes learned through any IP routing protocol can be redistributed into another IP routing protocol. At the intradomain level, this means that OSPF can import routes learned through EIGRP and RIP. OSPF routes can also be exported into RIP.
Table 32-5 Default OSPF Configuration (continued)
Area - Authentication type: 0 (no authentication). Default cost: 1. Range: Disabled. Stub: No stub area defined. NSSA: No NSSA area defined.
Auto cost - 100 Mbps.
Default-information originate - Disabled. When enabled, the default metric setting is 10, and the external route type default is Type 2.
Configuring Basic OSPF Parameters
Enabling OSPF requires that you create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range.
Beginning in privileged EXEC mode, follow these steps to enable OSPF:
Step 1 - configure terminal - Enter global configuration mode.
Step 4 - ip ospf cost - (Optional) Explicitly specify the cost of sending a packet on the interface.
Step 5 - ip ospf retransmit-interval seconds - (Optional) Specify the number of seconds between link state advertisement transmissions. The range is 1 to 65535 seconds. The default is 5 seconds.
Step 6 - ip ospf transmit-delay seconds - (Optional) Set the estimated number of seconds to wait before sending a link state update packet.
Route summarization is the consolidation of advertised addresses into a single summary route to be advertised by other areas. If network numbers are contiguous, you can use the area range router configuration command to configure the ABR to advertise a summary route that covers all networks in the range.
Note: The OSPF area router configuration commands are all optional.
Configuring Other OSPF Parameters
You can optionally configure other OSPF parameters in router configuration mode.
• Route summarization: When redistributing routes from other protocols as described in the “Using Route Maps to Redistribute Routing Information” section on page 32-73, each route is advertised individually in an external LSA.
Step 4 - area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [trans] [[authentication-key key] | [message-digest-key keyid md5 key]] - (Optional) Establish a virtual link and set its parameters. See the “Configuring OSPF Interfaces” section on page 32-26 for parameter definitions and Table 32-5 on page 32-24 for virtual link defaults.
Step 3 - timers lsa-group-pacing seconds - Change the group pacing of LSAs.
Step 4 - end - Return to privileged EXEC mode.
Step 5 - show running-config - Verify your entries.
Step 6 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
To return to the default value, use the no timers lsa-group-pacing router configuration command.
Table 32-6 Show IP OSPF Statistics Commands
show ip ospf [process-id] - Display general information about OSPF routing processes.
show ip ospf [process-id] database [router] [link-state-id] - Display lists of information related to the OSPF database.
• Arbitrary route summarization.
• EIGRP scales to large networks.
EIGRP has these four basic components:
• Neighbor discovery and recovery is the process that routers use to dynamically learn of other routers on their directly attached networks. Routers must also discover when their neighbors become unreachable or inoperative. Neighbor discovery and recovery is achieved with low overhead by periodically sending small hello packets.
Default EIGRP Configuration
Table 32-7, Part 1 shows the default EIGRP configuration.
Table 32-7, Part 1 Default EIGRP Configuration
Auto summary - Enabled. Subprefixes are summarized to the classful network boundary when crossing classful network boundaries.
Default-information - Exterior routes are accepted and default information is passed between EIGRP processes when doing redistribution.
To create an EIGRP routing process, you must enable EIGRP and associate networks. EIGRP sends updates to the interfaces in the specified networks. If you do not specify an interface network, it is not advertised in any EIGRP update.
Configuring Basic EIGRP Parameters
Beginning in privileged EXEC mode, follow these steps to configure EIGRP.
Configuring EIGRP Interfaces
Other optional EIGRP parameters can be configured on an interface basis.
Beginning in privileged EXEC mode, follow these steps to configure EIGRP interfaces:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - interface interface-id - Enter interface configuration mode, and specify the Layer 3 interface to configure.
Step 3 - no shutdown - Enable the interface if necessary.
Configuring EIGRP Route Authentication
EIGRP route authentication provides MD5 authentication of routing updates from the EIGRP routing protocol to prevent the introduction of unauthorized or false routing messages from unapproved sources.
Beginning in privileged EXEC mode, follow these steps to enable authentication:
Step 1 - configure terminal - Enter global configuration mode.
Monitoring and Maintaining EIGRP
You can delete neighbors from the neighbor table. You can also display various EIGRP routing statistics. Table 32-8 lists the privileged EXEC commands for deleting neighbors and displaying statistics. For explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.
Figure: EBGP, IBGP, and Multiple Autonomous Systems (Routers A, B, C, and D across AS 100 and AS 300, connected by EBGP and IBGP sessions)
BGP Version 4 supports classless interdomain routing (CIDR) so you can reduce the size of your routing tables by creating aggregate routes, resulting in supernets. CIDR eliminates the concept of network classes within BGP and supports the advertising of IP prefixes.
Table 32-9 Default BGP Configuration (continued)
BGP confederation identifier/peers - • Identifier: None configured. • Peers: None identified.
BGP fast external fallover - Enabled.
BGP local preference - 100. The range is 0 to 4294967295, with the higher value preferred.
BGP network - None specified; no backdoor route advertised.
BGP route dampening - Disabled by default.
Table 32-9 Default BGP Configuration (continued)
Neighbor - • Advertisement interval: 30 seconds for external peers; 5 seconds for internal peers. • Change logging: Enabled. • Conditional advertisement: Disabled. • Default originate: No default route is sent to the neighbor. • Description: None. • Distribute list: None defined. • External BGP multihop: Only directly connected neighbors are allowed.
The switch supports the use of private AS numbers, usually assigned by service providers and given to systems whose routes are not advertised to external neighbors. The private AS numbers are from 64512 to 65535. You can configure external neighbors to remove private AS numbers from the AS path by using the neighbor remove-private-as router configuration command.
Use the no router bgp autonomous-system global configuration command to remove a BGP AS. Use the no network network-number router configuration command to remove the network from the BGP table. Use the no neighbor {ip-address | peer-group-name} remote-as number router configuration command to remove a neighbor.
Managing Routing Policy Changes
Routing policies for a peer include all the configurations that might affect inbound or outbound routing table updates. When you have defined two routers as BGP neighbors, they form a BGP connection and exchange routing information.
Step 3 - clear ip bgp {* | address | peer-group-name} soft out - (Optional) Perform an outbound soft reset to reset the inbound routing table on the specified connection. Use this command if route refresh is supported. • Enter an asterisk (*) to specify that all connections be reset. • Enter an IP address to specify the connection to be reset.
Step 4 - show ip bgp or show ip bgp neighbors
9. Prefer the route that can be reached through the closest IGP neighbor (the lowest IGP metric). This means that the router will prefer the shortest internal path within the AS to reach the destination (the shortest path to the BGP next-hop).
10. If the following conditions are all true, insert the route for this path into the IP routing table:
• Both the best route and this route are external.
Step 11 - bgp default local-preference value - (Optional) Change the default local preference value. The range is 0 to 4294967295; the default value is 100. The highest local preference value is preferred.
Step 12 - maximum-paths number - (Optional) Configure the number of paths to be added to the IP routing table. The default is to only enter the best path in the routing table. The range is from 1 to 8.
Configuring BGP Filtering by Neighbor
You can filter BGP advertisements by using AS-path filters, such as the as-path access-list global configuration command and the neighbor filter-list router configuration command. You can also use access lists with the neighbor distribute-list router configuration command. Distribute-list filters are applied to network numbers.
Step 3 - router bgp autonomous-system - Enter BGP router configuration mode.
Step 4 - neighbor {ip-address | peer-group name} filter-list {access-list-number | name} {in | out | weight weight} - Establish a BGP filter based on an access list.
Step 5 - end - Return to privileged EXEC mode.
Step 6 - show ip bgp neighbors [paths regular-expression] - Verify the configuration.
Step 4 - end - Return to privileged EXEC mode.
Step 5 - show ip prefix-list [detail | summary] name [network/len] [seq seq-num] [longer] [first-match] - Verify the configuration by displaying information about a prefix list or prefix list entries.
Step 6 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to create and to apply a community list:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - ip community-list community-list-number {permit | deny} community-number - Create a community list, and assign it a number. • The community-list-number is an integer from 1 to 99 that identifies one or more permit or deny groups of communities.
Beginning in privileged EXEC mode, use these commands to configure BGP peers:
Step 1 - configure terminal - Enter global configuration mode.
Step 2 - router bgp autonomous-system - Enter BGP router configuration mode.
Step 3 - neighbor peer-group-name peer-group - Create a BGP peer group.
Step 4 - neighbor ip-address peer-group peer-group-name - Make a BGP neighbor a member of the peer group.
Step 18 - neighbor {ip-address | peer-group-name} timers keepalive holdtime - (Optional) Set timers for the neighbor or peer group. • The keepalive interval is the time within which keepalive messages are sent to peers. The range is 1 to 4294967295 seconds; the default is 60. • The holdtime is the interval after which a peer is declared inactive after not receiving a keepalive message from it.
Step 4 - aggregate-address address mask as-set - (Optional) Generate AS set path information. This command creates an aggregate entry following the same rules as the previous command, but the advertised path will be an AS_SET consisting of all elements contained in all paths. Do not use this keyword when aggregating many paths because this route must be continually withdrawn and updated.
Step 6 - show ip bgp neighbor or show ip bgp network - Verify the configuration.
Step 7 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Configuring BGP Route Reflectors
BGP requires that all of the IBGP speakers be fully meshed. When a router receives a route from an external neighbor, it must advertise it to all internal neighbors.
Step 6 - end - Return to privileged EXEC mode.
Step 7 - show ip bgp - Verify the configuration. Display the originator ID and the cluster-list attributes.
Step 8 - copy running-config startup-config - (Optional) Save your entries in the configuration file.
Configuring Route Dampening
Route flap dampening is a BGP feature designed to minimize the propagation of flapping routes across an internetwork.
Monitoring and Maintaining BGP
You can remove all contents of a particular cache, table, or database. This might be necessary when the contents of the particular structure have become or are suspected to be invalid. You can display specific statistics, such as the contents of BGP routing tables, caches, and databases. You can use the information to get resource utilization and solve network problems.
Configuring Multi-VRF CE
Virtual Private Networks (VPNs) provide a secure way for customers to share bandwidth over an ISP backbone network. A VPN is a collection of sites sharing a common routing table. A customer site is connected to the service-provider network by one or more interfaces, and the service provider associates each interface with a VPN routing table, called a VPN routing/forwarding (VRF) table.
sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (IBGP).
• Provider routers or core routers are any routers in the service provider network that do not attach to CE devices.
This is the packet-forwarding process in a multi-VRF-CE-enabled network:
• When the switch receives a packet from a VPN, the switch looks up the routing table based on the input policy label number. When a route is found, the switch forwards the packet to the PE.
• When the ingress PE receives a packet from the CE, it performs a VRF lookup.
• Multi-VRF CE lets multiple customers share the same physical link between the PE and the CE. Trunk ports with multiple VLANs separate packets among customers. Each customer has its own VLAN.
• Multi-VRF CE does not support all MPLS-VRF functionality. It does not support label exchange, LDP adjacency, or labeled packets.
• For the PE router, there is no difference between using multi-VRF CE or using multiple CEs.
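The forwarding process and VLAN separation described above, as an added Python example that is not part of the Cisco guide: the routing table consulted for a packet is selected by the VRF bound to the ingress VLAN, so two customers can reuse the same private prefix without their routes mixing. The VRF names, VLAN numbers, prefixes and next hops are constructed for the illustration.

```python
"""Per-VRF route lookup keyed by the ingress VLAN of a multi-VRF CE.

Added example, not part of the Cisco guide. It models the step "look up the
routing table based on the input policy label" with one table per VRF plus
the global table, and shows that a VRF never falls back to another VRF's or
the global table's routes. All names and prefixes below are constructed.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple


class VrfRoutingTables:
    """One routing table per VRF; the global table uses the VRF name None."""

    def __init__(self) -> None:
        self.tables: Dict[Optional[str], Dict[IPv4Network, str]] = {None: {}}
        self.vlan_to_vrf: Dict[int, Optional[str]] = {}

    def bind_vlan(self, vlan: int, vrf: str) -> None:
        """Model of 'ip vrf forwarding <vrf>' on the VLAN's Layer 3 interface."""
        self.tables.setdefault(vrf, {})
        self.vlan_to_vrf[vlan] = vrf

    def add_route(self, vrf: Optional[str], prefix: str, next_hop: str) -> None:
        self.tables.setdefault(vrf, {})[ip_network(prefix)] = next_hop

    def forward(self, ingress_vlan: int, dst: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (vrf, next_hop) for dst, looking only in the ingress VLAN's VRF.

        next_hop is None when that VRF has no route: the packet is dropped
        rather than being routed through another customer's table.
        """
        vrf = self.vlan_to_vrf.get(ingress_vlan)   # unbound VLAN -> global table
        addr = ip_address(dst)
        table = self.tables.get(vrf, {})
        matches = [(net, nh) for net, nh in table.items() if addr in net]
        if not matches:
            return vrf, None
        return vrf, max(matches, key=lambda m: m[0].prefixlen)[1]


def build_example() -> VrfRoutingTables:
    """Two customer VPNs on one trunk, each with its own VLAN (constructed)."""
    t = VrfRoutingTables()
    t.bind_vlan(208, "vpn1")
    t.bind_vlan(118, "vpn2")
    # Overlapping customer address space: the same prefix in both VRFs.
    t.add_route("vpn1", "10.1.0.0/16", "PE-vpn1")
    t.add_route("vpn1", "10.1.5.0/24", "CE1-site-B")
    t.add_route("vpn2", "10.1.0.0/16", "PE-vpn2")
    t.add_route(None, "168.0.0.0/8", "PE-global")   # reachable from the global table only
    return t
```

The same destination 10.1.5.9 resolves to a different next hop depending on which customer VLAN it arrived on, and a VPN packet for the global-only prefix is dropped inside its VRF.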
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Command Purpose Step 4 rd route-distinguisher Create a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and arbitrary number (A.B.C.D:y) Step 5 route-target {export | import | both} route-target-ext-community Create a list of import, export, or import and export route target communities for the specified VRF.
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Use the no router ospf process-id vrf vrf-name global configuration command to disassociate the VPN forwarding table from the OSPF routing process. Configuring BGP PE to CE Routing Sessions Beginning in privileged EXEC mode, follow these steps to configure a BGP PE to CE routing session: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Figure 32-6 Multi-VRF CE Configuration Example Switch A Switch B Switch C VPN1 Switch D VPN1 208.0.0.0 Fast Ethernet 8 Switch H Switch E 108.0.0.0 VPN2 Fast Ethernet 7 CE1 Switch F 118.0.0.0 Fast Ethernet 11 VPN2 PE CE2 Switch J Gigabit Ethernet 1 Global network Switch K Global network 168.0.0.
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config)# interface gigabitethernet1/0/5 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# no ip address Switch(config-if)# exit Switch(config)# interface fastethernet1/0/8 Switch(config-if)# no shutdown Switch(config-if)# switchport access vlan 208 Switch(config-if)# no ip address Switch(config-if)# exit Switch(config)# interface fastethernet1/0/11 Switch(config-if)#
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Switch(config-router)# address-family ipv4 vrf vl1 Switch(config-router-af)# redistribute ospf 1 match internal Switch(config-router-af)# neighbor 38.0.0.3 remote-as 100 Switch(config-router-af)# neighbor 38.0.0.3 activate Switch(config-router-af)# network 8.8.1.0 mask 255.255.255.0 Switch(config-router-af)# end Configuring Switch D Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands.
Chapter 32 Configuring IP Unicast Routing Configuring Multi-VRF CE Router(config-vrf)# exit Router(config)# ip cef Router(config)# interface Loopback1 Router(config-if)# ip vrf forwarding v1 Router(config-if)# ip address 3.3.1.3 255.255.255.0 Router(config-if)# exit Router(config)# interface Loopback2 Router(config-if)# ip vrf forwarding v2 Router(config-if)# ip address 3.3.2.3 255.255.255.0 Router(config-if)# exit Router(config)# interface gigabitthernet1/1/0.
Chapter 32 Configuring IP Unicast Routing Configuring Protocol-Independent Features
This section describes how to configure IP routing protocol-independent features. For a complete description of the IP routing protocol-independent commands in this chapter, see the “IP Routing Protocol-Independent Commands” chapter of the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

detail privileged EXEC command can be useful to debug software-forwarded traffic. To enable CEF on an interface for the software-forwarding path, use the ip route-cache cef interface configuration command.

Command    Purpose
Step 3  maximum-paths maximum
        Set the maximum number of parallel paths for the protocol routing table. The range is from 1 to 8; the default is 4 for most IP routing protocols, but only 1 for BGP.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show ip protocols
        Verify the setting in the Maximum path field.

Table 32-14 Dynamic Routing Protocol Default Administrative Distances (continued)
Route Source    Default Distance
OSPF            110
Internal BGP    200
Unknown         225

Static routes that point to an interface are advertised through RIP, IGRP, and other dynamic routing protocols, whether or not static redistribute router configuration commands were specified for those routing protocols.

When default information is passed through a dynamic routing protocol, no further configuration is required. The system periodically scans its routing table to choose the optimal default network as its default route. In IGRP networks, there might be several candidate networks for the system default. Cisco routers use administrative distance and metric information to set the default route or the gateway of last resort.

Beginning in privileged EXEC mode, follow these steps to configure a route map for redistribution:
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  route-map map-tag [permit | deny] [sequence number]
        Define any route maps used to control redistribution and enter route-map configuration mode.
        map-tag—A meaningful name for the route map.

Command    Purpose
Step 14 set origin {igp | egp as | incomplete}
        Set the BGP origin code.
Step 15 set as-path {tag | prepend as-path-string}
        Modify the BGP autonomous system path.
Step 16 set level {level-1 | level-2 | level-1-2 | stub-area | backbone}
        Set the level for routes that are advertised into the specified area of the routing domain. The stub-area and backbone are OSPF NSSA and backbone areas.

Beginning in privileged EXEC mode, follow these steps to control route redistribution. Note that the keywords are the same as defined in the previous procedure.
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  router {bgp | rip | ospf | eigrp}
        Enter router configuration mode.
Chapter 32 Configuring IP Unicast Routing Configuring Protocol-Independent Features
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.

Enabling PBR
By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on an interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.

Command    Purpose
Step 8  ip policy route-map map-tag
        Enable PBR on a Layer 3 interface, and identify the route map to use. You can configure only one route map on an interface. However, you can have multiple route map entries with different sequence numbers. These entries are evaluated in sequence number order until the first match. If there is no match, packets are routed as usual.

Beginning in privileged EXEC mode, follow these steps to configure passive interfaces:
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  router {bgp | rip | ospf | eigrp}
        Enter router configuration mode.
Step 3  passive-interface interface-id
        Suppress sending routing updates through the specified Layer 3 interface.

Command    Purpose
Step 5  end
        Return to privileged EXEC mode.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no distribute-list in router configuration command to change or cancel a filter. To cancel suppression of network advertisements in updates, use the no distribute-list out router configuration command.

Managing Authentication Keys
Key management is a method of controlling authentication keys used by routing protocols. Not all protocols can use key management. Authentication keys are available for EIGRP and RIP Version 2. Before you manage authentication keys, you must enable authentication. See the appropriate protocol section to see how to enable authentication for that protocol.

Monitoring and Maintaining the IP Network
You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in Table 32-15 to clear routes or display status:

Table 32-15 Commands to Clear IP Routes or Display Route Status
Command    Purpose
clear ip route {network [mask | *]}
        Clear one or more routes from the IP routing table.
C H A P T E R 33 Configuring HSRP
This chapter describes how to use Hot Standby Router Protocol (HSRP) on the Cisco ME 3400 Ethernet Access switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. The switch must be running the metro IP access image to support HSRP.

Understanding HSRP
HSRP provides high network availability by providing redundancy for IP traffic from hosts on networks. In a group of router interfaces, the active router is the router of choice for routing packets; the standby router is the router that takes over the routing duties when an active router fails or when preset conditions are met.

Figure 33-1 Typical HSRP Configuration (figure not reproduced: Router A as the active router and Router B as the standby router present one virtual router to Host A, Host B, and Host C)

Multiple HSRP
The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.

Figure 33-2 MHSRP Load Sharing (figure not reproduced: Router A and Router B, where one router is the active router for group 1 and the standby router for group 2, and the other is the active router for group 2 and the standby router for group 1)
Chapter 33 Configuring HSRP Configuring HSRP
Table 33-1 Default HSRP Configuration (continued)
Feature                            Default Setting
Standby delay                      0 (no delay)
Standby track interface priority   10
Standby hello time                 3 seconds
Standby holdtime                   10 seconds

HSRP Configuration Guidelines
Follow these guidelines when configuring HSRP:
• HSRP can be configured on a maximum of 32 VLAN or routing interfaces.

Command    Purpose
Step 4  no switchport
        If necessary, disable Layer 2 switching on the port to enable the Layer 3 interface.
Step 5  standby [group-number] ip [ip-address [secondary]]
        Create (or enable) the HSRP group using its number and virtual IP address.
        • (Optional) group-number—The group number on the interface for which HSRP is being enabled. The range is 0 to 255; the default is 0.

• The highest number (1 to 255) represents the highest priority (most likely to become the active router).
• When setting the priority, preempt, or both, you must specify at least one keyword (priority, preempt, or both).
• The priority of the device can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.

Command    Purpose
Step 5  standby [group-number] [priority priority] preempt [delay delay]
        Configure the router to preempt, which means that when the local router has a higher priority than the active router, it assumes control as the active router.
        • (Optional) group-number—The group number to which the command applies.
        • (Optional) priority—Enter to set or change the group priority. The range is 1 to 255; the default is 100.
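The priority, preempt, and tracking rules above decide which router in a group is active. The following Python model is an added example, not code from this guide or from Cisco IOS; it applies the rules as the text states them (priority 1 to 255, default 100, the standby track decrement of 10 from Table 33-1, and takeover from a working active router only with preempt and a strictly higher priority). Breaking a priority tie by the higher interface IP address is an assumption about standard HSRP behaviour, not something this page states, as is the absence of a lower clamp on the tracked priority.

```python
"""Model of HSRP active-router election by priority, preempt, and tracking.

Added example, not from the Cisco ME 3400 guide or IOS. Assumptions are
noted in comments; the router names and addresses are constructed.
"""
from dataclasses import dataclass
import ipaddress

TRACK_DECREMENT = 10   # default "standby track interface priority" (Table 33-1)


@dataclass
class HsrpRouter:
    name: str
    ip: str                  # interface address, used only for tie-breaking (assumption)
    priority: int = 100      # "standby priority", 1..255, default 100
    preempt: bool = False    # "standby preempt" configured on this interface
    tracked_up: bool = True  # state of the interface named in "standby track"
    alive: bool = True       # False once the router (or its HSRP interface) fails

    def effective_priority(self) -> int:
        """Configured priority, lowered by the track decrement while the tracked link is down."""
        if not 1 <= self.priority <= 255:
            raise ValueError("HSRP priority must be 1..255")
        # model: no lower clamp on the decremented value
        return self.priority if self.tracked_up else self.priority - TRACK_DECREMENT


def best_candidate(routers):
    """Highest effective priority among live routers; ties go to the higher IP (assumption)."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    return max(live, key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.ip))))


def elect(routers, current_active=None):
    """Return the name of the active router after an election event.

    A working active router keeps the role unless a challenger has preempt
    configured AND a strictly higher effective priority.  If the active
    router has failed, the best remaining candidate takes over.
    """
    if current_active is not None:
        cur = next(r for r in routers if r.name == current_active)
        if cur.alive:
            best = best_candidate(routers)
            if best is cur:
                return cur.name
            if best.preempt and best.effective_priority() > cur.effective_priority():
                return best.name
            return cur.name
    best = best_candidate(routers)
    return best.name if best else None


def scenario():
    """Walk a constructed two-router group through tracking, preemption and failure."""
    a = HsrpRouter("A", "172.20.128.1", priority=110, preempt=True)
    b = HsrpRouter("B", "172.20.128.2", priority=100, preempt=True)
    routers = [a, b]
    history = []
    active = elect(routers);            history.append(active)  # A: higher priority
    a.tracked_up = False                                         # A's tracked link fails: 110 - 10 = 100
    active = elect(routers, active);    history.append(active)  # tie at 100: B may not preempt (not higher)
    b.priority = 105
    active = elect(routers, active);    history.append(active)  # B preempts: 105 > 100
    a.tracked_up = True
    active = elect(routers, active);    history.append(active)  # A preempts back: 110 > 105
    a.alive = False
    active = elect(routers, active);    history.append(active)  # A fails: B takes over
    a.alive = True
    active = elect(routers, active);    history.append(active)  # A returns and, with preempt, retakes the role
    return history


if __name__ == "__main__":
    print(scenario())
```

Because the outcome depends only on the priority each router advertises, the authentication configured in the procedure later in this chapter is what prevents an unintended device on the segment from influencing the election; the model also shows why the guide tells you to configure standby preempt on every MHSRP interface, since without it a returning router never resumes its share of the load.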
Chapter 33 Configuring HSRP Configuring HSRP
Configuring MHSRP
To enable MHSRP and load balancing, you configure two routers as active routers for their groups, with virtual routers as standby routers. This example shows how to enable the MHSRP configuration shown in Figure 33-2. You need to enter the standby preempt interface configuration command on each HSRP interface so that if a router fails and comes back up, the preemption occurs and restores load balancing.

Beginning in privileged EXEC mode, use one or more of these steps to configure HSRP authentication and timers on an interface:
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Enter interface configuration mode, and enter the HSRP interface on which you want to set authentication.
Step 3  no shutdown
        Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.

Enabling HSRP Support for ICMP Redirect Messages
ICMP (Internet Control Message Protocol) redirect messages are automatically enabled on interfaces configured with HSRP. This feature filters outgoing ICMP redirect messages through HSRP, in which the next hop IP address might be changed to an HSRP virtual IP address.
C H A P T E R 34 Configuring IP Multicast Routing
This chapter describes how to configure IP multicast routing on the Cisco ME 3400 Ethernet Access switch. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.

Understanding Cisco’s Implementation of IP Multicast Routing
The switch supports these protocols to implement IP multicast routing:
• Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.

IGMP Version 1
IGMP Version 1 (IGMPv1) primarily uses a query-response model that enables the multicast router and multilayer switch to find which multicast groups are active (have one or more hosts interested in a multicast group) on the local subnet. IGMPv1 has other processes that enable a host to join and leave a multicast group. For more information, see RFC 1112.

PIM Modes
PIM can operate in dense mode (DM), sparse mode (SM), or in sparse-dense mode (PIM DM-SM), which handles both sparse groups and dense groups at the same time.

PIM DM
PIM DM builds source-based multicast distribution trees. In dense mode, a PIM DM router or multilayer switch assumes that all other routers or multilayer switches forward multicast packets for a group.

switches to a statically configured RP that was defined with the ip pim rp-address global configuration command. If no statically configured RP exists, the router or switch changes the group to dense-mode operation. Multiple RPs serve different group ranges or serve as hot backups of each other.

Some multicast routing protocols maintain a separate multicast routing table and use it for the RPF check. However, PIM uses the unicast routing table to perform the RPF check. Figure 34-1 shows port 2 receiving a multicast packet from source 151.10.3.21. Table 34-1 shows that the port on the reverse path to the source is port 1, not port 2.
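The RPF check described above is what stops a multicast packet that arrives on the wrong port from being replicated into the network. The following Python code is an added example, not code from this guide or from the switch software: it performs the check against a small unicast routing table using longest-prefix matching. The routing table is constructed for this example; the page only states that the reverse path to 151.10.3.21 is port 1, so the other prefixes and ports are assumptions.

```python
"""Reverse-path-forwarding (RPF) check against a unicast routing table.

Added example, not from the Cisco ME 3400 guide. A multicast packet is
accepted only when it arrives on the port that the unicast routing table
would use to reach the packet's source; otherwise it is dropped.
"""
import ipaddress
from typing import Optional

# Constructed unicast routing table: (prefix, outgoing port). Only the
# 151.10.0.0/16 -> port 1 relationship is implied by the page.
UNICAST_ROUTES = [
    ("151.10.0.0/16", 1),
    ("151.10.200.0/24", 2),   # more specific route, used to show longest-prefix matching
    ("198.14.32.0/24", 2),
    ("204.1.16.0/24", 3),
    ("0.0.0.0/0", 4),         # default route
]


def rpf_port(source: str, routes=UNICAST_ROUTES) -> Optional[int]:
    """Return the port the unicast table uses to reach `source` (longest prefix wins)."""
    src = ipaddress.IPv4Address(source)
    best = None
    for prefix, port in routes:
        net = ipaddress.IPv4Network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return None if best is None else best[1]


def rpf_check(source: str, in_port: int, routes=UNICAST_ROUTES) -> bool:
    """True when the packet arrived on its RPF interface and may be forwarded."""
    return rpf_port(source, routes) == in_port


def process(packets, routes=UNICAST_ROUTES):
    """Classify constructed (source, group, in_port) packets as 'forward' or 'drop'."""
    return {
        (src, group, port): "forward" if rpf_check(src, port, routes) else "drop"
        for src, group, port in packets
    }


if __name__ == "__main__":
    # Constructed packets: the first reproduces the page's case (source 151.10.3.21 on port 2).
    for key, verdict in process([
        ("151.10.3.21", "224.1.1.1", 2),
        ("151.10.3.21", "224.1.1.1", 1),
        ("151.10.200.5", "224.1.1.1", 2),
    ]).items():
        print(key, verdict)
```

The packet from 151.10.3.21 on port 2 is dropped because the unicast table points back toward port 1, exactly the Figure 34-1 case; the same source on port 1 passes, and the third packet shows that a more specific prefix changes which port counts as the reverse path.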
Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing
These sections contain this configuration information:
• Default Multicast Routing Configuration, page 34-7
• Multicast Routing Configuration Guidelines, page 34-7
• Configuring Basic Multicast Routing, page 34-9 (required)
• Configuring a Rendezvous Point, page 34-10 (required if the interface is in sparse-dense mode, and you want to treat the group as a sparse group)
• Using Auto-RP and

PIMv1 and PIMv2 Interoperability
The Cisco PIMv2 implementation provides interoperability and transition between Version 1 and Version 2, although there might be some minor problems. You can upgrade to PIMv2 incrementally. PIM Versions 1 and 2 can be configured on different routers and multilayer switches within one network. Internally, all routers and multilayer switches on a shared media network must run the same PIM version.

• If you have non-Cisco PIMv2 routers that need to interoperate with Cisco PIMv1 routers and multilayer switches, both Auto-RP and a BSR are required. We recommend that a Cisco PIMv2 device be both the Auto-RP mapping agent and the BSR. For more information, see the “Using Auto-RP and a BSR” section on page 34-20.

Command    Purpose
Step 5  ip pim version [1 | 2]
        Configure the PIM version on the interface. By default, Version 2 is enabled and is the recommended setting. An interface in PIMv2 mode automatically downgrades to PIMv1 mode if that interface has a PIMv1 neighbor. The interface returns to Version 2 mode after all Version 1 neighbors are shut down or upgraded.

Manually Assigning an RP to Multicast Groups
This section explains how to manually configure an RP. If the RP for a group is learned through a dynamic mechanism (such as Auto-RP or BSR), you need not perform this task for that RP. Senders of multicast traffic announce their existence through register messages received from the source’s first-hop router (designated router) and forwarded to the RP.

Command    Purpose
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command. This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.

Adding Auto-RP to an Existing Sparse-Mode Cloud
This section contains some suggestions for the initial deployment of Auto-RP into an existing sparse-mode cloud to minimize disruption of the existing multicast infrastructure. Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional.

Command    Purpose
Step 5  ip pim send-rp-discovery scope ttl
        Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.

Filtering Incoming RP Announcement Messages
You can add configuration commands to the mapping agents to prevent a maliciously configured router from masquerading as a candidate RP and causing problems. Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.

This example shows a sample configuration on an Auto-RP mapping agent that is used to prevent candidate RP announcements from being accepted from unauthorized candidate RPs:
Switch(config)# ip pim rp-announce-filter rp-list 10 group-list 20
Switch(config)# access-list 10 permit host 172.16.5.1
Switch(config)# access-list 10 permit host 172.16.2.1
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.
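To make the effect of the rp-announce-filter concrete, the following Python code is an added example, not code from this guide and not the IOS implementation. It models a mapping agent that accepts an RP-Announce only when the candidate RP address is permitted by the rp-list standard ACL and the announced group range is permitted by the group-list ACL, using first-match semantics with the implicit deny at the end of every standard ACL. ACL 10 uses the two addresses shown in the example above; ACL 20 is constructed here because the page's own ACL 20 is truncated, and checking the group-list against the first address of the announced range is a modelling assumption.

```python
"""Model of an Auto-RP mapping agent applying ip pim rp-announce-filter.

Added example, not from the Cisco ME 3400 guide or IOS. Standard ACL
entries are parsed from IOS-style text; wildcard bits are don't-care bits.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _parse_entry(text):
    """Parse one standard ACL line: 'permit host A', 'permit A WILDCARD', 'deny any'."""
    parts = text.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad ACL action: {action}")
    if parts[1] == "host":
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    if parts[1] == "any":
        return action, 0, ALL_ONES
    addr = int(ipaddress.IPv4Address(parts[1]))
    wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, addr, wild


class StandardAcl:
    """IOS-style standard access list: first matching entry decides, implicit deny at the end."""

    def __init__(self, entries):
        self.entries = [_parse_entry(e) for e in entries]

    def permits(self, address: str) -> bool:
        a = int(ipaddress.IPv4Address(address))
        for action, addr, wild in self.entries:
            care = ~wild & ALL_ONES            # bits that must match (wildcard bits are ignored)
            if (a & care) == (addr & care):
                return action == "permit"
        return False                           # implicit deny


# ACL 10 (rp-list): the two authorized candidate RPs shown in the page's example.
RP_LIST = StandardAcl(["permit host 172.16.5.1", "permit host 172.16.2.1"])
# ACL 20 (group-list), constructed: refuse administratively scoped ranges, permit other multicast.
GROUP_LIST = StandardAcl(["deny 239.0.0.0 0.255.255.255", "permit 224.0.0.0 15.255.255.255"])


def accept_announcement(rp_address: str, group_prefix: str,
                        rp_list=RP_LIST, group_list=GROUP_LIST) -> bool:
    """Mapping-agent decision for one RP-Announce (candidate RP address, advertised group range)."""
    group_net = ipaddress.IPv4Network(group_prefix, strict=False)
    # model: the group-list is evaluated against the first address of the announced range
    return rp_list.permits(rp_address) and group_list.permits(str(group_net.network_address))


def filter_announcements(announcements):
    """Return the accepted (rp, group_prefix) pairs from constructed RP-Announce messages."""
    return [(rp, g) for rp, g in announcements if accept_announcement(rp, g)]


if __name__ == "__main__":
    # Constructed announcements: two legitimate, one from an unauthorized RP, one for a scoped range.
    for item in [("172.16.5.1", "224.0.0.0/4"), ("10.9.9.9", "224.0.0.0/4"),
                 ("172.16.2.1", "239.1.0.0/16"), ("172.16.2.1", "225.2.2.0/24")]:
        print(item, "accepted" if accept_announcement(*item) else "rejected")
```

The rp-list is the control that matters against a rogue candidate RP: an announcement from an address outside ACL 10 is discarded before the group-list is even consulted, so the mapping agent never advertises that device as an RP in its discovery messages.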
Chapter 34 Configuring IP Multicast Routing Configuring IP Multicast Routing
Command    Purpose
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the PIM border, use the no ip pim bsr-border interface configuration command.

Figure 34-2 Constraining PIMv2 BSR Messages (figure not reproduced: a PIMv2 sparse-mode network, with the note "Configure the ip pim bsr-border command on this interface" pointing at the border interface)

Command    Purpose
Step 5  ip multicast boundary access-list-number
        Configure the boundary, specifying the access list you created in Step 2.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the boundary, use the no ip multicast boundary interface configuration command.

This example shows how to configure a candidate BSR, which uses the IP address 172.21.24.18 on a port as the advertised BSR address, uses 30 bits as the hash-mask-length, and has a priority of 10.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip address 172.21.24.18 255.255.255.

Command    Purpose
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove this device as a candidate RP, use the no ip pim rp-candidate interface-id global configuration command. This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain.
Chapter 34 Configuring IP Multicast Routing Configuring Advanced PIM Features
Monitoring the RP Mapping Information
To monitor the RP mapping information, use these commands in privileged EXEC mode:
• show ip pim bsr displays information about the elected BSR.
• show ip pim rp-hash group displays the RP that was selected for the specified group.
• show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).

Figure 34-3 Shared Tree and Source Tree (Shortest-Path Tree) (figure not reproduced; labels: Source, Router A, Router B, RP, Router C, Receiver, with a source tree (shortest path tree) from the Source and a shared tree from the RP)

If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.

Delaying the Use of PIM Shortest-Path Tree
The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 34-3). This change occurs because the ip pim spt-threshold global configuration command controls that timing. The shortest-path tree requires more memory than the shared tree but reduces delay. You might want to postpone its use.

Command    Purpose
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
Chapter 34 Configuring IP Multicast Routing Configuring Optional IGMP Features
These sections contain this configuration information:
• Default IGMP Configuration, page 34-25
• Configuring the Switch as a Member of a Group, page 34-25 (optional)
• Controlling Access to IP Multicast Groups, page 34-26 (optional)
• Changing the IGMP Version, page 34-27 (optional)
• Modifying the IGMP Host-Query Message Interval, page 34-28 (optional)
• Changing the IGMP Query Ti

Beginning in privileged EXEC mode, follow these steps to configure the switch to be a member of a group. This procedure is optional.
Command    Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.
Step 3  no shutdown
        Enable the port, if necessary. By default, UNIs are disabled, and NNIs are enabled.

Command    Purpose
Step 5  exit
        Return to global configuration mode.
Step 6  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list.
        • For access-list-number, specify the access list created in Step 3.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

Command    Purpose
Step 4  ip igmp version {1 | 2}
        Specify the IGMP version that the switch uses.
        Note: If you change to Version 1, you cannot configure the ip igmp query-interval or the ip igmp query-max-response-time interface configuration commands.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show ip igmp interface [interface-id]
        Verify your entries.

Changing the IGMP Query Timeout for IGMPv2
If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command. After that time, if the switch has received no queries, it becomes the querier.

Command    Purpose
Step 5  end
        Return to privileged EXEC mode.
Step 6  show ip igmp interface [interface-id]
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip igmp query-max-response-time interface configuration command.
Chapter 34 Configuring IP Multicast Routing Configuring Optional Multicast Routing Features
These sections describe how to configure optional multicast routing features:
• Configuring sdr Listener Support, page 34-31 (optional)—for MBONE multimedia conference session and set up
• Configuring an IP Multicast Boundary, page 34-32 (optional)—to control bandwidth utilization.

Limiting How Long an sdr Cache Entry Exists
By default, entries are never deleted from the sdr cache. You can limit how long the entry remains active so that if a source stops advertising SAP information, old advertisements are not needlessly kept. Beginning in privileged EXEC mode, follow these steps to limit how long an sdr cache entry stays active in the cache. This procedure is optional.

Figure 34-4 Administratively-Scoped Boundaries (figure not reproduced: Company XYZ with a Marketing scope and an Engineering scope, labelled with the 239.128.0.0/16 and 239.0.0.0/8 ranges)

You can define an administratively-scoped boundary on a routed interface for multicast group addresses. A standard access list defines the range of addresses affected. When a boundary is defined, no multicast data packets are allowed to flow across the boundary from either direction.

Command    Purpose
Step 7  show running-config
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the boundary, use the no ip multicast boundary interface configuration command. This example shows how to set up a boundary for all administratively-scoped addresses:
Switch(config)# access-list 1 deny 239.0.0.0 0.255.255.

Monitoring and Maintaining IP Multicast Routing
You can display information to learn resource utilization and solve network problems. You can also display information about node reachability and discover the routing path your device’s packets are taking through the network.
C H A P T E R 35 Configuring MSDP
This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Cisco ME 3400 Ethernet Access switch. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP.

Understanding MSDP
MSDP Operation
Figure 35-1 shows MSDP operating between two MSDP peers. PIM uses MSDP as the standard mechanism to register a source with the RP of a domain. When MSDP is configured, this sequence occurs. When a source sends its first multicast packet, the first-hop router (designated router or RP) directly connected to the source sends a PIM register message to the RP.

Figure 35-1 MSDP Running Between RP Peers (figure not reproduced; labels: MSDP peer, RP + MSDP peer, MSDP SA, TCP connection, BGP, Peer RPF flooding, Register, Multicast (S,G) Join, PIM DR, Source, Receiver, PIM sparse-mode domain)

MSDP Benefits
MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
Chapter 35 Configuring MSDP Configuring MSDP Configuring MSDP These sections contain this configuration information: • Default MSDP Configuration, page 35-4 • Configuring a Default MSDP Peer, page 35-4 (required) • Caching Source-Active State, page 35-6 (optional) • Requesting Source Information from an MSDP Peer, page 35-8 (optional) • Controlling Source Information that Your Switch Originates, page 35-8 (optional) • Controlling Source Information that Your Switch Forwards, page 35-12 (option
Chapter 35 Configuring MSDP Configuring MSDP Figure 35-2 Default MSDP Peer Network Router C Default MSDP peer ISP C PIM domain SA SA SA 10.1.1.1 Default MSDP peer Default MSDP peer ISP A PIM domain Customer PIM domain 86515 Switch B Router A Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 35 Configuring MSDP Configuring MSDP Step 3 Step 4 Command Purpose ip prefix-list name [description string] | seq number {permit | deny} network length (Optional) Create a prefix list using the name specified in Step 2. ip msdp description {peer-name | peer-address} text • (Optional) For description string, enter a description of up to 80 characters to describe this prefix list. • For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Chapter 35 Configuring MSDP Configuring MSDP Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip msdp cache-sa-state [list access-list-number] Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Chapter 35 Configuring MSDP Configuring MSDP Requesting Source Information from an MSDP Peer Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Chapter 35 Configuring MSDP Configuring MSDP Redistributing Sources SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.
Chapter 35 Configuring MSDP Configuring MSDP Step 3 Command Purpose access-list access-list-number {deny | permit} source [source-wildcard] Create an IP standard access list, repeating the command as many times as necessary. or or access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard Create an IP extended access list, repeating the command as many times as necessary.
Chapter 35 Configuring MSDP Configuring MSDP Filtering Source-Active Request Messages By default, only switches that are caching SA information can respond to SA requests. By default, such a switch honors all SA request messages from its MSDP peers and supplies the IP addresses of the active sources. However, you can configure the switch to ignore all SA requests from an MSDP peer. You can also honor only those SA request messages from a peer for groups described by a standard access list.
Chapter 35 Configuring MSDP Configuring MSDP Controlling Source Information that Your Switch Forwards By default, the switch forwards all SA messages it receives to all its MSDP peers. However, you can prevent outgoing messages from being forwarded to a peer by using a filter or by setting a time-to-live (TTL) value. These methods are described in the next sections.
Step 3
Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Purpose: (Optional) Create an IP extended access list, repeating the command as many times as necessary.
• For access-list-number, enter the number specified in Step 2.
• The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.

Using TTL to Limit the Multicast Data Sent in SA Messages

You can use a TTL value to control what data is encapsulated in the first SA message for every source. Only multicast packets with an IP-header TTL greater than or equal to the ttl argument are encapsulated and sent to the specified MSDP peer. For example, if internal applications send with a TTL of 8 and you set the threshold toward an external peer higher than 8, their data is never carried to that peer in an SA message; traffic that must reach external locations has to be sent with a TTL at or above the threshold.

Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: ip msdp sa-filter in {ip-address | name}
Purpose: Filter all SA messages from the specified MSDP peer.
or
Command: ip msdp sa-filter in {ip-address | name} list access-list-number
Purpose: From the specified peer, pass only those SA messages that pass the IP extended access list.
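The source redistribution filter, the SA-request filter, the inbound and outbound SA filters and the TTL threshold described above, combined on one RP that peers with an RP in another domain. This is an added example, not configuration taken from the guide. The peer address 192.0.2.2, the Loopback0 connect source, the access-list numbers, the internal source range 10.0.0.0/8, the group range in ACL 10 and the TTL threshold of 16 are assumed values, and the ip msdp password command is assumed to be available on this release.

```cisco
! Extended ACL used by the redistribute and SA filters. For MSDP the "source"
! field is the multicast source address and "destination" is the group address.
! Keep administratively scoped (239/8), SSM (232/8) and Auto-RP (224.0.1.39/40)
! groups, and any source in the assumed internal range 10.0.0.0/8, out of
! inter-domain SA exchange.
access-list 111 deny   ip any 239.0.0.0 0.255.255.255
access-list 111 deny   ip any 232.0.0.0 0.255.255.255
access-list 111 deny   ip any host 224.0.1.39
access-list 111 deny   ip any host 224.0.1.40
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 permit ip any any
!
! Standard ACL for SA-request filtering: the only group range this RP answers
! requests for (assumed range).
access-list 10 permit 224.1.0.0 0.0.255.255
!
! External peer, sourced from the loopback so the peer address is stable.
ip msdp peer 192.0.2.2 connect-source Loopback0
! Assumed available on this release: MD5 authentication of the MSDP TCP session.
ip msdp password peer 192.0.2.2 0 example-shared-secret
!
! Redistributing sources: originate SAs only for locally registered sources
! that ACL 111 permits.
ip msdp redistribute list 111
! Filtering SA requests: answer the external peer only for groups in ACL 10.
ip msdp filter-sa-request 192.0.2.2 list 10
! Controlling forwarded SA information: drop matching SAs in both directions.
ip msdp sa-filter in 192.0.2.2 list 111
ip msdp sa-filter out 192.0.2.2 list 111
! Using TTL: encapsulate data in the first SA to this peer only when the
! packet's IP TTL is 16 or more.
ip msdp ttl-threshold 192.0.2.2 16
```

After the configuration is applied, show ip msdp peer 192.0.2.2 reports the filters attached to the peer and show ip msdp sa-cache shows which (S,G) entries survived them; if an internal group still appears in the cache of the external peer, the deny lines in ACL 111 are the first place to look.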
Configuring an MSDP Mesh Group

An MSDP mesh group is a group of MSDP speakers that have fully meshed MSDP connectivity among one another. Any SA messages received from a peer in a mesh group are not forwarded to other peers in the same mesh group. Thus, you reduce SA message flooding and simplify peer-RPF flooding. Use the ip msdp mesh-group global configuration command when there are multiple RPs within a domain.

Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.
Step 2
Command: ip msdp shutdown {peer-name | peer-address}
Purpose: Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down.
Step 3
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show running-config
Purpose: Verify your entries.
Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
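The mesh group, originator-id and peer shutdown commands from this section on one of three RPs inside a single domain. This is an added example rather than configuration from the guide; the peer addresses 10.1.1.2 and 10.1.1.3, the mesh-group name domain-rps, and the assumption that the RPs share an anycast RP address on Loopback1 while each keeps a unique address on Loopback0 are all illustrative.

```cisco
! The three RPs of this domain are fully meshed. SAs learned from one member
! are not re-flooded to the other members, so the flooding and peer-RPF work
! among them disappears. The other two RPs carry the mirror-image configuration.
ip msdp peer 10.1.1.2 connect-source Loopback0
ip msdp peer 10.1.1.3 connect-source Loopback0
ip msdp mesh-group domain-rps 10.1.1.2
ip msdp mesh-group domain-rps 10.1.1.3
!
! Assumed anycast-RP layout: the shared RP address is on Loopback1, so every RP
! would otherwise originate SAs with the same RP address. originator-id makes
! the SAs carry this RP's unique Loopback0 address so peers can RPF-check them.
ip msdp originator-id Loopback0
!
! Take one peer out of service for maintenance; its configuration is retained.
ip msdp shutdown 10.1.1.3
! Return it to service afterwards.
no ip msdp shutdown 10.1.1.3
```

show ip msdp peer 10.1.1.3 shows the peer in the administratively shut down state while the shutdown is in effect, and show ip msdp summary lists the mesh-group membership of every peer.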
Monitoring and Maintaining MSDP

To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 35-1.

Table 35-1 Commands for Monitoring and Maintaining MSDP
Command: debug ip msdp [peer-address | name] [detail] [routes]
Purpose: Debugs MSDP activity.
Command: debug ip msdp resets
Purpose: Debugs MSDP peer reset reasons.
C H A P T E R 36 Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the Cisco ME 3400 switch. You can use the command-line interface (CLI) to identify and solve problems. Additional troubleshooting information related to hardware is provided in the hardware installation guide.

Recovering from Corrupted Software By Using the Xmodem Protocol

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, or by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.
Recovering from a Lost or Forgotten Password

Step 6 Press the break key, and at the same time, reconnect the power cord to the switch. You can release the break key a second or two after the LED above port 1 goes off. Several lines of information about the software appear along with instructions:
The system has been interrupted, or encountered an error during initializion of the flash filesystem.

The Cisco ME switch boot loader uses break-key detection to stop the automatic boot sequence for the password recovery purpose.

Note The break key character is different for each operating system. On a Sun workstation running UNIX, Ctrl-C is the break key. On a PC running Windows XP or 2000, Ctrl-Break is the break key.

• If you see a message that begins with this:
The password-recovery mechanism has been triggered, but is currently disabled.
proceed to the "Procedure with Password Recovery Disabled" section on page 36-7, and follow the steps.
Step 7 At the switch prompt, enter privileged EXEC mode:
Switch> enable
Step 8 Rename the configuration file to its original name:
Switch# rename flash:config.text.old flash:config.text
Step 9 Copy the configuration file into memory:
Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts.
Procedure with Password Recovery Disabled

If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but is currently disabled. Access to the boot loader prompt through the password-recovery mechanism is disallowed at this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
Step 6 Enter global configuration mode:
Switch# configure terminal
Step 7 Change the password:
Switch(config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.
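The whole recovery session for the case where password recovery is enabled, from the boot loader prompt reached in Step 6 through the password change in Step 7 above, as an added illustration that is not copied from the guide. The boot loader commands flash_init, load_helper, dir and boot are the standard Cisco switch boot loader commands and are assumed to be the ones this release uses; the new secret, the management SVI (vlan 1) and the decision to disable the recovery mechanism afterwards are assumptions.

```cisco
! Boot loader prompt, reached with the break key at power-on (Step 6).
switch: flash_init
switch: load_helper
switch: dir flash:
! Hide the saved configuration so the switch boots without its passwords.
switch: rename flash:config.text flash:config.text.old
switch: boot
! Answer "n" to the initial-configuration dialog, then continue as in Steps 7 to 9.
Switch> enable
Switch# rename flash:config.text.old flash:config.text
Switch# copy flash:config.text system:running-config
Switch# configure terminal
Switch(config)# enable secret S3cure-Exampl3
! The restored SVI comes back administratively down; assumed management SVI vlan 1.
Switch(config)# interface vlan 1
Switch(config-if)# no shutdown
Switch(config-if)# exit
! Optional hardening: once recovery is disabled, anyone with console and power
! access can only get to the boot loader by accepting the configuration-erasing
! reset described under "Procedure with Password Recovery Disabled".
Switch(config)# no service password-recovery
Switch(config)# end
Switch# copy running-config startup-config
```

Keep an off-box copy of the configuration before disabling password recovery: the only recovery path left is the reset to the default configuration, which also wipes the VLAN database.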
SFP Module Security and Identification

Cisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the module serial number, the vendor name and ID, a unique security code, and a cyclic redundancy check (CRC). When an SFP module is inserted in the switch, the switch software reads the EEPROM to verify the serial number, vendor name, and vendor ID, and recomputes the security code and CRC.
Using Ping

These sections contain this information:
• Understanding Ping, page 36-10
• Using Ping, page 36-10

Understanding Ping

The Cisco ME switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. The Cisco ME switch also provides the Control Plane Security feature, which by default drops ping response packets received on user network interfaces (UNIs).

All Software Versions

For all software images for the Cisco ME switch, you can use a Layer 3 service policy to enable pings from the switch to a host connected to a UNI.

Note For a switch running the metro IP access image, IP routing is not enabled by default and does not have to be enabled to use a Layer 3 service policy.

IP Routing and SVI

IP routing is supported on UNIs only when the switch is running the metro IP access image. You can use this configuration to enable IP routing and enable pings from an SVI to a host connected to a UNI.
Switch# configure terminal
Switch(config)# ip routing
Switch(config)# int fa0/1
Switch(config-if)# switchport access vlan 2
Switch(config-if)# no shutdown
Switch(config-if)# int vlan 2
Switch(config-if)# ip address 192.168.1.1 255.255.255.

Summary

Keep these guidelines in mind while pinging:
• IP routing is available only with the metro IP access image and is disabled by default.
• To ping a host in a different IP subnetwork from the switch, you must have IP routing configured to route between the subnets, and a static route to the destination might also be appropriate. If you need to enable or configure IP routing, see Chapter 32, "Configuring IP Unicast Routing."
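A Layer 3 service policy of the kind the "All Software Versions" section refers to, opening only ICMP echo on a UNI and policing it so that a customer host cannot use the opening to load the CPU. This is an added example, not configuration from the guide: the ACL, class-map and policy-map names, the police rate and burst (64000 bps, 8000 bytes) and the 255.255.255.0 mask on the SVI are assumed values, and the exact police syntax accepted by this release is an assumption.

```cisco
! Name only the control-plane traffic that should get through on the UNI:
! ICMP echo and echo-reply. Everything else stays under the default
! Control Plane Security drop.
ip access-list extended uni-icmp
 permit icmp any any echo
 permit icmp any any echo-reply
!
class-map match-all uni-icmp-class
 match access-group name uni-icmp
!
! Police what was opened so a host on the UNI cannot flood the switch CPU.
policy-map uni-icmp-policy
 class uni-icmp-class
  police 64000 8000
!
! Same UNI and SVI as the guide's example; ip routing is not required for
! the service policy to take effect.
interface fastethernet0/1
 switchport access vlan 2
 service-policy input uni-icmp-policy
 no shutdown
!
interface vlan 2
 ip address 192.168.1.1 255.255.255.0
 no shutdown
```

With the policy attached, ping 192.168.1.10 from the switch succeeds for a host on fa0/1, and show policy-map interface fastethernet0/1 shows conformed and exceeded counters for the ICMP class; a rising exceeded counter is the signal that something on the UNI is sending far more ICMP than a reachability test needs.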
Using Layer 2 Traceroute

Layer 2 Traceroute Usage Guidelines

These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. CDP is available only on NNIs.
Note For a list of switches that support Layer 2 traceroute, see the "Layer 2 Traceroute Usage Guidelines" section on page 36-14.

Displaying the Physical Path

You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands:
• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]
Note Layer 2 traceroute is

Using IP Traceroute

port-unreachable error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt of a port-unreachable error means that this message was sent by the destination port.

Executing IP Traceroute

Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network:
Command: traceroute ip host
Purpose: Trace the path that packets take through the network.

To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the Ctrl, Shift, and 6 keys, and then press the X key.

Using TDR

These sections contain this information:
• Understanding TDR, page 36-17
• Running TDR and Displaying the Results, page 36-17

Understanding TDR

You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems.
Using Debug Commands

These sections explain how you use debug commands to diagnose and resolve internetworking problems:
• Enabling Debugging on a Specific Feature, page 36-18
• Enabling All-System Diagnostics, page 36-19
• Redirecting Debug and Error Message Output, page 36-19

Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable.

Enabling All-System Diagnostics

Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all

Caution Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
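The way the two cautions above translate into practice: send debug output to the log buffer (and, if needed, to the vty session) instead of the console, scope the debug to one feature and one peer rather than debug all, and turn it off before doing anything else. This is an added session, not one from the guide; the buffer size of 65536 bytes and the MSDP peer address 192.0.2.2 are assumed values.

```cisco
! Keep debug output off the console, where it competes with the session you
! are typing into, and collect it in the in-memory log buffer instead.
Switch# configure terminal
Switch(config)# no logging console
Switch(config)# logging buffered 65536 debugging
! Only if you also want to watch it live on a vty session:
Switch(config)# logging monitor debugging
Switch(config)# end
Switch# terminal monitor
! Scope the debug to one feature and one peer instead of using debug all.
Switch# debug ip msdp 192.0.2.2 detail
! Reproduce the problem, then stop every debug before anything else.
Switch# undebug all
! Read what was captured, and confirm nothing is still running.
Switch# show logging
Switch# show debugging
```

Re-enable console logging (logging console) once the investigation is over, otherwise later error messages that should reach an operator on the console are silently buffered only.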
Using the show platform forward Command

This is an example of the output from the show platform forward command on Gigabit Ethernet port 1 in VLAN 5 when the packet entering that port is addressed to an unknown MAC address. The packet should be flooded to all other ports in VLAN 5.
Switch# show platform forward gigabitethernet0/1 vlan 5 1.1.1 2.2.2 ip 13.1.1.1 13.2.2.

------------------------------------------
Packet 1
Lookup     Key-Used                                    Index-Hit  A-Data
OutptACL   50_0D020202_0D010101-00_40000014_000A0000   01FFE      03000000

Port    Vlan   SrcMac           DstMac           Cos   Dscpv
Gi0/2   0005   0001.0001.0001   0009.43A8.0145

This is an example of the output when the packet coming in on Gigabit Ethernet port 1 in VLAN 5 has a destination MAC address set to the router MAC address in VLAN 5 and the destination IP address unknown.

Using the crashinfo File

The crashinfo file saves information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure, and the file is created the next time you boot the Cisco IOS image after the failure (instead of while the system is failing).
A P P E N D I X A Supported MIBs

This appendix lists the supported management information bases (MIBs) for this release on the Cisco ME 3400 Ethernet Access switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-3

MIB List

Note The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.

• BRIDGE-MIB (RFC1493)
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB
• CISCO-PAE-MIB
• CISCO-PAGP-MIB
• CISCO-PING-MIB
• CISCO-PORT-QOS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-PROCESS-MIB
• CISCO-RTTMON-MIB
• CISCO-SMI-MIB
• CISCO-STACKMAKER-MIB
• CISCO-STP-EXTENSIONS-MIB
• CISCO-SYSLOG-MIB
• CISCO-TC-MIB
• CISCO-TCP-MIB
• CISCO-UDLDP-MIB
• CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB
• CISCO-VLAN-MEMBERSHIP-MIB
• RFC1213-MIB (Functionality is as per the agent capabilities specified in CISCO-RFC1213-CAPABILITY.my.)
• RFC1253-MIB (OSPF-MIB)
• RMON-MIB
• RMON2-MIB
• SNMP-FRAMEWORK-MIB
• SNMP-MPD-MIB
• SNMP-NOTIFICATION-MIB
• SNMP-TARGET-MIB
• SNMPv2-MIB
• TCP-MIB
• UDP-MIB

Using FTP to Access the MIB Files

Note You can also use this URL for a list of supported MIBs for the Cisco ME switch: ftp://nm-tac.cisco.
A P P E N D I X B Working with the Cisco IOS File System, Configuration Files, and Software Images

This appendix describes how to manipulate the Cisco ME 3400 Ethernet Access switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.

Working with the Flash File System

Displaying Available File Systems

To display the available file systems on your switch, use the show file systems privileged EXEC command as shown in this example.

Setting the Default File System

You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands.

Creating and Removing Directories

Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1
Command: dir filesystem:
Purpose: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2
Command: mkdir old_configs
Purpose: Create a new directory.

Some invalid combinations of source and destination exist.

Creating a tar File

To create a tar file and write files into it, use this privileged EXEC command:
archive tar /create destination-url flash:/file-url
For destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create.

This example shows how to display the contents of a switch tar file that is in flash memory:
Switch# archive tar /table flash:me340x-metrobase-tar.122-25.EX.tar
info (219 bytes)
me340x-metrobase-mz.122-25.EX/ (directory)
me340x-metrobase-mz.122-25.EX/html/ (directory)
me340x-metrobase-mz.122-25.EX/html/foo.html (0 bytes)
me340x-metrobase-mz.122-25.EX/me340x-metrobase-mz.122-25.EX.
Working with Configuration Files

This section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command.

Note The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands, so any command already in the running configuration that the file does not override stays in effect.

Copying Configuration Files By Using TFTP

You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage. TFTP carries the file unauthenticated and in cleartext, so use it only across a protected management network.

Step 3 Log into the switch through the console port or a Telnet session.
Step 4 Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download.
When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
• The username set by the ip ftp username username global configuration command if the command is configured.
• Anonymous.

Downloading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:
Step 1 Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using FTP" section on page B-12.

Uploading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:
Step 1 Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using FTP" section on page B-12.
Copying Configuration Files By Using RCP

RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.

• When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. This trust is granted on the basis of the client's source address and the username it presents, with no password, so restrict the .rhosts entry to the switch's management address and keep the RCP server on a protected management network.

This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.

This example shows how to store a startup configuration file on a server:
Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:
Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.
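The FTP counterpart of the RCP example above, with the credentials stored by ip ftp username and ip ftp password rather than embedded in the copy URL, where they would land in the command history and in any terminal logging. This is an added example, not one from the guide; the username cfg-backup, the password, the server path and the file name are assumed values (the server address 172.16.101.101 is the one the guide uses).

```cisco
! Credentials come from the configuration, so the copy URL carries none.
Switch# configure terminal
Switch(config)# ip ftp username cfg-backup
Switch(config)# ip ftp password example-ftp-secret
! Type-7 obfuscation only: anyone who can read the configuration can recover
! the password, so this account should be able to write only to the backup tree.
Switch(config)# service password-encryption
Switch(config)# end
! Upload the running configuration; username and password are taken from above.
Switch# copy system:running-config ftp://172.16.101.101/backups/switch2-confg
! Restore later. Note that this merges into the running configuration and does
! not replace it; copy to startup-config and reload for a clean replacement.
Switch# copy ftp://172.16.101.101/backups/switch2-confg system:running-config
```

Because the same password also protects every later FTP transfer from this switch, including image downloads, treat the backup account as a service account with write access to one directory and nothing else on the server.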
Working with Software Images

You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same switch or to another of the same type. The protocol that you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP.

Note Disregard the stacking_number field in Table B-3. It does not apply to the switch.

Preparing to Download or Upload an Image File By Using TFTP

Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.

Step 3
Command: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
Purpose: Download the image file from the TFTP server to the switch, and overwrite the current image.
Step 4
Command: archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.

Uploading an Image File By Using TFTP

You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.

Preparing to Download or Upload an Image File By Using FTP

You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
Downloading an Image File By Using FTP

You can download a new image file and overwrite the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image. To keep the current image, skip Step 7 and go to Step 8.

Step 8
Command: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Download the image file from the FTP server to the switch, and keep the current image.
• The /leave-old-sw option keeps the old software version after a download.

Uploading an Image File By Using FTP

You can upload an image from the switch to an FTP server. You can later download this image to the same switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded device manager have been installed with the existing image.
Copying Image Files By Using RCP

You can download a switch image from an RCP server or upload the image from the switch to an RCP server. You download a switch image file from a server to upgrade the switch software. You can overwrite the current image with the new one or keep the current image after a download. You upload a switch image file to a server for backup purposes.

Before you begin downloading or uploading an image file by using RCP, do these tasks:
• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the switch has a route to the RCP server. The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets.

Step 6
Command: archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Download the image file from the RCP server to the switch, and overwrite the current image.
Step 7
Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.

The algorithm installs the downloaded image onto the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.

The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the Cisco IOS image, and the web management files. After these files are uploaded, the upload algorithm creates the tar file format.

Caution For the download and upload algorithms to operate properly, do not rename image files.
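An image upgrade over FTP that follows the download algorithm described above: back up the running image with archive upload-sw first, install the new image with /leave-old-sw so the previous version stays on flash as a fallback, and after the reload confirm what booted and where BOOT points. This is an added session, not one from the guide; the FTP account, the server directories and the backup file name are assumed values, the tar file name is the one shown in the archive tar /table example earlier in this appendix, and the server address is the one the guide uses.

```cisco
! Assumed FTP service account; stored here rather than typed into the URL.
Switch# configure terminal
Switch(config)# ip ftp username img-upgrade
Switch(config)# ip ftp password example-ftp-secret
Switch(config)# end
! 1. Back up the running image (needs the device-manager web files to be
!    present, as the upload sections note).
Switch# archive upload-sw ftp://172.16.101.101/backups/me340x-metrobase-backup.tar
! 2. Install the new image into its own version-named directory, keep the old
!    one, and reload onto the new one.
Switch# archive download-sw /leave-old-sw /reload ftp://172.16.101.101/images/me340x-metrobase-tar.122-25.EX.tar
! 3. After the reload, confirm the running version and the BOOT variable.
Switch# show version | include Version
Switch# show boot
Switch# dir flash:
! 4. Only once the new image has been verified in service, reclaim the space
!    on the next upgrade with /overwrite instead of /leave-old-sw.
```

Download the tar file from a Cisco-provided source and compare its published checksum on the server before transferring it; the download algorithm verifies that the archive is well-formed, not that it is the file you intended to install.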
A P P E N D I X C Unsupported Commands in Cisco IOS Release 12.2(25)EX

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the Cisco Metro Ethernet (ME) 3400 Ethernet Access switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
I N D EX ACLs (continued) A applying abbreviating commands ABRs 2-3 on multicast packets 32-24 on routed packets access-class command 28-19 See ACEs access-denied response, VMPS 11-23 access groups time ranges to 28-16 to an interface 28-19 to QoS 30-10 28-20 comments in Layer 2 28-20 compiling Layer 3 28-20 defined access lists 28-1, 28-7 creating and Layer 2 protocol tunneling 9-3 28-21 13-11 28-10 matching criteria host keyword with 802.
Index ACLs (continued) addresses (continued) logging messages MAC extended matching adding and removing defined 28-2 See ARP 28-14 adjacency tables, with CEF 28-2 router ACLs and VLAN map configuration guidelines 28-36 creating defined OSPF 28-9 support for 28-7 32-29 support in hardware 28-21 28-16 types supported CDP 22-1 RIP 32-18 aggregate addresses, BGP 28-2 28-7 See EtherChannel using router ACLs with VLAN maps 28-36 aggregate policers VLAN maps configuration guidelines
Index ARP autonegotiation configuring defined duplex mode 32-8 interface configuration guidelines 1-3, 5-28, 32-8 encapsulation mismatches 32-9 static cache configuration managing autonomous systems, in BGP 5-28 Auto-RP, described 5-28 availability, features 32-49 assured forwarding, DSCP attributes, RADIUS vendor-specific audience 7-31 17-1 bandwidth, QoS, configuring 32-37 for CBWFQ NTP associations 7-36 30-18 QoS, configuring 5-5 QoS, described RADIUS 30-44 30-21 with pol
Index BGP (continued) enabling Border Gateway Protocol See BGP 32-42 monitoring BPDU 32-58 multipath support neighbors, types of path selection filtering 32-42 prefix filtering 32-45 route dampening 32-57 routing domain confederation 32-55 routing session with multi-VRF CE supernets 32-64 32-58 Version 4 16-8 enabling 16-7 1-4 described 16-2 disabling 16-7 enabling 16-6 1-4 1-7 broadcast flooding 32-40 broadcast packets binding database DHCP snooping See DHCP snooping bindin
Index CDP (continued) class maps, QoS Layer 2 protocol tunneling monitoring configuring 13-8 described 22-5 overview See CoS 1-3 transmission timer and holdtime, setting updates 22-2 class selectors, DSCP clearing interfaces 22-2 CEF 30-8 9-24 CLI defined abbreviating commands 32-69 enabling command modes 32-70 child policies, QoS CIDR 30-6 class of service 22-1 support for 30-31, 30-32 described 30-20 2-1 1-3 editing features 32-54 Cisco Configuration Engine enabling a
command modes configuration files (continued) 2-1 commands downloading abbreviating automatically 2-3 no and default preparing 2-4 commands, setting privilege levels community list, BGP community ports 7-8 32-52 12-3 community strings configuring overview using RCP B-16 B-10 B-5 27-15 3-7 specifying the filename 20-5 types and location preparing 1-11 30-56 QoS adding or deleting a class B-9 B-10, B-12, B-15 reasons for B-8 using FTP B-14 using RCP B-17 using TFTP 30-
configuring marking in input policy maps congestion avoidance, QoS connectivity problems DHCP snooping 30-2, 30-24 congestion management, QoS connections, secure remote default configuration (continued) 30-41 DHCP snooping binding database 30-2, 30-18 DNS 7-38 EIGRP 2-9 conventions for examples publication text Flex Links xxxiii HSRP xxxiv corrupted software, recovery steps with Xmodem CoS values 30-7 30-5 counters, clearing interface crashinfo file 9-24 36-22 cryptographic so
default configuration (continued) SPAN STP DHCP-based autoconfiguration (continued) relay support 24-10 support for 14-11 system message logging TACACS+ UDLD See DHCP snooping binding database 5-15 DHCP binding table 7-13 See DHCP snooping binding database 23-4 VLAN, Layer 2 Ethernet interfaces VLANs 11-7 VMPS 11-24 DHCP option 82 11-16 circuit ID suboption default configuration 3-10, 32-11 default networks displaying 32-72 default template overview 30-8 9-19 designing your
DHCP snooping binding database (continued) bindings 18-5 clearing agent statistics 18-12 configuration guidelines 18-8 configuring xxxiii 5-15 Domain Name System See DNS 18-7 dot1q-tunnel switchport mode binding file bindings IEEE 802.
dynamic addresses dynamic ARP inspection (continued) See addresses rate limiting of ARP packets dynamic ARP inspection ARP cache poisoning configuring ARP requests, described ARP spoofing attack described 19-1 19-4 error-disabled state 19-1 clearing 19-15 validation checks, performing 19-15 configuration guidelines 19-12 Dynamic Host Configuration Protocol 19-6 See DHCP-based autoconfiguration configuring ACLs for non-DHCP environments in DHCP environments log buffer dynamic por
environment variables, function of equal-cost routing EtherChannel (continued) 3-16 PAgP 1-7, 32-70 error messages during command entry aggregate-port learners 2-4 EtherChannel compatibility with Catalyst 1900 802.
flow control F 1-2, 9-17 forward-delay time features, incompatible FIB 21-11 MSTP 32-69 STP fiber-optic, detecting unidirectional links 23-1 15-20 14-21 Forwarding Information Base files See FIB copying B-4 FTP crashinfo accessing MIB files description 36-22 configuration files displaying the contents of location deleting A-3 36-22 downloading 36-22 overview B-5 B-13 B-11 preparing the server displaying the contents of B-7 uploading tar B-12 B-14 image files cre
history ICMP ping changing the buffer size described 2-4 disabling 2-5 2-5 executing 36-10 overview 36-10 ICMP Router Discovery Protocol recalling commands See IRDP 2-5 history table, level and number of syslog messages host ports 26-9 IDS appliances and ingress RSPAN configuring kinds of and ingress SPAN 12-12 hosts, limit on dynamic ports See STP 11-28 IEEE 802.
IGMP (continued) IGMP groups deleting cache entries displaying groups fast switching configuring filtering 34-34 setting the maximum number 20-25 IGMP leave timer, configuring 20-10 34-35 34-30 flooded multicast traffic IGMP profile controlling flooding time 20-11 applying disabling on an interface 20-12 configuration mode global leave 20-25 configuring 20-11 query solicitation 20-23 20-24 IGMP snooping 20-11 recovering from flood mode 20-11 and address aliasing host-qu
input policy maps internal BGP classification criteria configuration guidelines configuring See IBGP 30-4 internal neighbors, BGP 30-35 32-42 Internet Control Message Protocol 30-35 displaying statistics See ICMP 30-55 interface Internet Group Management Protocol number See IGMP 9-7 range macros inter-VLAN routing 9-10 interface command 1-7, 32-2 Intrusion Detection System 9-7 interface configuration mode See IDS appliances 2-2 IP ACLs interfaces for QoS classification
IP multicast routing (continued) IP multicast routing (continued) Auto-RP MBONE adding to an existing sparse-mode cloud benefits of described 34-12 clearing the cache preventing candidate RP spoofing setting up in a new internetwork Session Directory (sdr) tool, described 34-14 bootstrap router peering devices 34-35 reverse path check (RPF) 34-17 deleting 34-35 assigning manually configuring 34-9 IP multicast boundary 34-32 default configuration 34-5 RP 34-2 basic multicast
IP routing IP unicast routing connecting interfaces with address resolution 9-7 32-7 disabling 32-18 administrative distances enabling 32-17 ARP IP source guard and 802.
IP unicast routing (continued) reverse address resolution routed ports boundary switch KDC 32-2 steps to configure subnet mask configuring 32-6 credentials 7-32 cryptographic software image 32-14 described 32-3 See also EIGRP operation See also OSPF realm 7-33 See also RIP server 7-33 7-32 7-34 support for IPv4 ACLs applying to interfaces extended, creating terms 28-10 TGT 28-14 standard, creating 7-34 7-32 key distribution center configuring See KDC 32-11 32-11 1-7 I
loop guard Layer 2 traceroute and ARP 36-14 described and CDP 36-14 enabling broadcast traffic described 1-4 36-13 36-14 MAC addresses and VLANs multicast traffic unicast traffic 36-14 36-14 36-14 36-13 usage guidelines Layer 3 features 36-14 5-21 5-20 building the address table 1-7 default configuration 5-20 5-21 disabling learning on a VLAN assigning IP addresses to 32-5 changing from Layer 2 mode discovering 32-5 32-3 displaying 5-27 5-28 5-28 displaying in the IP so
management access modular QoS command-line interface in-band See MQC CLI session SNMP module number 1-4 monitoring 1-4 out-of-band console port connection access groups 1-4 management options CLI BGP 4-1 overview 1-3 marking action with aggregate policers described 30-39 for classification guidelines 22-5 CEF 32-70 EIGRP 32-38 features 1-8 33-11 13-18 IGMP 30-31 filters 28-7 20-28 snooping 30-7 maximum aging time interfaces 20-15 9-22 IP 15-21 address tables 1
monitoring (continued) MSDP (continued) traffic flowing among switches traffic suppression tunneling peers 25-1 configuring a default 21-17 monitoring 13-18 VLAN 35-19 peering relationship, overview filters 28-40 VLANs 11-14 shutting down caching MQC defined 30-3 steps to configure filtering to a peer 35-3 controlling source information forwarded by switch 35-12 originated by switch 35-8 received by switch default configuration 35-19 support for 35-12 35-14 35-19 1-8
MSTP, configuring (continued) root switch MSTP (continued) optional features supported 15-14 secondary root switch switch priority overview 15-16 described enabling 15-3 operations between regions default configuration displaying status described 16-5 enabling enabling 15-15 unexpected behavior extended system ID status, displaying 15-14 effects on secondary root switch unexpected behavior 15-15 Immediate Leave 15-15 leaving 14-10 14-10 20-5 20-8 multicast packets interope
multi-VRF CE network management configuration example configuration guidelines configuring SNMP Network Time Protocol See NTP 32-68 network components NNI 32-61 packet-forwarding process support for configuring 32-61 9-13 described 1-8 MVR 9-3 no commands and address aliasing and IGMPv3 nontrunking mode 20-19 configuring interfaces configuring defined 20-18 example application in the switch stack xxxiv See NSSA NSM 20-22 multicast television application setting global para
NTP (continued) P synchronizing devices 5-6 packet classification time services defined 5-2 synchronizing 30-5 to organize traffic 5-2 30-2 packet marking configuring O defined 30-16 packet policing, for QoS Open Shortest Path First 30-2 PAgP See OSPF optimizing system resources options, management Layer 2 protocol tunneling 6-1 13-9 See EtherChannel 1-3 parallel paths, in routing tables OSPF area parameters, configuring configuring 32-27 parent policies, QoS metrics c
performance features policing 1-2 per-VLAN spanning-tree plus aggregate in input policy maps described See PVST+ PE to CE routing, configuring physical ports priority in output policy maps 9-2 PIM QoS default configuration 30-12 policy-map command 34-4 rendezvous point (RP), described RPF lookups enabling a mode attaching 34-35 30-4, 30-35 configuration examples 34-10 described 34-3 34-24 input 34-21 configuring shortest path tree, delaying the use of 34-23 described spars
port-based authentication, configuring (continued) RADIUS server parameters on the switch Port Fast described 8-12 switch-to-client frame-retransmission number enabling 8-15, 8-16 16-5 support for switch-to-client retransmission time default configuration described 8-15 8-9 MSTP STP 8-19 EAPOL-start frame 8-3 11-5 IEEE 802.
primary VLANs private VLANs (continued) 12-2, 12-3 priority HSRP ports community 33-6 priority command configuration guidelines 30-15 configuring strict priority queuing for QoS scheduling configuring host ports 30-48 30-22 described priority policing, described 30-15 isolated priority queues 30-22 30-18 priority with police commands configuring described private VLANs 12-4 12-2, 12-3 configuration guidelines configuration tasks 12-6, 12-7, 12-8 12-6 12-6 end station access t
QoS, configuration guidelines (continued) Q unconditional priority policing QoS WTD aggregate policers and MQC aggregate policers 30-2 30-44 class maps class-based shaping, described 30-19 classification 30-10 based on DSCP 30-7 based on QoS group 30-8 30-6 queue size 30-6 policy maps, described 30-13 class maps, configuring 30-31 30-58 30-48 30-34 30-60 30-2, 30-24 default configuration 30-2, 30-18 30-27 initial configuration example 30-60 configuration guidelines 30-4
QoS (continued) queries, IGMP packet classification 20-3 query solicitation, IGMP 30-2 20-11 packet marking 30-16 queue bandwidth and queue size, relationship packet policing 30-2 queue-limit command, QoS 30-24, 30-25, 30-53 queue size, QoS, managing 30-24 parent-child hierarchy 30-20 30-25 policers configuring described 30-37, 30-40, 30-51 R 30-12 policing RADIUS aggregate 30-14 described 30-2, 30-12 vendor-proprietary individual 30-13 vendor-specific priority attri
rapid PVST+ report suppression, IGMP 802.
RIP router ACLs advertisements 32-18 authentication configuring 32-21 default configuration 32-31 route targets, VPN 32-22 default RMON displaying status static enabling alarms and events 25-3 32-2 32-73 32-2 routing domain confederation, BGP 32-55 Routing Information Protocol 25-2 See RIP 25-1 statistics routing protocol administrative distances collecting group Ethernet collecting group history support for 25-6 25-5 RSPAN characteristics 24-8 default configuration des
RSTP SDM template active topology configuration guidelines 15-6 BPDU format configuring 15-9 processing 15-10 designated port, defined 6-1 deleting 15-5 topology changes 6-1 12-2 secure MAC addresses restarting migration process overview layer 2 6-2 secondary VLANs 15-6 interoperability with 802.
shape average command, QoS SNMP (continued) 30-18, 30-20, 30-46 shaped round robin configuration examples default configuration See SRR show access-lists hw-summary command 28-21 show and more command output, filtering 2-8 show cdp traffic command groups host 22-5 show configuration command show forward command engine ID 9-16, 9-19 show l2protocol command 13-13, 13-15, 13-16 show platform forward command described 28-19, 28-20, 28-31, 28-33 9-19 See SNMP applying macros 10-4 co
snooping, IGMP Spanning Tree Protocol 20-1 software images See STP location in flash SPAN traffic B-19 recovery procedures speed, configuring on interfaces 36-2 scheduling reloads split horizon, RIP 3-17 tar file format, described source addresses, in IPv4 ACLs configuring 28-11 described standby ip command standby links SPAN destination ports 24-7 displaying status 24-22 interaction with other features monitored ports manually 24-8 session limits 3-14 specific image cle
statistics STP (continued) IEEE 802.
STP (continued) success response, VMPS summer time loop guard described enabling supernet 16-9 modes supported optional features supported and router ACLs 1-4 defined 11-21, 11-22 enabling 9-5 switch console port 16-2 protocols supported 16-3 switched packets, ACLs on See SPAN 14-8 root guard switched ports 9-2 switchport block multicast command 16-3 switchport block unicast command 16-9 root port, defined switchport command 14-3 root switch 21-7 21-7 9-12 switchport m
system clock T See also NTP table maps system message logging default configuration default actions 26-3 defining error message severity levels disabling 26-3 displaying the configuration enabling 26-12 level keywords, described limiting messages message format 30-34 30-12 7-11 authentication, defined 26-9 7-11 authorization, defined 26-2 7-11 configuring setting the display destination device synchronizing log messages 26-7 26-4 26-7 authentication key configuring the daemo
templates, SDM traceroute command 6-2 Terminal Access Controller Access Control System Plus See TACACS+ See also IP traceroute traffic terminal lines, setting a password blocking flooded 7-6 TFTP fragmented downloading traffic marking configuration files in base directory configuring for autoconfiguration 3-6 3-5 uploading 30-18 QoS traffic control 30-19 21-1 trap-door mechanism 3-2 traps B-23 limiting access by servers TFTP server for QoS scheduling traffic suppression B-21 3
trunks unauthorized ports with 802.1x allowed-VLAN list unconditional priority policing 11-17 load sharing configuration guidelines setting STP path costs priority with police 11-21 using STP port priorities configuring 11-19 described 11-21 tunneling defined 13-1 IEEE 802.
uploading (continued) VLAN maps image files applying preparing common uses for B-21, B-24, B-28 reasons for 28-33 28-34 configuration guidelines B-19 using FTP B-27 configuring using RCP B-31 creating 28-31 defined 28-2, 28-5 using TFTP B-23 User Datagram Protocol 28-30 28-29 denying access to a server example denying and permitting packets See UDP user EXEC mode displaying 2-2 username-based authentication 28-35 28-31 28-40 examples of ACLs and VLAN maps 7-7 user n
VLANs (continued) modifying VTP Layer 2 protocol tunneling 11-9 multicast 13-8 20-16 native, configuring normal-range 1-5 weighted tail drop 11-3 See WTD port membership modes static-access ports 11-4 WTD 11-10 STP and 802.
Index Cisco ME 3400 Ethernet Access Switch Software Configuration Guide IN-42 78-17058-01