Cisco IE 2000 Switch Software Configuration Guide
Cisco IOS Release 15.0(1)EY
July 2012
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Preface li
Audience li
Purpose li
Conventions li
Related Publications lii
Obtaining Documentation, Obtaining Support, and Security Guidelines liii

CHAPTER 1 Configuration Overview 1-1
Features 1-1
Feature Software Licensing 1-1
Ease-of-Deployment and Ease-of-Use Features
Performance Features 1-2
Management Options 1-3
Industrial Application 1-4
Manageability Features 1-4
Availability and Redundancy Features 1-5
VLAN Features 1-6
Security Features 1-7
QoS and CoS Features 1-10

Understanding Abbreviated Commands 2-4
No and default Forms of Commands 2-4
CLI Error Messages 2-5
Configuration Logging 2-5
How to Use the CLI to Configure Features 2-6
Configuring the Command History 2-6
Changing the Command History Buffer Size 2-6
Recalling Commands 2-6
Disabling the Command History Feature 2-7
Using Editing Features 2-7
Enabling and Disabling Editing Features 2-7
Editing Commands Through Keystrokes 2-7
Editing Command Lines That Wrap 2-9
Searching and Filtering Output of sho

Monitoring and Maintaining Switch Alarms Status 3-9
Configuration Examples for Switch Alarms 3-10
Configuring External Alarms: Example 3-10
Associating Temperature Alarms to a Relay: Examples 3-10
Creating or Modifying an Alarm Profile: Example 3-10
Setting the FCS Error Hysteresis Threshold: Example 3-11
Configuring a Dual Power Supply: Examples 3-11
Displaying Alarm Settings: Example 3-11
Additional References 3-12
Related Documents 3-12
Standards 3-12
MIBs 3-12
RFCs 3-13
Technical Assistance

Configuring the Client 4-14
Manually Assigning IP Information on a Routed Port 4-14
Manually Assigning IP Information to SVIs 4-15
Modifying the Startup Configuration 4-15
Specifying the Filename to Read and Write the System Configuration 4-15
Manually Booting the Switch 4-16
Booting a Specific Software Image 4-17
Monitoring Switch Setup Configuration 4-17
Verifying the Switch Running Configuration 4-17
Configuration Examples for Performing Switch Setup Configuration 4-18
Retrieving IP Informat

Configuring Cisco IOS Agents 5-7
Enabling CNS Event Agent 5-7
Enabling Cisco IOS CNS Agent and an Initial Configuration 5-8
Enabling a Partial Configuration 5-10
Monitoring and Maintaining Cisco IOS Configuration Engine 5-11
Configuration Examples for Cisco IOS Configuration Engine 5-11
Enabling the CNS Event Agent: Example 5-11
Configuring an Initial CNS Configuration: Examples 5-11
Additional References 5-12
Related Documents 5-12
Standards 5-12
MIBs 5-12
RFCs 5-12
Technical Assistance 5-13

Managing Switch Clusters 6-13
Using the CLI to Manage Switch Clusters 6-13
Using SNMP to Manage Switch Clusters 6-14
Additional References 6-15
Related Documents 6-15
Standards 6-15
MIBs 6-15
RFCs 6-15
Technical Assistance 6-15

CHAPTER 7 Performing Switch Administration 7-1
Finding Feature Information 7-1
Information About Performing Switch Administration 7-1
System Time and Date Management 7-1
System Clock 7-1
Network Time Protocol 7-2
NTP Version 4 7-3
DNS 7-4
Default DNS Configuration 7-4

Configuring Login Banners 7-12
Configuring a Message-of-the-Day Login Banner 7-12
Configuring a Login Banner 7-13
Managing the MAC Address Table 7-13
Changing the Address Aging Time 7-13
Configuring MAC Address Change Notification Traps 7-14
Configuring MAC Address Move Notification Traps 7-15
Configuring MAC Threshold Notification Traps 7-15
Adding and Removing Static Address Entries 7-17
Configuring Unicast MAC Address Filtering 7-17
Disabling MAC Address Learning on a VLAN 7-17
Monitoring and M

Troubleshooting the PTP Configuration 8-4
Additional References 8-4
Related Documents 8-4
Standards 8-4
MIBs 8-4
RFCs 8-5
Technical Assistance 8-5

CHAPTER 9 Configuring PROFINET 9-1
Finding Feature Information 9-1
Restrictions for Configuring PROFINET 9-1
Information About Configuring PROFINET 9-1
PROFINET Device Roles 9-2
PROFINET Device Data Exchange 9-2
How to Configure PROFINET 9-4
Configuring PROFINET 9-4
Default Configuration 9-4
Enabling PROFINET 9-4
Monitoring and Maintaining PR

Standards 10-3
MIBs 10-3
RFCs 10-3
Technical Assistance 10-3

CHAPTER 11 Configuring SDM Templates 11-1
Finding Feature Information 11-1
Prerequisites for Configuring SDM Templates 11-1
Restrictions for Configuring SDM Templates 11-1
Information About Configuring SDM Templates 11-1
SDM Templates 11-1
Dual IPv4 and IPv6 SDM Default Template 11-3
How to Configure the Switch SDM Templates 11-4
Setting the SDM Template 11-4
Monitoring and Maintaining SDM Templates 11-4
Configuration Exam

TACACS+ 12-5
TACACS+ Operation 12-6
Default TACACS+ Configuration 12-7
TACACS+ Server Host and the Authentication Key 12-7
TACACS+ Login Authentication 12-7
TACACS+ Authorization for Privileged EXEC Access and Network Services 12-7
TACACS+ Accounting 12-8
Switch Access with RADIUS 12-8
RADIUS 12-8
RADIUS Operation 12-9
Default RADIUS Configuration 12-10
RADIUS Change of Authorization 12-10
CoA Request Commands 12-12
RADIUS Server Host 12-14
RADIUS Login Authentication 12-15
Radius Method List 12-1

Setting or Changing a Static Enable Password 12-26
Protecting Enable and Enable Secret Passwords with Encryption 12-27
Disabling Password Recovery 12-27
Setting a Telnet Password for a Terminal Line 12-28
Configuring Username and Password Pairs 12-28
Setting the Privilege Level for a Command 12-29
Changing the Default Privilege Level for Lines 12-29
Logging Into and Exiting a Privilege Level 12-30
Configuring TACACS+ 12-30
Identifying the TACACS+ Server Host and Setting the Authentication Key 12-3

Verifying Secure HTTP Connection: Example 12-47
Additional References 12-47
Related Documents 12-47
Standards 12-48
MIBs 12-48
RFCs 12-48
Technical Assistance 12-48

CHAPTER 13 Configuring IEEE 802.1x Port-Based Authentication 13-1
Finding Feature Information 13-1
Restrictions for Configuring IEEE 802.1x Port-Based Authentication 13-1
Information About Configuring IEEE 802.1x Port-Based Authentication 13-1
IEEE 802.

802.1x Authentication with Inaccessible Authentication Bypass 13-22
Support on Multiple-Authentication Ports 13-22
Authentication Results 13-22
Feature Interactions 13-23
802.1x Authentication with Voice VLAN Ports 13-23
802.1x Authentication with Port Security 13-24
802.1x Authentication with Wake-on-LAN 13-24
802.1x Authentication with MAC Authentication Bypass 13-25
802.1x User Distribution 13-26
802.1x User Distribution Configuration Guidelines 13-26
Network Admission Control Layer 2 802.

Configuring an Authenticator and Supplicant 13-47
Configuring an Authenticator 13-47
Configuring a Supplicant Switch with NEAT 13-47
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 13-48
Configuring Downloadable ACLs 13-48
Configuring a Downloadable Policy 13-49
Configuring Open1x 13-50
Resetting the 802.1x Authentication Configuration to the Default Values 13-51
Monitoring and Maintaining IEEE 802.

Host Detection 14-3
Session Creation 14-3
Authentication Process 14-4
Local Web Authentication Banner 14-4
Web Authentication Customizable Web Pages 14-6
Web Authentication Guidelines 14-6
Web-Based Authentication Interactions with Other Features 14-8
Port Security 14-8
LAN Port IP 14-8
Gateway IP 14-9
ACLs 14-9
Context-Based Access Control 14-9
802.

Standards 14-17
MIBs 14-17
RFCs 14-18
Technical Assistance 14-18

CHAPTER 15 Configuring Interface Characteristics 15-1
Finding Feature Information 15-1
Restrictions for Configuring Interface Characteristics 15-1
Information About Configuring Interface Characteristics 15-1
Interface Types 15-1
Port-Based VLANs 15-2
Switch Ports 15-2
Routed Ports 15-3
Access Ports 15-3
Trunk Ports 15-4
EtherChannel Port Groups 15-4
Dual-Purpose Uplink Ports 15-4
Connecting Interfaces 15-5
Using Interface Co

Configuring the System MTU 15-18
Monitoring and Maintaining Interface Characteristics 15-18
Monitoring Interface Status 15-18
Clearing and Resetting Interfaces and Counters 15-19
Shutting Down and Restarting the Interface 15-19
Configuration Examples for Configuring Interface Characteristics
Configuring the Interface Range: Examples 15-20
Configuring Interface Range Macros: Examples 15-20
Setting Speed and Duplex Parameters: Example 15-21
Enabling auto-MDIX: Example 15-21
Adding a Description on

VLANs 17-1
Supported VLANs 17-2
VLAN Port Membership Modes 17-3
Normal-Range VLANs 17-4
Token Ring VLANs 17-5
Normal-Range VLAN Configuration Guidelines 17-6
Default Ethernet VLAN Configuration 17-6
Ethernet VLANs 17-7
VLAN Removal 17-7
Static-Access Ports for a VLAN 17-7
Extended-Range VLANs 17-8
Default VLAN Configuration 17-8
Extended-Range VLAN Configuration Guidelines 17-8
VLAN Trunks 17-9
Trunking Overview 17-9
IEEE 802.

Load Sharing Using STP Port Priorities 17-21
Configuring Load Sharing Using STP Path Cost 17-21
Configuring the VMPS Client 17-22
Entering the IP Address of the VMPS 17-22
Configuring Dynamic-Access Ports on VMPS Clients 17-23
Monitoring and Maintaining VLANs 17-23
Configuration Examples for Configuring VLANs 17-24
VMPS Network: Example 17-24
Configuring a VLAN: Example 17-25
Configuring an Access Port in a VLAN: Example 17-25
Configuring an Extended-Range VLAN: Example 17-25
Configuring a Trunk

How to Configure VTP 18-11
Configuring VTP Domain and Parameters 18-11
Configuring a VTP Version 3 Password 18-12
Enabling the VTP Version 18-12
Enabling VTP Pruning 18-13
Configuring VTP on a Per-Port Basis 18-13
Adding a VTP Client Switch to a VTP Domain 18-13
Monitoring and Maintaining VTP 18-14
Configuration Examples for Configuring VTP 18-14
Configuring a VTP Server: Example 18-14
Configuring a Hidden VTP Password: Example 18-15
Configuring a VTP Version 3 Primary Server: Example 18-15
Addi

RFCs 19-7

CHAPTER 20 Configuring STP 20-1
Finding Feature Information 20-1
Prerequisites for Configuring STP 20-1
Restrictions for Configuring STP 20-1
Information About Configuring STP 20-1
STP 20-2
Spanning-Tree Topology and BPDUs 20-2
Bridge ID, Switch Priority, and Extended System ID 20-3
Spanning-Tree Interface States 20-4
Blocking State 20-5
Listening State 20-6
Learning State 20-6
Forwarding State 20-6
Disabled State 20-6
How a Switch or Port Becomes the Root Switch or Root Port 2

Configuring Optional STP Parameters 20-17
Monitoring and Maintaining STP 20-17
Additional References 20-18
Related Documents 20-18
Standards 20-18
MIBs 20-18
RFCs 20-18

CHAPTER 21 Configuring MSTP 21-1
Finding Feature Information 21-1
Information About Configuring MSTP 21-1
MSTP 21-2
Multiple Spanning-Tree Regions 21-2
IST, CIST, and CST 21-2
Operations Within an MST Region 21-3
Operations Between MST Regions 21-3
IEEE 802.1s Terminology 21-4
Hop Count 21-5
Boundary Ports 21-5
IEEE 802.

Neighbor Type 21-15
Restarting the Protocol Migration Process 21-16
How to Configure MSTP 21-16
Specifying the MST Region Configuration and Enabling MSTP 21-16
Configuring the Root Switch 21-17
Configuring the Optional MSTP Parameters 21-18
Monitoring and Maintaining MSTP 21-20
Configuration Examples for Configuring MSTP 21-20
Configuring the MST Region: Example 21-20
Additional References 21-21
Related Documents 21-21
Standards 21-21
MIBs 21-21
RFCs 21-21

CHAPTER 22 Configuring Optional S

CHAPTER 23 Configuring Resilient Ethernet Protocol 23-1
Finding Feature Information 23-1
Prerequisites for REP 23-1
Restrictions for REP 23-1
Information About Configuring REP 23-1
REP 23-1
Link Integrity 23-4
Fast Convergence 23-4
VLAN Load Balancing 23-4
Spanning Tree Interaction 23-6
REP Ports 23-6
REP Segments 23-7
Default REP Configuration 23-7
REP Configuration Guidelines 23-7
REP Administrative VLAN 23-8
How to Configure REP 23-9
Configuring the REP Administrative VLAN 23-9
Configurin

Learning the Other FlexLinks Port as the mrouter Port 24-3
Generating IGMP Reports 24-3
Leaking IGMP Reports 24-4
MAC Address-Table Move Update 24-4
Default Settings for FlexLinks and MAC Address-Table Move Update 24-5
Configuration Guidelines for FlexLinks and MAC Address-Table Move Update 24-6
How to Configure the FlexLinks and MAC Address-Table Move Update 24-6
Configuring FlexLinks 24-6
Configuring a Preemption Scheme for FlexLinks 24-7
Configuring VLAN Load Balancing on FlexLinks 24-7
Confi

DHCP Server Port-Based Address Allocation 25-9
How to Configure DHCP 25-10
Configuring the DHCP Relay Agent 25-10
Specifying the Packet Forwarding Address 25-10
Enabling DHCP Snooping and Option 82 25-11
Enabling the DHCP Snooping Binding Database Agent 25-12
Enabling DHCP Server Port-Based Address Allocation 25-13
Preassigning an IP Address 25-13
Monitoring and Maintaining DHCP 25-14
Configuration Examples for Configuring DHCP 25-15
Enabling DHCP Server Port-Based Address Allocation: Examples

Configuring Dynamic ARP Inspection in DHCP Environments: Example 26-12
Configuring ARP ACLs for Non-DHCP Environments: Example 26-12
Additional References 26-13
Related Documents 26-13
Standards 26-13
MIBs 26-13
RFCs 26-13
Technical Assistance 26-13

CHAPTER 27 Configuring IP Source Guard 27-1
Finding Feature Information 27-1
Prerequisites for IP Source Guard 27-1
Restrictions for IP Source Guard 27-1
Information About IP Source Guard 27-1
IP Source Guard 27-1
Source IP Address Filtering

Restrictions for IGMP Snooping and MVR 28-1
Information About IGMP Snooping and MVR 28-1
IGMP Snooping 28-2
IGMP Versions 28-2
Joining a Multicast Group 28-3
Leaving a Multicast Group 28-5
Immediate Leave 28-5
IGMP Configurable-Leave Timer 28-5
IGMP Report Suppression 28-6
Default IGMP Snooping Configuration 28-6
Snooping Methods 28-6
Multicast Flooding Time After a TCN Event 28-7
Flood Mode for TCN 28-7
Multicast Flooding During a TCN Event 28-7
IGMP Snooping Querier Guidelines 28-7
IGMP Report

Configuring IGMP Snooping: Example 28-21
Disabling a Multicast Router Port: Example 28-21
Statically Configuring a Host on a Port: Example 28-21
Enabling IGMP Immediate Leave: Example 28-21
Setting the IGMP Snooping Querier Parameters: Examples 28-21
Enabling MVR: Examples 28-22
Creating an IGMP Profile: Example 28-22
Applying an IGMP Profile: Example 28-23
Limiting IGMP Groups: Example 28-23
Additional References 28-23
Related Documents 28-23
Standards 28-23
MIBs 28-23
RFCs 28-24
Technical Assis

Configuring Protected Ports 29-10
Configuring Port Blocking 29-11
Blocking Flooded Traffic on an Interface 29-11
Configuring Port Security 29-11
Enabling and Configuring Port Security 29-11
Enabling and Configuring Port Security Aging 29-15
Configuring Protocol Storm Protection 29-15
Enabling Protocol Storm Protection 29-15
Monitoring and Maintaining Port-Based Traffic Control 29-16
Configuration Examples for Port-Based Traffic Control 29-16
Enabling Unicast Storm Control: Example 29-16
Enabling

RSPAN VLAN 30-7
SPAN and RSPAN Interaction with Other Features 30-8
Local SPAN Configuration Guidelines 30-9
RSPAN Configuration Guidelines 30-9
Default SPAN and RSPAN Settings 30-10
How to Configure SPAN and RSPAN 30-10
Creating a Local SPAN Session 30-10
Creating a Local SPAN Session and Configuring Incoming Traffic 30-12
Specifying VLANs to Filter 30-13
Configuring a VLAN as an RSPAN VLAN 30-14
Creating an RSPAN Source Session 30-15
Creating an RSPAN Destination Session 30-16
Creating an RSPA

Configuring LLDP-MED TLVs 31-6
Configuring Network-Policy TLV 31-6
Configuring Location TLV and Wired Location Service 31-7
Monitoring and Maintaining LLDP, LLDP-MED, and Wired Location Service 31-8
Configuration Examples for Configuring LLDP, LLDP-MED, and Wired Location Service
Enabling LLDP: Examples 31-9
Configuring LDP Parameters: Examples 31-9
Configuring TLV: Example 31-9
Configuring Network Policy: Example 31-10
Configuring Voice Application: Example 31-10
Configuring Civic Location In

CHAPTER 33 Configuring UDLD 33-1
Finding Feature Information 33-1
Prerequisites for UDLD 33-1
Restrictions for UDLD 33-1
Information About UDLD 33-1
UDLD 33-1
Modes of Operation 33-2
Methods to Detect Unidirectional Links 33-2
Default UDLD Settings 33-4
How to Configure UDLD 33-4
Enabling UDLD Globally 33-4
Enabling UDLD on an Interface 33-5
Setting and Resetting UDLD Parameters 33-5
Maintaining and Monitoring UDLD 33-6
Additional References 33-6
Related Documents 33-6
Standards 33-6
MI

Standards 34-6
MIBs 34-6
RFCs 34-6
Technical Assistance 34-7

CHAPTER 35 Configuring System Message Logging 35-1
Finding Feature Information 35-1
Restrictions for System Message Logging 35-1
Information About System Message Logging 35-1
System Message Logging 35-1
System Log Message Format 35-2
Log Messages 35-2
Message Severity Levels 35-3
Configuring UNIX Syslog Servers 35-3
Logging Messages to a UNIX Syslog Daemon 35-4
Default System Message Logging Configuration 35-5
How to Configure S

CHAPTER 36 Configuring SNMP 36-1
Finding Feature Information 36-1
Prerequisites for SNMP 36-1
Restrictions for SNMP 36-1
Information About SNMP 36-2
SNMP 36-2
SNMP Versions 36-2
SNMP Manager Functions 36-4
SNMP Agent Functions 36-4
SNMP Community Strings 36-4
Using SNMP to Access MIB Variables 36-5
SNMP Notifications 36-5
SNMP ifIndex MIB Object Values 36-6
Community Strings 36-6
SNMP Notifications 36-6
Default SNMP Settings 36-8
How to Configure SNMP 36-8
Disabling the SNMP Agent 36-8
Conf

CHAPTER 37 Configuring Network Security with ACLs 37-1
Finding Feature Information 37-1
Restrictions for Network Security with ACLs 37-1
Information About Network Security with ACLs 37-1
ACLs 37-1
Supported ACLs 37-2
Port ACLs 37-2
Handling Fragmented and Unfragmented Traffic 37-3
IPv4 ACLs 37-4
Standard and Extended IPv4 ACLs 37-5
Access List Numbers 37-5
ACL Logging 37-6
Numbered Extended ACL 37-6
Resequencing ACEs in an ACL 37-7
Named Standard and Extended ACLs 37-7
Time Ranges with ACLs

Applying ACL to a Port: Example 37-21
Applying an ACL to an Interface: Example 37-21
Routed ACLs: Examples 37-22
Configuring Numbered ACLs: Example 37-23
Configuring Extended ACLs: Examples 37-23
Creating Named ACLs: Example 37-24
Applying Time Range to an IP ACL: Example 37-24
Creating Commented IP ACL Entries: Examples 37-25
Configuring ACL Logging: Examples 37-25
Applying a MAC ACL to a Layer 2 Interface: Examples 37-26
Additional References 37-27
Related Documents 37-27
Standards 37-27
MIBs 37

Weighted Tail Drop 38-19
SRR Shaping and Sharing 38-20
Queueing and Scheduling on Ingress Queues 38-21
Queueing and Scheduling on Egress Queues 38-22
Packet Modification 38-25
Classification Using Port Trust States 38-26
Trust State on Ports within the QoS Domain 38-26
Configuring a Trusted Boundary to Ensure Port Security 38-26
DSCP Transparency Mode 38-27
DSCP Trust State on a Port Bordering Another QoS Domain 38-27
QoS Policies 38-28
Classifying, Policing, and Marking Traffic on Physical Ports

Configuring the Policed-DSCP Map 38-48
Configuring the DSCP-to-CoS Map 38-48
Configuring the DSCP-to-DSCP-Mutation Map 38-49
Configuring Ingress Queue Characteristics 38-49
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds 38-49
Allocating Buffer Space Between the Ingress Queues 38-50
Allocating Bandwidth Between the Ingress Queues 38-51
Configuring the Ingress Priority Queue 38-51
Configuring Egress Queue Characteristics 38-52
Allocating Buffer Space to and Setting WTD Thr

Restrictions for Auto-QoS 39-1
Information About Auto-QoS 39-2
Auto-QoS 39-2
Generated Auto-QoS Configuration 39-3
Effects of Auto-QoS on the Configuration 39-7
How to Configure Auto-QoS 39-8
Enabling Auto-QoS for VoIP 39-8
Configuring QoS to Prioritize VoIP Traffic 39-9
Monitoring and Maintaining Auto-QoS 39-9
Configuration Examples for Auto-QoS 39-10
Auto-QoS Network: Example 39-10
Enabling Auto-QoS VOIP Trust: Example 39-11
Additional References 39-11
Related Documents 39-11
Standards 39-1

How to Configure EtherChannels 40-11
Configuring Layer 2 EtherChannels 40-11
Configuring EtherChannel Load Balancing 40-14
Configuring the PAgP Learn Method and Priority 40-14
Configuring the LACP Hot-Standby Ports 40-15
Monitoring and Maintaining EtherChannels on the IE 2000 Switch 40-15
Configuration Examples for Configuring EtherChannels 40-16
Configuring EtherChannels: Examples 40-16
Additional References 40-16
Related Documents 40-16
Standards 40-16
MIBs 40-17
RFCs 40-17
Technical Assistan

IPv6 42-1
IPv6 Addresses 42-2
Supported IPv6 Host Features 42-2
128-Bit Wide Unicast Addresses 42-3
DNS for IPv6 42-3
ICMPv6 42-3
Neighbor Discovery 42-3
Default Router Preference 42-4
IPv6 Stateless Autoconfiguration and Duplicate Address Detection
IPv6 Applications 42-4
Dual IPv4 and IPv6 Protocol Stacks 42-4
Static Routes for IPv6 42-5
SNMP and Syslog Over IPv6 42-5
HTTP over IPv6 42-6
Default IPv6 Settings 42-6
How to Configure IPv6 Hosting 42-7
Configuring IPv6 Addressing and Enabling IPv6 Ho

Configuring Link State Tracking 43-4
Monitoring and Maintaining Link State Tracking 43-4
Configuration Examples for Configuring Link State Tracking 43-4
Displaying Link State Information: Examples 43-4
Creating a Link State Group: Example 43-5
Additional References 43-5
Related Documents 43-5
Standards 43-5
MIBs 43-6
RFCs 43-6
Technical Assistance 43-6

CHAPTER 44 Configuring IPv6 MLD Snooping 44-1
Finding Feature Information 44-1
Prerequisites for Configuring IPv6 MLD Snooping
Restrict

Configuration Examples for Configuring IPv6 MLD Snooping 44-10
Statically Configure an IPv6 Multicast Group: Example 44-10
Adding a Multicast Router Port to a VLAN: Example 44-10
Enabling MLD Immediate Leave on a VLAN: Example 44-10
Setting MLD Snooping Global Robustness: Example 44-10
Setting MLD Snooping Last-Listener Query Parameters: Examples 44-10
Additional References 44-12
Related Documents 44-12
Standards 44-12
MIBs 44-12
RFCs 44-12
Technical Assistance 44-12

CHAPTER 45 Configuring Ci

MIBs 45-14
RFCs 45-14
Technical Assistance 45-14

CHAPTER 46 Troubleshooting 46-1
Finding Feature Information 46-1
Information for Troubleshooting 46-1
Autonegotiation Mismatches Prevention 46-1
SFP Module Security and Identification 46-2
Ping 46-2
Layer 2 Traceroute 46-3
Layer 2 Traceroute Usage Guidelines 46-3
IP Traceroute 46-4
TDR 46-4
Crashinfo Files 46-5
Basic crashinfo Files 46-5
Extended crashinfo Files 46-5
CPU Utilization 46-6
Problem and Cause for High CPU Utilization 46-6
How

Technical Assistance 46-17

APPENDIX A Working with the Cisco IOS File System, Configuration Files, and Software Images
Working with the Flash File System A-1
Displaying Available File Systems A-1
Detecting an Unsupported SD Flash Memory Card A-2
SD Flash Memory Card LED A-3
Setting the Default File System A-3
Displaying Information About Files on a File System A-4
Changing Directories and Displaying the Working Directory
Creating and Removing Directories A-5
Copying Files A-6
Deleting Files A-

Configuration Guidelines A-20
Configuring the Configuration Archive A-21
Performing a Configuration Replacement or Rollback Operation A-21
Working with Software Images A-22
Image Location on the Switch A-23
tar File Format of Images on a Server or Cisco.
Contents Cisco IE 2000 Switch Software Configuration Guide l OL-25866-01
Preface
Audience
This guide is for the networking professional managing your switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.
Purpose
This guide provides the information that you need to configure Cisco IOS software features on your switch. This guide provides procedures for using the commands that have been created or changed for use with the switch.
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful.
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
– Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.
CHAPTER 1 Configuration Overview
Features
Your switch uses the Cisco IOS software licensing (CISL) architecture to support a single universal cryptographic image (supports encryption). This image implements the LAN Base or LAN Lite features depending on your switch model:
• The LAN Base image provides quality of service (QoS), port security, 1588v2 PTP, and static routing features.
Chapter 1 Configuration Overview Feature Software Licensing
Ease-of-Deployment and Ease-of-Use Features
• Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.
• IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table
• IGMP leave timer for configuring the leave latency for the network
• Switch Database Management (SDM) templates for allocating system resources to maximize support for user-selected features
• Cisco IOS IP Service Level Agreements (SLAs), a part of Cisco IOS software that uses active traffic monitoring for measuring network per
Industrial Application
• CIP—Common Industrial Protocol (CIP) is a peer-to-peer application protocol that provides application level connections between the switch and industrial devices such as I/O controllers, sensors, relays, and so forth. You can manage the switch using CIP-based management tools, such as RSLogix. For more information about the CIP commands that the switch supports, see the command reference.
– PTP enhancement to support PTP messages on the expansion module ports.
• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses.
• Support for the SSM PIM protocol to optimize multicast applications, such as video.
• Configuration logging to log and to view changes to the switch configuration.
• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks. STP has these features:
– Up to 128 spanning-tree instances supported
– Per-VLAN spanning-tree plus (PVST+) for load balancing across VLANs
– Rapid PVST+ for load balancing across VLANs and providing rapid convergence of spanning-tree instances
• IEEE 802.
• VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received on the trunk. The switch CPU continues to send and receive control protocol frames.
• VLAN FlexLink load balancing to provide Layer 2 redundancy without requiring Spanning Tree Protocol (STP).
• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers
• IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings
• Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN
• Layer 2 protocol tunneling bypass feature to provide int
For information about configuring NAC Layer 2 802.1x validation, see the “Configuring NAC Layer 2 802.1x Validation” section on page 13-46.
– NAC Layer 2 IP validation of the posture of endpoint systems or clients before granting the devices network access. For information about configuring NAC Layer 2 IP validation, see the Network Admission Control Software Configuration Guide.
– IEEE 802.
• Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.
QoS and CoS Features
Note These features require the LAN Base image.
Chapter 1 Configuration Overview
– WTD as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications.
– SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface (shaping or sharing is supported on egress queues). Shaped egress queues are guaranteed but limited to using a share of port bandwidth.
Default Settings After Initial Switch Configuration
If you do not configure the switch at all, the switch operates with these default settings:
• Default switch IP address, subnet mask, and default gateway are 0.0.0.0. For more information, see Chapter 4, “Performing Switch Setup Configuration,” and Chapter 25, “Configuring DHCP.”
• Default domain name is not configured. For more information, see Chapter 4, “Performing Switch Setup Configuration.
• MSTP is disabled. For more information, see Chapter 21, “Configuring MSTP.”
• Optional spanning-tree features are disabled. For more information, see Chapter 22, “Configuring Optional Spanning-Tree Features.”
• FlexLinks are not configured. For more information, see Chapter 24, “Configuring FlexLinks and the MAC Address-Table Move Update.”
• DHCP snooping is disabled.
Network Configuration Examples
This section provides network configuration concepts and includes examples of using the switch to create dedicated network segments and interconnecting the segments through Fast Ethernet and Gigabit Ethernet connections.
Table 1-2 Providing Network Services
Network Demands: Efficient bandwidth usage for multimedia applications and guaranteed bandwidth for critical applications
Suggested Design Methods:
• Use IGMP snooping to efficiently forward multimedia and multicast traffic.
Demilitarized Zone
The demilitarized zone (DMZ) provides a buffer for sharing of data and services between the enterprise and manufacturing zones. The DMZ maintains availability, addresses security vulnerabilities, and abides by regulatory compliance mandates. The DMZ provides segmentation of organizational control, for example, between the IT and production organizations.
Figure 1-1 shows the EttF architecture.
Topology Options

Topology design starts with considering how devices are connected to the network. The cell network also requires physical topologies that meet the physical constraints of the production floor. This section provides guidelines for topology designs and describes the trunk-drop, ring, and redundant-star topologies.
• Physical layout—The layout of the production environment drives the topology design.
[Figure 1-2 Cell Network–Trunk-Drop Topology: a Catalyst 3750 StackWise switch stack with IE 2000 switches, a human machine interface (HMI), and the cell zone’s controllers, drives, and remote I/O]

Cell Network—Ring Topology

A ring topology is similar to a trunk-drop topology except that the last switch in the chain is also connected to the Layer 3 switch, which closes the chain into a network ring.
[Figure 1-3 Cell Network–Ring Topology: a Catalyst 3750 StackWise switch stack with IE 2000 switches, a human machine interface (HMI), and the cell zone’s controllers, drives, and remote I/O]

Cell Network—Redundant-Star Topology

In a redundant-star topology, every Layer 2 access switch has dual connections to a Layer 3 distribution switch. Devices are connected to the Layer 2 switches. See Figure 1-4.
[Figure 1-4 Cell Network–Redundant-Star Topology: a Catalyst 3750 StackWise switch stack, IE 2000 switches, a human machine interface (HMI), and the cell zone’s controllers, drives, and remote I/O]

Where to Go Next

Before configuring the switch, review these sections for startup information:
• Chapter 2, “Using the Command-Line Interface”
• Chapter 4, “Performing Switch Setup Configuration”
To locate and download MIBs for a specific Cisco product and release, use the

Cisco IE 2000 Switch Software Configuration Guide 1-22 OL-25866-01
Chapter 2 Using the Command-Line Interface

Information About Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your switch.

Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1 Command Mode Summary

Mode | Access Method | Prompt | Exit Method | About This Mode
User EXEC | Begin a session with your switch. | Switch> | Enter logout or quit. | Use this mode to • Change terminal settings.

Table 2-1 Command Mode Summary (continued)

Mode | Access Method | Prompt | Exit Method | About This Mode
Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | Switch(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)

Command | Purpose
? | List all commands available for a particular command mode. For example: Switch> ?
command ? | List the associated keywords for a command. For example: Switch> show ?
command keyword ? | List the associated arguments for a keyword.
CLI Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2-3 Common CLI Error Messages

Error Message | Meaning | How to Get Help
% Ambiguous command: "show con" | You did not enter enough characters for your switch to recognize the command. | Reenter the command followed by a question mark (?) with a space between the command and the question mark.
How to Use the CLI to Configure Features

Configuring the Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.
Table 2-5 Editing Commands through Keystrokes (continued)

Capability | Keystroke | Purpose
(continued) | Press Ctrl-F, or press the right arrow key. | Move the cursor forward one character.
| Press Ctrl-A. | Move the cursor to the beginning of the command line.
| Press Ctrl-E. | Move the cursor to the end of the command line.
| Press Esc B. | Move the cursor back one word.
| Press Esc F. | Move the cursor forward one word.
| Press Ctrl-T. |

Table 2-5 Editing Commands through Keystrokes (continued)

Capability | Keystroke | Purpose
Scroll down a line or screen on displays that are longer than the terminal screen can display. | Press the Return key. | Scroll down one line.
| Press the Space bar. | Scroll down one screen.
| Press Ctrl-L or Ctrl-R. | Redisplay the current command line.
Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.
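The filter expressions below are an added example, not output taken from this guide, showing how the begin, include, exclude, and section keywords are typically used when auditing a switch for weak management settings. The hostname Switch follows Table 2-1; everything after the first pipe and the keyword is treated as a regular expression, so the alternation bars inside the parentheses belong to the pattern, not to the CLI. The section keyword is assumed to be available on this release, as it is on other IOS 15.x trains.

```cisco
! Lines that enable clear-text management services or define SNMP communities
Switch# show running-config | include ^(ip http server|snmp-server community|no service password-encryption)

! Only the interface stanzas, skipping the rest of the configuration
Switch# show running-config | section ^interface

! Start at the line-vty stanza (the remote-access policy) and read from there
Switch# show running-config | begin ^line vty

! Ports that are actually in use: hide the ones with no link
Switch# show interfaces status | exclude notconnect

! Ports that carry an alarm profile other than the factory default
Switch# show running-config | include ^ alarm profile
```

Anchoring a pattern with ^ matters on a full running configuration: without it, `include ip http server` would also match the `no ip http server` line that a hardened switch should contain.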
Chapter 3 Configuring Switch Alarms

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Switch Alarms

Global Status Monitoring Alarms

The switch processes alarms related to temperature and power supply conditions, referred to as global or facility alarms.

Table 3-1 Global Status Monitoring Alarms

Alarm | Description
Power supply alarm | By default, the switch monitors a single power supply. If you configure a dual power supply, an alarm triggers if one power supply fails.
Alarm profiles provide a mechanism for you to enable or disable alarm conditions for a port and associate the alarm conditions with the alarm relay. You can also use alarm profiles to set alarm conditions to send alarm traps to an SNMP server and system messages to a syslog server. The alarm profile defaultPort is applied to all interfaces in the factory configuration (by default).
Use the snmp-server enable traps global configuration command to allow the switch to send alarm traps to an SNMP server. You can use alarm profiles to set environmental or port status alarm conditions to send SNMP alarm traps. See the “Enabling SNMP Traps” section on page 3-9 for more information.
• Syslog Messages
You can use alarm profiles to send system messages to a syslog server.
How to Configure Switch Alarms

Default Switch Alarm Settings

Table 3-3 Default Switch Alarm Settings

Global Alarm | Default Setting
Power supply alarm | Enabled in switch single power mode. No alarm. In dual-power supply mode, the default alarm notification is a system message to the console.
Primary temperature alarm | Enabled for switch temperature range of 203°F (95°C) maximum to –4°F (–20°C) minimum.
Command | Purpose
Step 6 show env alarm-contact | Shows the configured alarm contacts.
Step 7 copy running-config startup-config | (Optional) Saves your entries in the configuration file.

Configuring the Power Supply Alarms

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.
Step 2 power-supply dual | Configures dual power supplies.

Associating the Temperature Alarms to a Relay

By default, the primary temperature alarm is associated with the relay. You can use the alarm facility temperature global configuration command to associate the primary temperature alarm with an SNMP trap or a syslog message, or to associate the secondary temperature alarm with the relay, an SNMP trap, or a syslog message.

Note The single relay on the switch is called the major relay.

Setting the FCS Error Hysteresis Threshold

The hysteresis setting prevents an alarm from toggling when the actual bit error rate fluctuates near the configured rate. The FCS hysteresis threshold applies to all ports of the switch.

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.
Step 2 alarm facility fcs-hysteresis percentage | Sets the hysteresis percentage for the switch.

Command | Purpose
relay-major {fcs-error | link-fault | not-forwarding | not-operating} | (Optional) Associates the alarm with the major relay, so that the relay is triggered when the alarm is raised.
syslog {fcs-error | link-fault | not-forwarding | not-operating} | (Optional) Configures the alarm to send a system message to a syslog server.

Attaching an Alarm Profile to a Specific Port

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.
Configuration Examples for Switch Alarms

Configuring External Alarms: Example

This example configures alarm input 1 named door sensor to assert a major alarm when the door circuit is closed and then displays the status and configuration for all alarms:

    Switch(config)# alarm contact 1 description door sensor
    Switch(config)# alarm contact 1 severity major
    Switch(config)# alarm contact 1 trigger closed
    Switch(config)# end
    Switch(co
Setting the FCS Error Hysteresis Threshold: Example

This example shows how to set the FCS bit error rate threshold for a port to 10^-10 (the value 10 selects the 10^-10 rate). The hysteresis itself is a switch-wide percentage that is set with the alarm facility fcs-hysteresis global configuration command:

    Switch# configure terminal
    Switch(config)# interface fastethernet1/1
    Switch(config-if)# fcs-threshold 10

Configuring a Dual Power Supply: Examples

This example shows how to configure two power supplies:

    Switch# configure terminal
    Switch(config)# power-supply dual

These examples show how to display infor
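The examples above configure contacts, the FCS threshold, and dual power supplies one at a time. The following is an added end-to-end example, not taken from this guide, that ties the facility alarms, a port alarm profile, an external contact, and the SNMP and syslog notification paths together as described in the How to Configure Switch Alarms procedures. The profile name plant-floor, the secondary temperature thresholds, the hysteresis percentage, the SNMP host 10.1.1.50, and the community string plantmon are values chosen for this example; the command keywords follow the procedures above.

```cisco
Switch# configure terminal
! Facility alarms: the primary temperature alarm stays on the major relay (default);
! add syslog and SNMP notification for it, and give the secondary alarm its own
! thresholds (degrees C, example values) with syslog and SNMP notification
Switch(config)# alarm facility temperature primary syslog
Switch(config)# alarm facility temperature primary notifies
Switch(config)# alarm facility temperature secondary high 70
Switch(config)# alarm facility temperature secondary low 0
Switch(config)# alarm facility temperature secondary syslog
Switch(config)# alarm facility temperature secondary notifies
! Two supplies: a single supply failure raises the relay, a syslog message, and a trap
Switch(config)# power-supply dual
Switch(config)# alarm facility power-supply relay major
Switch(config)# alarm facility power-supply syslog
Switch(config)# alarm facility power-supply notifies
! Switch-wide hysteresis so a bit error rate hovering at the threshold does not flap the alarm
Switch(config)# alarm facility fcs-hysteresis 5
! Port alarm profile for cell-zone uplinks: link faults and FCS errors drive the relay
! and are also reported to syslog and as SNMP traps
Switch(config)# alarm profile plant-floor
Switch(config-alarm-prof)# alarm link-fault fcs-error not-forwarding
Switch(config-alarm-prof)# relay-major link-fault fcs-error
Switch(config-alarm-prof)# syslog link-fault fcs-error not-forwarding
Switch(config-alarm-prof)# notifies link-fault fcs-error not-forwarding
Switch(config-alarm-prof)# exit
! Replace the factory defaultPort profile on the uplink and set its FCS threshold to 10^-8
Switch(config)# interface fastethernet1/1
Switch(config-if)# alarm profile plant-floor
Switch(config-if)# fcs-threshold 8
Switch(config-if)# exit
! Door contact on alarm input 1, as in the external-alarm example above
Switch(config)# alarm contact 1 description door sensor
Switch(config)# alarm contact 1 severity major
Switch(config)# alarm contact 1 trigger closed
! Send the alarm traps to the management station
Switch(config)# snmp-server enable traps alarms
Switch(config)# snmp-server host 10.1.1.50 version 2c plantmon
Switch(config)# end
! Verify what was applied
Switch# show alarm settings
Switch# show alarm profile plant-floor
Switch# show env alarm-contact
Switch# show facility-alarm status
```

The notifies keyword only marks an alarm as trap-eligible; nothing leaves the switch until snmp-server enable traps alarms and an snmp-server host are configured. An SNMPv2c community string travels in clear text, so on a production cell network prefer an SNMPv3 user with authentication, as described in Chapter 36, and restrict which stations may poll the switch.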
[remainder of the show alarm settings output, truncated: the Alarm, Relay, Notifies, and Syslog state for each alarm, ending with Input-Alarm 2]

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic | Document Title
Cisco IE 2000 commands | Cisco IE 2000 Switch Command Reference, Release 15.
RFCs

RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —

Technical Assistance

Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco. | http://www.cisco.com/techsupport
Chapter 4 Performing Switch Setup Configuration

Restrictions for Performing Switch Setup Configuration

Note
• The DHCP-based autoconfiguration with a saved configuration process stops if there is not at least one Layer 3 interface in an up state without an assigned IP address in the network.
• Unless you configure a timeout, the DHCP-based autoconfiguration with a saved configuration feature tries indefinitely to download an IP address.
Information About Performing Switch Setup Configuration

• Initializes the flash memory card file system on the system board.
• Loads a default operating system software image into memory and boots up the switch.
The boot loader provides access to the flash file system before the operating system is loaded. Normally, the boot loader is used only to load, uncompress, and launch the operating system.
Default Switch Boot Settings

Feature | Default Setting
Operating system software image | The switch attempts to automatically boot up the system using information in the BOOT environment variable. If the variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
Switch Information Assignment

You can assign IP information through the switch setup program, through a DHCP server, or manually. Use the switch setup program if you want to be prompted for specific IP information. With this program, you can also configure a hostname and an enable secret password.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses. If you are using DHCP to relay the configuration file location on the network, you might also need to configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the offers; however, the client usually accepts the first offer it receives. The offer from the DHCP server is not a guarantee that the IP address is allocated to the switch. However, the server usually reserves the address until the client has had a chance to formally request the address.
After you install the switch in your network, the auto-image update feature starts. The downloaded configuration file is saved in the running configuration of the switch, and the new image is downloaded and installed on the switch. When you reboot the switch, the configuration is stored in the saved configuration on the switch.
these files: network-config, cisconet.cfg, and hostname.config (or hostname.cfg), where hostname is the switch’s current hostname. The TFTP server addresses used include the specified TFTP server address (if any) and the broadcast address (255.255.255.255). For the switch to successfully download a configuration file, the TFTP server must contain one or more configuration files in its base directory.
[Figure 4-2 Relay Device Used in Autoconfiguration: the switch (DHCP client) on the 10.0.0.0 network reaches the DHCP, TFTP, and DNS servers on the 20.0.0.0 network through a Cisco router acting as relay; addresses shown in the figure are 10.0.0.1, 10.0.0.2, 20.0.0.2, 20.0.0.3, and 20.0.0.4]
Note The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.
Common Environment Variables

Table 4-2 describes the function of the most common environment variables.

Table 4-2 Environment Variables

Variable | Boot Loader Command | Cisco IOS Global Configuration Command
BOOT | set BOOT filesystem:/file-url ... | boot system filesystem:/file-url ...
How to Perform Switch Setup Configuration

You have these reload options:
• Software reload to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days. You can specify the reason for the reload in a string of up to 255 characters.
• Software reload to take place at the specified time (using a 24-hour clock).
Command | Purpose
Step 7 exit | Returns to global configuration mode.
Step 8 tftp-server flash:filename.text | Specifies the configuration file on the TFTP server.
Step 9 interface interface-id | Enters interface configuration mode for the interface that faces the client that will receive the configuration file.
Step 10 no switchport | Puts the interface into Layer 3 mode.

Command | Purpose
Step 16 ip address address mask | Specifies the IP address and mask for the interface.
Step 17 end | Returns to privileged EXEC mode.
Step 18 copy running-config startup-config | (Optional) Saves your entries in the configuration file.

Configuring the Client

You should configure and enable only the Layer 3 interface.

Command | Purpose
Step 8 show ip redirects | Verifies the configured default gateway.
Step 9 copy running-config startup-config | (Optional) Saves your entries in the configuration file.

Manually Assigning IP Information to SVIs

This task describes how to manually assign IP information to multiple switched virtual interfaces (SVIs).

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.
Step 2 boot config-file flash:/file-url | Specifies the configuration file to load during the next boot-up cycle. For file-url, specify the path (directory) and the configuration filename. Filenames and directory names are case sensitive.
Step 3 end | Returns to privileged EXEC mode.
Step 4 show boot | Verifies your entries.
Monitoring Switch Setup Configuration

Booting a Specific Software Image

By default, the switch attempts to automatically boot up the system using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable image it can by performing a recursive, depth-first search throughout the flash file system.
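The depth-first search described above means that, with BOOT unset, whatever executable happens to sort first in flash is what runs; pinning the image and the configuration file removes that ambiguity. The following is an added example, not taken from this guide, that sets both boot variables from Cisco IOS (Table 4-2), verifies them, checks the image in flash, and schedules the reload with the options listed under How to Perform Switch Setup Configuration. The directory and file names flash:/image-dir/image.bin and flash:/config.text are placeholders for this example; the verify /md5 command is assumed to be available on this release as it is on other Catalyst switches.

```cisco
! Pin the image and the configuration file instead of letting the boot loader search flash
Switch# configure terminal
Switch(config)# boot system flash:/image-dir/image.bin
Switch(config)# boot config-file flash:/config.text
Switch(config)# end
! Confirm the BOOT and CONFIG_FILE variables now point where you expect
Switch# show boot
! Check that the image in flash is the one you intend to run, and compare the digest
! against the value published for the release before trusting it
Switch# verify /md5 flash:/image-dir/image.bin
! Save, then reload in the maintenance window; the reason string is written to the log
Switch# copy running-config startup-config
Switch# reload at 02:00 reason Move to pinned boot image
```

Because the boot loader gives access to the flash file system before Cisco IOS is running and therefore before any CLI authentication applies, anyone with console access during a reload can alter these variables. Re-check show boot after any reload you did not perform yourself.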
Configuration Examples for Performing Switch Setup Configuration

    .
    interface gigabitethernet1/1
     no switchport
     ip address 172.20.137.50 255.255.255.0
    !
    interface gigabitethernet1/2
     mvr type source
Switches B through D retrieve their configuration files and IP addresses in the same way. Figure 4-3 shows a sample network for retrieving IP information by using DHCP-based autoconfiguration.

[Figure 4-3 DHCP-Based Autoconfiguration Network Example: Switch 1 (00e0.9f1e.2001), Switch 2 (00e0.9f1e.2002), Switch 3 (00e0.9f1e.2003), and Switch 4 (00e0.9f1e.2004) connect through a Cisco router at 10.0.0.10 to the DHCP server at 10.0.0.
    switchd-confg

    prompt> cat network-confg
    ip host switcha 10.0.0.21
    ip host switchb 10.0.0.22
    ip host switchc 10.0.0.23
    ip host switchd 10.0.0.24

DHCP Client Configuration

No configuration file is present on Switch A through Switch D.

Scheduling Software Image Reload: Examples

This example shows how to reload the software on the switch on the current day at 7:30 p.
    Switch(config)# tftp-server flash:boot-config.text
    Switch(config)# tftp-server flash:autoinstall_dhcp
    Switch(config)# interface gigabitethernet1/2
    Switch(config-if)# no switchport
    Switch(config-if)# ip address 10.10.10.1 255.255.255.
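The fragment above shows the TFTP and interface side of the DHCP server switch. The following is an added example, not taken from this guide, of the complete server-side configuration for the procedure in How to Perform Switch Setup Configuration: a DHCP pool that hands out the address, default router, TFTP server (option 150), and configuration file name, plus a manual binding for one known switch. The pool names, the 10.10.10.0/24 staging network, and the file names are choices made for this example; the MAC address 00e0.9f1e.2001 is the one shown for Switch 1 in Figure 4-3.

```cisco
Switch# configure terminal
! Keep the server's own address and a few spares out of the dynamic range
Switch(config)# ip dhcp excluded-address 10.10.10.1 10.10.10.9
! Dynamic pool for switches being staged on this segment
Switch(config)# ip dhcp pool staging
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 ip 10.10.10.1
Switch(dhcp-config)# bootfile boot-config.text
Switch(dhcp-config)# exit
! Manual binding: a fixed address and its own config file for one switch, keyed on its MAC
Switch(config)# ip dhcp pool switch-a
Switch(dhcp-config)# host 10.10.10.21 255.255.255.0
Switch(dhcp-config)# hardware-address 00e0.9f1e.2001
Switch(dhcp-config)# option 150 ip 10.10.10.1
Switch(dhcp-config)# bootfile switcha-confg
Switch(dhcp-config)# exit
! Publish the configuration files from flash over TFTP
Switch(config)# tftp-server flash:boot-config.text
Switch(config)# tftp-server flash:switcha-confg
! Routed interface facing the staging segment
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.10.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end
! Leases handed out so far, and the pool's utilization
Switch# show ip dhcp binding
Switch# show ip dhcp pool staging
```

A client switch with no saved configuration takes the first DHCP offer it sees and fetches the named file over TFTP without any authentication of the server or the file. Run this setup only on an isolated staging segment, remove the dynamic pool once the manual bindings cover every expected switch so that an unknown MAC address gets no lease, and remember that a deployed switch whose startup configuration has been erased will go through this same process again.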
Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic | Document Title
Cisco IE 2000 commands | Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 5 Configuring Cisco IOS Configuration Engine

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring Cisco IOS Configuration Engine

Table 5-1 Prerequisites for Enabling Automatic Configuration (continued)

Device | Required Configuration
DHCP server | • IP address assignment • TFTP server IP address • Path to bootstrap configuration file on the TFTP server • Default gateway IP address
TFTP server | • A bootstrap configuration file that includes the CNS configuration commands that enable the
CNS Configuration Engine |
[Figure 5-1 Configuration Engine Architectural Overview: within the service provider network, the configuration engine comprises a data service directory, a configuration server, and an event service, fronted by a web-based user interface for order entry and configuration management]

Configuration Service

Configuration Service is the core component of Cisco Configuration Engine.
Event Service is a highly capable publish-and-subscribe communication method. Event Service uses subject-based addressing to send messages to their destinations. Subject-based addressing conventions define a simple, uniform namespace for messages and their destinations.
The origin of the DeviceID is defined by the Cisco IOS hostname of the switch. However, the DeviceID variable and its usage reside within the event gateway adjacent to the switch. The logical Cisco IOS termination point on the event bus is embedded in the event gateway, which in turn functions as a proxy on behalf of the switch.
The Cisco IOS agents initiate communication with Configuration Engine by using the appropriate ConfigID and EventID. Configuration Engine maps the ConfigID to a template and downloads the full configuration file to the switch. Figure 5-2 shows a sample network configuration for retrieving the initial bootstrap configuration file by using DHCP-based autoconfiguration.
How to Configure Cisco IOS Configuration Engine

Configuring Cisco IOS Agents

The CNS Event Agent and the Cisco IOS CNS Agent embedded in the Cisco IOS software on the switch allow the switch to be connected and automatically configured. Both agents must be enabled, and the CNS configuration can be initial or partial.
Enabling Cisco IOS CNS Agent and an Initial Configuration

Command | Purpose
Step 1 configure terminal | Enters global configuration mode.
Step 2 cns template connect name | Enters CNS template connect configuration mode, and specifies the name of the CNS connect template.
Step 3 cli config-text | Enters a command line for the CNS connect template. Repeat this step for each command line in the template.

Command | Purpose
Step 12 ip route network-number | (Optional) Establishes a static route to Configuration Engine whose IP address is network-number.
Step 13 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image] | (Optional) Sets the unique EventID or ConfigID used by the Configuration Engine.

Command | Purpose
Step 14 cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check] | Enables the Cisco IOS agent and initiates an initial configuration.
• {hostname | ip-address}—Enters the hostname or the IP address of the configuration server.
• (Optional) port-number—Enters the port number of the configuration server. The default port number is 80.

Monitoring and Maintaining Cisco IOS Configuration Engine

Command | Purpose
show cns config connections | Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding | Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
show cns config stats | Displays statistics about the Cisco IOS agent.
    Switch(config-cns-conn)# discover interface gigabitethernet
    Switch(config-cns-conn)# template template-dhcp
    Switch(config-cns-conn)# template ip-route
    Switch(config-cns-conn)# exit
    Switch(config)# hostname RemoteSwitch
    RemoteSwitch(config)# ip route 172.28.129.22 255.255.255.255 11.11.11.1
    RemoteSwitch(config)# cns id ethernet 0 ipaddress
    RemoteSwitch(config)# cns config initial 172.28.129.
Additional References

Technical Assistance

Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Chapter 6 Configuring Switch Clusters

This chapter provides the concepts and procedures to create and manage switch clusters on your switch. You can create and manage switch clusters by using Cisco Network Assistant (CNA), the command-line interface (CLI), or SNMP. For complete procedures, see the online help for CNA. For the CLI cluster commands, see the switch command reference. This chapter focuses on Cisco IE 2000 switch clusters.
Prerequisites for Configuring Switch Clusters

Standby Cluster Command Switch Characteristics

A standby cluster command switch must meet these requirements:
• Is running Cisco IOS 15.0(1)EY or later.
• Has an IP address.
• Has CDP version 2 enabled.
• Is connected to the command switch and to other standby command switches through its management VLAN.
Restrictions for Configuring Switch Clusters

We do not recommend using the ip http access-class global configuration command to limit access to specific hosts or networks. Access should be controlled through the cluster command switch or by applying access control lists (ACLs) on interfaces that are configured with an IP address. For more information on ACLs, see Chapter 37, “Configuring Network Security with ACLs.
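The following is an added example, not taken from this guide, of the alternative the restriction above recommends: the cluster is created on the command switch with the CLI cluster commands, and management access is limited with a standard ACL applied to the IP-configured interface and to the vty lines rather than with ip http access-class. The cluster name cell-cluster, the member MAC address (borrowed from Figure 4-3 for illustration), the ACL name, and the 10.0.0.0/24 management network are values chosen for this example. Applying a router ACL to the management SVI is assumed to be supported by this image; if it is not, the same filter can be applied as a port ACL on the uplink, as described in Chapter 37.

```cisco
Switch# configure terminal
! Command switch: create the cluster (command-switch number 0) and add one member by MAC address
Switch(config)# cluster enable cell-cluster 0
Switch(config)# cluster member 1 mac-address 00e0.9f1e.2002
! Only the management stations may reach the command switch's IP address;
! everything else is dropped and logged
Switch(config)# ip access-list standard MGMT-HOSTS
Switch(config-std-nacl)# permit 10.0.0.0 0.0.0.255
Switch(config-std-nacl)# deny any log
Switch(config-std-nacl)# exit
! Apply the filter at the IP-configured interface, as the restriction above recommends
Switch(config)# interface vlan 1
Switch(config-if)# ip access-group MGMT-HOSTS in
Switch(config-if)# exit
! Apply the same host restriction to the CLI lines
Switch(config)# line vty 0 15
Switch(config-line)# access-class MGMT-HOSTS in
Switch(config-line)# end
! Confirm the cluster formed and the member is reachable through the command switch
Switch# show cluster
Switch# show cluster members
```

Because members are managed through the command switch's IP address, the ACL on that one interface governs management reach to the whole cluster; the deny any log entry gives you a syslog record of any station that tries to reach it from outside the permitted range.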
How to Plan for Switch Clustering

Table 6-1 Switch Software and Cluster Capability (continued)

Switch | Cisco IOS Release | Cluster Capability
IE 3000 switch | 12.2(40)EX or later | Member or command switch
Catalyst 3750-X or Catalyst 3560-X | 12.2(53)SE2 or later | Member or command switch
Catalyst 3750-E or Catalyst 3560-E | 12.2(35)SE2 or later | Member or command switch
Catalyst 3750 | 12.1(11)AX or later | Member or command switch
Catalyst 3560 | 12.
Automatic Discovery of Cluster Candidates and Members

The cluster command switch uses Cisco Discovery Protocol (CDP) to discover cluster member switches, candidate switches, neighboring switch clusters, and edge devices across multiple VLANs and in star or cascaded topologies.
[Figure 6-1 Discovery Through CDP Hops: the command device in VLAN 62 reaches member devices 8, 9, and 10; devices 11, 12, and 13 are candidate devices at the edge of the cluster; devices 14 and 15 in VLAN 16 are candidate devices beyond it]
Discovery Through Non-CDP-Capable and Noncluster-Capable Devices

If a cluster command switch is connected to a non-CDP-capable third-party hub (such as a non-Cisco hub), it can discover cluster-enabled devices connected to that third-party hub. However, if the cluster command switch is connected to a noncluster-capable Cisco device, it cannot discover a cluster-enabled device connected beyond the noncluster-capable Cisco device.
[Figure 6-3 Discovery Through Different VLANs: the command device in VLAN 62 reaches devices in VLAN 50, VLAN 16, and VLAN 62 over VLAN trunks carrying VLANs 9 and 16, and VLANs 4 and 16]

Discovery Through Different Management VLANs

Catalyst 2970, Catalyst 3550, Catalyst 3560, or Catalyst 3750 cluster command switches can discover and manage cluster member switches in different VLANs and different management VLANs.
Discovery Through Routed Ports

Note The LAN Base image supports static routing and RIP.

If the cluster command switch has a routed port (RP) configured, it discovers only candidate and cluster member switches in the same VLAN as the routed port. The Layer 3 cluster command switch in Figure 6-4 can discover the switches in VLANs 9 and 62 but not the switch in VLAN 4.
[Figure 6-5 Discovery Through Different Management VLANs with a Layer 3 Cluster Command Switch: a command device and a standby command device with interfaces in VLANs 9, 16, and 62; device 4 (management VLAN 16), device 5 (management VLAN 62), device 6 (management VLAN 9), device 7 (management VLAN 4) reached over a VLAN trunk carrying VLANs 4 and 62, device 8 (management VLAN 9), device 9 (management VLAN 62), and device 10 (management VLAN 4); figure truncated]
Chapter 6 Configuring Switch Clusters How to Plan for Switch Clustering Figure 6-6 Discovery of Newly Installed Switches Command device VLAN 9 VLAN 16 Device A Device B VLAN 9 New (out-of-box) candidate device AP VLAN 16 New (out-of-box) candidate device 101325 AP IP Addresses You must assign IP information to a cluster command switch. You can assign more than one IP address to the cluster command switch, and you can access the cluster through any of the command-switch IP addresses.
Chapter 6 Configuring Switch Clusters How to Plan for Switch Clustering If a switch received its hostname from the cluster command switch, was removed from a cluster, was then added to a new cluster, and kept the same member number (such as 5), the switch overwrites the old hostname (such as eng-cluster-5) with the hostname of the cluster command switch in the new cluster (such as mkg-cluster-5).
Chapter 6 Configuring Switch Clusters Managing Switch Clusters LRE Profiles A configuration conflict occurs if a switch cluster has Long-Reach Ethernet (LRE) switches that use both private and public profiles. If one LRE switch in a cluster is assigned a public profile, all LRE switches in that cluster must have that same public profile. Before you add an LRE switch to a cluster, make sure that you assign it the same public profile used by other LRE switches in the cluster.
Chapter 6 Configuring Switch Clusters Managing Switch Clusters Using SNMP to Manage Switch Clusters When you first power on the switch, SNMP is enabled if you enter the IP information by using the setup program and accept its proposed configuration. If you did not use the setup program to enter the IP information and SNMP was not enabled, you can enable it as described in the Chapter 36, “Configuring SNMP.” On Catalyst 1900 and Catalyst 2820 switches, SNMP is enabled by default.
Chapter 6 Configuring Switch Clusters Additional References Additional References The following sections provide references related to switch administration: Related Documents Related Topic Document Title Cisco IE 2000 commands Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 6 Configuring Switch Clusters Additional References Cisco IE 2000 Switch Software Configuration Guide 6-16 OL-25866-01
CHAPTER 7 Performing Switch Administration
This chapter describes how to perform one-time operations to administer your switch.

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support.

Information About Performing Switch Administration
The system clock keeps track of whether the time is authoritative (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section on page 7-9.

Figure 7-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B, C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured as an NTP peer to the upstream and downstream switches, Switch B and Switch F.

• Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on public key cryptography and standard X.509 certificates.
• Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups, NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the lowest bandwidth cost.

System Name and Prompt
You configure the system name on the switch to identify it. By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt, and a greater-than symbol (>) is appended. The prompt is updated whenever the system name changes.

When private VLANs are configured, address learning depends on the type of MAC address:
• Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a private-VLAN secondary VLAN is replicated in the primary VLAN.
• Static MAC addresses configured in a primary or secondary VLAN are not replicated in the associated VLANs.

You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission. Because all ports are associated with at least one VLAN, the switch acquires the VLAN ID for the address from the ports that you specify. You can specify a different list of destination ports for each source port.

MAC Address Learning on a VLAN
By default, MAC address learning is enabled on all VLANs on the switch. You can control MAC address learning on a VLAN to manage the available MAC address table space by controlling which VLANs, and therefore which ports, can learn MAC addresses. Before you disable MAC address learning, be sure that you are familiar with the network topology and the switch system configuration.

How to Perform Switch Administration
IP datagrams and ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword) is enabled on the IP interface. ARP entries added manually to the table do not age and must be manually removed.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  clock timezone zone hours-offset [minutes-offset]
        Sets the time zone. The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.
        • zone—Enters the name of the time zone to be displayed when standard time is in effect.
Step 3  end
        Returns to privileged EXEC mode.

Configuring Summer Time (Exact Date and Time)
To configure summer time when it does not follow a recurring pattern (that is, to configure the exact date and time of the next summer time events), perform this task:
Step 1  configure terminal
        Enters global configuration mode.

Step 1  configure terminal
        Enters global configuration mode.
Step 2  ip domain-name name
        Defines a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name.

Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the MOTD banner and before the login prompt.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  banner login c message c
        Specifies the login message.

Configuring MAC Address Change Notification Traps
Step 1  configure terminal
        Enters global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specifies the recipient of the trap message.
        • host-addr—Specifies the name or address of the NMS.
        • traps (the default)—Sends SNMP traps to the host.

Step 7  snmp trap mac-notification change {added | removed}
        Enables the MAC address change notification trap on the interface.
        • Enables the trap when a MAC address is added on this interface.
        • Enables the trap when a MAC address is removed from this interface.
Step 8  end
        Returns to privileged EXEC mode.

Step 1  configure terminal
        Enters global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
        Specifies the recipient of the trap message.
        • host-addr—Specifies the name or address of the NMS.
        • traps (the default)—Sends SNMP traps to the host.
        • informs—Sends SNMP informs to the host.

Adding and Removing Static Address Entries
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mac address-table static mac-addr vlan vlan-id interface interface-id
        Adds a static address to the MAC address table.
        • mac-addr—Specifies the destination MAC unicast address to add to the address table.
Step 3  end

Monitoring and Maintaining Switch Administration
clear mac address-table dynamic
        Removes all dynamic entries.
clear mac address-table dynamic address mac-address
        Removes a specific MAC address.
clear mac address-table dynamic interface interface-id
        Removes all addresses on the specified physical port or port channel.
Configuration Examples for Performing Switch Administration
This example (for daylight saving time) shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:
Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:
Switch(config)# clo

Switch(config)# interface gigabitethernet1/2
Switch(config-if)# snmp trap mac-notification change added

Sending MAC Address Move Notification Traps: Example
This example shows how to specify 172.20.10.

Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic               Document Title
Cisco IE 2000 commands      Cisco IE 2000 Switch Command Reference, Release 15.0(1)EY
Cisco IOS basic commands    Cisco IOS Configuration Fundamentals Command Reference
Cisco IOS routing commands.
CHAPTER 8 Configuring PTP

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

How to Configure PTP
Synchronization behavior depends on the PTP clock setting mode that you configure on the switch. The mode can be boundary, end-to-end transparent, or forward:
• A switch clock in boundary mode participates in the selection of the most accurate master clock. If no more accurate clock is detected, that switch clock becomes the master clock.
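The master selection that a boundary clock takes part in is the IEEE 1588 Best Master Clock comparison. The following is an added illustration written for this guide, not code from the Cisco IE 2000 or from Cisco IOS: it compares the data set each clock advertises in its Announce messages in the standard order (priority1, clockClass, clockAccuracy, offsetScaledLogVariance, priority2, then clockIdentity as the final tie-breaker, lower winning at every step) and applies the rule quoted above, so the local clock becomes master only when no announced clock is better. The clock identities, accuracy values and the field names of the ClockDataset record are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ClockDataset:
    """Fields a PTP clock advertises in Announce messages (IEEE 1588-2008 default data set)."""
    clock_identity: str              # EUI-64 form; used only as the last tie-breaker
    priority1: int                   # 0..255, assigned by the operator, lower is preferred
    clock_class: int                 # 6 = locked to a primary reference, 248 = default/free-running
    clock_accuracy: int              # IEEE 1588 enumeration, lower is better (0x20 = within 25 ns)
    offset_scaled_log_variance: int  # stability estimate, lower is better
    priority2: int                   # second operator-assigned tie-breaker


COMPARISON_ORDER = ("priority1", "clock_class", "clock_accuracy",
                    "offset_scaled_log_variance", "priority2", "clock_identity")


def compare(a: ClockDataset, b: ClockDataset) -> int:
    """Data set comparison for two distinct clocks: -1 if a is the better master, 1 if b is,
    0 if every field is identical. The first field in COMPARISON_ORDER that differs decides."""
    for field in COMPARISON_ORDER:
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            return -1 if va < vb else 1
    return 0


def select_master(local: ClockDataset, announced: List[ClockDataset]) -> ClockDataset:
    """Return the best clock among the local clock and every clock seen in Announce messages.
    When no announced clock beats the local one, the local clock is returned, i.e. the switch
    becomes master (the boundary-mode rule in the text)."""
    best = local
    for candidate in announced:
        if compare(candidate, best) < 0:
            best = candidate
    return best


def port_state(local: ClockDataset, announced: List[ClockDataset]) -> str:
    """MASTER when the local clock won the comparison, otherwise SLAVE to the winner."""
    return "MASTER" if select_master(local, announced) is local else "SLAVE"


# Constructed sample clocks (identities and values are made up for this example).
SWITCH = ClockDataset("00-1e-7a-ff-fe-10-20-30", priority1=128, clock_class=248,
                      clock_accuracy=0xFE, offset_scaled_log_variance=0xFFFF, priority2=128)
GPS_GRANDMASTER = ClockDataset("00-0c-29-ff-fe-aa-bb-cc", priority1=128, clock_class=6,
                               clock_accuracy=0x20, offset_scaled_log_variance=0x4E5D, priority2=128)
# A free-running clock whose operator set priority1=0: it beats the GPS-locked clock because
# priority1 is compared before clockClass, which is why priority1 must be assigned deliberately.
LOW_PRIORITY1 = ClockDataset("00-50-56-ff-fe-01-02-03", priority1=0, clock_class=248,
                             clock_accuracy=0xFE, offset_scaled_log_variance=0xFFFF, priority2=128)


if __name__ == "__main__":
    print("alone:", port_state(SWITCH, []))
    print("with GPS grandmaster:", port_state(SWITCH, [GPS_GRANDMASTER]),
          "->", select_master(SWITCH, [GPS_GRANDMASTER]).clock_identity)
    print("best of all three:", select_master(SWITCH, [GPS_GRANDMASTER, LOW_PRIORITY1]).clock_identity)
```

The comparison is purely ordinal: a lower priority1 wins before clock quality is even looked at, so the value a boundary clock advertises, and the values other devices on the segment advertise, decide which clock the switch follows.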
Monitoring and Maintaining the PTP Configuration

Setting Up PTP
Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Enters interface configuration mode.
Step 3  ptp {announce {interval value | timeout value} | delay-req interval value | enable | sync {interval value | limit value}}
        Specifies the settings for the timing messages. These options are available only when the switch is in boundary mode.

Troubleshooting the PTP Configuration
Table 8-3 Commands for Troubleshooting the PTP Configuration
debug ptp bmc                Enables debugging of the PTP Best Master Clock Algorithm.
debug ptp clock-correction   Enables debugging of PTP clock correction.
debug ptp collision          Enables debugging of PTP source collision.
debug ptp error              Enables debugging of PTP errors.
debug ptp event              Enables debugging of PTP state events.

Additional References

RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance
The Cisco Technical Support website (http://www.cisco.com/techsupport) contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.
CHAPTER 9 Configuring PROFINET

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring PROFINET

PROFINET Device Roles
Figure 9-1 PROFINET Device Roles (figure not reproduced; it shows an I/O controller (PLC) and an I/O supervisor (programming device or PC) connected over Ethernet to an I/O device (field device): the controller controls and exchanges data with the I/O device, the supervisor performs commissioning and plant diagnostics, and I/O data is read and written)
An I/O controller is a programmable logic controller (PLC) that controls I/O devices and exchanges data such as configuration, alarms, and I/O data through an automation progr

Table 9-1 PROFINET I/O Switch Attributes
PROFINET I/O Switch Configuration Attributes   Value or Action
Device name                                    Configures a name for the device.
TCP/IP                                         IP address, subnet mask, default gateway, SVI.
Primary temperature alarm                      Enables or disables monitoring for the specified alarm.
Secondary temperature alarm                    Enables or disables monitoring for the specified alarm.

How to Configure PROFINET
Although the Cisco IE 2000 switch has a default reduction ratio of 128 ms, we recommend a reduction ratio of 256 ms or 512 ms to reduce the load on the switch CPU when the switch uses a complex configuration.

Monitoring and Maintaining PROFINET
Step 4  profinet vlan vlan-id
        (Optional) Changes the VLAN number. The default VLAN number is 1. The VLAN ID range is 1-4096.
Step 5  end
        Returns to privileged EXEC mode.
Step 6  show running-config
        Verifies your entries.
Step 7  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic              Document Title
Cisco IE 2000 commands     Cisco IE 2000 Switch Command Reference, Release 15.
CHAPTER 10 Configuring CIP

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Monitoring CIP

Enabling CIP
Step 1  configure terminal
        Enters global configuration mode.
Step 2  cip security {password password | window timeout value}
        Sets CIP security options on the switch.
Step 3  interface vlan 20
        Enters interface configuration mode.
Step 4  cip enable
        Enables CIP on a VLAN.
Step 5  end
        Returns to privileged EXEC mode.
Step 6  show running-config
        Verifies your entries.

Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic              Document Title
Cisco IE 2000 commands     Cisco IE 2000 Switch Command Reference, Release 15.
CHAPTER 11 Configuring SDM Templates

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring SDM Templates
You can select a template to provide maximum system usage for some functions or use the default template to balance resources. To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features.

The first eight rows in the tables (unicast MAC addresses through security ACEs) represent approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance. The last row is a guideline used to calculate hardware resource consumption related to the number of Layer 2 VLANs on the switch.

How to Configure the Switch SDM Templates
Table 11-3 Approximate Feature Resources Allowed by Dual IPv4-and-IPv6 Templates (1) (continued)
Resource             IPv4-and-IPv6 Default   IPv4-and-IPv6 Routing
IPv6 QoS ACEs        0                       0.125 K
IPv6 security ACEs   0.125 K                 0.125 K
1. Template estimates are based on a switch with 8 routed interfaces and approximately 1000 VLANs.
2. IPv6 policy-based routing is not supported.

Configuration Examples for Configuring SDM Templates
This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 default command:
Switch# show sdm prefer dual-ipv4-and-ipv6 default
"dual-ipv4-and-ipv6 default" template:
The selected template optimizes the resources in the switch to support this level of features for 0 routed interfaces and 1024 VLANs.

Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic              Document Title
Cisco IE 2000 commands     Cisco IE 2000 Switch Command Reference, Release 15.
CHAPTER 12 Configuring Switch-Based Authentication

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring Switch-Based Authentication

Prevention for Unauthorized Switch Access
You can prevent unauthorized users from reconfiguring your switch and viewing configuration information.

Enable Secret Passwords with Encryption
To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.

Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, and accounting (AAA) and can be enabled only through AAA commands.

TACACS+, administered through the AAA security services, can provide these services:
• Authentication—Provides complete control of authentication through login and password dialog, challenge and response, and messaging support.

3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response.

You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters:
Note
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.

• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session.

The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization, if it is enabled.
Table 12-2 Supported IETF Attributes
Attribute Number   Attribute Name
24                 State
31                 Calling-Station-ID
44                 Acct-Session-ID
80                 Message-Authenticator
101                Error-Cause

Table 12-3 Error-Cause Values
Value   Explanation
201     Residual Session Context Removed
202     Invalid EAP Packet (Ignored)
401     Unsupported Attribute
402     Missing Attribute
403     NAS Identification Mismatch
404     Invalid Re

Unless all session identification attributes included in the CoA message match the session, the switch returns a Disconnect-NAK or CoA-NAK with the Invalid Attribute Value error-code attribute.

CoA Session Reauthentication
The AAA server typically generates a session reauthentication request when a host with an unknown identity or posture joins the network and is associated with a restricted access authorization profile (such as a guest VLAN). A reauthentication request allows the host to be placed in the appropriate authorization group when its credentials are known.

CoA Request: Disable Host Port
This command is carried in a standard CoA-Request message that has this new VSA:
Cisco:Avpair="subscriber:command=disable-host-port"
Because this command is session-oriented, it must be accompanied by one or more of the session identification attributes described in the “CoA Session Identification” section on page 12-11.

If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one.

Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.

attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair.
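The pieces described in this section (the IETF attributes of Table 12-2, the rule that every session-identification attribute in a CoA message must match the session, the disable-host-port VSA, and the vendor-ID 9 / vendor-type 1 cisco-avpair format) fit together in one message exchange. The following is an added example written for this guide, not Cisco code: it encodes a CoA-Request with a Cisco VSA, protects it with the Request Authenticator of RFC 5176 and the Message-Authenticator (attribute 80) of RFC 3579, and then acts as the switch (NAS) that verifies both before comparing the session attributes, answering CoA-ACK or CoA-NAK. The shared secret, session table and session values are constructed; the Error-Cause value 407 for Invalid Attribute Value is the RFC 5176 number and is not shown in the truncated Table 12-3 above; computing the Message-Authenticator first (over a zeroed authenticator field) and the Request Authenticator second is this example's choice of order, consistent for its own build and verify.

```python
import hashlib
import hmac
import struct

# Codes and attribute numbers used below (RFC 2865, RFC 3579 and RFC 5176 values; 24, 31, 44, 80
# and 101 are the IETF attributes listed in Table 12-2).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_STATE, ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID = 24, 26, 31
ATTR_ACCT_SESSION_ID, ATTR_MESSAGE_AUTHENTICATOR, ATTR_ERROR_CAUSE = 44, 80, 101
ERROR_INVALID_ATTRIBUTE_VALUE = 407            # RFC 5176 Error-Cause "Invalid Attribute Value"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1           # vendor-ID 9, vendor-type 1 (cisco-avpair)
SESSION_ID_ATTRS = (ATTR_STATE, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID)


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (counting these two octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco VSA: attribute 26 carrying Vendor-Id 9, then vendor-type 1, vendor-length, text."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out


def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request carrying both authenticators (example's order: Message-Authenticator,
    then Request Authenticator). Message-Authenticator = HMAC-MD5(secret, packet with zeroed
    authenticator field and zeroed attribute value); Request Authenticator = MD5(Code + Identifier
    + Length + 16 zero octets + attributes + secret)."""
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header_zero_auth = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs)) + bytes(16)
    msg_auth = hmac.new(secret, header_zero_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + msg_auth
    req_auth = hashlib.md5(header_zero_auth + attrs + secret).digest()
    return header_zero_auth[:4] + req_auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the NAS checks before acting: length, Request Authenticator, then Message-Authenticator,
    both in constant time. A request without a Message-Authenticator is refused."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header_zero_auth, attrs = packet[:4] + bytes(16), packet[20:]
    if not hmac.compare_digest(packet[4:20], hashlib.md5(header_zero_auth + attrs + secret).digest()):
        return False
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return False
    pos = 0
    for t, v in parsed:
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            return hmac.compare_digest(v, hmac.new(secret, header_zero_auth + zeroed, hashlib.md5).digest())
        pos += len(v) + 2
    return False


def handle_coa(packet: bytes, secret: bytes, sessions: dict) -> tuple:
    """Apply the rule from the text: every session-identification attribute in the request must match
    one active session, otherwise answer CoA-NAK with Error-Cause Invalid Attribute Value.
    Returns (response code, Error-Cause or None, cisco-avpair command or None)."""
    if not verify_coa_request(packet, secret):
        return None, None, None          # a request that fails authentication is silently discarded
    attrs = parse_attrs(packet[20:])
    ident = {t: v for t, v in attrs if t in SESSION_ID_ATTRS}
    command = None
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                command = v[6:4 + vlen].decode()
    if ident and any(all(s.get(t) == v for t, v in ident.items()) for s in sessions.values()):
        return COA_ACK, None, command
    return COA_NAK, ERROR_INVALID_ATTRIBUTE_VALUE, None


# Constructed sample data: shared secret, the switch's active-session table and three requests.
SECRET = b"constructed-shared-secret"
SESSIONS = {"00000123": {ATTR_ACCT_SESSION_ID: b"00000123", ATTR_CALLING_STATION_ID: b"00-1A-2B-3C-4D-5E"}}
DISABLE = cisco_avpair("subscriber:command=disable-host-port")
GOOD = build_coa_request(7, avp(ATTR_ACCT_SESSION_ID, b"00000123")
                         + avp(ATTR_CALLING_STATION_ID, b"00-1A-2B-3C-4D-5E") + DISABLE, SECRET)
STALE = build_coa_request(8, avp(ATTR_ACCT_SESSION_ID, b"00000123")
                          + avp(ATTR_CALLING_STATION_ID, b"00-1A-2B-3C-4D-5F") + DISABLE, SECRET)
TAMPERED = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])   # one flipped bit in the Message-Authenticator
```

GOOD is answered with CoA-ACK and the disable-host-port command is extracted; STALE carries a Calling-Station-ID that no longer matches the session and gets CoA-NAK with Error-Cause 407; TAMPERED and any request built with a different shared secret fail the authenticator checks and are dropped before any attribute is looked at, which is the order a NAS should keep.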
The Kerberos credential scheme uses a process called single logon. This process authenticates a user once and then allows secure authentication (without encrypting another password) wherever that user credential is accepted.

Table 12-5 Kerberos Terms (continued)
Term              Definition
Kerberos server   A daemon that is running on a network host. Users and network services register their identity with the Kerberos server. Network services query the Kerberos server to authenticate to other network services.
KEYTAB (3)        A password that a network service shares with the KDC.

4. The KDC sends an encrypted TGT that includes the user identity to the switch.
5. The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.

Secure Shell
To use this feature, you must install the cryptographic (encrypted) software image on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release.

Limitations
These limitations apply to SSH:
• The switch supports Rivest, Shamir, and Adleman (RSA) authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software.

The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application. When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster member switches must run standard HTTP.

Note: The certificate authorities and trustpoints must be configured on each device individually. Copying them from other devices makes them invalid on the switch.
Note: The values that follow TP self-signed depend on the serial number of the device.
You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an X.509v3 certificate from the client.

Because SSH also relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.
Note
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the switch must have a Rivest, Shamir, and Adleman (RSA) key pair.
How to Configure Switch-Based Authentication

Configuring Password Protection

Setting or Changing a Static Enable Password
Step 1  configure terminal
        Enters global configuration mode.
Step 2  enable password password
        Defines a new password or changes an existing password for access to privileged EXEC mode. By default, no password is defined.

Protecting Enable and Enable Secret Passwords with Encryption
Step 1  configure terminal
        Enters global configuration mode.
Step 2  enable password [level level] {password | encryption-type encrypted-password}
        Defines a new password or changes an existing password for access to privileged EXEC mode.

Setting a Telnet Password for a Terminal Line
Step 1  Attaches a PC or workstation with emulation software to the switch console port. The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.
Step 2  enable password password
        Enters privileged EXEC mode.

Step 4  login local
        Enables local password checking at login time. Authentication is based on the username specified in Step 2. To disable password checking and allow connections without a password, use the no login line configuration command.
Step 5  end
        Returns to privileged EXEC mode.

Logging Into and Exiting a Privilege Level
enable level
        Logs in to a specified privilege level. level—The range is 0 to 15.
disable level
        Exits to a specified privilege level. level—The range is 0 to 15.

Configuring TACACS+
This section describes how to configure your switch to support TACACS+.

Step 5  server ip-address
        (Optional) Associates a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6  end
        Returns to privileged EXEC mode.
Step 7  show tacacs
        Verifies your entries.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Creates a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 aaa authorization network tacacs+ Configures the switch for user TACACS+ authorization for all network-related service requests.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specifies the IP address or hostname of the remote RADIUS server host. • (Optional) auth-port port-number—Specifies the UDP destination port for authentication requests.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Defining AAA Server Groups Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specifies the IP address or hostname of the remote RADIUS server host.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Configuring RADIUS Login Authentication Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 aaa new-model Enables AAA. Step 3 aaa authentication login {default Creates a login authentication method list. | list-name} method1 [method2...
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Configuring RADIUS Authorization for User Privileged Access and Network Services Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 aaa authorization network radius Configures the switch for user RADIUS authorization for all network-related service requests.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Step 6 Command Purpose radius-server vsa send [accounting | authentication] Enables the switch to recognize and use VSAs as defined by RADIUS IETF attribute 26. • (Optional) accounting—Limits the set of recognized vendor-specific attributes to only accounting attributes. • (Optional) authentication—Limits the set of recognized vendor-specific attributes to only authentication attributes.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Command Purpose Step 4 client {ip-address | name} [vrf vrfname] Enters dynamic authorization local server configuration mode and [server-key string] specifies a RADIUS client from which a device will accept CoA and disconnect requests. Step 5 server-key [0 | 7] string Configures the RADIUS key to be shared between a device and RADIUS clients.
Chapter 12 Configuring Switch-Based Authentication How to Configure Switch-Based Authentication Step 6 Command Purpose username name [privilege level] {password encryption-type password} Enters the local database, and establishes a username-based authentication system. Repeat this command for each user. • name—Specifies the user ID as one word. Spaces and quotation marks are not allowed. • (Optional) level—Specifies the privilege level the user has after gaining access. The range is 0 to 15.
Step 4   crypto key generate rsa
         Enables the SSH server for local and remote authentication on the switch and generates an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.
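The enable password, local username, login local and crypto key generate rsa steps above, pulled together as one added configuration (an example added here, not the Cisco guide's own). The hostname, domain name, user names, passwords and timeouts are placeholders, and the secret, service password-encryption, ip ssh, transport input and exec-timeout commands are standard IOS commands assumed here rather than taken from the steps above.

```cisco
! Added example (not from the Cisco guide): management-plane authentication on an
! IE 2000, combining the enable secret, local username, SSH and terminal-line steps.
! Hostname, domain name, user names and passwords are placeholders.
!
! --- Weak baseline the steps above move away from (shown as comments) ---
! enable password EnablePasswordPlaceholder   ! reversible; no enable secret
! line vty 0 4
!  no login                                   ! connections accepted without a password
!  transport input telnet                     ! credentials cross the wire in clear text
!
! --- Hardened configuration ---
configure terminal
hostname ie2000-cell1
ip domain-name plant.example.com        ! required before the RSA key pair can be generated
!
! enable secret stores a hash and takes precedence over enable password;
! do not give the two the same value.
enable secret 0 EnableSecretPlaceholder
service password-encryption             ! obscures any remaining type 0 passwords in the config
!
! Local user database with explicit privilege levels (range 0 to 15);
! "secret" stores a hash instead of the reversible "password" form.
username netops privilege 15 secret 0 NetOpsPlaceholder
username readonly privilege 1 secret 0 ReadOnlyPlaceholder
!
! RSA key pair for the SSH server; the guide recommends at least 1024 bits, 2048 is used here.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local                            ! authenticate against the local username database
 transport input ssh                    ! refuse Telnet; SSH only
 exec-timeout 10 0                      ! drop idle sessions after 10 minutes
!
line con 0
 login local
 exec-timeout 10 0
end
!
! Verification from privileged EXEC
show ip ssh
show running-config | include ^username|^enable|^line|transport input|login local
```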
Configuring Secure HTTP Servers and Clients

Configuring a CA Trustpoint

Step 1   configure terminal
         Enters global configuration mode.
Step 2   hostname hostname
         Specifies the hostname of the switch (required only if you have not previously configured a hostname).

Step 1   show ip http server status
         (Optional) Displays the status of the HTTP server to determine if the secure HTTP server feature is supported in the software. You should see one of these lines in the output:
         HTTP secure server capability: Present
         or
         HTTP secure server capability: Not present
Step 2   configure terminal
         Enters global configuration mode.

Step 12  end
         Returns to privileged EXEC mode.
Step 13  show ip http server secure status
         Displays the status of the HTTP secure server to verify the configuration.

Configuring the Secure HTTP Client

Before You Begin

The standard HTTP client and secure HTTP client are always enabled. A certificate authority is required for secure HTTP client certification.

Monitoring and Maintaining Switch-Based Authentication

show ip http client secure status
         Displays the HTTP secure client configuration.
show ip http server secure status
         Displays the HTTP secure server configuration.

Configuration Examples for Configuring Switch-Based Authentication

Changing the Enable Password: Example

This example shows how to change the enable password to l1u2c3k4y5.

Defining AAA Server Groups: Example

In this example, the switch is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.

Switch(config)# radius-server host 172.20.0.
Additional References

Related Documents

Related Topic                   Document Title
Password protection commands    Cisco IOS Security Command Reference
Kerberos commands               Cisco IOS Security Command Reference
Secure Shell commands           Cisco IOS Security Command Reference

Standards

Standards                                                                   Title
No new or modified standards are supported by this feature, and support     -
for existing standards has not been modified by this feature.
Chapter 13 Configuring IEEE 802.1x Port-Based Authentication

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring IEEE 802.1x Port-Based Authentication

Device Roles

Figure 13-1 802.1x Device Roles [figure: authentication server (RADIUS); workstations (clients)]

• Client: The device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system.

Authentication Process

When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software, these events occur:
• If the client identity is valid and the 802.1x authentication succeeds, the switch grants the client access to the network.
• If 802.

The switch reauthenticates a client when one of these situations occurs:
• Periodic reauthentication is enabled, and the reauthentication timer expires. You can configure the reauthentication timer to use a switch-specific value or to be based on values from the RADIUS server. After 802.

Note: If 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state.
Table 13-1 802.1x Features

Mode / Authentication Method    Single Host    Multiple Host    MDA (1)    Multiple Authentication (2)
802.

Note: You can only set any as the source in the ACL.

Note: For any ACL configured for multiple-host mode, the source portion of the statement must be any. (For example, permit icmp any host 10.10.1.1.) You must specify any in the source ports of any defined ACL. Otherwise, the ACL cannot be applied and authorization fails.

Ports in Authorized and Unauthorized States

During 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets.

In multiple-hosts mode, you can attach multiple hosts to a single 802.1x-enabled port. Figure 13-5 on page 13-10 shows 802.1x port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access.

• A voice device MAC address that is binding on the data VLAN is not counted towards the port security MAC address limit.
• MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support 802.1x authentication. For more information, see the “MAC Authentication Bypass Guidelines” section on page 13-33.

For more information about configuring multiauth mode on a port, see the “Configuring the Host Mode” section on page 13-38.

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another authentication manager-enabled port of the switch.

If a port is in open authentication mode, any new MAC address is immediately added to the MAC address table. For more information, see the “Configuring Optional 802.1x Authentication Features” section on page 13-40.

802.1x Accounting

The 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. 802.
802.1x Authentication with VLAN Assignment

The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.

To configure VLAN assignment you need to perform these tasks:
• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.
• Enable 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure 802.1x authentication on an access port.

802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch.

802.1x Authentication with Downloadable ACLs and Redirect URLs

You can download ACLs and redirect URLs from a RADIUS server to the switch during 802.1x authentication or MAC authentication bypass of the host. You can also download ACLs during web authentication.

Note: A downloadable ACL is also referred to as a dACL.

If a host falls back to web authentication on a port without a configured ACL:
• If the port is in open authentication mode, the auth-default-ACL-OPEN is created.
• If the port is in closed authentication mode, the auth-default-ACL is created.

The access control entries (ACEs) in the fallback ACL are converted to per-user entries.

VLAN ID-Based MAC Authentication

You can use VLAN ID-based MAC authentication if you want to authenticate hosts based on a static VLAN ID instead of a downloadable VLAN. When you have a static VLAN policy configured on your switch, VLAN information is sent to an IAS (Microsoft) RADIUS server along with the MAC address of each host for authentication.

Any number of 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on 802.

Restricted VLANs are supported only on 802.1x ports in single-host mode and on Layer 2 ports. You can configure any active VLAN except an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an 802.1x restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or trunk ports; it is supported only on access ports.

You can configure the critical port to reinitialize hosts and move them out of the critical VLAN when the RADIUS server is again available. When this is configured, all critical ports in the critical-authentication state are automatically reauthenticated.

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it. When 802.

802.1x Authentication with MAC Authentication Bypass

You can configure the switch to authorize clients based on the client MAC address (see Figure 13-2 on page 13-3) by using the MAC authentication bypass feature. For example, you can enable this feature on 802.1x ports connected to devices such as printers. If 802.

• Network admission control (NAC) Layer 2 IP validation: This feature takes effect after an 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list.
• Network Edge Access Topology (NEAT): MAB and NEAT are mutually exclusive.

Network Admission Control Layer 2 802.1x Validation

The switch supports the Network Admission Control (NAC) Layer 2 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 802.

Open1x Authentication

Open1x authentication allows a device access to a port before that device is authenticated. When open authentication is configured, a new host can pass traffic according to the access control list (ACL) defined on the port. After the host is authenticated, the policies configured on the RADIUS server are applied to that host.

• Host authorization ensures that only traffic from authorized hosts (connecting to the switch with supplicant) is allowed on the network. The switches use Client Information Signalling Protocol (CISP) to send the MAC addresses connecting to the supplicant switch to the authenticator switch, as shown in Figure 13-6.

An IEEE 802.1x port in single-host mode uses ACLs from the ACS to provide different levels of service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates this type of user and port, it sends ACL attributes based on the user identity to the switch. The switch applies the attributes to the port for the duration of the user session.

Table 13-3 Default 802.1x Authentication Settings (continued)

Feature                                               Default Setting
Periodic reauthentication                             Disabled.
Number of seconds between reauthentication attempts   3600 seconds.
Reauthentication number                               2 times (number of times that the switch restarts the authentication process before the port changes to the unauthorized state).

Note: You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab. 802.

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass Guidelines

• When 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
• The 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VMPS.
• If the port is in the authorized state, the port remains in this state until reauthorization occurs.
• You can configure a timeout period for hosts that are connected by MAC authentication bypass but are inactive. The range is 1 to 65535 seconds.

Maximum Number of Allowed Devices Per Port Guidelines

This is the maximum number of devices allowed on an 802.
How to Configure IEEE 802.1x Port-Based Authentication

Beginning in privileged EXEC mode, follow these steps to configure 802.1x port-based authentication:

Step 1   configure terminal
         Enters global configuration mode.
Step 2   aaa new-model
         Enables AAA.
Step 3   aaa authentication dot1x {default} method1
         Creates an 802.1x authentication method list.

Configuring the Switch-to-RADIUS-Server Communication

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS servers by using the radius-server host global configuration command.

Enabling Voice Aware 802.1x Security

Step 1   configure terminal
         Enters global configuration mode.
Step 2   errdisable detect cause security-violation shutdown vlan
         Shuts down any VLAN on which a security violation error occurs.
Step 3   errdisable recovery cause security-violation
         (Optional) Enables automatic per-VLAN error recovery.

Step 5   switchport mode access
         Sets the port to access mode.
Step 6   authentication violation {shutdown | restrict | protect | replace}
         Configures the violation mode.
         • shutdown: Error-disables the port.
         • restrict: Generates a syslog error.
         • protect: Drops packets from any new device that sends traffic to the port.

Step 5   switchport voice vlan vlan-id
         (Optional) Configures the voice VLAN.
Step 6   end
         Returns to privileged EXEC mode.
Step 7   show authentication interface interface-id
         Verifies your entries.
Step 8   copy running-config startup-config
         (Optional) Saves your entries in the configuration file.

Configuring Periodic Reauthentication

You can enable periodic 802.
Step 7   show authentication interface interface-id
         Verifies your entries.
Step 8   copy running-config startup-config
         (Optional) Saves your entries in the configuration file.

Configuring Optional 802.1x Authentication Features

Step 1   dot1x reauthenticate interface interface-id
         (Optional) Manually initiates a reauthentication of the specified IEEE 802.
Step 6   dot1x max-reauth-req count
         (Optional) Sets the number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. The range is 1 to 10; the default is 2.
Configuring 802.1x Accounting

Before You Begin

AAA must be enabled on your switch.

Step 1   configure terminal
         Enters global configuration mode.
Step 2   interface interface-id
         Specifies the port to be configured, and enters interface configuration mode.
Step 3   aaa accounting dot1x default start-stop group radius
         Enables 802.
Configuring a Restricted VLAN

When you configure a restricted VLAN on a switch, clients that are 802.1x-compliant are moved into the restricted VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode.

Step 1   configure terminal
         Enters global configuration mode.

Step 7   end
         Returns to privileged EXEC mode.
Step 8   show authentication interface interface-id
         (Optional) Verifies your entries.
Step 9   copy running-config startup-config
         (Optional) Saves your entries in the configuration file.

Configuring Inaccessible Authentication Bypass

Step 1   configure terminal
         Enters global configuration mode.

Step 4   radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
         (Optional) Configures the RADIUS server parameters by using these keywords:
         • acct-port udp-port: Specifies the UDP port for the RADIUS accounting server.

Step 9   authentication server dead action authorize [vlan]
         Authorizes the switch in access VLAN or configured VLAN (if the VLAN is specified) when the ACS server is down.
Step 10  end
         Returns to privileged EXEC mode.
Step 11  show authentication interface interface-id
         (Optional) Verifies your entries.

Step 7   show authentication interface interface-id
         Verifies your 802.1x authentication configuration.
Step 8   copy running-config startup-config
         (Optional) Saves your entries in the configuration file.

Configuring an Authenticator and Supplicant

You can also use an Auto Smartports user-defined macro instead of the switch VSA to configure the authenticator switch.

Step 3   dot1x credentials profile
         Creates an 802.1x credentials profile. This must be attached to the port that is configured as supplicant.
Step 4   username suppswitch
         Creates a username.
Step 5   password password
         Creates a password for the new username.

Step 6   interface interface-id
         Specifies the port to be configured, and enters interface configuration mode.
Step 7   ip access-group acl-id in
         Configures the default ACL on the port in the input direction.
         Note: The acl-id is an access list name or number.
Step 8   show running-config interface interface-id
         Verifies your configuration.

Step 9 / Step 10   ip device tracking probe [count | interval | use-svi]
         (Optional) Configures the IP device tracking table:
         • count count: Sets the number of times that the switch sends the ARP probe. The range is from 1 to 5. The default is 3.
         • interval interval: Sets the number of seconds that the switch waits for a response before resending the ARP probe.

Monitoring and Maintaining IEEE 802.1x Port-Based Authentication

Resetting the 802.1x Authentication Configuration to the Default Values

Step 1   configure terminal
         Enters global configuration mode.
Step 2   interface interface-id
         Enters interface configuration mode, and specifies the port to be configured.
Step 3   dot1x default
         Resets the 802.1x parameters to the default values.

Configuration Examples for Configuring IEEE 802.1x Port-Based Authentication

Enabling 802.1x Authentication: Example

This example shows how to enable 802.

Enabling an 802.1x Guest VLAN: Example

This example shows how to enable VLAN 2 as an 802.
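The violation mode, periodic reauthentication, 802.1x accounting, restricted VLAN and guest VLAN procedures above, combined on one access port as an added example (not one of the guide's own configuration examples). The interface, VLAN numbers, RADIUS server address and shared key are placeholders, and the authentication event, authentication order/priority, authentication timer, dot1x system-auth-control and mab commands are standard IOS commands assumed here rather than taken from the steps above.

```cisco
! Added example (not from the Cisco guide): one 802.1x access port on an IE 2000 with
! MAB fallback, periodic reauthentication, guest and restricted VLANs, and an explicit
! violation mode. Interface, VLAN IDs, RADIUS address and key are placeholders.
configure terminal
!
! --- Global AAA and RADIUS ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius    ! required for RADIUS VLAN/ACL assignment
aaa accounting dot1x default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusKeyPlaceholder
radius-server vsa send authentication               ! accept vendor-specific attributes (IETF attribute 26)
dot1x system-auth-control                           ! enable 802.1x globally
!
! --- Port configuration (single-host mode, the default, because the guide supports
!     restricted VLANs only in single-host mode) ---
interface fastethernet1/1
 switchport mode access
 switchport access vlan 10                          ! normal data VLAN after successful authentication
 !
 authentication order dot1x mab                     ! try 802.1x first, then MAC authentication bypass
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab                                                ! fallback for devices without a supplicant (printers etc.)
 !
 ! Guest VLAN: 802.1x-incapable clients that never answer the EAP-request/identity frames
 authentication event no-response action authorize vlan 30
 ! Restricted VLAN: clients that present invalid credentials
 authentication event fail action authorize vlan 40
 !
 ! Periodic reauthentication every hour (use "server" instead of 3600 to take the
 ! interval from the RADIUS Session-Timeout attribute)
 authentication periodic
 authentication timer reauthenticate 3600
 !
 ! Violation mode: "restrict" logs a syslog error for a second MAC address instead of
 ! error-disabling the port ("shutdown"), which matters on an unattended industrial cell
 authentication violation restrict
 !
 dot1x timeout tx-period 10                         ! seconds between EAP-request/identity frames
 dot1x max-reauth-req 2                             ! retries before the authentication restarts (guide default)
 spanning-tree portfast
end
!
! Verification from privileged EXEC
show authentication interface fastethernet1/1
show dot1x interface fastethernet1/1 details
```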
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# switchport mode access
Switch(config-if)# authentication port-control auto
Switch(config-if)# dot1x pae authenticator
Switch(config-if)# spanning-tree portfast trunk

Configuring an 802.

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic            Document Title
Cisco IE 2000 commands   Cisco IE 2000 Switch Command Reference, Release 15.

Technical Assistance

Description                                                                     Link
The Cisco Technical Support website contains thousands of pages of searchable   http://www.cisco.com/techsupport
technical content, including links to products, technologies, solutions,
technical tips, and tools. Registered Cisco.com users can log in from this
page to access even more content.
CH A P T E R 14 Configuring Web-Based Authentication Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring Web-Based Authentication

• Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT when web-based authentication is running on an interface.
• Web-based authentication supports only RADIUS authorization servers. You cannot use TACACS+ servers or local authorization.

• Switch: controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.

If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and the session waits for HTTP traffic from the host.

Authentication Process

When you enable web-based authentication, these events occur:
• The user initiates an HTTP session.
• The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the user.

Figure 14-2 Authentication Successful Banner

You can also customize the banner, as shown in Figure 14-3.
• Add a switch, router, or company name to the banner by using the ip admission auth-proxy-banner http banner-text global configuration command.
• Add a logo or text file to the banner by using the ip admission auth-proxy-banner http file-path global configuration command.

Figure 14-4 Login Screen with No Banner

For more information, see the Cisco IOS Security Command Reference and the “Configuring a Web Authentication Local Banner” section on page 14-14.

Web Authentication Customizable Web Pages

During the web-based authentication process, the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client.

• If you configure web pages for HTTP authentication, they must include the appropriate HTML commands (for example, to set the page time out, to set a hidden password, or to confirm that the same page is not submitted twice).
• The CLI command to redirect users to a specific URL is not available when the configured login form is enabled.

Figure 14-5 Customizable Authentication Page

Web-Based Authentication Interactions with Other Features
• Port Security, page 14-8
• LAN Port IP, page 14-8
• Gateway IP, page 14-9
• ACLs, page 14-9
• Context-Based Access Control, page 14-9
• 802.

If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and posture is validated again.

Gateway IP

You cannot configure Gateway IP (GWIP) on a Layer 3 VLAN interface if web-based authentication is configured on any of the switch ports in the VLAN. You can configure web-based authentication on the same Layer 3 interface as Gateway IP.
Default Web-Based Authentication Settings

Table 14-1 Default Web-Based Authentication Settings

Feature                                  Default Setting
AAA                                      Disabled
RADIUS server IP address                 None specified
RADIUS server UDP authentication port    1812
RADIUS server key                        None specified
Default value of inactivity timeout      3600 seconds
Inactivity timeout                       Enabled

Configuring Switch-to-RADIUS-Server Communication

RADIUS security servers i
How to Configure Web-Based Authentication

Configuring the Authentication Rule and Interfaces

Step 1  ip admission name name proxy http
        Configures an authentication rule for web-based authorization.
Step 2  interface type slot/port
        Enters interface configuration mode and specifies the ingress Layer 2 interface to be enabled for web-based authentication.

Configuring Switch-to-RADIUS-Server Communication

Step 1  ip radius source-interface interface_name
        Specifies that the RADIUS packets have the IP address of the indicated interface.
Step 2  radius-server host {hostname | ip-address} test username username
        Specifies the host name or IP address of the remote RADIUS server.

Customizing the Authentication Proxy Web Pages

Before You Begin

You can configure web authentication to display four substitute HTML pages to the user in place of the switch default HTML pages during web-based authentication.

Configuring a Web Authentication Local Banner

Step 1  configure terminal
        Enters global configuration mode.
Step 2  ip admission auth-proxy-banner http [banner-text | file-path]
        Enables the local banner.
Step 3  end
        Returns to privileged EXEC mode.
Step 4  copy running-config startup-config
        (Optional) Saves your entries in the configuration file.
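The procedures above (authentication rule and interface, switch-to-RADIUS communication, local banner) assembled into one working configuration. This is an added example and is not taken from this guide; the interfaces, VLANs, server address, shared secret, probe username and rule name are hypothetical. The pre-authentication port ACL is the check a practitioner adds so that a host that has not yet logged in can only obtain an address and resolve names; it is not one of the documented steps.

```cisco
! Added example, not part of the Cisco guide. Interfaces, VLANs, addresses, the RADIUS
! key and the probe username are hypothetical.
configure terminal
!
! AAA: web-based authentication accepts only RADIUS for authorization (no TACACS+, no local).
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
!
! RADIUS server, sourced from the management SVI, with a probe user so a dead server is
! detected, plus the attributes the auth-proxy relies on (Framed-IP-Address, vendor VSAs).
interface Vlan99
 description Management
 ip address 172.20.39.2 255.255.255.0
 exit
ip radius source-interface Vlan99
radius-server host 172.20.39.46 test username webauth-probe
radius-server key ExampleRadiusSecret1
radius-server dead-criteria tries 2
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
!
! The login page is served by the switch HTTP server; IP device tracking supplies the
! client address that the auth-proxy binds the session to.
ip device tracking
ip http server
ip http secure-server
!
! Authentication rule and a local banner (C is the banner delimiter character here).
ip admission name webauth1 proxy http
ip admission auth-proxy-banner http C Authorized users only C
!
! Pre-authentication ACL: until the user logs in, only DHCP and DNS leave the port.
! HTTP is intercepted by the switch itself; everything else is dropped.
ip access-list extended WEBAUTH-PREAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
 exit
!
! Ingress Layer 2 port the client connects to.
interface FastEthernet1/1
 description Operator workstation
 switchport mode access
 switchport access vlan 80
 ip access-group WEBAUTH-PREAUTH in
 ip admission webauth1
 exit
end
!
! Verification from privileged EXEC:
show ip admission configuration
show ip admission cache
```

Two points worth checking on a live switch. The ip admission command by itself only intercepts HTTP; it is the ingress ACL that keeps every other protocol off the network before login, so a port configured without one forwards non-HTTP traffic from an unauthenticated host. And the RADIUS shared secret is protected only by the MD5-based hiding RADIUS itself provides, so the server should be reachable only over the management VLAN used as the source interface.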
Configuration Examples for Configuring Web-Based Authentication

This example shows how to verify the configuration:

Switch# show ip admission configuration
Authentication Proxy Banner not configured
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication global init state time is 2 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
 Auth-proxy name webauth1 http li
Authentication Proxy Watch-list is disabled
Authentication Proxy Auditing is disabled
Max Login attempts per user is 5

Configuring a Redirection URL: Example

This example shows how to configure a redirection URL for successful login:

Switch(config)# ip admission proxy http success redirect www.cisco.
Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

The Cisco Technical Support website, http://www.cisco.com/techsupport, contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.
Chapter 15 Configuring Interface Characteristics

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring Interface Characteristics

Port-Based VLANs

A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 17, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.

Routed Ports

Note: The LAN base image supports static routing.

A routed port is a physical port that acts like a port on a router; it does not have to be connected to a router. A routed port is not associated with a particular VLAN, as an access port is. A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces.

Trunk Ports

A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN database. The switch supports only IEEE 802.1Q trunk ports. An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An IEEE 802.1Q trunk port is assigned a default port VLAN ID (PVID), and all untagged traffic travels on the port default PVID.

By default, the switch dynamically selects the interface type that first links up. However, you can use the media-type interface configuration command to manually select the RJ-45 connector or the SFP module connector. To return to the default setting, use the media-type auto interface or the no media-type interface configuration command.

[Figure 15-1 Connecting VLANs with a Layer 3 Switch: a Layer 3 switch with routing enabled uses SVI 1 and SVI 2 (addresses 172.20.128.1 and 172.20.129.1) to route between Host A in VLAN 20 and Host B in VLAN 30.]

Basic routing (static routing and RIP) is supported on the LAN base image. Whenever possible, to maintain high performance, forwarding is done by the switch hardware.

• Port number: the physical interface number on the switch. The port numbers for the IE-2000-4TC switch model are 1 to 4 for the Fast Ethernet ports and 1 to 2 for the Gigabit Ethernet ports. The port numbers for the IE-2000-8TC switch model are 1 to 8 for the Fast Ethernet ports and 1 to 2 for the Gigabit Ethernet ports. Table 15-1 shows the switch and module combinations and the interface numbers.

Default Ethernet Interface Settings

For more details on the VLAN parameters listed in the table, see Chapter 17, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 29, “Configuring Port-Based Traffic Control.”

Interface Speed and Duplex Mode

Depending on the supported port types, Ethernet interfaces on the switch operate at 10, 100, or 1000 Mb/s, in either full- or half-duplex mode. In full-duplex mode, two stations can send and receive traffic at the same time. Normally, 10-Mb/s ports operate in half-duplex mode, which means that a station can either receive or send traffic, but not both at the same time.

Note: Ports on the switch can receive, but not send, pause frames. You use the flowcontrol interface configuration command to set the interface's ability to receive pause frames to on, off, or desired. The default state is off.

How to Configure Interface Characteristics

Note: You cannot configure a routing MTU size that exceeds the system MTU size. If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted but not applied until the next switch reset. When the configuration change takes effect, the routing MTU size automatically defaults to the new system MTU size.

When configuring SVIs, you can also configure SVI autostate exclude on a port in the SVI to exclude that port from the determination of the SVI line-state status. See the “Configuring SVI Autostate Exclude” section on page 15-17.

• Routed ports: physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command.
Configuring Interfaces

These general instructions apply to all interface configuration processes.

Step 1  Enter the configure terminal command at the privileged EXEC prompt:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

Step 2  Enter the interface global configuration command.

• All interfaces defined in a range must be the same type (all Fast Ethernet ports, all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.

Step 1  configure terminal
        Enters global configuration mode.

Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config | include define
        Shows the defined interface range macro configuration.

Configuring Ethernet Interfaces

Setting the Type of a Dual-Purpose Uplink Port

Perform this task to select which dual-purpose uplink to activate so that you can set the speed and duplex. This procedure is optional.

Setting the Interface Speed and Duplex Parameters

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies the physical interface to be configured, and enters interface configuration mode.

Configuring Auto-MDIX on an Interface

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies the physical interface to be configured, and enters interface configuration mode.
Step 3  speed auto
        Configures the interface to autonegotiate speed with the connected device.

Configuring the System MTU

Step 1  configure terminal
        Enters global configuration mode.
Step 2  system mtu bytes
        (Optional) Changes the MTU size for all interfaces on the switch that are operating at 10 or 100 Mb/s. The range is 1500 to 1998 bytes; the default is 1500 bytes.

Monitoring and Maintaining Interface Characteristics

Table 15-3 Show Commands for Interfaces (continued)

show ip interface [interface-id]
        (Optional) Displays the usability status of all interfaces configured for IP routing, or of the specified interface.
show interface [interface-id] stats
        (Optional) Displays the input and output packets by switching path for the interface.

Step 3  shutdown
        Shuts down the interface.
        Note: Use the no shutdown interface configuration command to restart the interface.
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show running-config
        Verifies your entry.
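The shutdown procedure above, combined with the interface-range macro and access-VLAN commands from this chapter, applied to the housekeeping step a practitioner takes after deploying an IE 2000: park every unused copper port in a VLAN that carries nothing, force it to access mode so an attached device cannot negotiate a trunk, and shut it. This is an added example, not from this guide; the macro name, VLAN 999 and the assumption that ports FastEthernet1/5 to 1/8 of an IE-2000-8TC are unused are hypothetical.

```cisco
! Added example, not part of the Cisco guide. Macro name, VLAN number and the set of
! unused ports are hypothetical (an IE-2000-8TC has FastEthernet1/1 to 1/8 and
! GigabitEthernet1/1 to 1/2; 1/5 to 1/8 are assumed unused here).
configure terminal
!
! A VLAN with no SVI and no trunk membership: a device on a parked port reaches nothing.
vlan 999
 name PARKING-UNUSED
 exit
!
! Group the unused ports once; the macro is reusable in later maintenance windows.
define interface-range unused_ports fastethernet1/5 - 8
!
interface range macro unused_ports
 description UNUSED - shut down
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 no cdp enable
 shutdown
 exit
end
!
! Verification: the macro definition and the port state (shut ports show "disabled").
show running-config | include define
show interfaces status
```

When one of these ports is later needed, the same macro is the place to start: re-enter interface range macro unused_ports, or the single interface, set the real access VLAN, and issue no shutdown. Leaving the port in access mode with switchport nonegotiate means a device plugged into it cannot use DTP to turn the port into a trunk.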
Configuration Examples for Configuring Interface Characteristics

This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:

Switch# configure terminal
Switch(config)# interface range macro enet_list
Switch(config-if-range)#

This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.

Configuring SVI Autostate Exclude: Example

This example shows how to configure an access or trunk port in an SVI to be excluded from the status calculation:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Additional References

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Chapter 16 Configuring Smartports Macros

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
How to Configure Smartports Macros

Table 16-1 Default Smartports Macros

cisco-ie-global
        Use this global configuration macro to configure the switch settings for the industrial Ethernet environment. This macro is automatically applied when you use Express Setup to initially configure the switch.
        Note: You must first apply the cisco-ie-global macro for the cisco-ethernetip macro to work properly.

• When you apply a macro to a switch or a switch interface, the macro name is automatically added to the switch or interface. You can display the applied commands and macro names by using the show running-config user EXEC command.

Applying Smartports Macros

Step 1  show parser macro
        Displays the Cisco-default Smartports macros embedded in the switch software.

Step 9  show running-config interface interface-id
        Verifies that the macro is applied to an interface.
Step 10 copy running-config startup-config
        (Optional) Saves your entries in the configuration file.

Monitoring and Maintaining Smartports Macros

Table 16-2 Commands for Displaying Smartports Macros

show parser macro
        Displays all Smartports macros.

Macro type : default interface
#macro name cisco-ethernetip
#macro keywords ACCESS_VLAN
#macro description cisco-ethernetip
switchport host
switchport access vlan ACCESS-VLAN
storm-control broadcast level 3.00 1.

Additional References

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

The Cisco Technical Support website, http://www.cisco.com/techsupport, contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.
Chapter 17 Configuring VLANs

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring VLANs

VLANs

[Figure 17-1 VLANs as Logically Defined Networks: Engineering, Marketing, and Accounting VLANs span Floors 1 to 3 and are interconnected through a Cisco router over Gigabit Ethernet.]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is assigned manually on an interface-by-interface basis.

Although the switch supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.

Dynamic access (membership mode)
        VLAN membership: a dynamic-access port can belong to one VLAN and is dynamically assigned by a VMPS (VLAN Membership Policy Server). The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never an IE 2000 switch. The IE 2000 switch is a VMPS client.
        VTP: required. Configure the VMPS and the client with the same VTP domain name.

You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
• VLAN ID
• VLAN name
• VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title [NET], TrBRF, or TrCRF, Token Ring, Token Ring-Net)
• VLAN state (active or suspended)
• Maximum transmission unit (MTU) for the VLAN
• Security Association Identifier (SAID)
• Bridge identification number for TrBRF VLANs
• Ring n

• Token Ring TrCRF VLANs

For more information on configuring Token Ring VLANs, see the Catalyst 6500 Series Software Configuration Guide.

Normal-Range VLAN Configuration Guidelines

Follow these guidelines when creating and modifying normal-range VLANs in your network:
• The switch supports 1005 VLANs in VTP client, server, and transparent modes.
• Normal-range VLANs are identified with a number between 1 and 1001.

Table 17-2 Ethernet VLAN Defaults and Ranges

Parameter     Default                                                    Range
VLAN ID       1                                                          1 to 4094
              Note: Extended-range VLANs (VLAN IDs 1006 to 4094) are saved in the VLAN database only in VTP version 3.
VLAN name     VLANxxxx, where xxxx represents four numeric digits        No range
              (including leading zeros) equal to the VLAN ID number
IEEE 802.

If you are assigning a port on a cluster member switch to a VLAN, first use the rcommand privileged EXEC command to log in to the cluster member switch.

Note: If you assign an interface to a VLAN that does not exist, the new VLAN is created. (See the “Creating or Modifying an Ethernet VLAN” section on page 17-17.)

• Each routed port on the switch creates an internal VLAN for its use. These internal VLANs use extended-range VLAN numbers, and the internal VLAN ID cannot be used for an extended-range VLAN. If you try to create an extended-range VLAN with a VLAN ID that is already allocated as an internal VLAN, an error message is generated, and the command is rejected.

Table 17-3 Layer 2 Interface Modes

switchport mode access
        Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not the neighboring interface is a trunk interface.
switchport mode dynamic auto
        Makes the interface able to convert the link to a trunk link.

Default Layer 2 Ethernet Interface VLAN Settings

Table 17-4 Default Layer 2 Ethernet Interface VLAN Settings

Feature                                    Default Setting
Interface mode                             switchport mode dynamic auto
Allowed VLAN range                         VLANs 1 to 4094
VLAN range eligible for pruning            VLANs 2 to 1001
Default VLAN (for access ports)            VLAN 1
Native VLAN (for IEEE 802.

Allowed VLANs on a Trunk

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs, 1 to 4094, are allowed on each trunk. However, you can remove VLANs from the allowed list, preventing traffic from those VLANs from passing over the trunk. To restrict the traffic a trunk carries, use the switchport trunk allowed vlan remove vlan-list interface configuration command to remove specific VLANs from the allowed list.
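The interface modes, default settings and allowed-VLAN list described above combined into a hardened trunk toward another switch, as an added example that is not from this guide. It addresses two points a practitioner checks on every trunk: the default interface mode is switchport mode dynamic auto, so a device attached to a port left at the default can negotiate a trunk through DTP; and untagged frames on a trunk ride the native VLAN, so the native VLAN should be one that carries no user traffic. Interface and VLAN numbers are hypothetical.

```cisco
! Added example, not part of the Cisco guide. Interface and VLAN numbers are hypothetical.
configure terminal
!
! VLANs the trunk is allowed to carry, plus a dedicated native VLAN with no members.
vlan 10,20,30
 exit
vlan 999
 name NATIVE-UNUSED
 exit
!
! Uplink: the default mode (dynamic auto) trunks if the neighbor asks. Fix the mode
! and stop DTP so the neighbor's configuration cannot change this port's role.
interface GigabitEthernet1/1
 description Uplink to distribution switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 exit
!
! Host port: fixed access mode with DTP off, so the host side cannot negotiate a trunk.
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 exit
end
!
! Verify: the trunk should show Mode "on", Encapsulation 802.1q, Native vlan 999 and
! VLANs allowed 10,20,30; the host port should show "Negotiation of Trunking: Off".
show interfaces GigabitEthernet1/1 trunk
show interfaces FastEthernet1/1 switchport
```

The native VLAN must match on both ends of the trunk; a mismatch is reported by CDP and spanning tree, and frames that arrive untagged are placed into whatever the local native VLAN is. Keeping user VLANs out of the native VLAN, and VLAN 1 off the allowed list, is what prevents a host from reaching another VLAN by sending frames that the trunk treats as untagged.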
Load Sharing Using STP Port Priorities

When two ports on the same switch form a loop, the switch uses the STP port priority to decide which port is enabled and which port is in a blocking state. You can set the priorities on a parallel trunk port so that the port carries all the traffic for a given VLAN. The trunk port with the higher priority (lower value) for a VLAN forwards traffic for that VLAN.

[Figure 17-3 Load-Sharing Trunks with Traffic Distributed by Path Cost: Switch A and Switch B are connected by two trunks. Trunk port 1 carries VLANs 2 to 4 at path cost 30 and VLANs 8 to 10 at path cost 19; trunk port 2 carries VLANs 8 to 10 at path cost 30 and VLANs 2 to 4 at path cost 19.]

See the “Configuring Load Sharing Using STP Path Cost” section on page 17-21.
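The path-cost arrangement of Figure 17-3 as configuration on Switch A, an added example that is not from this guide. Both trunks are allowed to carry VLANs 2 to 4 and 8 to 10; raising the per-VLAN cost on one trunk for one group makes the other trunk the forwarding path for that group, so each trunk carries half the VLANs and stays a backup for the other half. Interface numbers are hypothetical; the VLAN groups and the cost of 30 come from the figure, and the lower cost is the port's default cost.

```cisco
! Added example, not part of the Cisco guide. Interface numbers are hypothetical; VLAN
! groups and the path cost of 30 follow Figure 17-3. Configured on Switch A.
configure terminal
!
! Trunk port 1: expensive for VLANs 2-4, default (cheaper) cost for VLANs 8-10.
interface GigabitEthernet1/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 2-4,8-10
 spanning-tree vlan 2-4 cost 30
 exit
!
! Trunk port 2: the mirror image, expensive for VLANs 8-10.
interface GigabitEthernet1/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 2-4,8-10
 spanning-tree vlan 8-10 cost 30
 exit
end
!
! Verify with Switch B as the root bridge: for VLAN 2, Gi1/2 should be the root port
! (FWD) and Gi1/1 alternate (BLK); for VLAN 8 the roles are reversed.
show spanning-tree vlan 2
show spanning-tree vlan 8
```

The same split can be made with port priorities instead of path cost: spanning-tree vlan 8-10 port-priority 16 on trunk port 1 and spanning-tree vlan 2-4 port-priority 16 on trunk port 2 (the default is 128, and lower values win). Cost is the usual choice when the two trunks run at different speeds, because it is also what STP compares when the default costs differ.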
Dynamic-Access Port VLAN Membership

A dynamic-access port can belong to only one VLAN with an ID from 1 to 4094. When the link comes up, the switch does not forward traffic to or from this port until the VMPS provides the VLAN assignment. The VMPS receives the source MAC address from the first packet of a new host connected to the dynamic-access port and attempts to match the MAC address to a VLAN in the VMPS database.

• Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.
• Dynamic-access ports cannot be monitor ports.
• Secure ports cannot be dynamic-access ports.
How to Configure VLANs

Creating or Modifying an Ethernet VLAN

Step 1  configure terminal
        Enters global configuration mode.
Step 2  vlan vlan-id
        Enters a VLAN ID, and enters VLAN configuration mode.
        Note: The available VLAN ID range for this command is 1 to 4094. For information about adding VLAN IDs greater than 1005 (extended-range VLANs), see the “Creating an Extended-Range VLAN” section on page 17-18.

Creating an Extended-Range VLAN

Step 1  configure terminal
        Enters global configuration mode.
Step 2  vtp mode transparent
        Configures the switch for VTP transparent mode and disables VTP.
        Note: This step is not required for VTP version 3.
Step 3  vlan vlan-id
        Enters an extended-range VLAN ID and enters VLAN configuration mode. The range is 1006 to 4094.
Step 4  mtu mtu-size
        (Optional) Modifies the VLAN by changing the MTU size.

Configuring an Ethernet Interface as a Trunk Port

Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies the port to be configured for trunking, and enters interface configuration mode.

Step 3  switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]
        Configures the list of VLANs allowed to be pruned from the trunk. (See the “VTP Pruning” section on page 18-7.)
Step 4  end
        Returns to privileged EXEC mode.

Configuring the Native VLAN for Untagged Traffic

Step 1  configure terminal
        Enters global configuration mode.

Load Sharing Using STP Port Priorities

Step 1  configure terminal
        Enters global configuration mode on Switch A.
Step 2  vtp domain domain-name
        Configures a VTP administrative domain. The domain name can be 1 to 32 characters.
Step 3  vtp mode server
        Configures Switch A as the VTP server.
Step 4  end
        Returns to privileged EXEC mode.
Step 5  show vtp status
        Verifies the VTP configuration on both Switch A and Switch B.

Step 4  exit
        Returns to global configuration mode.
Step 5  Repeat Steps 2 through 4 on a second interface in Switch A.
Step 6  end
        Returns to privileged EXEC mode.
Step 7  show running-config
        Verifies your entries. In the display, make sure that the interfaces are configured as trunk ports.
Step 8  show vlan
        When the trunk links come up, Switch A receives the VTP information from the other switches.

Step 5  vmps retry count
        (Optional) Changes the retry count.
Step 6  end
        Returns to privileged EXEC mode.

Configuring Dynamic-Access Ports on VMPS Clients

Before You Begin

If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.
Configuration Examples for Configuring VLANs

VMPS Network: Example

Figure 17-4 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 6500 series Switch A is the primary VMPS server.
• The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.

Configuring a VLAN: Example

This example shows how to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end

Configuring an Access Port in a VLAN: Example

This example shows how to configure a port as an access port in VLAN 2:

Switch# configure terminal
Enter configuration commands, one per line.

Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.87
Reconfirmation status
---------------------
VMPS Action:         other

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 18 Configuring VTP

Finding VTP Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 18 Configuring VTP Information About Configuring VTP Information About Configuring VTP VTP A VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Chapter 18 Configuring VTP Information About Configuring VTP If you configure a switch for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to other switches in the domain, and they affect only the individual switch. However, configuration changes made when the switch is in this mode are saved in the switch running configuration and can be saved to the switch startup configuration file.
Chapter 18 Configuring VTP Information About Configuring VTP Caution For VTP version 1 and 2, before you create extended-range VLANs (VLAN IDs 1006 to 4094), you must set VTP mode to transparent by using the vtp mode transparent global configuration command. Save this configuration to the startup configuration so that the switch starts in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets and boots up in VTP server mode (the default).
Chapter 18 Configuring VTP Information About Configuring VTP • VLAN type • VLAN state • Additional VLAN configuration information specific to the VLAN type In VTP version 3, VTP advertisements also include the primary server ID, an instance number, and a start index. VTP Version 2 If you use VTP in your network, you must decide which version of VTP to use. By default, VTP operates in version 1.
Chapter 18 Configuring VTP Information About Configuring VTP • VTP primary server and VTP secondary servers. A VTP primary server updates the database information and sends updates that are honored by all devices in the system. A VTP secondary server can only back up the updated VTP configurations received from the primary server to its NVRAM. By default, all devices come up as secondary servers. You can enter the vtp primary privileged EXEC command to specify a primary server.
Chapter 18 Configuring VTP Information About Configuring VTP Caution • When a VTP version 3 device detects a VTP version 2 device on a trunk port, it continues to send VTP version 3 packets, in addition to VTP version 2 packets, to allow both kinds of neighbors to coexist on the same trunk. • A VTP version 3 device does not accept configuration information from a VTP version 2 or version 1 device.
Chapter 18 Configuring VTP Information About Configuring VTP Figure 18-1 Flooding Traffic without VTP Pruning (figure: Switches A through F; Port 1 on Switch A and Port 2 on Switch D; traffic for the Red VLAN is flooded to every switch) Figure 18-2 shows a switched network with VTP pruning enabled. The broadcast traffic from Switch A is not forwarded to Switches C, E, and F because traffic for the Red VLAN has been pruned on the links shown (Port 5 on Switch B and Port 4 on Switch D).
Chapter 18 Configuring VTP Information About Configuring VTP VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these: • Turn off VTP pruning in the entire network. • Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.
Chapter 18 Configuring VTP Information About Configuring VTP • If the VTP mode or the domain name in the startup configuration do not match the VLAN database, the domain name and the VTP mode and configuration for the first 1005 VLANs use the VLAN database information. Domain Names When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name.
Chapter 18 Configuring VTP How to Configure VTP How to Configure VTP Configuring VTP Domain and Parameters Before You Begin You should configure the VTP domain before configuring other VTP parameters. Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 vtp domain domain-name Configures the VTP administrative-domain name. The name can be 1 to 32 characters.
Chapter 18 Configuring VTP How to Configure VTP Command Purpose Step 3 show vtp status Verifies your entries in the VTP Operating Mode and the VTP Domain Name fields of the display. Step 4 copy running-config startup-config (Optional) Saves the configuration in the startup configuration file. Note Only VTP mode and domain name are saved in the switch running configuration and can be copied to the startup configuration file.
Chapter 18 Configuring VTP How to Configure VTP Enabling VTP Pruning Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 vtp pruning Enables pruning in the VTP administrative domain. By default, pruning is disabled. You need to enable pruning on only one switch in VTP server mode. Step 3 end Returns to privileged EXEC mode. Step 4 show vtp status Verifies your entries in the VTP Pruning Mode field of the display.
Chapter 18 Configuring VTP Monitoring and Maintaining VTP Command Purpose Step 3 vtp domain domain-name Changes the domain name from the original one displayed in Step 1 to a new name. Step 4 end Updates VLAN information on the switch and resets configuration revision number to 0. Step 5 show vtp status Verifies that the configuration revision number has been reset to 0. Step 6 configure terminal Enters global configuration mode.
Chapter 18 Configuring VTP Additional References for Configuring VTP Switch(config)# vtp password mypassword Setting device VLAN database password to mypassword. Switch(config)# end Configuring a Hidden VTP Password: Example This example shows how to configure a hidden password and how it appears: Switch(config)# vtp password mypassword hidden Generating the secret associated to the password.
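The following Python script is an added example and is not part of this guide. It pulls together the checks a practitioner runs before cabling a switch into a production VTP domain: parse the show vtp status display, confirm the configuration revision was reset to 0 by the domain-name change described above, confirm the mode, and confirm that a VTP password was set (preferably with the hidden keyword, as in the example above). The sample display and the running-configuration fragment are constructed for the example; the domain name, revision, device ID and digest bytes are made up, and the parser assumes the "Field : value" layout shown.

```python
import re

# Constructed sample of the "show vtp status" display (values are made up for this example).
SAMPLE_VTP_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : plantfloor
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0011.2233.4455

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 7
Configuration Revision            : 42
MD5 digest                        : 0x3A 0x7B 0x11 0xC2 0x55 0x09 0xEE 0x4F
"""

# Constructed running-configuration fragment of the same switch; note the missing vtp password line.
SAMPLE_RUNNING_CONFIG = """\
hostname ie2000-cell7
!
vtp domain plantfloor
vtp mode server
!
"""

# One "Field   : value" line of the display. Whitespace is required on both sides of the
# colon so that a time stamp such as 08:15:02 inside a value is not taken for a field.
FIELD_RE = re.compile(r"^\s*(\S.*?)\s+:\s+(\S.*?)\s*$")


def parse_vtp_status(text):
    """Map every 'Field : value' line of the display to {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def vtp_password_line(running_config):
    """Return the argument of the 'vtp password' command as entered, or None if there is none."""
    m = re.search(r"^vtp password\s+(.+?)\s*$", running_config, re.MULTILINE)
    return m.group(1) if m else None


def audit_vtp(status_text, running_config):
    """Findings to clear before a switch is connected to a production VTP domain.

    A server or client whose configuration revision is higher than the domain's replaces
    the VLAN database of every switch that accepts its advertisements; changing the domain
    name and changing it back (the procedure above) resets the revision to 0.
    """
    fields = parse_vtp_status(status_text)
    mode = fields.get("VTP Operating Mode", "").lower()
    revision = int(fields.get("Configuration Revision", "0"))
    password = vtp_password_line(running_config)
    findings = []
    if mode in ("server", "client") and revision != 0:
        findings.append("configuration revision %d in %s mode: reset it to 0 before connecting"
                        % (revision, mode))
    if mode == "server":
        findings.append("server mode: prefer client or transparent mode unless this switch "
                        "is meant to originate VLAN changes")
    if mode in ("server", "client") and password is None:
        findings.append("no VTP password: advertisements from any switch that claims this "
                        "domain name are accepted")
    elif password is not None and not password.endswith(" hidden"):
        findings.append("VTP password set without the hidden keyword: only the hidden form "
                        "stores the derived secret instead of the password itself")
    if mode == "transparent" and fields.get("VTP Pruning Mode", "").lower() == "enabled":
        findings.append("pruning enabled on a transparent-mode switch: pruning does not "
                        "operate in transparent mode")
    return findings
```

Run audit_vtp on the captured display and configuration of the switch being added; an empty list means the switch cannot overwrite the domain's VLAN database on connection. The revision check matters for clients as well as servers, because a client with a higher revision is also accepted by the domain.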
Chapter 18 Configuring VTP Additional References for Configuring VTP MIBs MIB MIBs Link — To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs RFCs Title No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
CH A P T E R 19 Configuring Voice VLAN Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 19 Configuring Voice VLAN Information About Configuring Voice VLAN Figure 19-1 Cisco 7960 IP Phone Connected to a Switch Cisco IP Phone 7960 Phone ASIC P2 3-port switch P3 Access port 101351 P1 PC Cisco IP Phone Voice Traffic You can configure an access port with an attached Cisco IP phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
Chapter 19 Configuring Voice VLAN Information About Configuring Voice VLAN Cisco IP Phone Data Traffic The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP phone (see Figure 19-1).
Chapter 19 Configuring Voice VLAN Information About Configuring Voice VLAN – They both use IEEE 802.1p or untagged frames. – The Cisco IP phone uses IEEE 802.1p frames, and the device uses untagged frames. – The Cisco IP phone uses untagged frames, and the device uses IEEE 802.1p frames. – The Cisco IP phone uses IEEE 802.1Q frames, and the voice VLAN is the same as the access VLAN.
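The Python script below is an added example, not code from this guide, showing the 802.1Q tag bits that the cases above turn on and how an access port with a voice VLAN sorts ingress frames into VLAN and CoS. The MAC addresses, payloads, access VLAN 10 and voice VLAN 110 are made up for the example. The acceptance rules in classify_on_access_port (untagged and 802.1p frames land in the access VLAN, tags for the access or voice VLAN are honored, any other VLAN ID is dropped) are this example's assumptions, not a statement of the switch's internals; the point to take away is the last one in the test: a device behind the phone that tags its frames with the voice VLAN ID is placed in the voice VLAN, which is why the voice VLAN should not be treated as a trust boundary on its own.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; vid=None -> untagged, vid=0 -> 802.1p priority-tagged, else 802.1Q tagged."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)       # TCI = PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (pcp, vid) from an 802.1Q/802.1p tag, or (None, None) for an untagged frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None, None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, tci & 0x0FFF


def classify_on_access_port(frame, access_vlan, voice_vlan, port_default_cos=0):
    """(vlan, cos, how) an access port with a voice VLAN assigns to an ingress frame.

    Assumptions of this example: untagged frames and 802.1p frames (VID 0) go to the access
    VLAN, the CoS of an untagged frame is the port default CoS, tags carrying the voice VLAN
    or the access VLAN are honored, and any other VLAN ID is dropped.
    """
    pcp, vid = parse_tag(frame)
    if vid is None:
        return access_vlan, port_default_cos, "untagged"
    if vid == 0:
        return access_vlan, pcp, "802.1p"
    if vid == voice_vlan:
        return voice_vlan, pcp, "802.1Q voice"
    if vid == access_vlan:
        return access_vlan, pcp, "802.1Q access"
    return None, None, "dropped"


def same_vlan(phone_frame, pc_frame, access_vlan, voice_vlan):
    """The cases listed above: phone and device traffic share one VLAN when both are untagged
    or 802.1p, or when the phone's 802.1Q tag is the voice VLAN and that VLAN is the access VLAN."""
    v1 = classify_on_access_port(phone_frame, access_vlan, voice_vlan)[0]
    v2 = classify_on_access_port(pc_frame, access_vlan, voice_vlan)[0]
    return v1 is not None and v1 == v2


# Constructed sample frames (addresses are made up).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("00aabbccddee")
UNTAGGED_DATA = build_frame(DST, SRC, b"data")
PRIORITY_TAGGED = build_frame(DST, SRC, b"data", vid=0, pcp=5)
VOICE_TAGGED = build_frame(DST, SRC, b"rtp", vid=110, pcp=5)
FOREIGN_TAGGED = build_frame(DST, SRC, b"x", vid=99)
```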
Chapter 19 Configuring Voice VLAN How to Configure Voice VLAN Configuring Cisco IP Phone for Voice Traffic Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 interface interface-id Specifies the interface connected to the phone, and enters interface configuration mode. Step 3 mls qos trust cos Configures the interface to classify incoming traffic packets by using the packet CoS value. For untagged packets, the port default CoS value is used.
Chapter 19 Configuring Voice VLAN Monitoring and Maintaining Voice VLAN Monitoring and Maintaining Voice VLAN Command Purpose show interfaces interface-id switchport Verifies your entries. copy running-config startup-config Saves your entries in the configuration file.
Chapter 19 Configuring Voice VLAN Additional References for Configuring Voice VLAN Related Topic Document Title Protected port configuration “Configuring Protected Ports” section on page 29-10 Secure port configuration “Configuring Port Security” section on page 29-11 Standards Standards Title No new or modified standards are supported by this — feature, and support for existing standards has not been modified by this feature.
CH A P T E R 20 Configuring STP Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 20 Configuring STP Information About Configuring STP STP STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages.
Chapter 20 Configuring STP Information About Configuring STP When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology.
Chapter 20 Configuring STP Information About Configuring STP The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
Chapter 20 Configuring STP Information About Configuring STP Figure 20-1 illustrates how an interface moves through the states. Figure 20-1 Spanning-Tree Interface States (figure: the states are power-on initialization, blocking, listening, learning, forwarding, and disabled) When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning.
Chapter 20 Configuring STP Information About Configuring STP Listening State The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.
Chapter 20 Configuring STP Information About Configuring STP How a Switch or Port Becomes the Root Switch or Root Port If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 20-2, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.
Chapter 20 Configuring STP Information About Configuring STP Figure 20-3 Spanning Tree and Redundant Connectivity (figure: switches joined by an active link and a blocked link, with workstations attached) You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 40, “Configuring EtherChannels.” Spanning-Tree Address Management IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be used by different bridge protocols.
Chapter 20 Configuring STP Information About Configuring STP Spanning-Tree Modes and Protocols The switch supports these spanning-tree modes and protocols: • PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
Chapter 20 Configuring STP Information About Configuring STP Spanning-Tree Interoperability and Backward Compatibility Table 20-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
Chapter 20 Configuring STP Information About Configuring STP Default Spanning-Tree Settings Table 20-3 Default Spanning-Tree Settings
Feature | Default Setting
Enable state | Enabled on VLAN 1.
Spanning-tree mode | PVST+. (Rapid PVST+ and MSTP are disabled.)
Switch priority | 32768.
Spanning-tree port priority (configurable on a per-interface basis) | 128.
Spanning-tree port cost (configurable on a per-interface basis) | 1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Chapter 20 Configuring STP Information About Configuring STP If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 20-1 on page 20-4.) Note The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1.
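The Python script below is an added example, not code from this guide. It builds the IEEE 802.1t bridge ID described earlier in this chapter (4-bit priority, 12-bit extended system ID carrying the VLAN ID, then the MAC address), elects the root the way the text above describes (lowest bridge ID wins), and simulates the priority that spanning-tree vlan vlan-id root primary would choose under the rule just quoted, including the failure case. The switch names and MAC addresses are made up. The failure case is the security-relevant one: a switch (or an attacker's bridge) already advertising priority 0 cannot be displaced by root primary, which is why root guard, covered in Chapter 22, is the control for that situation rather than a lower priority.

```python
PRIORITY_STEP = 4096          # 4096 is the least-significant bit of the 4-bit priority field
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576   # value "root primary" uses unless some root already has a lower one
ROOT_SECONDARY = 28672        # value "root secondary" uses


def bridge_id(priority, vlan_id, mac):
    """802.1t bridge ID for one VLAN: priority | extended system ID (VLAN ID) in the high 16 bits,
    the 48-bit MAC in the low bits. Returned as one integer so the lowest value is the best ID."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("switch priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= mac < 1 << 48:
        raise ValueError("MAC address must fit in 48 bits")
    return ((priority | vlan_id) << 48) | mac


def elect_root(bridges, vlan_id):
    """bridges: {name: (priority, mac)}. The switch with the lowest bridge ID is the root."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan_id, bridges[n][1]))


def root_primary_priority(lowest_other_priority):
    """Priority 'spanning-tree vlan <id> root primary' picks under the rule quoted above:
    24576, or 4096 less than the lowest priority already in use if that is below 24576;
    the command fails when the value needed would be less than 1."""
    if lowest_other_priority >= ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    needed = lowest_other_priority - PRIORITY_STEP
    if needed < 1:
        raise ValueError("root primary fails: a switch already uses priority %d"
                         % lowest_other_priority)
    return needed


def plan_root_primary(bridges, vlan_id, me):
    """Simulate 'root primary' on switch `me` and return (new_priority, root_after).

    root_after != me means the priorities tied and the other switch won on MAC address;
    a ValueError means the command itself would fail."""
    lowest = min(p for name, (p, _) in bridges.items() if name != me)
    new_priority = root_primary_priority(lowest)
    after = dict(bridges)
    after[me] = (new_priority, bridges[me][1])
    return new_priority, elect_root(after, vlan_id)


# Constructed topology: three switches at the default priority (MAC addresses made up).
BRIDGES = {
    "A": (DEFAULT_PRIORITY, 0x00000C111111),
    "B": (DEFAULT_PRIORITY, 0x00000C222222),
    "C": (DEFAULT_PRIORITY, 0x00000C000001),
}
```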
Chapter 20 Configuring STP Information About Configuring STP Path Cost The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last.
Chapter 20 Configuring STP How to Configure STP You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network. Spanning-tree commands control the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN.
Chapter 20 Configuring STP How to Configure STP Command Purpose Step 5 end Returns to privileged EXEC mode. Step 6 clear spanning-tree detected-protocols (Recommended for rapid-PVST+ mode only) Restarts the protocol migration process on the entire switch if any port on the switch is connected to a port on a legacy IEEE 802.1D switch. This step is optional if the designated switch detects that this switch is running rapid PVST+.
Chapter 20 Configuring STP How to Configure STP Configuring a Secondary Root Switch Command Purpose Step 1 configure terminal Enters global configuration mode. Step 2 spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]] Configures a switch to become the secondary root for the specified VLAN. • vlan-id—Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
Chapter 20 Configuring STP Monitoring and Maintaining STP Command Purpose Step 3 spanning-tree cost cost Configures the cost for an interface. Step 4 spanning-tree vlan vlan-id cost cost Configures the cost for a VLAN. If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission. Step 5 end Returns to privileged EXEC mode.
Chapter 20 Configuring STP Additional References Command Purpose show spanning-tree vlan vlan-id Displays spanning-tree VLAN entries. copy running-config startup-config (Optional) Saves your entries in the configuration file. Additional References The following sections provide references related to switch administration: Related Documents Related Topic Document Title Cisco IE 2000 commands Cisco IE 2000 Switch Command Reference, Release 15.
CH A P T E R 21 Configuring MSTP Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 21 Configuring MSTP Information About Configuring MSTP MSTP MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
Chapter 21 Configuring MSTP Information About Configuring MSTP • A common and internal spanning tree (CIST), which is a collection of the ISTs in each MST region, and the common spanning tree (CST) that interconnects the MST regions and single spanning trees. The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire switched domain. The CIST is formed by the spanning-tree algorithm running among switches that support the IEEE 802.1w, IEEE 802.1s, and IEEE 802.
Chapter 21 Configuring MSTP Information About Configuring MSTP Figure 21-1 MST Regions, CIST Masters, and CST Root (figure: three MST regions, each with its IST master; Switch A is an IST master and also the CST root, Switches B and C are IST masters, and Switch D is a legacy IEEE 802.1D switch) Only the CST instance sends and receives BPDUs, and MST instances add their spanning-tree information into the BPDUs to interact with neighboring switches and compute the final spanning-tree topology.
Chapter 21 Configuring MSTP Information About Configuring MSTP • The CIST regional root was called the IST master in the prestandard implementation. If the CIST root is in the region, the CIST regional root is the CIST root. Otherwise, the CIST regional root is the closest switch to the CIST root in the region. The CIST regional root acts as a root switch for the IST. • The CIST internal root path cost is the cost to the CIST regional root in a region. This cost is only relevant to the IST, instance 0.
Chapter 21 Configuring MSTP Information About Configuring MSTP An MST region includes both switches and LANs. A segment belongs to the region of its designated port. Therefore, a port in a different region than the designated port for a segment is a boundary port. This definition allows two ports internal to a region to share a segment with a port belonging to a different region, creating the possibility of receiving both internal and external messages on a port.
Chapter 21 Configuring MSTP Information About Configuring MSTP the alternate before sending out a single prestandard BPDU, AY cannot detect that a prestandard switch is connected to Y and continues to send standard BPDUs. The port BY is fixed in a boundary, and no load balancing is possible between A and B. The same problem exists on segment X, but B might transmit topology changes.
Chapter 21 Configuring MSTP Information About Configuring MSTP Interoperability with IEEE 802.1D STP A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
Chapter 21 Configuring MSTP Information About Configuring MSTP In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation of the forwarding and learning processes. Table 21-2 provides a comparison of IEEE 802.1D and RSTP port states.
Chapter 21 Configuring MSTP Information About Configuring MSTP When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.
Chapter 21 Configuring MSTP Information About Configuring MSTP After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 21-5. Figure 21-5 Sequence of Events During Rapid Convergence (figure: the numbered proposal and agreement exchange between neighboring switches, beginning with 1. Proposal and including 4. Agreement)
Chapter 21 Configuring MSTP Information About Configuring MSTP The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
Chapter 21 Configuring MSTP Information About Configuring MSTP • Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them. • Protocol migration—For backward compatibility with IEEE 802.
Chapter 21 Configuring MSTP Information About Configuring MSTP • VTP propagation of the MST configuration is not supported. However, you can manually configure the MST configuration (region name, revision number, and VLAN-to-instance mapping) on each switch within the MST region by using the command-line interface (CLI) or through the SNMP support.
Chapter 21 Configuring MSTP Information About Configuring MSTP Secondary Root Switch When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
Chapter 21 Configuring MSTP How to Configure MSTP Restarting the Protocol Migration Process A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port.
Chapter 21 Configuring MSTP How to Configure MSTP Step 8 Command Purpose spanning-tree mode mst Enables MSTP. RSTP is also enabled. Caution Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time. Step 9 end Returns to privileged EXEC mode.
Chapter 21 Configuring MSTP How to Configure MSTP Step 3 Command Purpose spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]] Configures a switch as the secondary root switch. • instance-id—Specifies a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094. • (Optional) diameter net-diameter—Specifies the maximum number of switches between any two end stations. The range is 2 to 7.
Chapter 21 Configuring MSTP How to Configure MSTP Step 4 Command Purpose spanning-tree mst forward-time seconds Configures the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state. seconds—The range is 4 to 30; the default is 15. Step 5 spanning-tree mst max-age seconds Configures the maximum-aging time for all MST instances.
Chapter 21 Configuring MSTP Monitoring and Maintaining MSTP Monitoring and Maintaining MSTP Command Purpose show spanning-tree mst configuration Displays the MST region configuration. show spanning-tree mst configuration digest Displays the MD5 digest included in the current MSTCI. show spanning-tree mst instance-id Displays MST information for the specified instance. show spanning-tree mst interface interface-id Displays MST information for the specified interface.
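The Python script below is an added example, not code from this guide. It computes the configuration digest that show spanning-tree mst configuration digest displays, and that every switch must match (together with the region name and revision) to belong to the same MST region, which is the consistency the manual VLAN-to-instance configuration described earlier in this chapter has to achieve on each switch. The digest is the HMAC-MD5 defined by IEEE 802.1s over the table of 4096 two-octet instance numbers (element i is the instance of VLAN i; VLANs not assigned stay in the IST, instance 0), with the signature key given in that standard; the region names, revisions and VLAN lists in the test are made up. With no VLAN mapped the digest is the familiar default value AC36177F50283CD4B83821D8AB26DE62, and the test shows that a one-VLAN difference in the mapping on one switch splits the region.

```python
import hashlib
import hmac

# Signature key for the MST configuration digest (IEEE 802.1s, now IEEE 802.1Q clause 13.7).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlan_list(spec):
    """'10-20,30' (the form used by 'instance <n> vlan <list>') -> {10, ..., 20, 30}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("bad VLAN range: " + part)
        vlans.update(range(lo, hi + 1))
    return vlans


def vlan_to_instance_map(instance_vlans):
    """{instance: '10-20,30', ...} -> {vlan: instance}; unlisted VLANs stay in the IST (0)."""
    mapping = {}
    for inst, spec in instance_vlans.items():
        if not 0 <= inst <= 4094:
            raise ValueError("MST instance out of range")
        for v in expand_vlan_list(spec):
            if v in mapping:
                raise ValueError("VLAN %d mapped to two instances" % v)
            mapping[v] = inst
    return mapping


def mst_config_digest(vlan_map):
    """HMAC-MD5 over the 4096-element table of 16-bit instance numbers (element i = VLAN i).
    VLAN 0 and VLAN 4095 cannot be mapped and are always 0."""
    table = bytearray(4096 * 2)
    for vid, inst in vlan_map.items():
        table[2 * vid:2 * vid + 2] = inst.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_identifier(switch):
    """(name, revision, digest) as carried in the BPDU; switch = {name, revision, instances}."""
    return (switch["name"], switch["revision"],
            mst_config_digest(vlan_to_instance_map(switch["instances"])))


def same_mst_region(a, b):
    """Two switches form one region only when name, revision and digest all match."""
    return region_identifier(a) == region_identifier(b)
```

Because the digest is keyed with a fixed, published key, it provides consistency checking only, not authentication: any device that knows the region name, revision and VLAN mapping can produce a matching identifier, so region membership is not a security boundary.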
Chapter 21 Configuring MSTP Additional References Additional References The following sections provide references related to switch administration: Related Documents Related Topic Document Title Cisco IE 2000 commands Cisco IE 2000 Switch Command Reference, Release 15.
CH A P T E R 22 Configuring Optional Spanning-Tree Features Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Interfaces connected to a single workstation or server should not receive bridge protocol data units (BPDUs). An interface with PortFast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features BPDU Filtering The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences. At the global level, you can enable BPDU filtering on PortFast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 22-4 UplinkFast Example After Direct Link Failure (figure: Switch A is the root; links L1, L2, and L3 join Switches A, B, and C; after the link failure, UplinkFast transitions the formerly blocked port directly to the forwarding state) BackboneFast BackboneFast detects indirect failures in the core of the backbone.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 22-5 BackboneFast Example Before Indirect Link Failure (figure: Switch A is the root; links L1, L2, and L3 join Switches A, B, and C; Switch C has a blocked port) If link L1 fails as shown in Figure 22-6, Switch C cannot detect this failure because it is not connected directly to link L1.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Figure 22-7 Adding a Switch in a Shared-Medium Topology (figure: Switch A is the root and Switch B the designated bridge on the shared medium; Switch C has a blocked port; the added switch attaches to the shared medium) EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device.
Chapter 22 Configuring Optional Spanning-Tree Features Information About Configuring the Optional Spanning-Tree Features Root guard enabled on an interface applies to all the VLANs to which the interface belongs. VLANs can be grouped and mapped to an MST instance. You can enable this feature by using the spanning-tree guard root interface configuration command. Caution Misuse of the root guard feature can cause a loss of connectivity.
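The Python script below is an added example, not code from this guide. It decodes the common 35-byte part of an IEEE 802.1D configuration BPDU from raw bytes (the protocol version field is the one the migration mechanism in Chapter 21 keys on: 0 for legacy 802.1D, 2 for RSTP, 3 for MSTP) and then applies the two guards described in this chapter to a received BPDU: BPDU guard shuts an access port down on any BPDU, and root guard puts a designated port into the root-inconsistent state when the BPDU claims a root that is superior to the current root. The rogue bridge ID, MAC addresses and port numbers are made up, and the port dictionary and the decision strings are this example's own representation of port state, not the switch's.

```python
import struct

# 802.1D configuration BPDU (35 bytes), network order: protocol ID, version, type, flags,
# root ID, root path cost, bridge ID, port ID, message age, max age, hello time, forward delay.
CONFIG_BPDU = struct.Struct("!HBBBQIQHHHHH")
BPDU_TYPE_CONFIG, BPDU_TYPE_RST, BPDU_TYPE_TCN = 0x00, 0x02, 0x80
VERSION_NAMES = {0: "IEEE 802.1D", 2: "RSTP", 3: "MSTP"}


def make_bridge_id(priority, vlan_id, mac):
    """4-bit priority and 12-bit extended system ID (VLAN) in the high 16 bits, MAC in the low 48."""
    return ((priority | vlan_id) << 48) | mac


def split_bridge_id(bid):
    """(priority, extended system ID, MAC) from a 64-bit bridge ID."""
    return (bid >> 48) & 0xF000, (bid >> 48) & 0x0FFF, bid & 0xFFFFFFFFFFFF


def build_config_bpdu(root_id, bridge_id, port_id=0x8001, root_path_cost=0, version=0,
                      max_age=20, hello_time=2, forward_delay=15):
    """Serialize a configuration BPDU; timers are carried in units of 1/256 second."""
    bpdu_type = BPDU_TYPE_CONFIG if version == 0 else BPDU_TYPE_RST
    return CONFIG_BPDU.pack(0x0000, version, bpdu_type, 0, root_id, root_path_cost, bridge_id,
                            port_id, 0, max_age * 256, hello_time * 256, forward_delay * 256)


def parse_bpdu(data):
    """Decode the 35-byte common part; RST/MST BPDUs carry further fields that are ignored here."""
    if len(data) < 4:
        raise ValueError("too short for a BPDU")
    proto, version, bpdu_type = struct.unpack("!HBB", data[:4])
    if proto != 0:
        raise ValueError("protocol identifier is not 0: not a spanning-tree BPDU")
    if bpdu_type == BPDU_TYPE_TCN:
        return {"version": version, "type": "tcn"}
    if len(data) < CONFIG_BPDU.size:
        raise ValueError("truncated configuration BPDU")
    f = CONFIG_BPDU.unpack_from(data)
    return {"version": version, "version_name": VERSION_NAMES.get(version, "unknown"),
            "type": "config" if bpdu_type == BPDU_TYPE_CONFIG else "rst",
            "flags": f[3], "root_id": f[4], "root_path_cost": f[5], "bridge_id": f[6],
            "port_id": f[7], "max_age": f[9] / 256, "hello_time": f[10] / 256,
            "forward_delay": f[11] / 256}


def guard_decision(port, data):
    """port: {"bpduguard": bool, "rootguard": bool, "root_id": current root ID of the VLAN}.
    Returns the action the guards described above take when this BPDU arrives on the port."""
    bpdu = parse_bpdu(data)
    if port.get("bpduguard"):
        return "err-disabled"                # any BPDU on a BPDU guard port shuts the port down
    if port.get("rootguard") and bpdu["type"] != "tcn" and bpdu["root_id"] < port["root_id"]:
        return "root-inconsistent"           # superior root claimed on a designated port
    return "accepted"


# Constructed sample: the legitimate root of VLAN 10 and a rogue bridge claiming priority 0.
LEGIT_ROOT = make_bridge_id(24576, 10, 0x00000C000001)
ROGUE = make_bridge_id(0, 10, 0x00000C999999)
ROGUE_BPDU = build_config_bpdu(root_id=ROGUE, bridge_id=ROGUE)
NORMAL_BPDU = build_config_bpdu(root_id=LEGIT_ROOT, bridge_id=make_bridge_id(32768, 10, 0x00000C222222),
                                root_path_cost=19)
```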
Chapter 22 Configuring Optional Spanning-Tree Features How to Configure the Optional Spanning-Tree Features Default Optional Spanning-Tree Settings Table 22-1 Default Optional Spanning-Tree Settings
Feature | Default Setting
PortFast, BPDU filtering, BPDU guard | Globally disabled (unless they are individually configured per interface).
UplinkFast | Globally disabled.
BackboneFast | Globally disabled.
EtherChannel guard | Globally enabled.
Root guard | Disabled on all interfaces.
Chapter 22 Configuring Optional Spanning-Tree Features Maintaining and Monitoring Optional Spanning-Tree Features Step 4 Command Purpose spanning-tree portfast bpduguard default Enables BPDU guard. By default, BPDU guard is disabled. Step 5 spanning-tree portfast bpdufilter default Enables BPDU filtering. By default, BPDU filtering is disabled. Step 6 spanning-tree uplinkfast [max-update-rate pkts-per-second] Enables UplinkFast.
Chapter 22 Configuring Optional Spanning-Tree Features Additional References Command Purpose show etherchannel summary Displays the EtherChannel configuration. Useful to use on the remote device after switch ports are disabled. [no] shutdown Disables the interface. The no option reenables the interface.
Chapter 22 Configuring Optional Spanning-Tree Features Additional References RFCs RFCs Title No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
CH A P T E R 23 Configuring Resilient Ethernet Protocol Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 23 Configuring Resilient Ethernet Protocol Information About Configuring REP One REP segment is a chain of ports connected to each other and configured with a segment ID. Each segment consists of standard (non-edge) segment ports and two user-configured edge ports. A switch can have no more than two ports that belong to the same segment, and each segment port can have only one external neighbor.
Chapter 23 Configuring Resilient Ethernet Protocol Information About Configuring REP REP segments have these characteristics: • If all ports in the segment are operational, one port (referred to as the alternate port) is in the blocked state for each VLAN. If VLAN load balancing is configured, two ports in the segment control the blocked state of VLANs. • If one or more ports in a segment is not operational, causing a link failure, all ports forward traffic on all VLANs to ensure connectivity.
Link Integrity
REP does not use an end-to-end polling mechanism between edge ports to verify link integrity. It implements local link failure detection. The REP Link Status Layer (LSL) detects its REP-aware neighbor and establishes connectivity within the segment. All VLANs are blocked on an interface until it detects the neighbor.
• By entering the neighbor offset number of a port in the segment, which identifies the downstream neighbor port of an edge port. The neighbor offset number range is –256 to +256; a value of 0 is invalid. The primary edge port has an offset number of 1; positive numbers above 1 identify downstream neighbors of the primary edge port.
When VLAN load balancing is triggered, the primary edge port sends out a message to alert all interfaces in the segment about the preemption. When the secondary port receives the message, it is reflected into the network to notify the alternate port to block the set of VLANs specified in the message and to notify the primary edge port to block the remaining VLANs.
REP Segments
A segment is a collection of ports connected one to the other in a chain and configured with a segment ID. To configure REP segments, you configure the REP administrative VLAN (or use the default VLAN 1) and then add the ports to the segment using interface configuration mode. You should configure two edge ports in the segment, with one of them the primary edge port and the other by default the secondary edge port.
• REP ports follow these rules:
  – There is no limit to the number of REP ports on a switch; however, only two ports on a switch can belong to the same REP segment.
  – If only one port on a switch is configured in a segment, the port should be an edge port.
  – If two ports on a switch belong to the same segment, they must be both edge ports, both regular segment ports, or one regular port and one edge no-neighbor port.
• If you do not configure an administrative VLAN, the default is VLAN 1.
• There can be only one administrative VLAN on a switch and on a segment. However, this is not enforced by software.
• The administrative VLAN cannot be the RSPAN VLAN.

How to Configure REP

Configuring the REP Administrative VLAN
Step 1  configure terminal
        Enters global configuration mode.
Step 4  rep segment segment-id [edge [no-neighbor] [primary]] [preferred]
        Enables REP on the interface, and identifies a segment number. The segment ID range is from 1 to 1024. These optional keywords are available:
        • edge—Configures the port as an edge port. Entering edge without the primary keyword configures the port as the secondary edge port.
        Note: Each segment has only two edge ports.
Step 6  rep block port {id port-id | neighbor_offset | preferred} vlan {vlan-list | all}
        (Optional) Configures VLAN load balancing on the primary edge port, identifies the REP alternate port in one of three ways, and configures the VLANs to be blocked on the alternate port.
        • id port-id—Identifies the alternate port by port ID. The port ID is automatically generated for each port in the segment.
Setting Manual Preemption for VLAN Load Balancing

Before You Begin
If you do not enter the rep preempt delay seconds interface configuration command on the primary edge port to configure a preemption time delay, the default is to manually trigger VLAN load balancing on the segment. Be sure that all other segment configuration has been completed before manually preempting VLAN load balancing.
Configuration Examples for Configuring REP

Configuring the Administrative VLAN: Example
This example shows how to configure the administrative VLAN as VLAN 100 and verify the configuration by entering the show interface rep detail command on one of the REP interfaces:
Switch# configure terminal
Switch (conf)# rep admin vlan 100
Switch (conf)# end
Switch# show interface gigabitethernet1/1 rep detail
GigabitEthe
Switch (conf-if)# rep preempt delay 60
Switch (conf-if)# rep lsl-age-timer 6000

Configuring VLAN Blocking: Example
This example shows how to configure the VLAN blocking configuration shown in Figure 23-5. The alternate port is the neighbor with neighbor offset number 4. After manual preemption, VLANs 100 to 200 are blocked at this port, and all other VLANs are blocked at the primary edge port E1 (Gigabit Ethernet port 1/0/1).
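The following Python program is an added example, not configuration or code from this guide, that works through the neighbor offset numbering and the VLAN split described for Figure 23-5: positive offsets count down the segment from the primary edge port (offset 1) and, by the REP convention, negative offsets count back from the secondary edge port (offset -1). The segment port list and switch names are constructed for illustration.

```python
# Added example (not from the Cisco guide): resolving REP neighbor offset
# numbers and the VLAN split that load balancing produces. The segment below
# is constructed; it follows the Figure 23-5 description in the text.
from typing import Dict, Iterable, List

MAX_OFFSET = 256


def resolve_neighbor_offset(segment: List[str], offset: int) -> str:
    """Map a neighbor offset number to a port of the segment.

    `segment` lists every segment port in chain order, from the primary edge
    port (offset 1) to the secondary edge port. Positive offsets count
    downstream from the primary edge; negative offsets count back from the
    secondary edge port, which is -1. Offset 0 is invalid and the
    configurable range is -256 to +256.
    """
    if offset == 0 or not -MAX_OFFSET <= offset <= MAX_OFFSET:
        raise ValueError(f"neighbor offset {offset} is zero or outside -256..256")
    index = offset - 1 if offset > 0 else len(segment) + offset
    if not 0 <= index < len(segment):
        raise ValueError(f"offset {offset} points past the end of the segment")
    return segment[index]


def vlan_blocking_plan(segment: List[str], offset: int,
                       blocked_at_alternate: Iterable[int],
                       all_vlans: Iterable[int]) -> Dict[str, List[int]]:
    """Which VLANs each port blocks after preemption (rep block port ... vlan).

    The alternate port blocks the configured list; the primary edge port blocks
    every remaining VLAN, so each VLAN is blocked at exactly one port.
    """
    blocked = set(blocked_at_alternate)
    remaining = set(all_vlans) - blocked
    alternate = resolve_neighbor_offset(segment, offset)
    return {alternate: sorted(blocked), segment[0]: sorted(remaining)}


# Constructed four-switch ring with two segment ports per switch. Both edge
# ports are on switch A: Gi1/0/1 is the primary edge E1, Gi1/0/2 is E2.
SEGMENT = ["swA Gi1/0/1 (E1)", "swB Gi1/0/1", "swB Gi1/0/2", "swC Gi1/0/1",
           "swC Gi1/0/2", "swD Gi1/0/1", "swD Gi1/0/2", "swA Gi1/0/2 (E2)"]

if __name__ == "__main__":
    # Figure 23-5 as described: offset 4 is the alternate port, VLANs 100-200
    # block there and every other VLAN blocks at E1.
    print(vlan_blocking_plan(SEGMENT, 4, range(100, 201), range(1, 301)))
```

The plan returned for offset 4 blocks VLANs 100 to 200 at the third switch's first segment port and VLANs 1 to 99 and 201 to 300 at E1, which is the split the example above configures.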
Additional References

MIBs
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Chapter 24 Configuring FlexLinks and the MAC Address-Table Move Update

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring the FlexLinks and the MAC Address-Table Move Update

[...] of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic. When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled on FlexLinks interfaces. In Figure 24-1, ports 1 and 2 on switch A are connected to uplink switches B and C.
Figure 24-2 VLAN FlexLinks Load Balancing Configuration Example
[Figure: Switch A with FlexLinks ports gi2/0/6 and gi2/0/8 to uplink switches B and C; one port forwards VLANs 1-50 and the other forwards VLANs 51-100.]

FlexLinks Multicast Fast Convergence
FlexLinks Multicast Fast Convergence reduces the multicast traffic convergence time after a FlexLinks failure.
Leaking IGMP Reports
To achieve multicast traffic convergence with minimal loss, a redundant data path must be set up before the FlexLinks active link goes down. This can be achieved by leaking only IGMP report packets on the FlexLinks backup link.
Figure 24-3 MAC Address-Table Move Update Example
[Figure: a server behind switch C, switches B and D in the middle, switch A with ports 1 and 2 toward B and D and ports 3 and 4 toward C, and a PC attached to switch A.]

Default Settings for FlexLinks and MAC Address-Table Move Update
FlexLinks is not configured, and there are no backup interfaces defined. The preemption mode is off.
How to Configure the FlexLinks and MAC Address-Table Move Update

Configuration Guidelines for FlexLinks and MAC Address-Table Move Update
Follow these guidelines to configure FlexLinks:
• You can configure up to 16 backup links.
• You can configure only one FlexLinks backup link for any active link, and it must be a different interface from the active interface.
• An interface can belong to only one FlexLinks pair.
Step 3  switchport backup interface interface-id
        Configures a physical Layer 2 interface (or port channel) as part of a FlexLinks pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.
Step 4  end
        Returns to privileged EXEC mode.
Step 3  switchport backup interface interface-id prefer vlan vlan-range
        Configures a physical Layer 2 interface (or port channel) as part of a FlexLinks pair with the interface, and specifies the VLANs carried on the interface. The VLAN ID range is 1 to 4096.
Step 4  end
        Returns to privileged EXEC mode.
Maintaining and Monitoring the FlexLinks and MAC Address-Table Move Update

show interfaces [interface-id] switchport backup
        Displays the FlexLinks backup interface configured for an interface or all the configured FlexLinks and the state of each active and backup interface (up or standby mode).
Configuration Examples for the FlexLinks and MAC Address-Table Move Update

(truncated command output showing the multicast router ports learned per VLAN)
Vlan    ports
----    -----
1       Gi1/1(dynamic), Gi1/2(dynamic)
401     Gi1/1(dynamic), Gi1/2(dynamic)

Similarly, both FlexLinks ports are part of learned groups.
Vlan  Group      Type  Version  Port List
1     228.1.5.1  igmp  v2       Gi1/1, Gi1/2, Gi1/1
1     228.1.5.2  igmp  v2       Gi1/1, Gi1/2, Gi1/1

Whenever a host responds to the general query, the switch forwards this report on all the mrouter ports.
Configuring VLAN Load Balancing on FlexLinks: Examples
In the following example, VLANs 1 to 50, 60, and 100 to 120 are configured on the switch:
Switch(config)# interface gigabitEthernet 1/1
Switch(config-if)# switchport backup interface gigabitEthernet 1/2 prefer vlan 60,100-120
When both interfaces are up, GigabitEthernet1/1 forwards traffic for VLANs 60 and
Configuring MAC Address-Table Move Update: Example
This example shows how to configure an access switch to send MAC address-table move update messages:
Switch(conf)# interface gigabitethernet1/1
Switch(conf-if)# switchport backup interface gigabitethernet1/2 mmu primary vlan 2
Switch(conf-if)# exit
Switch(conf)# mac address-table move update transmit
Switch(conf)# end
This example shows how to verify the configur
Additional References

MIBs
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Chapter 25 Configuring DHCP

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Configuring DHCP

DHCP Relay Agent
A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams are switched transparently between networks.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface.
When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs:
• The host (DHCP client) generates a DHCP request and broadcasts it on the network.
• When the switch receives the DHCP request, it adds the option-82 information in the packet.
Figure 25-2 Suboption Packet Formats

Circuit ID Suboption Frame Format
  Suboption type: 1 (1 byte)
  Length: 6 (1 byte)
  Circuit ID type: 0 (1 byte)
  Length: 4 (1 byte)
  VLAN (2 bytes), Module (1 byte), Port (1 byte)

Remote ID Suboption Frame Format
  Suboption type: 2 (1 byte)
  Length: 8 (1 byte)
  Remote ID type: 0 (1 byte)
  Length: 6 (1 byte)
  MAC address (6 bytes)

Figure 25-3 shows the packet formats for user-configured remote-ID and circuit-ID suboptions. The s
Figure 25-3 User-Configured Suboption Packet Formats

Circuit ID Suboption Frame Format (for user-configured string)
  Suboption type: 1 (1 byte)
  Length: N+2 (1 byte)
  Circuit ID type: 1 (1 byte)
  Length: N (1 byte)
  ASCII Circuit ID string (N bytes, N = 3-63)

Remote ID Suboption Frame Format (for user-configured string)
  Suboption type: 2 (1 byte)
  Length: N+2 (1 byte)
  Remote ID type: 1 (1 byte)
  Length: N (1 byte)
  ASCII Remote ID string or hostname (N bytes)
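The following Python parser is an added example, not code from this guide or from Cisco, that decodes both suboption layouts of Figures 25-2 and 25-3 and rejects a suboption whose length field runs past the data actually present. Option 82 arrives from whatever is on the wire, so a DHCP server or relay that consumes it should bound-check every length before trusting the VLAN, port or string inside. The sample option values are constructed.

```python
# Added example (not part of the Cisco guide): a parser for the DHCP option-82
# suboption layouts of Figures 25-2 and 25-3. Sample values are constructed.
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

SUBOPT_CIRCUIT_ID = 1   # relay agent circuit-ID suboption
SUBOPT_REMOTE_ID = 2    # relay agent remote-ID suboption


@dataclass
class CircuitId:
    vlan: Optional[int] = None      # default format: VLAN, module, port
    module: Optional[int] = None
    port: Optional[int] = None
    string: Optional[str] = None    # user-configured format: ASCII string


@dataclass
class RemoteId:
    mac: Optional[str] = None       # default format: switch MAC address
    string: Optional[str] = None    # user-configured format: string or hostname


def split_suboptions(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (suboption type, data); every length is checked against the
    bytes present, so truncated or oversized suboptions raise ValueError."""
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated suboption header")
        stype, slen = value[i], value[i + 1]
        data = value[i + 2:i + 2 + slen]
        if len(data) != slen:
            raise ValueError("suboption length exceeds option data")
        yield stype, data
        i += 2 + slen


def _inner_tlv(data: bytes) -> Tuple[int, bytes]:
    # Both suboptions wrap a second TLV: ID type (1 byte), length (1 byte), body.
    if len(data) < 2 or len(data) != 2 + data[1]:
        raise ValueError("malformed inner TLV")
    return data[0], data[2:]


def parse_circuit_id(data: bytes) -> CircuitId:
    ctype, body = _inner_tlv(data)
    if ctype == 0:                          # Figure 25-2: VLAN(2) module(1) port(1)
        if len(body) != 4:
            raise ValueError("default circuit-ID body must be 4 bytes")
        return CircuitId(vlan=int.from_bytes(body[:2], "big"),
                         module=body[2], port=body[3])
    if ctype == 1:                          # Figure 25-3: ASCII string, N = 3-63
        if not 3 <= len(body) <= 63:
            raise ValueError("user-configured circuit-ID string must be 3-63 bytes")
        return CircuitId(string=body.decode("ascii"))
    raise ValueError(f"unknown circuit-ID type {ctype}")


def parse_remote_id(data: bytes) -> RemoteId:
    rtype, body = _inner_tlv(data)
    if rtype == 0:                          # Figure 25-2: 6-byte MAC address
        if len(body) != 6:
            raise ValueError("default remote-ID body must be a 6-byte MAC")
        return RemoteId(mac=body.hex(":"))
    if rtype == 1:                          # Figure 25-3: ASCII string or hostname
        return RemoteId(string=body.decode("ascii"))
    raise ValueError(f"unknown remote-ID type {rtype}")


def parse_option82(value: bytes) -> dict:
    """Decode an option-82 value into its circuit-ID and remote-ID parts."""
    out: dict = {}
    for stype, data in split_suboptions(value):
        if stype == SUBOPT_CIRCUIT_ID:
            out["circuit_id"] = parse_circuit_id(data)
        elif stype == SUBOPT_REMOTE_ID:
            out["remote_id"] = parse_remote_id(data)
        else:
            out.setdefault("unknown", []).append((stype, data))
    return out


def encode_user_suboption(stype: int, text: str) -> bytes:
    """Build a user-configured (ID type 1) suboption in the Figure 25-3 layout."""
    body = text.encode("ascii")
    inner = bytes([1, len(body)]) + body
    return bytes([stype, len(inner)]) + inner


# Constructed samples: default format for VLAN 100, module 1, port 3 with a
# relay MAC of 00:11:22:33:44:55, and user-configured strings for the same port.
DEFAULT_SAMPLE = bytes.fromhex("0106000400640103" "02080006001122334455")
USER_SAMPLE = (encode_user_suboption(SUBOPT_CIRCUIT_ID, "sw1-gi1/3")
               + encode_user_suboption(SUBOPT_REMOTE_ID, "core-switch"))
```

Running parse_option82 on DEFAULT_SAMPLE yields VLAN 100, module 1, port 3 and the relay MAC; cutting one byte off the end makes the remote-ID length field exceed the data and the parser raises instead of reading past the option.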
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
Table 25-1 Default DHCP Snooping Settings (continued)
Feature                                                                 Default Setting
DHCP snooping enabled globally                                          Disabled
DHCP snooping information option                                        Enabled
DHCP snooping option to accept packets on untrusted input interfaces    Disabled
DHCP snooping limit rate                                                None configured
DHCP snooping trust                                                     Untrusted
DHCP snooping VLAN                                                      Disabled
DHCP snooping MAC address verification                                  Enabled
Cisco IOS DHCP server binding database                                  Enab
• You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.

Note: Do not enable DHCP snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.
How to Configure DHCP

[...] option are identified by the client hardware address. When you configure this feature, the port name of the interface overrides the client identifier or hardware address and the actual point of connection, the switch port, becomes the client identifier. In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device.
        interface range port-range
        Configures multiple physical ports that are connected to the DHCP clients, and enters interface range configuration mode.
        or
        interface interface-id
        Configures a single physical port that is connected to the DHCP client, and enters interface configuration mode.
Step 7  switchport mode access
        Defines the VLAN membership mode for the port.
Step 7  interface interface-id
        Specifies the interface to be configured, and enters interface configuration mode.
Step 8  ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
        (Optional) Configures the circuit-ID suboption for the specified interface. Specifies the VLAN and port identifier, using a VLAN ID in the range of 1 to 4096.
Step 3  ip dhcp snooping database timeout seconds
        Specifies (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.
Step 3  network network-number [mask | /prefix-length]
        Specifies the subnet network number and mask of the DHCP address pool.
Step 4  address ip-address client-id string [ascii]
        Reserves an IP address for a DHCP client identified by the interface name. string—Can be an ASCII value or a hexadecimal value.
Step 5  reserved-only
        (Optional) Uses only reserved addresses in the DHCP address pool.
Configuration Examples for Configuring DHCP

Enabling DHCP Server Port-Based Address Allocation: Examples
In this example, a subscriber identifier is automatically generated, and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead. The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10.1.1.7.
Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 26 Configuring Dynamic ARP Inspection

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Dynamic ARP Inspection

[...] because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.
Interface Trust States and Network Security
DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.
Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.

Rate Limiting of ARP Packets
The switch CPU performs DAI validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps).
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. Dashes appear in the display in place of all data except the packet count and the time. No other statistics are provided for the entry.
How to Configure Dynamic ARP Inspection

Note: Do not enable DAI on RSPAN VLANs. If DAI is enabled on RSPAN VLANs, DAI packets might not reach the RSPAN destination port.

• A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel.
Step 3  ip arp inspection vlan vlan-range
        Enables DAI on a per-VLAN basis. By default, DAI is disabled on all VLANs.
        vlan-range—Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096. Specifies the same VLAN ID for both switches.
Step 3  permit ip host sender-ip mac host sender-mac [log]
        Permits ARP packets from the specified host (Host 2).
        • sender-ip—Enters the IP address of Host 2.
        • sender-mac—Enters the MAC address of Host 2.
        • (Optional) log—Logs a packet in the log buffer when it matches the access control entry (ACE).
Limiting the Rate of Incoming ARP Packets
Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies the interface to be rate-limited, and enters interface configuration mode.
Step 3  ip arp inspection limit {rate pps [burst interval seconds] | none}
        Limits the rate of incoming ARP requests and responses on the interface.
Performing Validation Checks
Step 1  configure terminal
        Enters global configuration mode.
Step 2  ip arp inspection validate {[src-mac] [dst-mac] [ip]}
        Performs a specific check on incoming ARP packets. By default, no checks are performed.
        • src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
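The following Python model is an added example, not code from this guide or from Cisco IOS, that puts the pieces of this chapter in the order DAI applies them: trusted interfaces bypass inspection, untrusted interfaces are rate-limited (15 pps default, err-disable on excess), the optional src-mac, dst-mac and ip checks run, and the ARP body is then matched against an ARP ACL entry or the DHCP snooping binding table. The dst-mac and ip checks follow the semantics Cisco documents for those keywords (dst-mac compares the Ethernet destination with the ARP target MAC on replies; ip rejects 0.0.0.0, 255.255.255.255 and multicast sender addresses, and target addresses on replies). All bindings, ACL entries and packets are constructed sample data.

```python
# Added example (not from the Cisco guide): a model of the DAI decision path
# described in this chapter. All bindings, ACL entries and packets below are
# constructed sample data.
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Set, Tuple

DEFAULT_RATE_PPS = 15   # untrusted-port default from "Rate Limiting of ARP Packets"


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str          # Ethernet header addresses
    eth_dst: str
    sender_ip: str        # ARP body fields
    sender_mac: str
    target_ip: str
    target_mac: str
    is_reply: bool


@dataclass
class DaiSwitch:
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Set[Tuple[int, str, str]] = field(default_factory=set)  # (vlan, ip, mac) from DHCP snooping
    arp_acl: Set[Tuple[str, str]] = field(default_factory=set)        # permit ip host .. mac host .. entries
    validate: Set[str] = field(default_factory=set)                   # any of src-mac, dst-mac, ip
    rate_pps: int = DEFAULT_RATE_PPS
    errdisabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)
    _counts: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))

    @staticmethod
    def _invalid_ip(ip: str) -> bool:
        return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

    def _deny(self, pkt: ArpPacket, reason: str) -> str:
        self.log.append(f"DAI denied {pkt.sender_ip}/{pkt.sender_mac} on "
                        f"{pkt.in_port} vlan {pkt.vlan}: {reason}")
        return "drop"

    def inspect(self, pkt: ArpPacket, second: int) -> str:
        """Return 'forward' or 'drop'; `second` is the arrival time for rate limiting."""
        if pkt.in_port in self.errdisabled:
            return "drop"
        if pkt.in_port in self.trusted_ports:
            return "forward"                    # trusted interfaces bypass all checks
        # Rate limit per untrusted port: more than rate_pps in one second err-disables it.
        self._counts[(pkt.in_port, second)] += 1
        if self._counts[(pkt.in_port, second)] > self.rate_pps:
            self.errdisabled.add(pkt.in_port)
            self.log.append(f"{pkt.in_port}: ARP rate above {self.rate_pps} pps, err-disabled")
            return "drop"
        # Optional checks from "ip arp inspection validate".
        if "src-mac" in self.validate and pkt.eth_src != pkt.sender_mac:
            return self._deny(pkt, "src-mac mismatch")
        if "dst-mac" in self.validate and pkt.is_reply and pkt.eth_dst != pkt.target_mac:
            return self._deny(pkt, "dst-mac mismatch")
        if "ip" in self.validate and (self._invalid_ip(pkt.sender_ip) or
                                     (pkt.is_reply and self._invalid_ip(pkt.target_ip))):
            return self._deny(pkt, "invalid ip address")
        # ARP ACL entries (static hosts) are consulted, then the DHCP snooping bindings.
        if (pkt.sender_ip, pkt.sender_mac) in self.arp_acl:
            return "forward"
        if (pkt.vlan, pkt.sender_ip, pkt.sender_mac) in self.bindings:
            return "forward"
        return self._deny(pkt, "no matching binding")


def dai_demo() -> Dict[str, object]:
    """Constructed scenario: a bound host, a static host, a trusted uplink and a
    gratuitous reply that claims the gateway address with an unbound MAC."""
    sw = DaiSwitch(trusted_ports={"Gi1/1"},
                   bindings={(10, "10.0.0.5", "00:aa:bb:cc:dd:05")},
                   arp_acl={("10.0.0.9", "00:aa:bb:cc:dd:09")},
                   validate={"src-mac", "ip"})
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    good = ArpPacket("Gi1/3", 10, "00:aa:bb:cc:dd:05", bcast, "10.0.0.5",
                     "00:aa:bb:cc:dd:05", "10.0.0.1", zero, False)
    static = ArpPacket("Gi1/4", 10, "00:aa:bb:cc:dd:09", bcast, "10.0.0.9",
                       "00:aa:bb:cc:dd:09", "10.0.0.1", zero, False)
    spoofed = ArpPacket("Gi1/3", 10, "00:aa:bb:cc:dd:99", bcast, "10.0.0.1",
                        "00:aa:bb:cc:dd:99", "10.0.0.1", "00:aa:bb:cc:dd:99", True)
    uplink = ArpPacket("Gi1/1", 10, "00:aa:bb:cc:dd:01", bcast, "10.0.0.1",
                       "00:aa:bb:cc:dd:01", "10.0.0.5", "00:aa:bb:cc:dd:05", True)
    results: Dict[str, object] = {"good": sw.inspect(good, 0), "static": sw.inspect(static, 0),
                                  "spoofed": sw.inspect(spoofed, 0), "uplink": sw.inspect(uplink, 0)}
    burst = [sw.inspect(good, 1) for _ in range(16)]   # 16 packets in one second on Gi1/3
    results["burst_forwarded"] = burst.count("forward")
    results["errdisabled"] = sorted(sw.errdisabled)
    return results
```

In the demo the spoofed reply is dropped and logged because no binding pairs the gateway address with that MAC, and the sixteenth packet in one second trips the default limit so Gi1/3 is err-disabled; recovery is where show errdisable recovery from the monitoring table comes in. One caveat the ip check brings: hosts that probe an address with sender IP 0.0.0.0 are dropped on untrusted ports, which is worth knowing before enabling it.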
Configuring the Log Buffer
Step 1  configure terminal
        Enters global configuration mode.
Step 2  ip arp inspection log-buffer {entries number | logs number interval seconds}
        Configures the DAI logging buffer. By default, when DAI is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second.
Monitoring and Maintaining Dynamic ARP Inspection

clear ip arp inspection log
        Clears the DAI log buffer.
clear ip arp inspection statistics
        Clears the DAI statistics.
show arp access-list [acl-name]
        Displays detailed information about ARP ACLs.
show errdisable recovery
        Displays the error-disabled recovery timer information.
Additional References
The following sections provide references related to switch administration:

Related Documents
Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 27 Configuring IP Source Guard

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IP Source Guard

You can enable IPSG when DHCP snooping is enabled on an untrusted interface. After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
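The following Python model is an added example, not code from this guide or from Cisco IOS, of the port ACL that IPSG derives from the binding table: DHCP is always allowed so a client can still obtain a lease, IP traffic is permitted only when its source address (and, with the port-security variant, its source MAC) is bound to that port and VLAN, and a port without IPSG is left alone. The bindings and packets are constructed sample data.

```python
# Added example (not from the Cisco guide): the per-port source filter that
# IP Source Guard applies, with the optional MAC check of
# "ip verify source port-security". Bindings and packets are constructed.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

DHCP_PORTS = {67, 68}   # DHCP stays permitted so clients can still get a lease


@dataclass(frozen=True)
class IpPacket:
    in_port: str
    vlan: int
    src_mac: str
    src_ip: str
    proto: str          # "udp", "tcp", ...
    dst_port: int = 0


class IpSourceGuard:
    def __init__(self) -> None:
        # (port, vlan) -> {(ip, mac)}; filled by DHCP snooping and by static
        # "ip source binding" entries
        self.bindings: Dict[Tuple[str, int], Set[Tuple[str, str]]] = {}
        self.ip_only: Set[str] = set()      # ports with "ip verify source"
        self.ip_and_mac: Set[str] = set()   # ports with "ip verify source port-security"

    def add_binding(self, port: str, vlan: int, ip: str, mac: str) -> None:
        self.bindings.setdefault((port, vlan), set()).add((ip, mac))

    def enable(self, port: str, port_security: bool = False) -> None:
        (self.ip_and_mac if port_security else self.ip_only).add(port)

    def permit(self, pkt: IpPacket) -> bool:
        """Port ACL semantics: DHCP always, bound sources only, all else denied."""
        if pkt.in_port not in self.ip_only and pkt.in_port not in self.ip_and_mac:
            return True                                   # IPSG not enabled here
        if pkt.proto == "udp" and pkt.dst_port in DHCP_PORTS:
            return True
        pairs = self.bindings.get((pkt.in_port, pkt.vlan), set())
        if pkt.in_port in self.ip_and_mac:
            return (pkt.src_ip, pkt.src_mac) in pairs     # IP and MAC must both match
        return any(ip == pkt.src_ip for ip, _ in pairs)   # IP filtering only


def ipsg_demo() -> Dict[str, bool]:
    """Constructed scenario: a snooped host on Gi1/3, a static binding on Gi1/4."""
    ipsg = IpSourceGuard()
    ipsg.add_binding("Gi1/3", 10, "10.0.0.5", "00:aa:bb:cc:dd:05")   # learned by DHCP snooping
    ipsg.add_binding("Gi1/4", 10, "10.0.0.9", "00:aa:bb:cc:dd:09")   # static ip source binding
    ipsg.enable("Gi1/3")
    ipsg.enable("Gi1/4", port_security=True)
    return {
        "bound_host": ipsg.permit(IpPacket("Gi1/3", 10, "00:aa:bb:cc:dd:05", "10.0.0.5", "tcp", 443)),
        "forged_source": ipsg.permit(IpPacket("Gi1/3", 10, "00:aa:bb:cc:dd:05", "10.0.0.1", "tcp", 443)),
        "dhcp_discover": ipsg.permit(IpPacket("Gi1/3", 10, "00:aa:bb:cc:dd:05", "0.0.0.0", "udp", 67)),
        "mac_mismatch": ipsg.permit(IpPacket("Gi1/4", 10, "00:aa:bb:cc:dd:77", "10.0.0.9", "tcp", 22)),
        "unguarded_port": ipsg.permit(IpPacket("Gi1/5", 10, "00:aa:bb:cc:dd:55", "10.0.0.55", "tcp", 22)),
    }
```

The forged-source case shows why IPSG is paired with DHCP snooping: a host that keeps its real MAC but sends from an address it was never leased is blocked at the port, before DAI or any upstream ACL sees the packet.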
IPSG for static hosts also supports dynamic hosts. If a dynamic host receives a DHCP-assigned IP address that is available in the IP DHCP snooping table, the same entry is learned by the IP device tracking table. When you enter the show ip device tracking all EXEC command, the IP device tracking table displays the entries as ACTIVE.
• You can enable this feature when 802.1x port-based authentication is enabled.
• If the number of ternary content addressable memory (TCAM) entries exceeds the maximum, the CPU usage increases.

How to Configure IP Source Guard

Enabling IP Source Guard
Step 1  configure terminal
        Enters global configuration mode.
Step 6  ip verify source tracking port-security
        Enables IPSG for static hosts with MAC address filtering.
        Note: When you enable both IPSG and port security by using the ip verify source port-security interface configuration command:
        • The DHCP server must support option-82, or the client is not assigned an IP address.
Step 7  ip device tracking maximum number
Step 6   private-vlan isolated
         Specifies an isolated VLAN on a private VLAN port.
Step 7   exit
         Exits VLAN configuration mode.
Step 8   vlan vlan-id1
         Enters VLAN configuration mode.
Step 9   private-vlan association 201
         Associates the VLAN on an isolated private VLAN port.
Step 10  exit
         Exits VLAN configuration mode.
Step 11  interface fastEthernet interface-id
         Enters interface configuration mode.
Monitoring and Maintaining IP Source Guard

show ip device tracking
        Displays the active IP or MAC binding entries for all interfaces.
show ip source binding
        Displays the IP source bindings on a switch.
show ip verify source
        Displays the IP source guard configuration on the switch.
copy running-config startup-config
        Saves your entries in the configuration file.
Configuration Examples for IP Source Guard

Switch(config-if)# switchport access vlan 10
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# ip verify source tracking
Switch(config-if)# end
Switch# show ip verify source
Interface  Filter-type  Filter-mode  IP-address
---------  -----------  -----------  ----------
Gi0/3      ip trk       active       40.1.1.24
Gi0/3      ip trk       active       40.1.1.20
Gi0/3      ip trk       active       40.1.1.
(continued output, truncated)
IP-address   Mac-address
200.1.1.4    0001.0600.0000
200.1.1.4    0001.0600.0000
200.1.1.5    0001.0600.0000
200.1.1.5    0001.0600.0000
200.1.1.6    0001.0600.0000
200.1.1.7    0001.0600.
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# int fastEthernet 4/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 200 201
Switch(config-if)# ip device tracking maximum 8
Switch(config-if)# ip verify source tracking
Switch# show ip device tracking all
IP Device Tracking = Enabled
IP De
Additional References

Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.
Chapter 28 Configuring IGMP Snooping and MVR

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IGMP Snooping and MVR

IGMP Snooping
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
An IGMPv3 switch supports Basic IGMPv3 Snooping Support (BISS), which includes support for the snooping features on IGMPv1 and IGMPv2 switches and for IGMPv3 membership report messages. BISS constrains the flooding of multicast traffic when your network includes IGMPv3 hosts. It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts.
Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Host 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group.
Leaving a Multicast Group
The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested hosts respond to the queries. If at least one host in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN.
IGMP Report Suppression
Note: IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.

The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices.
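The following Python model is an added example, not code from this guide or from Cisco IOS, of the per-VLAN state that the join, leave and report-suppression passages above describe: a general query is flooded to the VLAN, a membership report adds the receiving port to the group and is passed upstream only once per group and query, data for a known group goes to member and multicast-router ports, and data for an unknown group is flooded. Leaving uses the immediate-leave simplification (no group-specific query), and the VLAN, ports and groups are constructed; the router sits on port P1 as in the Router A example.

```python
# Added example (not from the Cisco guide): the forwarding state IGMP snooping
# builds per VLAN from queries, reports and leaves, with report suppression.
# Ports and groups are constructed; leave handling is the immediate-leave
# simplification rather than a group-specific query.
from typing import Dict, Set


class IgmpSnoopingVlan:
    def __init__(self, vlan: int, ports: Set[str], mrouter_ports: Set[str]) -> None:
        self.vlan = vlan
        self.ports = set(ports)
        self.mrouter_ports = set(mrouter_ports)   # learned from queries or configured
        self.groups: Dict[str, Set[str]] = {}      # group address -> member ports
        self._reported: Set[str] = set()           # groups already reported for this query

    def general_query(self, in_port: str) -> Set[str]:
        """A router query is flooded to every other port in the VLAN; the next
        report per group may again go upstream (report suppression resets)."""
        self.mrouter_ports.add(in_port)   # a port that delivers queries is an mrouter port
        self._reported.clear()
        return self.ports - {in_port}

    def membership_report(self, in_port: str, group: str) -> Set[str]:
        """Host join: record the port. With report suppression only the first
        report per group and query reaches the multicast router ports."""
        self.groups.setdefault(group, set()).add(in_port)
        if group in self._reported:
            return set()
        self._reported.add(group)
        return self.mrouter_ports - {in_port}

    def leave(self, in_port: str, group: str) -> bool:
        """Remove the port from the group; True when the last receiver left."""
        members = self.groups.get(group)
        if not members:
            return False
        members.discard(in_port)
        if members:
            return False
        del self.groups[group]             # no receivers left: stop forwarding the group
        return True

    def forward_data(self, group: str, in_port: str) -> Set[str]:
        """Known groups reach member and mrouter ports only; unknown groups flood."""
        members = self.groups.get(group)
        if members is None:
            return self.ports - {in_port}
        return (members | self.mrouter_ports) - {in_port}


def snooping_demo() -> Dict[str, object]:
    """Walk through the join/leave sequence of this section on a constructed VLAN."""
    vlan = IgmpSnoopingVlan(10, {"P1", "P2", "P3", "P4", "P5"}, {"P1"})  # router on P1
    out: Dict[str, object] = {}
    out["query"] = sorted(vlan.general_query("P1"))
    out["first_report"] = sorted(vlan.membership_report("P2", "224.1.2.3"))
    out["second_report"] = sorted(vlan.membership_report("P3", "224.1.2.3"))  # suppressed
    out["data_known"] = sorted(vlan.forward_data("224.1.2.3", "P1"))
    out["data_unknown"] = sorted(vlan.forward_data("224.9.9.9", "P1"))
    out["last_left"] = [vlan.leave("P2", "224.1.2.3"), vlan.leave("P3", "224.1.2.3")]
    out["data_after_leave"] = sorted(vlan.forward_data("224.1.2.3", "P1"))
    return out
```

The second report for 224.1.2.3 returns an empty set: the switch records P3 as a member but does not send a second report to the router for the same query, which is the suppression behaviour described above. Once both hosts leave, the group entry disappears and traffic for it is flooded like any unknown group until the router stops sending it.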
Chapter 28 Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To learn of multicast router ports through only CGMP packets, use the ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.
Chapter 28 Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR is no SVI IP address, the switch uses the first available IP address configured on the switch. The first IP address available appears in the output of the show ip interface privileged EXEC command. The IGMP snooping querier does not generate an IGMP general query if it cannot find an available IP address on the switch. • The IGMP snooping querier supports IGMP Versions 1 and 2.
Chapter 28 Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR You can set the switch for compatible or dynamic mode of MVR operation: • In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, regardless of MVR host membership on those ports. The multicast data is forwarded only to those receiver ports that MVR hosts have joined, either by IGMP reports or by MVR static configuration.
Chapter 28 Configuring IGMP Snooping and MVR Information About IGMP Snooping and MVR Figure 28-3 Multicast VLAN Registration Example Multicast VLAN Cisco router Multicast server SP Switch B SP SP SP SP SP SP1 SP2 Multicast data Multicast data Switch A RP1 RP2 RP3 RP4 RP5 RP6 RP7 Customer premises Hub IGMP join Set-top box Set-top box TV data TV RP = Receiver Port SP = Source Port TV 101364 PC Note: All source ports belong to the multicast VLAN.
These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device, Switch B. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.
IGMP Filtering and Throttling

In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you might want to control the set of multicast groups to which a user on a switch port can belong. You can control the distribution of multicast services, such as IP/TV, based on some type of subscription or service plan.

IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port.
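The join, leave, filtering, and throttling behavior described in the preceding sections, as an added example that is not part of this guide and not Cisco IOS code. It parses constructed IGMPv1/v2 messages (verifying the RFC 1071 checksum before acting on them), keeps the per-VLAN group-to-port table that snooping uses to constrain flooding, learns the multicast router port from general queries, and applies a stand-in for an IGMP profile (ip igmp filter) and a group limit (ip igmp max-groups) to each join. The port names, profile number 4, group addresses, and the assumption that a profile with no action configured denies its ranges are all constructed for the example.

```python
import struct
from dataclasses import dataclass, field

# IGMPv1/v2 message types (RFC 2236)
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_to_int(ip):
    return int.from_bytes(ip_to_bytes(ip), "big")


def igmp_checksum(data):
    """RFC 1071 one's-complement checksum; computed over a whole valid message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group, max_resp=0):
    """Constructed 8-byte IGMPv1/v2 message with a correct checksum (test input only)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ip_to_bytes(group))
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def parse_igmp(data):
    """Return (type, group); short or corrupted messages are rejected rather than snooped on."""
    if len(data) < 8:
        raise ValueError("short IGMP message")
    if igmp_checksum(data[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, ".".join(str(b) for b in group)


@dataclass
class IgmpProfile:
    """Stand-in for 'ip igmp profile N' with a permit/deny action and one or more group ranges."""
    number: int
    action: str = "deny"                          # assumed default: deny the listed ranges
    ranges: list = field(default_factory=list)    # [(low_ip, high_ip)]

    def allows(self, group):
        g = ip_to_int(group)
        inside = any(ip_to_int(lo) <= g <= ip_to_int(hi) for lo, hi in self.ranges)
        return inside if self.action == "permit" else not inside


class IgmpSnoopingVlan:
    """Snooping state for one VLAN: group -> member ports, learned mrouter ports, per-port policy."""

    def __init__(self, ports):
        self.ports = set(ports)         # every port in the VLAN; unknown groups flood to all of them
        self.groups = {}                # group -> set of member ports
        self.mrouter_ports = set()      # ports on which queries arrived
        self.filters = {}               # port -> IgmpProfile   ('ip igmp filter N')
        self.max_groups = {}            # port -> int           ('ip igmp max-groups N')

    def group_count(self, port):
        return sum(1 for members in self.groups.values() if port in members)

    def receive(self, port, data):
        msg_type, group = parse_igmp(data)
        if msg_type == IGMP_QUERY:
            self.mrouter_ports.add(port)     # general query: this is where the multicast router sits
            return "query"
        if msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            prof = self.filters.get(port)
            if prof is not None and not prof.allows(group):
                return "filtered"
            if port not in self.groups.get(group, ()):
                limit = self.max_groups.get(port)
                if limit is not None and self.group_count(port) >= limit:
                    return "throttled"
            self.groups.setdefault(group, set()).add(port)
            return "joined"
        if msg_type == IGMP_LEAVE:
            members = self.groups.get(group, set())
            if port not in members:
                return "not-member"
            members.discard(port)
            if not members:
                del self.groups[group]       # last member gone: stop forwarding the group in this VLAN
            return "left"
        return "ignored"

    def egress_ports(self, group):
        """Ports a frame to `group` leaves on: members plus mrouter ports, or the whole VLAN if unknown."""
        if group not in self.groups:
            return set(self.ports)
        return self.groups[group] | self.mrouter_ports


def demo():
    """Query, filtered join, permitted joins, throttled join, and leave on constructed ports."""
    vlan = IgmpSnoopingVlan(["Gi1/1", "Gi1/2", "Gi1/3", "Gi1/4"])
    vlan.filters["Gi1/2"] = IgmpProfile(4, "permit", [("239.1.1.1", "239.1.1.255")])
    vlan.max_groups["Gi1/3"] = 1
    events = [
        ("Gi1/1", build_igmp(IGMP_QUERY, "0.0.0.0", 100)),    # router general query
        ("Gi1/2", build_igmp(IGMP_V2_REPORT, "224.1.2.3")),   # outside profile 4: filtered
        ("Gi1/2", build_igmp(IGMP_V2_REPORT, "239.1.1.10")),  # inside profile 4: joined
        ("Gi1/3", build_igmp(IGMP_V2_REPORT, "239.1.1.10")),  # first group on Gi1/3
        ("Gi1/3", build_igmp(IGMP_V2_REPORT, "224.1.2.3")),   # second group exceeds max-groups 1
        ("Gi1/3", build_igmp(IGMP_LEAVE, "239.1.1.10")),
    ]
    return [vlan.receive(p, d) for p, d in events], vlan


if __name__ == "__main__":
    results, vlan = demo()
    print(results, sorted(vlan.egress_ports("239.1.1.10")))
```

Running the block prints the outcome of each event and the egress set for 239.1.1.10, which is the one joined receiver plus the learned router port; a group with no table entry is still flooded to the whole VLAN, which is why filtering joins alone does not stop a host from receiving a stream another port has joined.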
How to Configure IGMP Snooping and MVR

Configuring IGMP Snooping

Enabling or Disabling IGMP Snooping

By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. IGMP snooping is enabled by default on all VLANs, but can be enabled and disabled on a per-VLAN basis.

Step 4  ip igmp snooping vlan vlan-id static ip_address interface interface-id
  (Optional) Statically configures a Layer 2 port as a member of a multicast group:
  • vlan-id—Multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4096.
  • ip_address—Group IP address.
  • interface-id—Member port. It can be a physical interface or a port channel (1 to 6).

Configuring the IGMP Snooping Querier

Step 1  configure terminal
  Enters global configuration mode.
Step 2  ip igmp snooping querier
  Enables the IGMP snooping querier.
Step 3  ip igmp snooping querier address ip_address
  (Optional) Specifies an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

Step 1  configure terminal
  Enters global configuration mode.
Step 2  mvr
  Enables MVR on the switch.
Step 3  mvr group ip-address [count]
  Configures an IP multicast address on the switch, or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1).

Step 5  mvr vlan vlan-id group [ip-address]
  (Optional) Statically configures a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed. In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.

Step 3  ip igmp filter profile number
  Applies the specified IGMP profile to the interface. The range is 1 to 4294967295.
Step 4  ip igmp max-groups number
  Sets the maximum number of IGMP groups that the interface can join. The range is 0 to 4294967294. The default is to have no maximum set.

Monitoring and Maintaining IGMP Snooping and MVR

show ip igmp snooping mrouter [vlan vlan-id]
  Displays information on dynamically learned and manually configured multicast router interfaces.
  Note: When you enable IGMP snooping, the switch automatically learns the interface to which a multicast router is connected. These are dynamically learned interfaces.
  (Optional) Enter vlan vlan-id to display information for a single VLAN.

Configuration Examples for IGMP Snooping

Configuring IGMP Snooping: Example

This example shows how to configure IGMP snooping to use CGMP packets as the learning method:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
Switch(config)# end

Disabling a Multicast Router Port: Example

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interf
Switch(config)# ip igmp snooping querier timeout expiry 60
Switch(config)# end

This example shows how to set the IGMP snooping querier feature to version 2 (the no form of the command would remove the setting, not select the version):

Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end

Enabling MVR: Examples

This example shows how to enable MVR, configure the group address, set the query time to 1 second (10 tenths), specify the MVR multicast VLA
Applying an IGMP Profile: Example

This example shows how to apply IGMP profile 4 to a port:

Switch(config)# interface gigabitethernet1/2
Switch(config-if)# ip igmp filter 4
Switch(config-if)# end

Limiting IGMP Groups: Example

This example shows how to limit to 25 the number of IGMP groups that a port can join:

Switch(config)# interface gigabitethernet1/2
Switch(config-if)# ip igmp max-groups 25
Switch(config-if)# end

Additional References

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.
Link: http://www.cisco.com/techsupport
Chapter 29 Configuring Port-Based Traffic Control
Information About Port-Based Traffic Control

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level.

Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used for a particular type of traffic. However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations.

Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs, see Chapter 19, "Configuring Private VLANs."

Port Blocking

By default, the switch floods packets with unknown destination MAC addresses out of all ports.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command.
• shutdown vlan—Use to set the security violation mode per VLAN. (See Table 29-1.)
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.

Port Security Aging

You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port:
• Absolute—The secure addresses on the port are deleted after the specified aging time.
• Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

Protocol storm protection is disabled by default. When it is enabled, auto-recovery of the virtual port is disabled by default.

How to Configure Port-Based Traffic Control

Configuring Storm Control

Configuring Storm Control and Threshold Levels

Step 1  configure terminal
  Enters global configuration mode.

• pps pps—Specifies the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.
• (Optional) pps-low—Specifies the falling threshold level in packets per second (up to one decimal place).
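The rising/falling suppression behavior described above, as an added example that is not code from this guide or from the switch. The model takes one rate sample per measurement interval, blocks when the rising level is reached, and resumes when the rate drops below the falling level, or below the rising level when no falling level was configured; the transition counter makes the flapping that a missing falling level causes visible. The sample rates are constructed, and the percent-to-pps helper assumes minimum-size 64-byte frames plus the 20 bytes of preamble and inter-frame gap, so it is only a rough planning figure.

```python
from typing import List, Optional, Tuple


class StormControl:
    """Suppression-level model for one traffic type (broadcast, multicast, or unicast) on one port."""

    def __init__(self, rising: float, falling: Optional[float] = None):
        if rising < 0:
            raise ValueError("rising level must be non-negative")
        if falling is not None and not 0 <= falling <= rising:
            raise ValueError("falling level must be between 0 and the rising level")
        self.rising = rising
        # No falling level configured: forwarding resumes only once the rate drops below the rising level.
        self.falling = rising if falling is None else falling
        self.blocked = False
        self.transitions = 0        # block/unblock flips; a high count means the port is flapping

    def observe(self, rate: float) -> bool:
        """Feed one measurement interval's rate, in the same unit as the levels; returns the blocked state."""
        if not self.blocked and rate >= self.rising:        # rising level reached: block this traffic type
            self.blocked, self.transitions = True, self.transitions + 1
        elif self.blocked and rate < self.falling:          # dropped below the falling level: resume
            self.blocked, self.transitions = False, self.transitions + 1
        return self.blocked


def simulate(samples: List[float], rising: float, falling: Optional[float] = None) -> Tuple[List[bool], int]:
    """Run constructed per-interval rate samples through one StormControl instance."""
    sc = StormControl(rising, falling)
    return [sc.observe(r) for r in samples], sc.transitions


def percent_to_pps(level_percent: float, link_bps: int, frame_bytes: int = 64) -> float:
    """Rough packets-per-second equivalent of a percent-of-bandwidth level for frames of frame_bytes
    plus the 20 bytes of preamble and inter-frame gap; percent levels are approximations on the hardware."""
    return link_bps * level_percent / 100.0 / ((frame_bytes + 20) * 8)


if __name__ == "__main__":
    burst = [100, 500, 1200, 900, 700, 400, 300]      # constructed broadcast pps samples
    print(simulate(burst, rising=1000, falling=500))  # hysteresis: stays blocked through 900 and 700
    print(simulate(burst, rising=1000))               # no falling level: unblocks as soon as rate < 1000
```

With a burst that hovers just under the rising level, the no-falling-level configuration flips the port every interval, while a falling level well below the rising one holds the block until the storm has actually subsided.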
Step 3  switchport protected
  Configures the interface to be a protected port.
Step 4  end
  Returns to privileged EXEC mode.

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Note: The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.

Step 6  switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
  (Optional) maximum—Specifies the maximum number of secure MAC addresses on the port. By default only 1 MAC address is allowed. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system.
Step 7  switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]
  (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
  • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of
Step 8  switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
  (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
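Steps 6 through 8 above, together with sticky learning and the two aging types from the information section, modeled as an added example that is not the guide's or Cisco's code. The model keeps a secure-address table with a maximum, learns addresses dynamically or as sticky entries, applies the four violation modes (protect drops silently; restrict drops and counts; shutdown error-disables the port; shutdown vlan error-disables only the offending VLAN), ages dynamic entries by absolute or inactivity time, and renders the lines that would survive in the running configuration. The MAC addresses, VLAN numbers, and timestamps are constructed, and the model assumes that only dynamically learned addresses age.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    """One port with switchport port-security: secure-address table, violation handling, aging."""
    maximum: int = 1                  # default: one secure MAC address per port
    violation: str = "shutdown"       # protect | restrict | shutdown | "shutdown vlan"; shutdown is the default
    sticky: bool = False              # switchport port-security mac-address sticky
    aging_time: int = 0               # minutes; 0 means no aging
    aging_type: str = "absolute"      # absolute | inactivity
    secure: Dict[str, dict] = field(default_factory=dict)   # mac -> {"kind", "vlan", "learned", "last"}
    violations: int = 0
    errdisabled: bool = False
    errdisabled_vlans: Set[int] = field(default_factory=set)

    def add_static(self, mac: str, vlan: int, now: float = 0.0) -> None:
        """switchport port-security mac-address <mac> vlan <vlan>; static entries count against the maximum."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("static address would exceed the configured maximum")
        self.secure[mac] = {"kind": "static", "vlan": vlan, "learned": now, "last": now}

    def _age(self, now: float) -> None:
        """Model assumption: only dynamically learned addresses age out; static and sticky entries stay."""
        if not self.aging_time:
            return
        limit = self.aging_time * 60
        for mac, entry in list(self.secure.items()):
            reference = entry["last"] if self.aging_type == "inactivity" else entry["learned"]
            if entry["kind"] == "dynamic" and now - reference >= limit:
                del self.secure[mac]

    def ingress(self, mac: str, vlan: int, now: float = 0.0) -> str:
        """Classify one frame by source MAC and VLAN and return what the port does with it."""
        if self.errdisabled or vlan in self.errdisabled_vlans:
            return "dropped:errdisable"
        self._age(now)
        if mac in self.secure:
            self.secure[mac]["last"] = now
            return "forwarded"
        if len(self.secure) < self.maximum:
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[mac] = {"kind": kind, "vlan": vlan, "learned": now, "last": now}
            return "learned:" + kind
        # Table is full and the source is unknown: a security violation.
        if self.violation == "protect":
            return "dropped:protect"            # silent drop: no counter, no syslog, no trap
        self.violations += 1                    # restrict and both shutdown modes count the violation
        if self.violation == "restrict":
            return "dropped:restrict"           # the switch would also log and send an SNMP trap
        if self.violation == "shutdown vlan":
            self.errdisabled_vlans.add(vlan)    # only the VLAN the violation arrived on goes error-disabled
            return "errdisabled:vlan"
        self.errdisabled = True                 # whole port goes error-disabled until recovered
        return "errdisabled:port"

    def running_config(self) -> List[str]:
        """Interface lines that persist: static and sticky addresses appear, dynamic ones never do."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append("switchport port-security maximum %d" % self.maximum)
        if self.violation != "shutdown":
            lines.append("switchport port-security violation %s" % self.violation)
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, entry in self.secure.items():
            if entry["kind"] == "static":
                lines.append("switchport port-security mac-address %s vlan %d" % (mac, entry["vlan"]))
            elif entry["kind"] == "sticky":
                lines.append("switchport port-security mac-address sticky %s vlan %d" % (mac, entry["vlan"]))
        return lines
```

The protect mode is the one to be careful with: it drops the violating frames but leaves no counter or trap behind, so a port under a MAC-flooding attempt looks healthy from the management plane.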
Enabling and Configuring Port Security Aging

Step 1  configure terminal
  Enters global configuration mode.
Step 2  interface interface-id
  Specifies the interface to be configured, and enters interface configuration mode.

Step 4  errdisable recovery interval time
  (Optional) Configures an auto-recovery time (in seconds) for error-disabled virtual ports. When a virtual port is error-disabled, the switch auto-recovers after this time. The range is from 30 to 86400 seconds.
Step 5  end
  Returns to privileged EXEC mode.

Configuration Examples for Port-Based Traffic Control

Enabling Broadcast Address Storm Control on a Port: Example

This example shows how to enable broadcast address storm control on a port to a level of 20 percent.

This example shows how to configure a static secure MAC address on VLAN 3 on a port:

Switch(config)# interface gigabitethernet1/2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.02000.

Additional References

The following sections provide references related to switch administration:

Related Documents

Cisco IE 2000 commands: Cisco IE 2000 Switch Command Reference, Release 15.
Cisco IE 2000 Switch Software Configuration Guide, OL-25866-01
Chapter 30 Configuring SPAN and RSPAN
Information About SPAN and RSPAN

SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.

Figure 30-2 Example of RSPAN Configuration (figure: Switch A and Switch B each run an RSPAN source session, A and B, on their RSPAN source ports and send the mirrored traffic into the RSPAN VLAN; the intermediate switches must support the RSPAN VLAN; Switch C runs the RSPAN destination session and delivers the traffic to its RSPAN destination ports.)

SPAN Sessions

SPAN sessions (local or remote) allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or

There can be more than one source session and more than one destination session active in the same RSPAN VLAN. There can also be intermediate switches separating the RSPAN source and destination sessions. These switches need not be capable of running RSPAN, but they must respond to the requirements of the RSPAN VLAN (see the "RSPAN VLAN" section on page 30-7).

Features that can cause a packet to be dropped during transmit processing also affect the duplicated copy for SPAN. These features include IP standard and extended output ACLs and egress QoS policing.
• Both—In a SPAN session, you can also monitor a port or VLAN for both received and sent packets. This is the default. The default configuration for local SPAN session ports is to send all packets untagged.

• Source ports can be in the same or different VLANs.
• You can monitor multiple source ports in a single session.

Source VLANs

VLAN-based SPAN (VSPAN) is the monitoring of the network traffic in one or more VLANs. The SPAN or RSPAN source interface in VSPAN is a VLAN ID, and traffic is monitored on all the ports for that VLAN.

A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch as the source port. For an RSPAN session, it is located on the switch containing the RSPAN destination session. There is no destination port on a switch running only an RSPAN source session.
• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration.

• An RSPAN VLAN cannot be a private-VLAN primary or secondary VLAN.
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its associated RSPAN characteristic are propagated by VTP. If you assign an RSPAN VLAN ID in the extended VLAN range (1006 to 4096), you must manually configure all intermediate switches.

• A secure port cannot be a SPAN destination port. For SPAN sessions, do not enable port security on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable port security on any ports with monitored egress.
• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.

How to Configure SPAN and RSPAN

• The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN remote-span feature is supported in all the participating switches.
• Access ports (including voice VLAN ports) on the RSPAN VLAN are put in the inactive state.
• RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs.

Step 3  monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
  Specifies the SPAN session and the source port (monitored port).
  session_number—The range is 1 to 66.
  interface-id—Specifies the source port or source VLAN to monitor.
  • source interface-id—Specifies the source port to monitor.

Step 4  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
  Specifies the SPAN session and the destination port (monitoring port).
  session_number—Specifies the session number entered in Step 3.
  interface-id—Specifies the destination port.
  Note: The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.

Step 4  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate] [ingress {dot1q vlan vlan-id | untagged vlan vlan-id | vlan vlan-id}]}
  Specifies the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and encapsulation.
  session_number—Specifies the session number entered in Step 3.
  interface-id—Specifies the destination port.

Step 4  monitor session session_number filter vlan vlan-id [, | -]
  Limits the SPAN source traffic to specific VLANs.
  session_number—Enters the session number specified in Step 3.
  vlan-id—The range is 1 to 4096.
  (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Creating an RSPAN Source Session

Step 1  configure terminal
  Enters global configuration mode.
Step 2  no monitor session {session_number | all | local | remote}
  Removes any existing RSPAN configuration for the session.
  session_number—The range is 1 to 66.
  all—Removes all RSPAN sessions.
  local—Removes all local sessions.
  remote—Removes all remote SPAN sessions.

Creating an RSPAN Destination Session

Step 1  configure terminal
  Enters global configuration mode.
Step 2  vlan vlan-id
  Enters the VLAN ID of the RSPAN VLAN created from the source switch, and enters VLAN configuration mode. If both switches are participating in VTP and the RSPAN VLAN ID is from 2 to 1005, Steps 2 through 4 are not required because the RSPAN VLAN ID is propagated through the VTP network.

Step 3  monitor session session_number source remote vlan vlan-id
  Specifies the RSPAN session and the source RSPAN VLAN.
  session_number—The range is 1 to 66.
  vlan-id—Specifies the source RSPAN VLAN to monitor.
Step 4  monitor session session_number destination {interface interface-id [, | -]
  Specifies the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.
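The local SPAN and RSPAN procedures above, as an added example that is not part of this guide: a small planner that checks a session against the restrictions this chapter states (session numbers 1 to 66; the destination must be a physical port rather than an EtherChannel or VLAN; a secure port cannot be a destination; no port security on ports with monitored egress in an RSPAN source session or when ingress forwarding is enabled on the destination; an RSPAN VLAN above 1005 is not propagated by VTP) and then renders the monitor session commands, formatting VLAN lists with the space-padded comma and hyphen the filter vlan step requires. The SpanPlan fields, interface names, and VLAN numbers are constructed for the example; the RSPAN VLAN definition is always emitted even though VTP can propagate it for IDs 2 to 1005.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PHYSICAL_PORT = re.compile(r"^(gigabitethernet|fastethernet)\d+/\d+$", re.IGNORECASE)


def format_vlan_list(vlans) -> str:
    """Collapse VLAN IDs into the CLI form with spaces around ',' and '-', e.g. '10 , 20 - 22 , 30'."""
    ids, runs, start = sorted(set(vlans)), [], None
    for i, v in enumerate(ids):
        start = v if start is None else start
        if i + 1 == len(ids) or ids[i + 1] != v + 1:        # end of a consecutive run
            runs.append(str(v) if start == v else "%d - %d" % (start, v))
            start = None
    return " , ".join(runs)


@dataclass
class SpanPlan:
    session: int
    sources: List[Tuple[str, str, str]] = field(default_factory=list)  # ("interface"|"vlan", id, "both"|"rx"|"tx")
    destination: Optional[str] = None        # local SPAN and RSPAN destination sessions
    filter_vlans: List[int] = field(default_factory=list)
    remote_vlan: Optional[int] = None        # RSPAN VLAN; remote_role says which end this switch is
    remote_role: Optional[str] = None        # None (local SPAN) | "source" | "destination"
    ingress_vlan: Optional[int] = None       # 'ingress vlan N' on the destination port
    replicate: bool = False                  # 'encapsulation replicate' on the destination port
    secure_ports: Set[str] = field(default_factory=set)   # ports with port security enabled


def validate(plan: SpanPlan) -> List[str]:
    """Return the restrictions from this chapter that the plan breaks (an empty list means it is clean)."""
    problems = []
    if not 1 <= plan.session <= 66:
        problems.append("session number must be 1 to 66")
    if plan.remote_role is not None and plan.remote_vlan is None:
        problems.append("an RSPAN session needs an RSPAN VLAN")
    if plan.remote_role == "source":
        if plan.destination is not None:
            problems.append("a switch running only an RSPAN source session has no destination port")
    else:
        dst = plan.destination or ""
        if not PHYSICAL_PORT.match(dst):
            problems.append("destination must be a physical port, not an EtherChannel or a VLAN")
        if dst.lower() in {p.lower() for p in plan.secure_ports}:
            problems.append("a secure port cannot be a SPAN destination port")
    egress_secure = [p for kind, p, d in plan.sources
                     if kind == "interface" and d in ("tx", "both") and p in plan.secure_ports]
    if egress_secure and (plan.remote_role == "source" or plan.ingress_vlan is not None):
        problems.append("port security on ports with monitored egress: " + ", ".join(egress_secure))
    if any(not 1 <= v <= 4096 for v in plan.filter_vlans):
        problems.append("filter VLAN IDs must be 1 to 4096")
    return problems


def render(plan: SpanPlan) -> List[str]:
    """Emit the global configuration commands for a validated plan."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    s = plan.session
    cmds = ["no monitor session %d" % s]                      # clear any existing session configuration first
    if plan.remote_vlan is not None:
        if plan.remote_vlan > 1005:                             # extended range: VTP does not carry it
            cmds.append("! VLAN %d is extended-range; configure remote-span on every intermediate switch" % plan.remote_vlan)
        cmds += ["vlan %d" % plan.remote_vlan, " remote-span", "exit"]
    if plan.remote_role == "destination":
        cmds.append("monitor session %d source remote vlan %d" % (s, plan.remote_vlan))
    for kind, ident, direction in plan.sources:
        cmds.append("monitor session %d source %s %s %s" % (s, kind, ident, direction))
    if plan.filter_vlans:
        cmds.append("monitor session %d filter vlan %s" % (s, format_vlan_list(plan.filter_vlans)))
    if plan.remote_role == "source":
        cmds.append("monitor session %d destination remote vlan %d" % (s, plan.remote_vlan))
    else:
        dest = "monitor session %d destination interface %s" % (s, plan.destination)
        if plan.replicate:
            dest += " encapsulation replicate"
        if plan.ingress_vlan is not None:
            dest += " ingress vlan %d" % plan.ingress_vlan
        cmds.append(dest)
    return cmds
```

The planner refuses to emit anything for a plan that breaks a stated restriction, so a monitoring tap for an IDS fails at review time rather than silently mirroring nothing or, worse, being accepted on a port that port security will later shut down.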
Step 3  monitor session session_number source interface interface-id
  Specifies the characteristics of the source port (monitored port) and SPAN session.
  session_number—The range is 1 to 66.
  interface-id—Specifies the source port to monitor. The interface specified must already be configured as a trunk port.
Step 4  monitor session session_number filter vlan
  Limits the SPAN source traffic to specific VLANs.

Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for bidirectional monitoring:

Switch(config)# no monitor session 1 source interface gigabitethernet1/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be monitored.

Configuring a VLAN for a SPAN Session: Example

This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the destination interface:

Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet1/1
Switch(config)# end

Modifying RSPAN Sessions: Examples

This example shows how to remove any existing RSPAN configuration for session 1, configure RSPAN sessi

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.
Chapter 31 Configuring LLDP, LLDP-MED, and Wired Location Service
Information About LLDP, LLDP-MED, and Wired Location Service

LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity.
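The TLV structure described above, as an added example that is not code from this guide or from the switch. It builds a constructed LLDP frame (chassis ID, port ID, TTL, system name, an LLDP-MED capabilities TLV, End of LLDPDU) and then decodes it with the bounds checks a receiver needs, since the 9-bit length in each TLV header is attacker-controlled and must not be trusted past the end of the buffer. The TTL TLV carries the value that the lldp holdtime command sets on the sending side. The MAC addresses and system name are constructed; the LLDP-MED OUI 00-12-BB and device-type value 4 (network connectivity) are taken from the TIA LLDP-MED specification.

```python
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address LLDP frames are sent to
ETHERTYPE_LLDP = 0x88CC
LLDP_MED_OUI = bytes.fromhex("0012bb")            # TIA OUI carried by every LLDP-MED TLV
TLV_NAMES = {0: "end", 1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_desc",
             5: "sys_name", 6: "sys_desc", 7: "capabilities", 8: "mgmt_addr", 127: "org_specific"}


def tlv(tlv_type, value):
    """Encode one TLV: a 16-bit header of 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(chassis_mac, port_name, ttl, sys_name):
    """Constructed LLDP frame of the kind a switch sends (sample input, not a capture)."""
    med_caps = LLDP_MED_OUI + b"\x01" + struct.pack("!HB", 0x0003, 4)  # subtype 1: capabilities, device type 4
    pdu = (tlv(1, b"\x04" + chassis_mac)          # chassis ID, subtype 4 = MAC address
           + tlv(2, b"\x05" + port_name.encode())  # port ID, subtype 5 = interface name
           + tlv(3, struct.pack("!H", ttl))        # seconds the neighbor keeps this entry (lldp holdtime)
           + tlv(5, sys_name.encode())
           + tlv(127, med_caps)
           + tlv(0, b""))
    src = bytes.fromhex("001122334455")           # constructed source MAC
    return LLDP_MULTICAST + src + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def parse_lldpdu(pdu):
    """Decode TLVs with bounds checks; a length that runs past the buffer is rejected, not trusted."""
    out, types, off = {}, [], 0
    while off < len(pdu):
        if off + 2 > len(pdu):
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr, = struct.unpack_from("!H", pdu, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        val = pdu[off + 2:off + 2 + ln]
        if len(val) != ln:
            raise ValueError("TLV type %d claims %d bytes but only %d remain" % (t, ln, len(val)))
        off += 2 + ln
        types.append(t)
        if t == 0:
            break                                   # End of LLDPDU: ignore anything after it
        name = TLV_NAMES.get(t, "type_%d" % t)
        if t in (1, 2):
            if ln < 2:
                raise ValueError("chassis/port ID needs a subtype and at least one identifier byte")
            out[name] = (val[0], val[1:])           # (subtype, identifier)
        elif t == 3:
            if ln != 2:
                raise ValueError("TTL TLV must be two bytes")
            out[name] = struct.unpack("!H", val)[0]
        elif t in (4, 5, 6):
            out[name] = val.decode("utf-8", "replace")
        elif t == 127:
            if ln < 4:
                raise ValueError("organizationally specific TLV shorter than OUI plus subtype")
            entry = {"oui": val[:3], "subtype": val[3], "data": val[4:], "lldp_med": val[:3] == LLDP_MED_OUI}
            out.setdefault("org_specific", []).append(entry)
            if entry["lldp_med"] and entry["subtype"] == 1 and len(entry["data"]) >= 3:
                out["med_device_type"] = entry["data"][2]   # 4 = network connectivity (a switch)
        else:
            out[name] = val
    if types[:3] != [1, 2, 3] or types[-1] != 0:
        raise ValueError("mandatory TLV order is chassis ID, port ID, TTL ... End")
    return out


def parse_frame(frame):
    """Strip the Ethernet header after checking the LLDP ethertype, then decode the LLDPDU."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    return parse_lldpdu(frame[14:])
```

Everything the parser returns is what an unauthenticated neighbor on the segment also learns from the switch: system name, port name, and device class. That is the reason the later sections let you disable LLDP or select TLVs per interface on ports facing untrusted equipment.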
• Inventory management TLV
  Allows an endpoint to send detailed inventory information about itself to the switch, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID.
• Location TLV
  Provides location information from the switch to the endpoint device.
• Slot and port that was disconnected
• MAC address
• IP address
• 802.

How to Configure LLDP, LLDP-MED, and Wired Location Service

• For wired location to function, you must first enter the ip device tracking global configuration command.

LLDP-MED TLVs

By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. It then sends LLDP packets with MED TLVs. When the LLDP-MED entry has been aged out, it only sends LLDP packets.

Step 1  configure terminal
  Enters global configuration mode.
Step 2  lldp holdtime seconds
  (Optional) Specifies the amount of time a receiving device should hold the information from your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.

Step 3  {voice | voice-signaling} vlan [vlan-id {cos cvalue | dscp dvalue}] | [[dot1p {cos cvalue | dscp dvalue}] | none | untagged]
  Configures the policy attributes:
  voice—Specifies the voice application type.
  voice-signaling—Specifies the voice-signaling application type.
  vlan—Specifies the native VLAN for voice traffic.

Step 4  interface interface-id
  Specifies the interface on which you are configuring the location information, and enters interface configuration mode.

show lldp neighbors [interface-id] [detail]
  Displays information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID. You can limit the display to neighbors of a specific interface or expand the display for more detailed information.

Switch(config-if)# lldp med-tlv-select inventory-management
Switch(config-if)# end

Configuring Network Policy: Example

This example shows how to configure VLAN 100 for voice application with CoS and to enable the network-policy profile and network-policy TLV on an interface:

Switch# configure terminal
Switch(config)# network-policy profile 1
Switch(config-net

Additional References

The following sections provide references related to switch administration:

Related Documents

Cisco IE 2000 commands: Cisco IE 2000 Switch Command Reference, Release 15.
Chapter 32 Configuring CDP
For a switch and connected endpoint devices running Cisco Medianet, these events occur:
• CDP identifies connected endpoints that communicate directly with the switch.
• Only one wired switch reports the location information to prevent duplicate reports of neighboring devices.
• The wired switch and the endpoints both send and receive location information.
The switch supports CDP Version 2.

Disabling CDP

CDP is enabled by default.

Note: Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity.

Step 1  configure terminal
  Enters global configuration mode.
Step 2  no cdp run
  Disables CDP globally.

Configuration Examples for CDP

Configuring CDP Parameters: Example

This example shows how to configure CDP parameters:

Switch# configure terminal
Switch(config)# cdp timer 50
Switch(config)# cdp holdtime 120
Switch(config)# cdp advertise-v2
Switch(config)# end

Enabling CDP: Examples

This example shows how to enable CDP on a port when it has been disabled:

Switch# configure terminal
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# c

Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.
Chapter 32 Configuring CDP Additional References Cisco IE 2000 Switch Software Configuration Guide 32-6 OL-25866-01
Chapter 33 Configuring UDLD

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About UDLD

Modes of Operation

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected ports on fiber-optic links.

When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires. If the switch receives a new hello message before an older cache entry ages, the switch replaces the older entry with the new one.

How to Configure UDLD

Default UDLD Settings

Table 33-1 Default UDLD Settings
Feature: Default Setting
UDLD global enable state: Globally disabled
UDLD per-port enable state for fiber-optic media: Disabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) media: Disabled on all Ethernet 10/100 and 1000BASE-TX ports
UDLD aggressive mode: Disabled

Enabling UDLD Globally

Follow these steps to enable UDLD in the aggr

Enabling UDLD on an Interface

Step 1 configure terminal: Enters global configuration mode.
Step 2 interface interface-id: Specifies the port to be enabled for UDLD, and enters interface configuration mode.
Step 3 udld port [aggressive]: UDLD is disabled by default.
• udld port—Enables UDLD in normal mode on the specified port.
• udld port aggressive—Enables UDLD in aggressive mode on the specified port.

Maintaining and Monitoring UDLD

show udld [interface-id]: Displays UDLD status.

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link: http://www.cisco.com/techsupport
Chapter 34 Configuring RMON

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About RMON

Figure 34-1 Remote Monitoring Example (figure: a network management station with a generic RMON console application; RMON alarms and events configured; SNMP configured; workstations; RMON history and statistic collection enabled)

How to Configure RMON

Configuring RMON Alarms and Events

You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station.

Step 1 configure terminal: Enters global configuration mode.
Step 2 rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string]: Sets an alarm on a MIB object.

Collecting Group History Statistics on an Interface

You must first configure RMON alarms and events to display collection information.

Step 1 configure terminal: Enters global configuration mode.
Step 2 interface interface-id: Specifies the interface on which to collect history, and enters interface configuration mode.
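The following is an added illustration of what the rmon alarm command above configures; it is not switch code or Cisco code. A MIB variable is polled every interval seconds, either as an absolute value or as the delta between two polls, and an event number fires when the sample crosses the rising or falling threshold. The hysteresis behaviour of the RMON alarm group (RFC 2819) is modelled: after a rising event, no further rising event is generated until the value has first dropped to or below the falling threshold, and vice versa, so a sustained error burst produces one notification rather than one per poll. The counter values are constructed for this example.

```python
"""RMON rising/falling alarm evaluation with hysteresis (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str, Optional[int]]   # (poll index, "rising"/"falling", event-number)


@dataclass
class RmonAlarm:
    number: int                          # rmon alarm <number>
    sample_type: str                     # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[int] = None   # event-number fired on a rising crossing
    falling_event: Optional[int] = None  # event-number fired on a falling crossing
    last_raw: Optional[int] = None       # previous raw sample (delta mode only)
    last_fired: Optional[str] = None     # which threshold fired most recently
    events: List[Event] = field(default_factory=list)

    def sample(self, tick: int, raw_value: int) -> Optional[str]:
        """Feed one polled value; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:        # a delta needs two samples
                self.last_raw = raw_value
                return None
            value, self.last_raw = raw_value - self.last_raw, raw_value
        elif self.sample_type == "absolute":
            value = raw_value
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")

        fired = None
        # Hysteresis: a threshold cannot fire twice in a row; the opposite
        # threshold must be crossed first.
        if value >= self.rising_threshold and self.last_fired != "rising":
            fired, event = "rising", self.rising_event
        elif value <= self.falling_threshold and self.last_fired != "falling":
            fired, event = "falling", self.falling_event
        if fired:
            self.last_fired = fired
            self.events.append((tick, fired, event))
        return fired


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Event]:
    """Poll a constructed series of samples and return the events generated."""
    for tick, raw in enumerate(samples):
        alarm.sample(tick, raw)
    return alarm.events


def delta_example() -> List[Event]:
    """Delta alarm on an error counter: rising at 10 errors per interval,
    falling at 2 or fewer; event 1 on rising, event 2 on falling."""
    alarm = RmonAlarm(1, "delta", rising_threshold=10, falling_threshold=2,
                      rising_event=1, falling_event=2)
    # Raw counter values at each poll (constructed): the 15-error interval at
    # poll 3 is still above the rising threshold but fires nothing.
    return run_alarm(alarm, [0, 3, 20, 35, 36, 37, 60])


def absolute_example() -> List[Event]:
    """Absolute alarm, e.g. on a gauge: rising at 50, falling at 10."""
    alarm = RmonAlarm(2, "absolute", rising_threshold=50, falling_threshold=10,
                      rising_event=1, falling_event=2)
    return run_alarm(alarm, [20, 50, 60, 55, 4, 3, 70])


if __name__ == "__main__":
    for ev in delta_example():
        print("delta alarm:", ev)
    for ev in absolute_example():
        print("absolute alarm:", ev)
```

The delta series produces three events (rising at poll 2, falling at poll 4, rising at poll 6) even though four of the seven intervals exceed the rising threshold; that is the behaviour to expect from the event table after configuring rising and falling thresholds on a counter object.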
Monitoring and Maintaining RMON

Table 34-1 Commands for Displaying RMON Status
show rmon: Displays general RMON statistics.
show rmon alarms: Displays the RMON alarm table.
show rmon events: Displays the RMON event table.
show rmon history: Displays the RMON history table.
show rmon statistics: Displays the RMON statistics table.

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link: http://www.cisco.com/techsupport
Chapter 35 Configuring System Message Logging

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About System Message Logging

You can access logged system messages by using the switch command-line interface (CLI) or by saving them to a properly configured syslog server. The switch software saves syslog messages in an internal buffer. You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch through Telnet or through the console port.

When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output is displayed on the console or printed only after solicited device output has been displayed or printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.

Note Some recent versions of UNIX syslog daemons no longer accept syslog packets from the network by default.

How to Configure System Message Logging

Table 35-3 Logging Facility-Type Keywords (continued)
Facility Type Keyword: Description
user: User process
uucp: UNIX-to-UNIX copy system

Default System Message Logging Configuration

Table 35-4 Default System Message Logging Configuration
Feature: Default Setting
System message logging to the console: Enabled.
Console severity: Debugging (and numerically lower levels; see Table 35-2 on page 35-3).

Step 2 no logging console: Disables message logging.
Step 3 end: Returns to privileged EXEC mode.

Setting the Message Display Destination Device

If message logging is enabled, you can send messages to specific locations in addition to the console.

Synchronizing Log Messages

Step 1 configure terminal: Enters global configuration mode.
Step 2 line [console | vty] line-number [ending-line-number]: Specifies the line to be configured for synchronous logging of messages.
• Use the console keyword for configurations that occur through the switch console port.

Enabling and Disabling Time Stamps on Log Messages

Step 1 configure terminal: Enters global configuration mode.
Step 2 service timestamps log uptime: Enables log time stamps. or The first command enables time stamps on log messages, showing the time since the system was rebooted.

Limiting Syslog Messages Sent to the History Table and to SNMP

If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Monitoring and Maintaining the System Message Log

Configuring the UNIX System Logging Facility

When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.

Step 1 configure terminal: Enters global configuration mode.
Step 2 logging host: Logs messages to a UNIX syslog server host by entering its IP address.

Configuration Examples for the System Message Log

Logging Display: Examples

This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:

*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
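As an added example (not switch code or Cisco code), the parser below reads messages in the format shown in the display above, [timestamp]: %FACILITY-SEVERITY-MNEMONIC: text, maps the numeric severity to the level names of Table 35-2, and filters messages the way the history-table level described earlier does: a message is kept when its severity number is less than or equal to the configured level, lower numbers being more severe. The SEC_LOGIN and LINK lines in the sample are constructed log lines in the IOS format, with documentation addresses (192.0.2.0/24) in place of real ones; a leading asterisk on a time stamp is the IOS marker for a clock that is not authoritative.

```python
"""Parser and severity filter for Cisco IOS system messages (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Severity levels of Table 35-2: 0 is most severe, 7 least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %FACILITY-SEVERITY-MNEMONIC: message text
_MSG_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

# Constructed sample of a show logging display with
# `service timestamps log datetime` (one line also carries msec and a zone).
SAMPLE_LOG = """\
*Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (192.0.2.10)
*Mar  1 18:47:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
*Mar  1 18:47:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
Mar  1 18:50:15.437 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.99] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 18:51:40 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 port 514 started - CLI initiated
this line is not a system message
"""


def parse_ios_message(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one IOS log line, or None if it is not one."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    # Everything before %FACILITY is the (optional) time stamp prefix.
    prefix = line[: m.start()].rstrip().rstrip(":").strip()
    severity = int(m.group(2))
    return {
        # '*' marks a non-authoritative clock, '.' a clock that lost NTP sync
        "timestamp": prefix.lstrip("*.") or None,
        "clock_authoritative": not prefix.startswith(("*", ".")),
        "facility": m.group(1),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m.group(3),
        "text": m.group(4),
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole display, silently skipping lines that are not messages."""
    parsed = (parse_ios_message(line) for line in text.splitlines())
    return [msg for msg in parsed if msg is not None]


def filter_by_level(messages: List[Dict[str, object]], level: int) -> List[Dict[str, object]]:
    """Keep messages at `level` or numerically lower, as the history table does."""
    return [m for m in messages if int(m["severity"]) <= level]


def count_by_facility(messages: List[Dict[str, object]]) -> Dict[str, int]:
    """Simple triage view: how many messages each facility produced."""
    return dict(Counter(str(m["facility"]) for m in messages))


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in filter_by_level(msgs, 4):          # warnings and more severe only
        print(m["severity_name"], m["facility"], m["mnemonic"], m["text"])
    print(count_by_facility(msgs))
```

With the history level set to 4 (warnings), only the LINK-3 and SEC_LOGIN-4 messages from the sample would be forwarded as SNMP traps; the configuration and logging-host notices at levels 5 and 6 stay in the buffer.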
Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.

Technical Assistance

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link: http://www.cisco.com/techsupport
Chapter 36 Configuring SNMP

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About SNMP

• Changing the value of the SNMP engine ID has important implications. A user's password (entered on the command line) is converted to an MD5 or SHA security digest based on the password and the local engine ID. The command-line password is then destroyed, as required by RFC 2274.
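The following added example (not switch code or Cisco code) implements the conversion the bullet above describes, as specified in appendix A.2 of RFC 2274 and carried unchanged into its successor RFC 3414: the password is expanded to 1,048,576 octets and hashed (MD5 or SHA-1) into an intermediate key Ku, which is then localized with the engine ID as Kul = H(Ku || snmpEngineID || Ku). Only Kul has to be stored, which is why the switch can discard the password, and why a new engine ID changes every user's key so that users configured before the change stop authenticating. The 12-octet engine ID used in the first call is the test value from RFC 3414 appendix A.3; the second engine ID is a constructed one standing in for what snmp-server engineID local would set.

```python
"""SNMPv3 USM password-to-key conversion and key localization (added example)."""
import hashlib
from typing import Tuple

_EXPANSION_LENGTH = 1_048_576               # password is repeated to 1 MiB
_HASH_NAME = {"md5": "md5", "sha": "sha1"}  # the two digests the switch offers


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """Intermediate key Ku: digest of the password repeated to 1,048,576 octets."""
    name = _HASH_NAME[algo]
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(_EXPANSION_LENGTH, len(pw))
    h = hashlib.new(name)
    h.update(pw * reps + pw[:rem])           # exactly 1,048,576 octets
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(_HASH_NAME[algo], ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Full pipeline: what the agent stores in place of the password."""
    return localize_key(password_to_ku(password, algo), engine_id, algo)


# Engine ID from the RFC 3414 appendix A.3 test vector.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed engine ID in the enterprise-number format (enterprise 9, MAC-based);
# stands in for a value set with `snmp-server engineID local`.
OTHER_ENGINE_ID = bytes.fromhex("800000090300001122334455")


def engine_id_change_effect(password: str, algo: str = "md5") -> Tuple[str, str]:
    """Same password, two engine IDs: the stored keys differ completely."""
    return (localized_key(password, RFC_ENGINE_ID, algo).hex(),
            localized_key(password, OTHER_ENGINE_ID, algo).hex())


if __name__ == "__main__":
    before, after = engine_id_change_effect("maplesyrup")
    print("Kul with RFC engine ID  :", before)
    print("Kul with other engine ID:", after)
```

The MD5 result for the password maplesyrup and the RFC engine ID is the published test vector 526f5eed9fcce26f8964c2930787d82b; the same password against the constructed engine ID yields an unrelated key, which is the practical reason the chapter warns about changing the engine ID after users exist.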
– Encryption—Mixes the contents of a package to prevent it from being read by an unauthorized source.

Note To select encryption, enter the priv keyword. This keyword is available only when the cryptographic (encrypted) software image is installed.

Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and password.

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 36-2.

Table 36-2 SNMP Operations
Operation: Description
get-request: Retrieves a value from a specific variable.
get-next-request: Retrieves a value from a variable within a table.

Using SNMP to Access MIB Variables

An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.

SNMP ifIndex MIB Object Values

In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns port 2 an ifIndex value of 10003, this value is the same after the switch reboots.

This table describes the supported switch traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them. To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.

How to Configure SNMP

Table 36-4 Switch Notification Types (continued)
Notification Type Keyword: Description
vlandelete: Generates SNMP VLAN deleted traps.
vtp: Generates a trap for VLAN Trunking Protocol (VTP) changes.

Note Though visible in the command-line help strings, the fru-ctrl, insertion, and removal keywords are not supported.

Configuring Community Strings

Note To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).

Step 1 configure terminal: Enters global configuration mode.
Step 2 snmp-server community string [view view-name] [ro | rw]: Configures the community string.
Note The @ symbol is used for delimiting the context information.

Configuring SNMP Groups and Users

You can specify an identification name (engine ID) for the local or remote SNMP server engine on the switch. You can configure an SNMP server group that maps SNMP users to SNMP views, and you can add new users to the SNMP group.

Step 1 configure terminal: Enters global configuration mode.
Step 2 snmp-server engineID {local engineid-string: Configures a name for either the local or remote copy of SNMP.
Step 3 snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]: Configures a new SNMP group on the remote device.
• groupname—Specifies the name of the group.
• Specify a security model:
– v1 is the least secure of the possible security models.
– v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4 snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]} [priv {des | 3des | aes: Adds a new user for an SNMP group.
• username—Specifies a name of the user on the host that connects to the agent.
• groupname—Specifies a name of the group to which the user is associated.

snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}: Configures an SNMP user to be associated with the remote host created in Step 2.

Step 7 snmp-server trap-source interface-id: (Optional) Specifies the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs.
Step 8 snmp-server queue-length length: (Optional) Establishes the message queue length for each trap host. The range is 1 to 1000; the default is 10.

Monitoring and Maintaining SNMP

Limiting TFTP Servers Used Through SNMP

Step 1 configure terminal: Enters global configuration mode.
Step 2 snmp-server tftp-server-list access-list-number: Limits TFTP servers used for configuration file copies through SNMP to the servers in the access list. access-list-number—Enters an IP standard access list numbered from 1 to 99 and 1300 to 1999.

Configuration Examples for SNMP

Enabling SNMP Versions: Example

This example shows how to enable all versions of SNMP. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the switch to send any traps.

Associating a User with a Remote Host: Example

This example shows how to associate a user with a remote host and to send auth (authNoPriv) authentication-level informs when the user enters global configuration mode:

Switch(config)# snmp-server engineID remote 192.180.1.

Additional References

MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Chapter 37 Configuring Network Security with ACLs

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Network Security with ACLs

switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards, including packets bridged within a VLAN. You configure access lists on a router or Layer 3 switch to provide basic security for your network.

The switch examines ACLs associated with all inbound features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. In this way, ACLs control access to a network or to part of a network. Figure 37-1 is an example of using port ACLs to control access to a network when all workstations are in the same VLAN.

Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet.

Standard and Extended IPv4 ACLs

This section describes IP ACLs. An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical.

Note In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.

• User Datagram Protocol (udp)

Note ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.

Note The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit.

Supported parameters can be grouped into these categories: TCP, UDP, ICMP, IGMP, or other IP.

When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything that did not match an earlier entry. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.

IPv4 ACL to a Terminal Line

You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them. For procedures for applying ACLs to interfaces, see the "Applying an IPv4 ACL to an Interface" section on page 37-17.

When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.

Hardware and Software Handling of IP ACLs

ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing.

How to Configure Network Security with ACLs

To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available. For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.

Step 1 configure terminal: Enters global configuration mode.
Step 2 access-list access-list-number {deny | permit} source [source-wildcard] [log]: Defines a standard IPv4 access list by using a source address and wildcard.
access-list-number—Specifies a decimal number from 1 to 99 or 1300 to 1999.
deny or permit—Specifies whether to deny or permit access if conditions are matched.

Creating a Numbered Extended ACL

Step 1 configure terminal: Enters global configuration mode.
Step 2a access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]: Defines an extended IPv4 access list and the access conditions.
or
Step 2b access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]: In access-list configuration mode, defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.
Step 2d access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]: (Optional) Defines an extended ICMP access list and the access conditions.

Step 3 {deny | permit} {source [source-wildcard] | host source | any} [log]: In access-list configuration mode, specifies one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
• host source—A source and source wildcard of source 0.0.0.0.

Applying an IPv4 ACL to a Terminal Line

This task restricts incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:

Step 1 configure terminal: Enters global configuration mode.
Step 2 line [console | vty] line-number: Identifies a specific line to configure, and enters in-line configuration mode.
• console—Specifies the console terminal line.

Step 3 {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos] I

Monitoring and Maintaining Network Security with ACLs

show access-lists [number | name]: Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named).
show ip access-lists [number | name]: Displays the contents of all current IP access lists or a specific IP access list (numbered or named).

Configuration Examples for Network Security with ACLs

Switch(config)# end
Switch# show access-lists
Extended IP access list 102
    10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet
    20 permit tcp any any

Configuring Time Ranges: Examples

This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a company holiday and to verify your configuration.

Including Comments in ACLs: Examples

In this example, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:

Switch(config)# access-list 1 remark Permit only Jones workstation through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith through
Switch(config)# access-list 1 deny 171.

Router ACLs function as follows:
• The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.

Switch# show access-lists
Standard IP access list 6
    permit 172.20.128.64, wildcard bits 0.0.0.31
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip access-group 6 out

This example uses an extended ACL to filter traffic coming from Server B into a port, permitting traffic from any source address (in this case Server B) to only the Accounting destination addresses 172.20.128.64 to 172.20.

In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which show that the packet belongs to an existing connection.
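The following added example (not switch code or Cisco code) models the ACL semantics this chapter describes so they can be checked on constructed packets: ACEs are tested in order and the first match decides (Standard and Extended IPv4 ACLs), every list ends in an implicit deny, any is 0.0.0.0 255.255.255.255 and host A is A 0.0.0.0 (Step 3 above), a standard ACE with the mask omitted gets the 0.0.0.0 mask, and established matches only TCP segments with ACK or RST set. The two ACLs built in the code are the extended list 102 and the mail-host list from this chapter's examples; the packets and the 203.0.113.0/24 addresses are constructed.

```python
"""First-match evaluation of IPv4 ACLs with Cisco wildcard masks (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # the `any` abbreviation


def host(addr: str) -> Tuple[str, str]:
    """The `host A` abbreviation: address with a 0.0.0.0 wildcard."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in a Cisco wildcard mask means 'do not care' about that bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    protocol: str = "ip"               # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY         # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[int] = None     # `eq <port>` on the destination
    established: bool = False          # TCP only: ACK or RST must be set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()


def standard_ace(action: str, src: str, wildcard: Optional[str] = None) -> Ace:
    """Standard ACE; an omitted wildcard defaults to 0.0.0.0 (that one host)."""
    return Ace(action, "ip", (src, wildcard or "0.0.0.0"))


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching ACE). The sequence is
    None when only the implicit deny at the end of the list applied."""
    for seq, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, seq * 10
    return "deny", None


# Extended ACL 102 from this chapter: block Telnet from one subnet to another,
# then permit all other TCP. Anything that is not TCP falls to the implicit deny.
ACL_102 = [
    Ace("deny", "tcp", ("171.69.198.0", "0.0.0.255"), ("172.20.52.0", "0.0.0.255"), dst_port=23),
    Ace("permit", "tcp"),
]

# The mail-host example: replies into 128.88.0.0/16 for connections opened
# from inside (established), plus new SMTP connections to the mail host only.
ACL_MAIL = [
    Ace("permit", "tcp", ANY, ("128.88.0.0", "0.0.255.255"), established=True),
    Ace("permit", "tcp", ANY, host("128.88.1.2"), dst_port=25),
]


def first_match_demo() -> Tuple[str, str]:
    """Same two ACEs in both orders: the order alone decides the Telnet verdict."""
    telnet = Packet("171.69.198.5", "172.20.52.7", "tcp", 23, frozenset({"SYN"}))
    return evaluate(ACL_102, telnet)[0], evaluate(list(reversed(ACL_102)), telnet)[0]


if __name__ == "__main__":
    print("ACL 102, ordered vs reversed:", first_match_demo())
    syn_http = Packet("203.0.113.9", "128.88.5.5", "tcp", 80, frozenset({"SYN"}))
    ack_http = Packet("203.0.113.9", "128.88.5.5", "tcp", 80, frozenset({"ACK"}))
    print("new inbound HTTP:", evaluate(ACL_MAIL, syn_http))
    print("reply to outbound HTTP:", evaluate(ACL_MAIL, ack_http))
```

Two points the page states but a reader rarely checks: a packet that matches no ACE at all, such as a UDP datagram against list 102, is dropped by the implicit deny even though the list contains a broad permit, and the wildcard 0.0.0.31 in standard list 6 covers exactly the 32 addresses 172.20.128.64 through 172.20.128.95, so 172.20.128.96 is not matched.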
Chapter 37 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs Switch(config-if)# ip access-group strict in Creating Commented IP ACL Entries: Examples In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access: Switch(config)# Switch(config)# Switch(config)# Switch(config)# access-list access-list access-list access-list 1 1 1 1 remark Permit only Jones workstation
Chapter 37 Configuring Network Security with ACLs Configuration Examples for Network Security with ACLs
Chapter 37 Configuring Network Security with ACLs Additional References Additional References The following sections provide references related to switch administration: Related Documents Related Topic Document Title Cisco IE 2000 commands Cisco IE 2000 Switch Command Reference, Release 15.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
CHAPTER 38 Configuring Standard QoS
Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 38 Configuring Standard QoS Information About Standard QoS Information About Standard QoS This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size.
Note IPv6 port-based trust with the dual IPv4 and IPv6 Switch Database Management (SDM) templates is supported on this switch. You must reload the switch with the dual IPv4 and IPv6 templates for switches running IPv6. For more information, see Chapter 11, “Configuring SDM Templates.”
Standard QoS Model
To implement QoS, the switch must distinguish packets or flows from one another (classify), assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists.
Figure 38-2 Standard QoS Model
Standard QoS Configuration Guidelines
QoS ACL
These are the guidelines for configuring QoS with access control lists (ACLs):
• It is not possible to match IP fragments against configured IP extended ACLs to enforce QoS. IP fragments are sent as best-effort. IP fragments are denoted by fields in the IP header.
– In a hierarchical policy map attached to an SVI, you can only configure an individual policer at the interface level on a physical port to specify the bandwidth limits for the traffic on the port. The ingress port must be configured as a trunk or as a static-access port. You cannot configure policers at the VLAN level of the hierarchical policy map.
– The switch does not support aggregate policers in hierarchical policy maps.
Default Ingress Queue Settings
Table 38-1 shows the default ingress queue settings when QoS is enabled.
Table 38-1 Default Ingress Queue Settings
Feature                        Queue 1       Queue 2
Buffer allocation              90 percent    10 percent
Bandwidth allocation (1)       4             4
Priority queue bandwidth (2)   0             10
WTD drop threshold 1           100 percent   100 percent
WTD drop threshold 2           100 percent   100 percent
1. The bandwidth is equally shared between the queues.
Table 38-4 Default Egress Queue Settings (continued)
Feature                            Queue 1       Queue 2       Queue 3       Queue 4
Maximum threshold                  400 percent   400 percent   400 percent   400 percent
SRR shaped weights (absolute) (1)  25            0             0             0
SRR shared weights (2)             25            25            25            25
1. A shaped weight of zero means that this queue is operating in shared mode.
2. One quarter of the bandwidth is allocated to each queue.
Table 38-7 Default DSCP-to-CoS Map (continued)
DSCP Value   CoS Value
16–23        2
24–31        3
32–39        4
40–47        5
48–55        6
56–63        7
Table 38-8 shows the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value that QoS uses internally to represent the priority of the traffic.
The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value. The default policed-DSCP map is a null map, which maps an incoming DSCP value to the same DSCP value (no markdown).
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch.
• Perform the classification based on a configured IP standard or an extended ACL, which examines various fields in the IP header. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
For information on the maps described in this section, see the “Mapping Tables” section on page 38-18.
Figure 38-3 Classification Flowchart (flowchart not reproduced here; its decision points are: read the ingress interface configuration for classification; trust CoS for IP and non-IP traffic, trust DSCP for IP traffic, or trust IP precedence for IP traffic; for trusted DSCP, assign a DSCP identical to the DSCP in the packet and optionally modify it by using the DSCP-to-DSCP-mutation map; for non-IP traffic on a DSCP- or IP-precedence-trusted port, check whether the packet came with a CoS label (tag).)
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Policing on Physical Ports
In policy maps on physical ports, you can create these types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
Figure 38-4 Policing and Marking Flowchart on Physical Ports (flowchart not reproduced here; its steps are: get the classification result for the packet; if no policer is configured for this packet, it is done; otherwise check whether the packet is in profile by querying the policer; an in-profile packet passes through; for an out-of-profile packet, check the out-of-profile action configured for this policer: either drop the packet, or mark it by modifying the DSCP according to the policed-DSCP map and generating a new QoS label.)
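The following Python model is an added example, not the switch's own policer implementation or any Cisco code. It follows the flowchart above: a single-rate token bucket decides whether a packet is in profile, and an out-of-profile packet is either dropped or marked down through the policed-DSCP map and transmitted, which are the two exceed-action choices of the police command (rate-bps, burst-byte). The Policer class, the markdown dictionary, and the packet trace are constructed for this example; the rate range check uses the 8000 to 1000000000 b/s range stated later in this chapter.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not the switch's own implementation: a single-rate token-bucket
# policer with the two out-of-profile actions of the police command
# (exceed-action drop | policed-dscp-transmit).

@dataclass
class Policer:
    rate_bps: int                  # average rate in bits per second (rate-bps)
    burst_bytes: int               # bucket depth: the largest burst admitted at once (burst-byte)
    exceed_action: str             # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if not 8000 <= self.rate_bps <= 1_000_000_000:
            raise ValueError("rate-bps must be within 8000 to 1000000000")
        if self.exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("unknown exceed-action")
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def in_profile(self, pkt_bytes: int, now: float) -> bool:
        """Refill the bucket for the elapsed time, then try to pay for the packet."""
        elapsed = max(0.0, now - self.last_t)
        # rate is in bits, the bucket is in bytes
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last_t = now
        if pkt_bytes <= self.tokens:
            self.tokens -= pkt_bytes
            return True
        return False

def policed_dscp(dscp: int, markdown: Dict[int, int]) -> int:
    """policed-DSCP map: a null map by default, so only the listed values change."""
    return markdown.get(dscp, dscp)

def police_packet(pol: Policer, dscp: int, pkt_bytes: int, now: float,
                  markdown: Dict[int, int]) -> Tuple[str, int]:
    """Return ('pass' | 'drop' | 'mark', resulting DSCP) for one packet."""
    if pol.in_profile(pkt_bytes, now):
        return ("pass", dscp)                       # in profile: pass through unchanged
    if pol.exceed_action == "drop":
        return ("drop", dscp)                       # out of profile, configured to drop
    return ("mark", policed_dscp(dscp, markdown))   # out of profile: mark down, then transmit

def run_trace(pol: Policer, dscp: int, sizes: List[int], interval: float,
              markdown: Dict[int, int]) -> List[Tuple[str, int]]:
    """Feed packets `interval` seconds apart and return the per-packet result."""
    return [police_packet(pol, dscp, size, i * interval, markdown)
            for i, size in enumerate(sizes)]

if __name__ == "__main__":
    # constructed trace: 8000 b/s (1000 bytes/s), 1000-byte burst, three 400-byte packets back to back
    print(run_trace(Policer(8000, 1000, "drop"), 46, [400, 400, 400], 0.0, {}))
```

With the bucket sized at 1000 bytes, two back-to-back 400-byte packets are in profile and the third is not; the same trace spaced one second apart is entirely in profile because the bucket refills at 1000 bytes per second. Choosing policed-dscp-transmit with a markdown of 46 to 0 keeps the third packet but demotes it to best effort.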
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
• VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
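As an added example (not code from this guide or from Cisco IOS), the Python function below derives the internal QoS label, a DSCP and CoS pair, from a received frame and the port trust state, using the default mapping tables: CoS c maps to DSCP 8c, IP precedence p maps to DSCP 8p, and DSCP d maps to CoS d divided by 8, as in Table 38-7. The Frame class and the sample frames are constructed. One labelled assumption: a non-IP frame on a DSCP- or IP-precedence-trusted port is labelled by its CoS (or by the port default CoS when untagged), following the non-IP branch of the classification flowchart.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not the switch's own code: how the ingress trust state turns a
# received frame into the internal QoS label (DSCP, CoS) using the default maps.
COS_TO_DSCP = {c: 8 * c for c in range(8)}        # default CoS-to-DSCP map
IP_PREC_TO_DSCP = {p: 8 * p for p in range(8)}    # default IP-precedence-to-DSCP map

def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7 (Table 38-7)."""
    return dscp // 8

@dataclass
class Frame:
    is_ip: bool
    dscp: int = 0                 # DSCP field; meaningful only when is_ip
    cos: Optional[int] = None     # None = untagged frame (no 802.1Q/802.1p CoS label)

def classify(frame: Frame, trust: Optional[str], default_cos: int = 0) -> Tuple[int, int]:
    """Return the internal (dscp, cos) label for one frame.

    trust: None (port not trusted), "cos", "dscp" or "ip-precedence".
    default_cos: the port's mls qos cos default-cos value, used for untagged frames.
    """
    if trust is None:
        return (0, 0)                       # best effort: DSCP 0 and CoS 0
    # untagged frame: the port default CoS becomes the packet CoS
    frame_cos = frame.cos if frame.cos is not None else default_cos
    if trust == "cos" or not frame.is_ip:
        # assumption: non-IP traffic on a dscp/ip-precedence trusted port is labelled by CoS
        return (COS_TO_DSCP[frame_cos], frame_cos)
    if trust == "dscp":
        return (frame.dscp, dscp_to_cos(frame.dscp))
    if trust == "ip-precedence":
        prec = frame.dscp >> 3              # IP precedence is the top 3 bits of the DSCP field
        dscp = IP_PREC_TO_DSCP[prec]
        return (dscp, dscp_to_cos(dscp))
    raise ValueError(f"unknown trust state {trust!r}")

if __name__ == "__main__":
    voice = Frame(is_ip=True, dscp=46, cos=5)   # constructed: EF-marked, CoS 5 tagged frame
    for trust in (None, "cos", "dscp", "ip-precedence"):
        print(trust, classify(voice, trust))
```

Note what an untrusted port does to the same frame: both values are reset to 0, so a port that faces a device you do not control should stay untrusted or be policed, while trust cos on a port with an untagged frame yields whatever default CoS the port carries.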
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 38-6.
Figure 38-7 WTD and Queue Operation (figure not reproduced here; it shows a queue of 1000 buffers with threshold marks at 40 percent (400 buffers), 60 percent (600 buffers), and 100 percent (1000 buffers), labeled CoS 0-3, CoS 4-5, and CoS 6-7 respectively.)
For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 38-49, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 38-52, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 38-53.
Queueing and Scheduling on Ingress Queues
Figure 38-8 shows the queueing and scheduling flowchart for ingress ports.
Figure 38-8 Queueing and Scheduling Flowchart for Ingress Ports (flowchart not reproduced here; its steps are: read the QoS label (DSCP or CoS value); determine the ingress queue number, buffer allocation, and WTD thresholds; if the thresholds are being exceeded, drop the packet; otherwise queue the packet and send it to the internal ring.)
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
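The Python model below is an added example, not the switch's own queueing code. It combines the two ideas of this section: a label-to-queue-and-threshold table, filled the way the mls qos srr-queue input cos-map and dscp-map commands fill it, and weighted tail drop, where a packet is dropped once its queue already holds the share of buffers its threshold allows. The WtdQueue and IngressQueueing classes are constructed; the demo reproduces the layout described for Figure 38-7 (one 1000-buffer queue, thresholds 40, 60 and 100 percent for CoS 0-3, CoS 4-5 and CoS 6-7), with a constructed traffic pattern.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example, not the switch's own code: label-to-queue mapping plus weighted tail drop.

@dataclass
class WtdQueue:
    size: int                          # total buffers available to this queue
    thresholds: Dict[int, int]         # threshold-id -> percent of size at which that class is dropped
    occupancy: int = 0
    dropped: int = 0

    def enqueue(self, threshold_id: int) -> bool:
        """Admit the packet unless the queue already holds its threshold's share of buffers."""
        limit = self.size * self.thresholds[threshold_id] // 100
        if self.occupancy >= limit:
            self.dropped += 1
            return False
        self.occupancy += 1
        return True

    def dequeue(self, n: int = 1) -> None:
        """Scheduler side: free n buffers (packets sent to the internal ring)."""
        self.occupancy = max(0, self.occupancy - n)

@dataclass
class IngressQueueing:
    queues: Dict[int, WtdQueue]
    # label value -> (queue-id, threshold-id); on the switch these tables are what the
    # mls qos srr-queue input cos-map / dscp-map commands populate
    cos_map: Dict[int, Tuple[int, int]] = field(default_factory=dict)
    dscp_map: Dict[int, Tuple[int, int]] = field(default_factory=dict)

    def map_cos(self, queue_id: int, threshold_id: int, *cos_values: int) -> None:
        for c in cos_values:
            self.cos_map[c] = (queue_id, threshold_id)

    def map_dscp(self, queue_id: int, threshold_id: int, *dscp_values: int) -> None:
        for d in dscp_values:
            self.dscp_map[d] = (queue_id, threshold_id)

    def admit(self, *, cos: Optional[int] = None, dscp: Optional[int] = None) -> bool:
        """Look up queue and threshold from the QoS label, then apply WTD."""
        if dscp is not None:
            queue_id, thr = self.dscp_map[dscp]
        elif cos is not None:
            queue_id, thr = self.cos_map[cos]
        else:
            raise ValueError("a DSCP or CoS label is required")
        return self.queues[queue_id].enqueue(thr)

def figure_38_7_demo() -> Dict[str, int]:
    """Fill one 1000-buffer queue as Figure 38-7 describes and count admissions per class.

    Constructed traffic: 1200 rounds, each offering one CoS 0, one CoS 4 and one CoS 6 packet,
    with nothing dequeued, so each class stops being admitted at its own threshold.
    """
    q = WtdQueue(size=1000, thresholds={1: 40, 2: 60, 3: 100})
    iq = IngressQueueing(queues={1: q})
    iq.map_cos(1, 1, 0, 1, 2, 3)     # CoS 0-3 -> threshold 1 (40 percent = 400 buffers)
    iq.map_cos(1, 2, 4, 5)           # CoS 4-5 -> threshold 2 (60 percent = 600 buffers)
    iq.map_cos(1, 3, 6, 7)           # CoS 6-7 -> threshold 3 (100 percent = all 1000 buffers)
    admitted = {"cos0": 0, "cos4": 0, "cos6": 0}
    for _ in range(1200):
        admitted["cos0"] += iq.admit(cos=0)
        admitted["cos4"] += iq.admit(cos=4)
        admitted["cos6"] += iq.admit(cos=6)
    admitted["dropped"] = q.dropped
    return admitted

if __name__ == "__main__":
    print(figure_38_7_demo())
```

In the demo the lowest class is shut out first, once about 400 buffers are in use, the middle class at 600, and only CoS 6-7 traffic can fill the queue to its last buffer; the three admission counts sum to the 1000 buffers the queue has.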
Figure 38-9 Queueing and Scheduling Flowchart for Egress Ports (flowchart not reproduced here; its steps are: receive the packet from the internal ring; read the QoS label (DSCP or CoS value); determine the egress queue number and threshold based on the label; if the thresholds are being exceeded, drop the packet; otherwise queue the packet, service the queue according to the SRR weights, rewrite the DSCP and/or CoS value as appropriate, and send the packet out the port.)
buffers) or not empty (free buffers). If the queue is not over-limit, the switch can allocate buffer space from the reserved pool or from the common pool (if it is not empty). If there are no free buffers in the common pool or if the queue is over-limit, the switch drops the frame.
modify it. You map a port to a queue-set by using the queue-set qset-id interface configuration command. Modify the queue-set configuration to change the WTD threshold percentages. For more information about how WTD works, see the “Weighted Tail Drop” section on page 38-19.
Shaped or Shared Mode
SRR services each queue-set in shared or shaped mode.
Classification Using Port Trust States
Trust State on Ports within the QoS Domain
Packets entering a QoS domain are classified at the edge of the QoS domain. When the packets are classified at the edge, the switch port within the QoS domain can be configured to one of the trusted states because there is no need to classify the packets at every switch within the QoS domain. Figure 38-11 shows a sample network topology.
For most Cisco IP phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port.
Figure 38-12 DSCP-Trusted State on a Port Bordering Another QoS Domain (figure not reproduced here; it shows IP traffic crossing from QoS Domain 1 to QoS Domain 2, with the border interface set to the DSCP-trusted state and the DSCP-to-DSCP-mutation map configured.)
QoS Policies
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
• You can configure a separate second-level policy map for each class defined for the port. The second-level policy map specifies the police action to take for each traffic class. For information on configuring a hierarchical policy map, see Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps, page 38-29.
• A policy map and a port trust state can both run on a physical interface.
• When VLAN-based QoS is enabled, the switch supports VLAN-based features, such as the VLAN map.
• You can configure a hierarchical policy map only on the primary VLAN of a private VLAN.
DSCP Maps
For default DSCP mapping, see the “Default Mapping Table Settings” section on page 38-8.
Egress Queue Characteristics
Depending on the complexity of your network and your QoS solution, you might need to perform all of the tasks in the next sections.
Chapter 38 Configuring Standard QoS How to Configure Standard QoS
How to Configure Standard QoS
Enabling QoS Globally
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos
        Enables QoS globally.
Step 3  end
        Returns to privileged EXEC mode.
Enabling VLAN-Based QoS on Physical Ports
By default, VLAN-based QoS is disabled on all physical switch ports. The switch applies QoS, including class maps and policy maps, only on a physical-port basis.
Configuring the Trust State on Ports Within the QoS Domain
Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies the port to be trusted, and enters interface configuration mode. Valid interfaces include physical ports.
Step 3  mls qos trust [cos | dscp | ip-precedence]
        Configures the port trust state. By default, the port is not trusted.
Step 3  mls qos cos {default-cos | override}
        Configures the default CoS value for the port.
        • default-cos—Specifies a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
If you disable QoS by using the no mls qos global configuration command, the CoS and DSCP values are not changed (the default QoS setting). If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.
Step 1  configure terminal
        Enters global configuration mode.
Configuring a QoS Policy
Configuring a QoS policy typically requires classifying traffic into classes, configuring policies applied to those traffic classes, and attaching policies to ports. These sections describe how to classify, police, and mark traffic.
Creating IP Extended ACLs
Step 1  configure terminal
        Enters global configuration mode.
Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Creates an IP extended ACL, repeating the command as many times as necessary.
        • access-list-number—Enters the access list number. The range is 100 to 199 and 2000 to 2699.
Step 3  {permit | deny} {host src-MAC-addr mask | any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
        Specifies the type of traffic to permit or deny if the conditions are matched, entering the command as many times as necessary.
        • src-MAC-addr—Enters the MAC address of the host from which the packet is being sent. You specify this by using the hexadecimal format (H.H.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard]
        or access-list access-list-number {deny |
        Creates an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary. For more information, see the “Creating IP Standard ACLs” section on page 38-36.
Creating Nonhierarchical Policy Maps
Step 1  configure terminal
        Enters global configuration mode.
Step 2  class-map [match-all | match-any] class-map-name
        Creates a class map, and enters class-map configuration mode. By default, no class maps are defined.
        • (Optional) match-all—Performs a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
Step 5  trust [cos | dscp | ip-precedence]
        Configures the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 8  end
        Returns to global configuration mode.
Step 9  interface interface-id
        Specifies the port to attach to the policy map, and enters interface configuration mode. Valid interfaces include physical ports.
Step 10 service-policy input policy-map-name
        Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Step 5  class-map [match-all | match-any] class-map-name
        Creates an interface-level class map, and enters class-map configuration mode. By default, no class maps are defined.
        • (Optional) match-all—Performs a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.
        • (Optional) match-any—Performs a logical-OR of all matching statements under this class map.
Step 10 police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
        Defines an individual policer for the classified traffic. By default, no policer is defined. For information on the number of policers supported, see the “Standard QoS Configuration Guidelines” section on page 38-5.
        • rate-bps—Specifies average traffic rate in bits per second (b/s). The range is 8000 to 1000000000.
Step 14 trust [cos | dscp | ip-precedence]
        Configures the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
        Note This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18.
        By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
Step 19 service-policy input policy-map-name
        Specifies the VLAN-level policy-map name, and applies it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.
Step 7  exit
        Returns to global configuration mode.
Step 8  interface interface-id
        Specifies the port to attach to the policy map, and enters interface configuration mode. Valid interfaces include physical ports.
Step 9  service-policy input policy-map-name
        Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Step 10 end
        Returns to privileged EXEC mode.
Configuring the IP-Precedence-to-DSCP Map
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos map ip-prec-dscp dscp1...dscp8
        Modifies the IP-precedence-to-DSCP map.
        • dscp1...dscp8—Enters eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Step 3  end
        Returns to privileged EXEC mode.
Configuring the DSCP-to-DSCP-Mutation Map
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
        Modifies the DSCP-to-DSCP-mutation map.
        • dscp-mutation-name—Enters the mutation map name. You can create more than one map by specifying a new name.
        • in-dscp—Enters up to eight DSCP values separated by spaces. Then enter the to keyword.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos srr-queue input dscp-map queue queue-id threshold threshold-id dscp1...dscp8
        or mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...
        Maps DSCP or CoS values to an ingress queue and to a threshold ID.
Allocating Bandwidth Between the Ingress Queues
You need to specify how much of the available bandwidth is allocated between the ingress queues. The ratio of the weights is the ratio of the frequency with which the SRR scheduler sends packets from each queue. The bandwidth and the buffer allocation control how much data can be buffered before packets are dropped. On ingress queues, SRR operates only in shared mode.
Configuring Egress Queue Characteristics
These sections contain this configuration information:
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 38-52
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 38-52 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 38-53 (optional)
• Configuring SRR Shaped Weights on Egress Queues, p
Step 3  mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold
        Configures the WTD thresholds, guarantees the availability of buffers, and configures the maximum memory allocation for the queue-set (four egress queues per port). By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for queue 2 are set to 200 percent.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
        or mls qos srr-queue output cos-map queue queue-id threshold threshold-id cos1...cos8
        Maps DSCP or CoS values to an egress queue and to a threshold ID. By default, DSCP values 0–15 are mapped to queue 2 and threshold 1.
Step 3  end
Step 3  srr-queue bandwidth shape weight1 weight2 weight3 weight4
        Assigns SRR weights to the egress queues. By default, weight1 is set to 25; weight2, weight3, and weight4 are set to 0, and these queues are in shared mode.
        weight1 weight2 weight3 weight4—Enters the weights to control the percentage of the port that is shaped. The inverse ratio (1/weight) controls the shaping bandwidth for this queue.
Chapter 38 Configuring Standard QoS Monitoring and Maintaining Standard QoS
Configuring the Egress Expedite Queue
You can ensure that certain packets have priority over all others by queuing them in the egress expedite queue. SRR services this queue until it is empty before servicing the other queues.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  mls qos
        Enables QoS on a switch.
Chapter 38 Configuring Standard QoS Configuration Examples for Standard QoS
show mls qos
        Displays global QoS configuration information.
show mls qos aggregate-policer [aggregate-policer-name]
        Displays the aggregate policer configuration.
show mls qos input-queue
        Displays QoS settings for the ingress queues.
Configuring DSCP-Trusted State on a Port: Example
This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:
Switch(config)# mls qos map dscp-mutation gi1/2-mutation 10 11 12 13 to 30
Switch(config)# interface gigabitethernet1/2
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos d
This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:
Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
Creating a Policy Map: Example
This example shows how to create a policy map and attach it to an ingress port. In the configuration, the IP standard ACL permits traffic from network 10.1.
Creating an Aggregate Policer: Example
This example shows how to create an aggregate policer and attach it to multiple classes within a policy map. In the configuration, the IP ACLs permit traffic from network 10.1.0.0 and from host 11.3.1.1. For traffic coming from network 10.1.0.0, the DSCP in the incoming packets is trusted. For traffic coming from host 11.3.1.1, the DSCP in the packet is changed to 56.
Configuring DSCP Maps: Examples
This example shows how to modify and display the IP-precedence-to-DSCP map:
Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45
Switch(config)# end
Switch# show mls qos maps ip-prec-dscp
   IpPrecedence-dscp map:
     ipprec:   0  1  2  3  4  5  6  7
     --------------------------------
       dscp:  10 15 20 25 30 35 40 45
This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:
Switch(config)#
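The Python functions below are an added example (not code from this guide or from Cisco IOS) that models the three configurable maps used in the examples of this chapter: the IP-precedence-to-DSCP map changed with mls qos map ip-prec-dscp, the DSCP-to-DSCP-mutation map changed with mls qos map dscp-mutation (one map per name, starting from the null map), and the policed-DSCP markdown map whose default is also the null map. The dictionaries, the rendering function and the input checks are constructed for this example; the default ip-prec-dscp map it assumes is the one in which precedence p maps to DSCP 8p.

```python
from typing import Dict, Iterable, List

# Added example, not the switch's own code: the configurable DSCP maps as dictionaries.

def default_ip_prec_dscp() -> Dict[int, int]:
    """Default IP-precedence-to-DSCP map (assumed here): precedence p maps to DSCP 8p."""
    return {p: 8 * p for p in range(8)}

def set_ip_prec_dscp(dscp_values: List[int]) -> Dict[int, int]:
    """mls qos map ip-prec-dscp dscp1...dscp8: eight DSCP values for precedence 0 to 7."""
    if len(dscp_values) != 8:
        raise ValueError("exactly eight DSCP values are required")
    if any(not 0 <= d <= 63 for d in dscp_values):
        raise ValueError("DSCP values must be in the range 0 to 63")
    return dict(enumerate(dscp_values))

def null_dscp_map() -> Dict[int, int]:
    """Null map: every DSCP maps to itself (default mutation map and default policed-DSCP map)."""
    return {d: d for d in range(64)}

def set_dscp_mutation(maps: Dict[str, Dict[int, int]], name: str,
                      in_dscps: Iterable[int], out_dscp: int) -> Dict[str, Dict[int, int]]:
    """mls qos map dscp-mutation name in-dscp ... to out-dscp.

    One map per name; a new name starts from the null map; up to eight in-values per command.
    """
    in_list = list(in_dscps)
    if not 1 <= len(in_list) <= 8:
        raise ValueError("enter one to eight in-DSCP values per command")
    table = maps.setdefault(name, null_dscp_map())
    for d in in_list:
        table[d] = out_dscp
    return maps

def set_policed_dscp(policed: Dict[int, int], in_dscps: Iterable[int], out_dscp: int) -> Dict[int, int]:
    """Policed-DSCP markdown map: out-of-profile packets carrying an in-DSCP are rewritten to out-dscp."""
    for d in in_dscps:
        policed[d] = out_dscp
    return policed

def show_ip_prec_dscp(m: Dict[int, int]) -> str:
    """Render the map in the layout of the show mls qos maps ip-prec-dscp output above."""
    keys = sorted(m)
    return ("IpPrecedence-dscp map:\n"
            "     ipprec:  " + " ".join(f"{k:2d}" for k in keys) + "\n"
            "     --------------------------------\n"
            "       dscp:  " + " ".join(f"{m[k]:2d}" for k in keys))

if __name__ == "__main__":
    print(show_ip_prec_dscp(set_ip_prec_dscp([10, 15, 20, 25, 30, 35, 40, 45])))
    maps = set_dscp_mutation({}, "gi1/2-mutation", range(10, 14), 30)
    print({d: maps["gi1/2-mutation"][d] for d in range(9, 15)})
    print(set_policed_dscp(null_dscp_map(), range(50, 58), 0)[57])
```

Because both the mutation map and the policed-DSCP map begin as null maps, only the values you list change; every other DSCP passes through unchanged, which is what the "no markdown" default earlier in this chapter means.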
This example shows how to define the DSCP-to-DSCP mutation map.
This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue with 10 percent of the bandwidth allocated to it. The bandwidth ratio allocated to queues 1 and 2 is 4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth.
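As an added example (not code from this guide or from Cisco IOS), the Python functions below turn SRR weights into bandwidth shares: on the ingress side, the priority queue is served first for its configured percentage and the remainder is divided in the ratio of the weights (4/(4+4) in the example above); on the egress side, a non-zero shaped weight caps a queue at 1/weight of the port bandwidth and shared weights divide bandwidth in proportion. The function names and the assumption that shared egress queues divide whatever the shaped queues leave are constructed for this example.

```python
from typing import Dict, List, Optional

# Added example, not the switch's own scheduler: bandwidth shares implied by SRR weights.

def ingress_shares(weights: List[int], priority_queue: Optional[int] = None,
                   priority_pct: int = 0) -> Dict[int, float]:
    """Shares in percent for the ingress queues (shared mode only).

    weights: the mls qos srr-queue input bandwidth values, one per queue (queue 1 first).
    The priority queue is served first for priority_pct of the bandwidth; the rest is
    split between the queues in the ratio of their weights.
    """
    if not 0 <= priority_pct <= 100:
        raise ValueError("priority bandwidth must be 0 to 100 percent")
    remaining = 100 - priority_pct
    total = sum(weights)
    shares = {i + 1: remaining * w / total for i, w in enumerate(weights)}
    if priority_queue is not None:
        shares[priority_queue] += priority_pct
    return shares

def egress_shares(shaped: List[int], shared: List[int]) -> Dict[int, float]:
    """Shares in percent for the four egress queues.

    shaped: srr-queue bandwidth shape weights; a non-zero weight w caps that queue at 1/w
            of the port bandwidth, a zero weight puts the queue in shared mode.
    shared: srr-queue bandwidth share weights, used only by queues in shared mode.
    Assumption: shared queues divide the bandwidth the shaped queues do not claim.
    """
    if len(shaped) != 4 or len(shared) != 4:
        raise ValueError("four weights are required for each command")
    shares: Dict[int, float] = {}
    claimed = 0.0
    for i, w in enumerate(shaped):
        if w:
            shares[i + 1] = 100.0 / w
            claimed += shares[i + 1]
    shared_total = sum(s for s, w in zip(shared, shaped) if not w)
    for i, (s, w) in enumerate(zip(shared, shaped)):
        if not w:
            shares[i + 1] = (100.0 - claimed) * s / shared_total if shared_total else 0.0
    return shares

if __name__ == "__main__":
    # the ingress example above: weights 4 4, queue 1 as priority queue with 10 percent
    print(ingress_shares([4, 4], priority_queue=1, priority_pct=10))
    # the default egress settings of Table 38-4: shape 25 0 0 0, share 25 25 25 25
    print(egress_shares([25, 0, 0, 0], [25, 25, 25, 25]))
```

For the ingress example this yields 55 percent for queue 1 (10 percent served first plus half of the remaining 90) and 45 percent for queue 2; with the default egress weights, queue 1 is shaped to 4 percent (1/25) and the three shared queues divide the remainder equally.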
Chapter 38 Configuring Standard QoS Additional References
Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
! (Note: all other access implicitly denied)
Additional References
The following sections provide references related to switch administration:
Related Documents
Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, Release 15.
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
CHAPTER 39 Configuring Auto-QoS
Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 39 Configuring Auto-QoS Information About Auto-QoS
• Auto-QoS configures the switch for VoIP with Cisco IP phones on nonrouted and routed ports. Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.
• When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port.
• Auto-QoS VoIP uses the priority-queue interface configuration command for an egress interface.
• Configures egress queues
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 39-1.
When you enable the auto-QoS feature on the first port, these automatic actions occur:
• QoS is globally enabled (mls qos global configuration command), and other global configuration commands are added.
• When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP phone, the switch enables the trusted boundary feature.
Table 39-4 Generated Auto-QoS Configuration (continued)
Description                                                  Automatically Generated Command
The switch automatically maps CoS values to an egress queue and to a threshold ID.
Table 39-4 Generated Auto-QoS Configuration (continued)
Description                                                  Automatically Generated Command
The switch automatically sets up the ingress queues, with queue 2 as the priority queue and queue 1 in shared mode. The switch also configures the bandwidth and buffer size for the ingress queues.
Table 39-4 Generated Auto-QoS Configuration (continued)
Description                                                  Automatically Generated Command
If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.
Chapter 39 Configuring Auto-QoS How to Configure Auto-QoS commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.
Chapter 39 Configuring Auto-QoS Monitoring and Maintaining Auto-QoS Configuring QoS to Prioritize VoIP Traffic This task explains how to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic: Command Purpose Step 1 debug auto qos Enables debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled. Step 2 configure terminal Enters global configuration mode.
Chapter 39 Configuring Auto-QoS Configuration Examples for Auto-QoS Configuration Examples for Auto-QoS Auto-QoS Network: Example This is an illustrated example that shows you how to implement auto-QoS in a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain. For optimum QoS performance, enable auto-QoS on all the devices in the network.
Chapter 39 Configuring Auto-QoS Additional References Enabling Auto-QoS VOIP Trust: Example This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device: Switch(config)# interface gigabitethernet1/1 Switch(config-if)# auto qos voip trust Additional References The following sections provide references related to switch administration: Related Documents Related Topic Document Title Cisco IE 2000 comma
Chapter 39 Configuring Auto-QoS Technical Assistance Description Link The Cisco Technical Support website contains http://www.cisco.com/techsupport thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
CHAPTER 40 Configuring EtherChannels

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring EtherChannels

EtherChannels
An EtherChannel consists of individual Fast Ethernet or Gigabit Ethernet links bundled into a single logical link as shown in Figure 40-1.

Port-Channel Interfaces
When you create an EtherChannel, a port-channel logical interface is involved:
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.

Port Aggregation Protocol
The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. By using PAgP, the switch learns the identity of partners capable of supporting PAgP and the capabilities of each port.

PAgP Learn Method and Priority
Network devices are classified as PAgP physical learners or aggregate-port learners. A device is a physical learner if it learns addresses by physical ports and directs transmissions based on that knowledge. A device is an aggregate-port learner if it learns addresses by aggregate (logical) ports. The learn method must be configured the same at both ends of the link.

PAgP Interaction with Other Features
The Dynamic Trunking Protocol (DTP) and the Cisco Discovery Protocol (CDP) send and receive packets over the physical ports in the EtherChannel. Trunk ports send and receive PAgP protocol data units (PDUs) on the lowest numbered VLAN. In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the EtherChannel.

LACP Hot-Standby Ports
When enabled, LACP tries to configure the maximum number of LACP-compatible ports in a channel, up to a maximum of 16 ports. Only eight LACP links can be active at one time. The software places any additional links in a hot-standby mode. If one of the active links becomes inactive, a link that is in the hot-standby mode becomes active in its place.

EtherChannel On Mode
EtherChannel on mode can be used to manually configure an EtherChannel. The on mode forces a port to join an EtherChannel without negotiations. The on mode can be useful if the remote device does not support PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both ends of the link are configured in the on mode.

With source-and-destination IP address-based forwarding, packets are sent to an EtherChannel and distributed across the EtherChannel ports, based on both the source and destination IP addresses of the incoming packet.

Default EtherChannel Settings
Table 40-3 Default EtherChannel Settings
Feature / Default Setting
Channel groups: None assigned.
Port-channel logical interface: None defined.
PAgP mode: No default.
PAgP learn method: Aggregate-port learning on all ports.
PAgP priority: 128 on all ports.
LACP mode: No default.
LACP learn method: Aggregate-port learning on all ports.
LACP port priority: 32768 on all ports.

How to Configure EtherChannels

• Do not configure a Switched Port Analyzer (SPAN) destination port as part of an EtherChannel.
• Do not configure a secure port as part of an EtherChannel or the reverse.
• Do not configure a private-VLAN port as part of an EtherChannel.
• Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.

This required task explains how to configure a Layer 2 Ethernet port as a member of a Layer 2 EtherChannel.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface interface-id
        Specifies a physical port, and enters interface configuration mode. Valid interfaces include physical ports. For a PAgP EtherChannel, you can configure up to eight ports of the same type and speed for the same group.
Step 4  channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
        Assigns the port to a channel group, and specifies the PAgP or the LACP mode. For channel-group-number, the range is 1 to 6. For mode, select one of these keywords:
        • auto: Enables PAgP only if a PAgP device is detected.

Configuring EtherChannel Load Balancing
This task is optional.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
        Configures an EtherChannel load-balancing method. The default is src-mac. Select one of these load-distribution methods:
        • dst-ip: Specifies the destination-host IP address.
Step 3  end
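The practical effect of the load-balance keyword is that only the header fields the keyword names can spread traffic across member links; a field that is constant across your traffic (for example, the MAC address of a single router sending to many hosts) cannot. The following model is an added example, not Cisco code: the switch hardware's actual hash function is not described on this page, so the XOR-and-modulo hash, the two-link channel and all MAC and IP addresses below are constructed assumptions chosen only to show that property.

```python
"""Model of the EtherChannel load-balancing methods (added example, not Cisco code).

Assumption: the selected fields are XORed together and reduced modulo the
number of member links. Cisco's hardware hash is not documented here; only
the "which fields matter" behaviour is meant to be faithful.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_bits(mac: str) -> int:
    return int(mac.replace(":", "").replace(".", ""), 16)


def _ip_bits(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


# Keyword of port-channel load-balance -> fields the hash is computed over.
METHODS = {
    "src-mac":     lambda f: (_mac_bits(f.src_mac),),
    "dst-mac":     lambda f: (_mac_bits(f.dst_mac),),
    "src-dst-mac": lambda f: (_mac_bits(f.src_mac), _mac_bits(f.dst_mac)),
    "src-ip":      lambda f: (_ip_bits(f.src_ip),),
    "dst-ip":      lambda f: (_ip_bits(f.dst_ip),),
    "src-dst-ip":  lambda f: (_ip_bits(f.src_ip), _ip_bits(f.dst_ip)),
}


def select_link(frame: Frame, method: str, links: int) -> int:
    """Pick a member link index (0..links-1) for one frame (modelled hash)."""
    mixed = 0
    for value in METHODS[method](frame):
        mixed ^= value
    return mixed % links


def distribution(frames, method: str, links: int) -> Counter:
    """Count how many frames each member link would carry."""
    return Counter(select_link(f, method, links) for f in frames)


def links_used(frames, method: str, links: int = 2) -> int:
    """Number of member links that carry at least one frame."""
    return len(distribution(frames, method, links))


# Constructed scenario: eight hosts behind a two-link channel talk to one router.
ROUTER_MAC, ROUTER_IP = "00:00:5e:00:53:fe", "10.1.1.254"
HOSTS = [(f"00:00:5e:00:53:{i:02x}", f"10.1.1.{i}") for i in range(1, 9)]
UPSTREAM = [Frame(h_mac, ROUTER_MAC, h_ip, ROUTER_IP) for h_mac, h_ip in HOSTS]
DOWNSTREAM = [Frame(ROUTER_MAC, h_mac, ROUTER_IP, h_ip) for h_mac, h_ip in HOSTS]

if __name__ == "__main__":
    # With the default src-mac, every router-to-host frame lands on one link.
    for method in METHODS:
        print(f"{method:12s} upstream links={links_used(UPSTREAM, method)} "
              f"downstream links={links_used(DOWNSTREAM, method)}")
```

In the constructed scenario the default src-mac method spreads host-to-router frames over both links but puts every router-to-host frame on a single link, because the source MAC is the router's in every frame; src-dst-ip or dst-mac uses both links in both directions.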
Step 4  pagp port-priority priority
        Assigns a priority so that the selected port is chosen for packet transmission. For priority, the range is 0 to 255. The default is 128. The higher the priority, the more likely that the port will be used for PAgP transmission.
Step 5  end
        Returns to privileged EXEC mode.

Configuring the LACP Hot-Standby Ports
This task is optional.

Configuration Examples for Configuring EtherChannels

Configuring EtherChannels: Examples
This example shows how to configure an EtherChannel and assign two ports as static-access ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminal
Switch(config)# interface range gigabitethernet1/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10

Additional References

MIBs
MIB / MIBs Link
— / To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
RFC / Title
— / No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
CHAPTER 41 Configuring Static IP Unicast Routing

This chapter describes how to configure IP Version 4 (IPv4) static IP unicast routing on the switch. Static routing is supported only on switched virtual interfaces (SVIs) and not on physical interfaces. The switch does not support routing protocols.

Finding Feature Information
Your software release may not support all the features documented in this chapter.

IP Routing
In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN. Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local. However, network devices in different VLANs cannot communicate with one another without a Layer 3 device to route traffic between the VLANs, referred to as inter-VLAN routing.

How to Configure Static IP Unicast Routing

Steps for Configuring Routing
In these procedures, the specified interface must be a switch virtual interface (SVI), a VLAN interface created by using the interface vlan vlan_id global configuration command and by default a Layer 3 interface. All Layer 3 interfaces on which routing will occur must have IP addresses assigned to them.

Configuring Static Unicast Routes
This task explains how to assign an IP address and a network mask to an SVI.
Step 1  configure terminal
        Enters global configuration mode.
Step 2  interface vlan vlan_id
        Enters interface configuration mode, and specifies the Layer 3 VLAN to configure.
Step 3  ip address ip-address subnet-mask
        Configures the IP address and IP subnet mask.
Step 4  end
        Returns to privileged EXEC mode.

Additional References for Configuring IP Unicast Routing

The following sections provide references related to switch administration:

Related Documents
Related Topic / Document Title
Cisco IE 2000 commands / Cisco IE 2000 Switch Command Reference, Release 15.

RFCs
RFC / Title
— / No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance
Description / Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. / http://www.cisco.com/techsupport
CHAPTER 42 Configuring IPv6 Host Functions

Note: To use IPv6 host functions, the switch must be running the LAN Base image.

This chapter describes how to configure IPv6 host functions on the switch.

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release.

Information About Configuring IPv6 Host Functions

For information about IPv6 and other features in this chapter:
• See the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US//docs/ios-xml/ios/ipv6/configuration/15-1mt/ipv6-15-1mt-book.html

This section describes IPv6 implementation on the switch.
• SNMP and Syslog Over IPv6, page 42-5
• HTTP over IPv6, page 42-6

Support on the switch includes expanded address capability, header format simplification, improved support of extensions and options, and hardware parsing of the extension header. The switch supports hop-by-hop extension header packets, which are routed or bridged in software.

Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the process of obtaining the next hop forwarding information to route an IPv6 packet. The switch drops any additional IPv6 packets whose next hop is the same neighbor that the switch is actively trying to resolve. This drop avoids further load on the CPU.

Figure 42-1 shows a router forwarding both IPv4 and IPv6 traffic through the same interface, based on the IP packet and destination addresses.
Figure 42-1 Dual IPv4 and IPv6 Support on an Interface (figure: one interface carrying IPv4 10.1.1.1 and IPv6 3ffe:yyyy::1)
Use the dual IPv4 and IPv6 switch database management (SDM) template to enable dual-stack environments (supporting both IPv4 and IPv6).

• Configuration of IPv6 hosts as trap receivers
For support over IPv6, SNMP modifies the existing IP transport mapping to simultaneously support IPv4 and IPv6.

How to Configure IPv6 Hosting

Configuring IPv6 Addressing and Enabling IPv6 Host
This section describes how to assign IPv6 addresses to individual Layer 3 interfaces and to globally forward IPv6 traffic on the switch. Before configuring IPv6 on the switch, consider these guidelines:
• Be sure to select a dual IPv4 and IPv6 SDM template.

Step 7  ipv6 address ipv6-prefix/prefix length eui-64
        • Specifies a global IPv6 address with an extended unique identifier (EUI) in the low-order 64 bits of the IPv6 address.
        • Specifies only the network prefix; the last 64 bits are automatically computed from the switch MAC address. This enables IPv6 processing on the interface.

Configuring IPv6 ICMP Rate Limiting
ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
Step 1  configure terminal
        Enters global configuration mode.
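The two defaults above describe a token bucket: the bucket holds at most 10 tokens, one token is added every 100 ms, and each ICMPv6 error message sent costs one token, so a burst of errors larger than the bucket is partly suppressed while a steady trickle is never limited. The following simulation is an added example, not Cisco code; the refill-and-consume rule is the standard token-bucket mechanism those two parameters describe, and is an assumption about how the switch applies them. The event timestamps are constructed.

```python
"""Token-bucket model of IPv6 ICMP error rate limiting (added example, not Cisco code).

Assumption: the switch refills one token per error interval up to the bucket
size and spends one token per ICMPv6 error message; messages that find the
bucket empty are suppressed rather than queued.
"""
from dataclasses import dataclass, field
from typing import Iterable, Tuple


@dataclass
class Icmpv6ErrorLimiter:
    interval_ms: int = 100      # default interval between error messages
    bucket_size: int = 10       # default bucket size (maximum tokens)
    tokens: float = field(init=False, default=0.0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.bucket_size)   # bucket starts full

    def _refill(self, now_ms: int) -> None:
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(float(self.bucket_size),
                          self.tokens + elapsed / self.interval_ms)
        self.last_ms = max(self.last_ms, now_ms)

    def allow(self, now_ms: int) -> bool:
        """Return True if an error message may be sent at time now_ms."""
        self._refill(now_ms)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False            # bucket empty: the error is suppressed


def simulate(event_times_ms: Iterable[int], interval_ms: int = 100,
             bucket_size: int = 10) -> Tuple[int, int]:
    """Run would-be ICMPv6 errors (ascending ms timestamps) through the limiter.

    Returns (sent, suppressed).
    """
    limiter = Icmpv6ErrorLimiter(interval_ms, bucket_size)
    sent = suppressed = 0
    for t in event_times_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed traffic patterns.
BURST = [0] * 25                           # 25 errors triggered at once
BURST_THEN_TRICKLE = [0] * 25 + [350] * 4  # then 4 more 350 ms later
STEADY = list(range(0, 10_000, 200))       # one error every 200 ms for 10 s

if __name__ == "__main__":
    print("burst of 25:", simulate(BURST))                              # (10, 15)
    print("burst, then 4 at t=350 ms:", simulate(BURST_THEN_TRICKLE))   # (13, 16)
    print("steady 5 per second:", simulate(STEADY))                     # (50, 0)
    print("burst with bucket 25:", simulate(BURST, bucket_size=25))     # (25, 0)
```

The defaults let the switch answer ten errors back to back, then only one every 100 ms; raising the bucket size admits larger bursts, lowering the interval raises the sustained rate, and either change increases the CPU and bandwidth an error storm can consume.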
Configuration Examples for IPv6 Host Functions

Enabling IPv6: Example
This example shows how to enable IPv6 with both a link-local address and a global address based on the IPv6 prefix 2001:0DB8:c18:1::/64. The EUI-64 interface ID is used in the low-order 64 bits of both addresses.
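The eui-64 keyword (Step 7 above and this example) leaves the low-order 64 bits to the switch: it splits the 48-bit interface MAC address, inserts FF:FE between the halves and flips the universal/local bit. The following is an added example, not Cisco code, that performs the same computation so the resulting addresses can be predicted and checked. The MAC address 000b.462f.d940 is a constructed value chosen so that the output matches the addresses shown in the show ipv6 interface output later in this chapter.

```python
"""Modified EUI-64 interface identifiers (added example, not Cisco code)."""
import ipaddress
import re
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 for a MAC in any common notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(digits)
    eui = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]  # OUI | FFFE | NIC part
    eui[0] ^= 0x02                                          # flip the universal/local bit
    return bytes(eui)


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as typed in ipv6 address ... eui-64) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a 64-bit prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 address the switch derives from the same interface ID."""
    return address_from_prefix("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC if the address carries an EUI-64 interface ID, else None.

    The FF:FE marker in the middle of the interface ID is what the [EUI] flag in
    show ipv6 interface reflects; it also means anyone who sees the address
    learns the interface's hardware address.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return mac.hex(":")


if __name__ == "__main__":
    mac = "000b.462f.d940"   # constructed; matches the show output quoted in this chapter
    print(link_local_from_mac(mac))                          # fe80::20b:46ff:fe2f:d940
    print(address_from_prefix("2001:0DB8:c18:1::/64", mac))  # 2001:db8:c18:1:20b:46ff:fe2f:d940
    print(mac_from_eui64_address("3FFE:C000:0:1:20B:46FF:FE2F:D940"))  # 00:0b:46:2f:d9:40
```

Because the interface ID is derived from the MAC address, it is identical for every prefix configured with eui-64 on the same interface, which is convenient for address planning and for recognising a given switch in logs, and equally convenient for anyone correlating that switch's activity across networks.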
Displaying Show Command Output: Examples
This is an example of the output from the show ipv6 interface privileged EXEC command:
Switch# show ipv6 interface
Vlan1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 150

    0 unknown protocol, 0 not a router
    0 fragments, 0 total reassembled
    0 reassembly timeouts, 0 reassembly failures
  Sent:  36861 generated, 0 forwarded
    0 fragmented into 0 fragments, 0 failed
    0 encapsulation failed, 0 no route, 0 too big
    0 RPF drops, 0 RPF suppressed drops
  Mcast: 1 received, 36861 sent
  ICMP statistics:
    Rcvd: 1 input, 0 checksum errors, 0 too short
      0 unknown info type, 0 unknown error type
      unreach: 0 rou

Additional References

The following sections provide references related to switch administration:

Related Documents
Related Topic / Document Title
Cisco IE 2000 commands / Cisco IE 2000 Switch Command Reference, Release 15.0(1)EY
Cisco IOS basic commands / Cisco IOS Configuration Fundamentals Command Reference
Cisco IOS static IPv6 routing / “Implementing Static Routes for IPv6” chapter in the Cisco IOS IPv6 Configuration Library on Cisco.

RFCs
RFC / Title
— / No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance
Description / Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco. / http://www.cisco.com/techsupport
CHAPTER 43 Configuring Link State Tracking

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Link State Tracking
Figure 43-1 on page 43-3 shows a network configured with link state tracking. To enable link state tracking, create a link state group, and specify the interfaces that are assigned to the link state group. In a link state group, these interfaces are bundled together. The downstream interfaces are bound to the upstream interfaces.

downstream ports changes to the link-down state. Connectivity to server 1 and server 2 is then changed from link state group 1 to link state group 2. The downstream ports 3 and 4 do not change state because they are in link-group 2.
• If the link state group is configured, link state tracking is disabled, and the upstream interfaces lose connectivity, the link states of the downstream interfaces remain unchanged.

How to Configure Link State Tracking

Configuring Link State Tracking
Step 1  configure terminal
        Enters global configuration mode.
Step 2  link state track number
        Creates a link state group, and enables link state tracking. The group number can be 1 to 2; the default is 1.

Link State Group: 1    Status: Enabled, Down
Upstream Interfaces   : Fa1/7(Dwn) Fa1/8(Dwn)
Downstream Interfaces : Fa1/3(Dis) Fa1/4(Dis) Fa1/5(Dis) Fa1/6(Dis)

Link State Group: 2    Status: Enabled, Down
Upstream Interfaces   : Fa1/6(Dwn) Fa1/7(Dwn) Fa1/8(Dwn)
Downstream Interfaces : Fa1/2(Dis) Fa1/3(Dis) Fa1/4(Dis) Fa1/5(Dis)

(Up):Interface up   (Dwn):Interface Down   (Dis):Interface disabled

Creating a Link State Group: Example
This example shows how t

Additional References

MIBs
MIB / MIBs Link
— / To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs
RFC / Title
— / No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
CHAPTER 44 Configuring IPv6 MLD Snooping

Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring IPv6 MLD Snooping

MLD is a protocol used by IPv6 multicast routers to discover the presence of multicast listeners (nodes that want to receive IPv6 multicast packets) on their directly attached links and to discover which multicast packets are of interest to neighboring nodes. MLD is derived from IGMP; MLD version 1 (MLDv1) is equivalent to IGMPv2 and MLD version 2 (MLDv2) is equivalent to IGMPv3.

Note: When the IPv6 multicast router is a Catalyst 6500 switch and you are using extended VLANs (in the range 1006 to 4096), IPv6 MLD snooping must be enabled on the extended VLAN on the Catalyst 6500 switch in order for the switch to receive queries on the VLAN. For normal-range VLANs (1 to 1005), it is not necessary to enable IPv6 MLD snooping on the VLAN on the Catalyst 6500 switch.

When MLD snooping is enabled, MLD report suppression, called listener message suppression, is automatically enabled. With report suppression, the switch forwards the first MLDv1 report received by a group to IPv6 multicast routers; subsequent reports for the group are not sent to the routers. When MLD snooping is disabled, report suppression is disabled, and all MLDv1 reports are flooded to the ingress VLAN.

Default MLD Snooping Configuration
Table 44-1 Default MLD Snooping Configuration
Feature / Default Setting
MLD snooping (Global): Disabled.
MLD snooping (per VLAN): Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses: None configured.
IPv6 Multicast router ports: None configured.
MLD snooping Immediate Leave: Disabled.

How to Configure IPv6 MLD Snooping

Enabling or Disabling MLD Snooping
By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs. When you globally enable MLD snooping, the VLAN configuration overrides the global configuration. That is, MLD snooping is enabled only on VLAN interfaces in the default state (enabled).

Step 3  ipv6 mld snooping vlan vlan-id
        (Optional) Enables MLD snooping on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4096. MLD snooping must be globally enabled for VLAN snooping to be enabled.
Step 4  end
        Returns to privileged EXEC mode.
Step 5  reload
        Reloads the operating system.

Enabling MLD Immediate Leave
Step 1  configure terminal
        Enters global configuration mode.
Step 2  ipv6 mld snooping vlan vlan-id immediate-leave
        Enables MLD Immediate Leave on the VLAN interface.
Step 3  end
        Returns to privileged EXEC mode.

Configuring MLD Snooping Queries
Step 1  configure terminal
        Enters global configuration mode.

Disabling MLD Listener Message Suppression
Step 1  configure terminal
        Enters global configuration mode.
Step 2  no ipv6 mld snooping listener-message-suppression
        Disables MLD message suppression.
Step 3  end
        Returns to privileged EXEC mode.

Monitoring and Maintaining IPv6 MLD Snooping
Command / Purpose
show ipv6 mld snooping mrouter [vlan vlan-id] / Verifies that IPv6 MLD snooping is enabled on the VLAN interface.
show ipv6 mld snooping / Verifies that IPv6 MLD snooping report suppression is disabled.

Configuration Examples for Configuring IPv6 MLD Snooping
Switch(config)# ipv6 mld snooping last-listener-query-interval 2000
Switch(config)# exit

Additional References

The following sections provide references related to switch administration:

Related Documents
Related Topic / Document Title
Cisco IE 2000 commands / Cisco IE 2000 Switch Command Reference, Release 15.0(1)EY
Cisco IOS basic commands / Cisco IOS Configuration Fundamentals Command Reference
SDM templates / Chapter 11, “Configuring SDM Templates.
CH A P T E R 45 Configuring Cisco IOS IP SLAs Operations Finding Feature Information Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations Cisco IOS IP SLAs Cisco IOS IP SLAs sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services and collects network performance information in real time.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations Cisco IOS IP SLAs to Measure Network Performance You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 45-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations the responder accepts the requests and responds to them. It disables the port after it responds to the IP SLAs packet, or when the specified time expires. MD5 authentication for control messages is available for added security. You do not need to enable the responder on the destination device for all IP SLAs operations.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Information About Configuring Cisco IOS IP SLAs Operations The pending option is an internal state of the operation that is visible through SNMP. The pending state is also used when an operation is a reaction (threshold) operation waiting to be triggered. You can schedule a single IP SLAs operation or a group of operations at one time.
Chapter 45 Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations • Round-trip delay (average round-trip time) Because the paths for the sending and receiving of data can be different (asymmetric), you can use the per-direction data to more readily identify where congestion or other problems are occurring in the network.
Chapter 45 Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations Configuring the IP SLAs Responder Before You Begin For the IP SLAs responder to function, you must also configure a source device, such as a Catalyst 3750 or Catalyst 3560 switch running the IP services image, that has full IP SLAs support. Refer to the documentation for the source device for configuration information. Command Purpose Step 1 configure terminal Enters global configuration mode.
Chapter 45 Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations Command Step 3 Purpose udp-jitter {destination-ip-address Configures the IP SLAs operation as a UDP jitter operation, and enters UDP | destination-hostname} jitter configuration mode. destination-port [source-ip • destination-ip-address | destination-hostname—Specifies the destination {ip-address | hostname}] IP address or hostname.
Chapter 45 Configuring Cisco IOS IP SLAs Operations How to Configure Cisco IOS IP SLAs Operations Step 6 Command Purpose ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring] Configures the scheduling parameters for an individual IP SLAs operation. • operation-number—Enters the RTR entry number.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Monitoring and Maintaining Cisco IP SLAs Operations Command Purpose Step 5 exit Exits UDP jitter configuration mode, and returns to global configuration mode. Step 6 ip sla schedule operation-number [life {forever | seconds}] [start-time {hh:mm [:ss] [month day | day month] | pending | now | after hh:mm:ss] [ageout seconds] [recurring] Configures the scheduling parameters for an individual IP SLAs operation.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuration Examples for Configuring Cisco IP SLAs Operations Command Purpose show ip sla mpls-lsp-monitor {collection-statistics | configuration | ldp operational-state | scan-queue | summary [entry-number] | neighbors} Displays MPLS label switched path (LSP) Health Monitor operations.
Chapter 45 Configuring Cisco IOS IP SLAs Operations Configuration Examples for Configuring Cisco IP SLAs Operations Number of statistic hours kept: 2 Number of statistic distribution buckets kept: 1 Statistic distribution interval (milliseconds): 20 History Statistics: Number of history Lives kept: 0 Number of history Buckets kept: 15 History Filter Type: None Enhanced History: Sample Output for Show IP SLA Command: Example This is an example of the output from the command: Switch# show ip sla applicati
Chapter 45 Configuring Cisco IOS IP SLAs Operations Additional References Switch(config)# ip sla schedule 5 start-time now life forever Switch(config)# end Switch# show ip sla configuration 10 IP SLAs, Infrastructure Engine-II. Entry number: 10 Owner: Tag: Type of operation to perform: udp-jitter Target address/Source address: 1.1.1.1/0.0.0.
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
CHAPTER 46 Troubleshooting
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), Device Manager, or Network Assistant to identify and solve problems. For additional troubleshooting information, such as LED descriptions, see the Cisco IE 2000 Switch Hardware Installation Guide.
Information for Troubleshooting
Note If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed parameter can adjust itself even if the connected port does not autonegotiate.
SFP Module Security and Identification
Cisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the module serial number, the vendor name and ID, a unique security code, and cyclic redundancy check (CRC).
Layer 2 Traceroute
The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses. It finds the path by using the MAC address tables of the switches in the path.
• When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are detected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor is detected on a port, the Layer 2 path is not identified, and an error message appears.
IP Traceroute
You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis.
Use TDR to diagnose and resolve cabling problems in these situations:
• Replacing a switch
• Setting up a wiring closet
• Troubleshooting a connection between two devices when a link cannot be established or when it is not operating properly
Crashinfo Files
The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash).
You can configure the switch to not create the extended crashinfo file by using the no exception crashinfo global configuration command.
CPU Utilization
This section lists some possible symptoms that could be caused by the CPU being too busy and shows how to verify a CPU utilization problem. Table 46-1 lists the primary types of CPU utilization problems that you can identify.
How to Troubleshoot
Table 46-1 Troubleshooting CPU Utilization Problems
Type of Problem: Interrupt percentage value is almost as high as total CPU utilization value.
Cause: The CPU is receiving too many packets from the network.
Corrective Action: Determine the source of the network packet. Stop the flow, or change the switch configuration. See the section on “Analyzing Network Traffic.”
Type of Problem: Total CPU utilization is greater than 50% with minimal time spent on interrupts.
switch% ls -l image_filename.bin
-rwxr-xr-x 1 boba 6365325 May 19 13:03 image_filename.bin
-rw-r--r-- 1 bschuett eng 3970586 Apr 21 12:00 image_name.bin
Step 3 Connect your PC with terminal-emulation software supporting the Xmodem Protocol to the switch console port.
Step 4 Set the line speed on the emulation software to 9600 baud.
Step 5 Unplug the switch power cord.
• You have physical access to the switch.
• At least one switch port is enabled and is not connected to a device.
To delete the switch password and set a new one, follow these steps:
Step 1 Press the Express Setup button until the SETUP LED blinks green and the LED of an available switch downlink port blinks green. If no switch downlink port is available for your PC or laptop connection, disconnect a device from one of the switch downlink ports.
Beginning in privileged EXEC mode, use this command to ping another device on the network from the switch:
Command: ping ip host | address
Purpose: Pings a remote host through IP or by supplying the hostname or network address.
Note Other protocol keywords are available with the ping command, but they are not supported in this release.
This example shows how to ping an IP host:
Switch# ping 172.20.52.3
Type escape sequence to abort.
Note Other protocol keywords are available with the traceroute privileged EXEC command, but they are not supported in this release.
This example shows how to perform a traceroute to an IP host:
Switch# traceroute ip 171.9.15.10
Type escape sequence to abort.
Tracing the route to 171.69.115.10
1 172.2.52.1 0 msec 0 msec 4 msec
2 172.2.1.203 12 msec 8 msec 0 msec
3 171.9.16.6 4 msec 0 msec 0 msec
4 171.9.4.5 0 msec 4 msec 0 msec
5 171.9.121.
Enabling Debugging on a Specific Feature
Caution Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic and fewer users.
Monitoring Information
Redirecting Debug and Error Message Output
By default, the network server sends the output from debug commands and system error messages to the console. If you use this default, you can use a virtual terminal connection to monitor debug output instead of connecting to the console port. Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog server. The syslog format is compatible with 4.
Troubleshooting Examples
show platform forward Command
The output from the show platform forward privileged EXEC command provides some useful information about the forwarding results if a packet entering an interface is sent through the system. Depending upon the parameters entered about the packet, the output provides lookup table results and port maps used to calculate forwarding destinations, bitmaps, and egress information.
This is an example of the output when the packet coming in on port 1 in VLAN 5 is sent to an address already learned on the VLAN on another port. It should be forwarded from the port on which the address was learned.
Switch# show platform forward gigabitethernet1/1 vlan 5 1.1.1 0009.43a8.0145 ip 13.1.1.1 13.2.2.
Output Packets:
------------------------------------------
Packet 1
Lookup    Key-Used                                    Index-Hit  A-Data
OutptACL  50_10010A05_0A010505-00_40000014_000A0000   01FFE      03000000
Port   Vlan  SrcMac          DstMac          Cos  Dscpv
Gi1/2  0007  XXXX.XXXX.0246  0009.43A8.0147
Additional References
The following sections provide references related to switch administration:
Related Documents
Related Topic: Cisco IE 2000 commands
Document Title: Cisco IE 2000 Switch Command Reference, 15.
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.
Link: http://www.cisco.com/techsupport
APPENDIX A Working with the Cisco IOS File System, Configuration Files, and Software Images
This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch.
Note For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 15.0 from the Cisco.
Working with the Flash File System
      Size(b)     Free(b)  Type     Flags  Prefixes
*   134086656   117346304  flash    rw     flash:
            -           -  opaque   rw     system:
            -           -  opaque   rw     tmpsys:
       524288      518334  nvram    rw     nvram:
            -           -  opaque   ro     xmodem:
            -           -  opaque   ro     ymodem:
            -           -  opaque   rw     null:
            -           -  opaque   ro     tar:
            -           -  network  rw     tftp:
            -           -  network  rw     rcp:
            -           -  network  rw     http:
            -           -  network  rw     ftp:
            -           -  network  rw     scp:
            -           -  network  rw     https:
            -           -  opaque   ro     cns:
Switch#
Detecting an Unsupported SD Flash Memory Card
When the switch starts and dete
Note When you enter the show platform sdflash privileged EXEC command, the name, date, and other fields that are displayed depend on the manufacturer of the SD flash memory card. However, if the SD flash memory card is unsupported, “Non IT” is displayed after the manufacturer’s name.
Table A-2 show file systems Field Descriptions (continued)
Flags: Permission for file system. ro—read-only. rw—read/write. wo—write-only.
Prefixes: Alias for file system. flash:—Flash file system. nvram:—NVRAM. null:—Null destination for copies. You can copy a remote file to null to find its size. rcp:—Remote Copy Protocol (RCP) network server.
Changing Directories and Displaying the Working Directory
Beginning in privileged EXEC mode, follow these steps to change directories and display the working directory:
Step 1 Command: dir filesystem:
Purpose: Displays the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Copying Files
To copy a file from a source to a destination, use the copy source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-config keyword shortcuts.
Creating, Displaying, and Extracting tar Files
You can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.
• For TFTP, the syntax is tftp:[[//location]/directory]/tar-filename.tar
The tar-filename.tar is the tar file to display. You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only those files appear. If none are specified, all files and directories appear.
Working with Configuration Files
Displaying the Contents of a File
To display the contents of any readable file, including a file on a remote file system, use the more [/ascii | /binary | /ebcdic] file-url privileged EXEC command.
Use these guidelines when creating a configuration file:
Note We recommend that you connect through the console port for the initial configuration of the switch.
Step 4 Copy the configuration file to the appropriate server location. For example, copy the file to the TFTP directory on the workstation (usually /tftpboot on a UNIX workstation).
Step 5 Make sure the permissions on the file are set to world-read.
Step 2 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using TFTP” section on page A-11.
Step 3 Log into the switch through the console port or a Telnet session.
Step 4 Download the configuration file from the TFTP server to configure the switch.
Copying Configuration Files By Using FTP
You can copy configuration files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
Downloading a Configuration File By Using FTP
Beginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:
Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page A-13.
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.
Copying Configuration Files By Using RCP
The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.
ip rcmd remote-username User0
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:
Switch1.company.com Switch1
For more information, see the documentation for your RCP server.
Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.
Clearing Configuration Information
You can clear the configuration information from the startup configuration. If you reboot the switch with no startup configuration, the switch enters the setup program so that you can reconfigure the switch with all new settings.
The Cisco IOS configuration archive, in which the configuration files are stored and available for use with the configure replace command, is in any of these file systems: FTP, HTTP, RCP, TFTP.
Replacing a Configuration
The configure replace privileged EXEC command replaces the running configuration with any saved configuration file.
– The interface interface-id command line cannot be added to the running configuration if no such interface is physically present on the device.
Note When using the configure replace command, you must specify a saved configuration as the replacement configuration file for the running configuration.
Working with Software Images
Step 1 Command: archive config
Purpose: (Optional) Saves the running configuration file to the configuration archive.
Note Enter the path archive configuration command before using this command.
Step 2 Command: configure terminal
Purpose: Enters global configuration mode.
Step 3 Makes necessary changes to the running configuration.
Step 4 Command: exit
Purpose: Returns to privileged EXEC mode.
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
You can download a switch image file from a TFTP, FTP, or RCP server to upgrade the switch software.
stacking_number:x
info_end:
version_suffix:xxxx
version_directory:image-name
image_system_type_id:0x00000000
image_name:image-nameB.
Preparing to Download or Upload an Image File By Using TFTP
Before you begin downloading or uploading an image file by using TFTP, do these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:
tftp dgram udp wait root /usr/etc/in.tftpd in.
Step 3 Command: archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
Purpose: Downloads the image file from the TFTP server to the switch, and overwrites the current image.
Step 4 Command: archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.
Uploading an Image File By Using TFTP
You can upload an image from the switch to a TFTP server. You can later download this image to the switch or to another switch of the same type. Use the upload feature only if the web management pages associated with the embedded Device Manager have been installed with the existing image.
Preparing to Download or Upload an Image File By Using FTP
You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
Downloading an Image File By Using FTP
You can download a new image file and overwrite the current image or keep the current image. Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image. To keep the current image, go to Step 7.
Step 8 Command: archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Purpose: Downloads the image file from the FTP server to the switch, and keeps the current image.
• The /leave-old-sw option keeps the old software version after a download.
Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:
Step 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using FTP” section on page A-13.
Step 2 Log into the switch through the console port or a Telnet session.
Note Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files.
• When you upload an image to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server.
Step 7 Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
Purpose: Downloads the image file from the RCP server to the switch, and keeps the current image.
• The /leave-old-sw option keeps the old software version after a download.
Beginning in privileged EXEC mode, follow these steps to upload an image to an RCP server:
Step 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File By Using RCP” section on page A-16.
Step 2 Log into the switch through the console port or a Telnet session.
INDEX
ACLs Numerics ACEs 802.
matching VTP 37-5, 37-9 named, IPv4 age timer, REP 37-7 number per QoS class map port 37-2 QoS 38-13, 38-36 38-5 creating 37-7 37-11 matching criteria 1-10 aging, accelerating 20-8 20-8 MAC address table 37-2 37-1 7-13 alarm profiles creating or modifying 24-4, 24-10, 24-11 3-8 alarms 24-1 address aging time for VLANs 45-1 displaying 3-9 power supply 7-6 temperature 28-2 addresses 3-2 3-2 allowed-VLAN list dynamic 17-12 ARP accelerated aging defined 20-8 ch
authentication compatibility with Catalyst 6500 switches 13-7 B authentication failed VLAN BackboneFast See restricted VLAN described authentication manager CLI commands overview backup interfaces 13-8 See Flex Links 13-6 backup links authoritative time source, described 7-2 configuring with RADIUS 12-16, 12-37 with TACACS+ login 12-6, 12-7, 12-33 authorized ports with IEEE 802.
BPDU filtering described switch support of CIP, enabling 22-3 support for BPDU guard CipherSuites described 10-1 12-24 Cisco 7960 IP Phone 22-2 support for 10-2 CIP configuration 1-6 1-2 19-1 Cisco Discovery Protocol 1-6 bridge protocol data unit See CDP See BPDU Cisco Group Management Protocol broadcast storm-control command broadcast storms See CGMP 29-9 Cisco IOS DHCP server 29-1 See DHCP, Cisco IOS DHCP server Cisco IOS File System C See IFS cables, monitoring for un
keystroke editing wrapped lines error messages cluster standby group 2-7 defined 2-9 requirements 2-5 filtering command output getting help 6-3 CNS 2-10 6-2 1-4 Configuration Engine 2-3 history configID, deviceID, hostname changing the buffer size configuration service 2-6 described 2-6 event service disabling 2-7 embedded agents recalling commands managing clusters described 2-6 no and default forms of commands 2-4 Client Information Signalling Protocol See CISP 5-3
configurable leave timer, IGMP configuration logging 28-5 configuration, initial defaults configuration replacement configuration rollback 1-11 Express Setup 1-2 configuration changes, logging 35-9 configuration conflicts, recovering from lost member connectivity 46-9 configuration examples, network 1-14 creating using a text editor A-19 configure terminal command 15-13 configuring 802.
enabling all system diagnostics enabling for a specific feature 46-13 DHCP 19-3 18-9 4-14, 4-15 default router preference See DRP 13-30 auto-QoS VTP default gateway 2-4 default configuration 802.1x 17-15 voice VLAN 46-12 redirecting error message output default commands VMPS 46-12 default web-based authentication configuration 39-3 802.
relationship to BOOTP relay support support for location 4-5 bindings 1-4 DHCP binding database described See DHCP snooping binding database 25-6 status and statistics See DHCP snooping binding database entry DHCP option 82 25-14 25-6 DHCP snooping binding table circuit ID suboption See DHCP snooping binding database 25-4 configuration guidelines default configuration helper address Differentiated Services architecture, QoS 25-8 Differentiated Services Code Point 25-7 forwardi
deleting old image preparing ARP spoofing attack A-26 configuration guidelines A-25, A-28, A-32 reasons for ACLs for non-DHCP environments A-29 using HTTP in DHCP environments A-23 using RCP log buffer A-33 using TFTP DRP 26-6 26-11 described 26-4, 26-9 26-1 DHCP snooping binding database 26-2 displaying configuring described IPv6 42-8 ARP ACLs 42-4 trust state and rate limit 1-10, 38-2 DSCP-to-CoS map for QoS DSCP transparency 38-27, 38-34 38-24 function of 40-5 in
described E 40-4 interaction with other features editing features interaction with virtual switches enabling and disabling keystrokes used modes 2-9 1-2 with dual-action detection 12-3 enabling SNMP traps described 3-9 port groups 12-24 encryption for passwords environment variables, function of 40-3 15-4 EtherChannel guard 12-3, 12-27 error-disabled state, BPDU described 4-11 22-7 Ethernet VLANs 22-2 error messages during command entry adding 2-5 17-17 defaults and ran
connecting interfaces with VLAN-bridge STP Fast Convergence overview 15-6 Flex Link Multicast Fast Convergence 20-10 defined configuration guidelines 24-6 configuring preferred VLAN 3-8 default configuration 3-3 FCS error hysteresis threshold features, incompatible description 3-2 VLANs 33-1 files 24-12 24-5 24-1 link load balancing 29-7 fiber-optic, detecting unidirectional links 24-2 24-2 flow-based packet classification basic crashinfo copying QoS classification 46-5
global status monitoring alarms guest VLAN and 802.1x IP SLAs 3-2 45-6 ICMP ping 13-20 GUIs See device manager and Network Assistant executing 46-9 overview 46-2 ICMPv6 42-3 IEEE 802.1D H See STP hardware limitations and Layer 3 interfaces help, for the command line hierarchical policy maps and trunk ports 38-14 17-10 native VLAN for untagged traffic See MSTP changing the buffer size IEEE 802.1w 2-6 described 2-6 See RSTP disabling 2-7 IEEE 802.
IGMP filtering interface command configuring interface configuration mode 28-13 default configuration described auto-MDIX, configuring 1-2 configuration guidelines IGMP groups duplex and speed configuring filtering 28-1 IGMP Immediate Leave 15-8 15-17 displaying information about 28-13 configuration mode 28-13 IGMP snooping 15-9, 15-16 management 1-3 range of 28-2 default configuration definition flow control physical, identifying and address aliasing Immediate Leave 28-1
cluster access 6-3 command switch discovering 45-3 response time 45-4 scheduling 7-8 for IP routing IPv6 6-1, 6-11 described 45-4 SNMP support 41-3 45-2 supported metrics 42-2 standby command switch 6-11 See also IP information ip igmp profile command 45-2 threshold monitoring 45-5 UDP jitter operation 45-5 IP source guard 28-13 IP information and 802.
steps to configure subnet mask with SVIs KDC 41-3 network services 41-3 configuring 41-3 IPv4 ACLs extended, creating described KDC 37-7, 37-15 IPv4 and IPv6 42-4 IPv6 12-17 12-19 realm 12-18 server 12-19 support for addresses terms 42-2 address formats applications TGT 42-2 assigning address 42-7 autoconfiguration 42-4 ICMP 42-4 L 42-7 42-3 LACP neighbor discovery SDM templates 12-17 See KDC 42-1 forwarding 12-19 key distribution center default router prefere
Leaking IGMP Reports login banners 24-4 LEDs, switch 7-4 loop guard See hardware installation guide described lightweight directory access protocol 22-8 support for See LDAP 1-6 LRE profiles, considerations in switch clusters line configuration mode 2-3 Link Aggregation Control Protocol M See EtherChannel link failure, detecting unidirectional link fault alarm 21-7 MAB 3-3 See MAC authentication bypass link integrity, verifying with REP link local unicast addresses 23-4 MAB a
creating 37-11 defined 37-11 exceptions with authentication process membership mode, VLAN port for QoS classification magic packet automatic discovery defined 1-4 management access in-band browser session CLI session SNMP 1-5 1-3 36-2 36-5 mirroring traffic for analysis 30-2 mismatches, autonegotiation 46-1 alarms 6-8 discovery through different management VLANs manual preemption, REP, configuring 23-12 6-8 3-9 cables for unidirectional links CDP 33-1 32-3 features mapping t
described IST 21-5 BPDU filtering defined described master 22-3 BPDU guard 21-3 operations within a region described described 21-3 CIST regional root CIST 21-13 configuring 21-3 configuring link type for rapid convergence MST region 21-15 IST 21-15 root switch 21-5 21-2 optional features supported 21-15 overview 21-14, 21-17 secondary root switch 1-6 21-2 described 22-1 preventing root switch selection 21-3 operations between regions default configuration enabli
multicast television application multicast VLAN neighbor discovery, IPv6 28-9 neighbor offset numbers, REP 28-8 Multicast VLAN Registration 23-5 Network Admission Control See MVR NAC multidomain authentication Network Assistant See MDA benefits multiple authentication configuring 1-2 described 13-11 multiple authentication mode 1-3 upgrading a switch A-23 network configuration examples 13-38 MVR increasing network performance and address aliasing and IGMPv3 described provid
stratum MSTP 7-2 support for STP 1-4 time 21-15 20-13, 20-16 performance, network design services performance features 7-2 synchronizing 1-14 1-2 persistent self-signed certificate 7-2 per-user ACLs and Filter-Ids 12-23 13-7 per-VLAN spanning-tree plus O See PVST+ off mode, VTP physical ports 18-3 15-2 PIM-DVMRP, as snooping method open1x configuring ping 13-50 character output description open1x authentication overview 13-28 Open DeviceNet Vendors Association (ODVA)
described guidelines 38-15 port ACLs 13-33 initiation and message exchange 13-4 defined 37-2 magic packet types of 37-2 maximum number of allowed devices per port Port Aggregation Protocol method lists See EtherChannel authentication server client, defined 13-42 13-4, 13-30, 14-10 configuring downloadable ACLs and redirect URLs 13-14 13-2, 14-3 RADIUS client 13-4 13-4 13-4 14-10, 14-12 configuring flexible authentication ordering overview 13-47 13-28 user distribution g
voice VLAN displaying described 13-23 29-16 on trunk ports 29-13 29-5 PVID 13-23 sticky learning VVID 13-23 violations wake-on-LAN, described port-shutdown response, VMPS 13-24 with ACLs and RADIUS Filter-Id attribute 13-29 port-based authentication configuration process 13-34 port-based authentication methods, supported port blocking 13-6 port description TLV described 31-2 support for 3-3 port not operating alarm 17-3 31-2 power management TLV 31-2, 31-5 preempt delay
Index proxy reports in frames and packets 24-3 pruning, VTP 38-3 IP ACLs, described enabling 38-11, 38-13 MAC ACLs, described in VTP domain on a port options for IP traffic 18-13 38-10, 38-13 38-10 options for non-IP traffic 17-19 38-10 examples 18-8 policy maps, described overview 18-7 trust DSCP, described 38-10 pruning-eligible list trusted CoS, described 38-10 changing trust IP precedence, described 17-19 for VTP pruning configuring displaying 8-3 default configuration
Index WTD, described enabling globally described 38-24 38-32 flowcharts classification egress queueing and scheduling policing and marking number of 38-6 38-15 38-14 policing 38-21 described 38-16 38-4, 38-14 token bucket algorithm 38-13 ingress queues 38-15 policy maps allocating bandwidth characteristics of 38-51 allocating buffer space displaying 38-50 buffer and bandwidth allocation, described configuring shared weights for SRR configuring the priority queue described flowchart
Index vendor-specific deleting old image 12-16 configuring downloading accounting default configuration described 12-15, 12-35 overview redirect URL 40-2 STP 12-16 12-15 12-9 backbone 20-7 path cost 17-13 port priority 12-8 suggested network environments support for 17-16 13-18, 13-19, 13-48 EtherChannel limiting the services to the user operation of 13-14 redundancy 12-14 6-12 method list, defined 13-14 reconfirmation interval, VMPS, changing 12-10 identifying the server
Index segments groups supported 23-2 characteristics overview 23-3 SNMP traps, configuring supported interfaces collecting group Ethernet triggering VLAN load balancing VLAN blocking collecting group history 23-6 support for 23-4 described 23-4 report suppression, IGMP MSTP 37-7 resetting a UDLD-shutdown interface 33-5 Resilient Ethernet Protocol 1-6 STP 21-14, 21-17 20-11, 20-15 routed ports See REP defined responder, IP SLAs 15-3 in switch clusters 45-4 restricted VLAN 15-1
Index described configuring 21-8 restarting migration process topology changes overview 12-44 secure MAC addresses 21-16 maximum number of 21-12 types of 21-8 port roles 29-5 29-4 secure ports, configuring described secure remote connections 21-8 synchronized rapid convergence point-to-point links 21-9 21-9, 21-15 29-4 security features 1-7 sequence numbers in log messages 21-8 server mode, VTP running configuration 35-8 18-3 service-provider network, MSTP and RSTP set-reques
Index applying global parameter values configuration guidelines default configuration tracing SNAP described 16-3 36-4, 36-5 differences from informs 16-2 enabling 16-1 36-6, 36-12 enabling MAC address notification 16-2 overview 32-1 SNMP types of accessing MIB variables with users 36-5 agent 36-7 36-1, 36-10 36-2 described 36-4 SNMP and Syslog Over IPv6 disabling 36-8 SNMP traps 45-2 authentication level 36-11 community strings configuring for cluster switches overview host
Index source ports static access ports 30-5 transmitted traffic VLAN-based assigning to VLAN 30-4 defined 30-6 spanning tree and native VLANs 17-7, 17-17 15-3, 17-3 static addresses 17-10 Spanning Tree Protocol See addresses See STP static MAC addressing SRR 1-7 static routes configuring configuring shaped weights on egress queues 38-54 shared weights on egress queues 38-55 shared weights on ingress queues described 38-51 41-4 understanding 42-5 static VLAN membership 17-2
Index switch priority optional features supported 20-17 default configuration path costs 20-11 default optional feature configuration designated port, defined described protocols supported 22-5 EtherChannel guard described extended system ID 20-3 root switch 20-11 effects on the secondary root switch configuring 20-12 20-12 effects of extended system ID 20-3 unexpected behavior election 20-12 IEEE 802.1D and bridge ID IEEE 802.1D and multicast addresses IEEE 802.
Index switched ports manual configuration 15-2 switch information assignment switchport backup interface See also DNS 4-4 switchport block multicast command switchport command system name TLV 24-4, 24-10 switchport block unicast command 31-2 system prompt, default setting 29-11 system resources, optimizing 29-11 29-11 20-17 TACACS+ switch software features 1-1 accounting, defined system capabilities TLV 31-2 authentication, defined system clock manually time zones 7-10 accounting
Index TFTP multicast traffic configuration files multiple devices on a port downloading unicast traffic A-11 preparing the server uploading A-11 A-12 configuration files in base directory configuring for autoconfiguration 4-8 4-7 image files downloading 46-3 traceroute command 46-10 See also IP traceroute traffic uploading traffic policing A-25 37-3 1-10 traffic suppression A-27 limiting access by servers 36-15 29-11 37-3 unfragmented A-25 preparing the server 29-1 transpare
Index trunk ports defined and adding static addresses and broadcast MAC addresses 15-4, 17-3 trunks and CPU packets allowed-VLAN list configuration guidelines 17-13 using STP port priorities described 7-7 unicast storm 29-1 17-13 native VLAN for untagged traffic 17-12, 17-20 pruning-eligible list 7-7 daemon configuration 17-9 trusted boundary for QoS 29-9 UNIX syslog servers 17-19 to non-DTP device facilities supported 38-26, 38-34 trusted port states 35-4 35-4 message loggin
Index VLAN 1, disabling on a trunk port VLAN 1 minimization described 17-12 extended-range 17-12 vlan-assignment response, VMPS VLAN blocking, REP features 17-14 saving internal 17-5 VLAN configuration saved in 17-5 VLANs saved in 17-4 parameters 1-6 17-5 port membership modes static-access ports 30-6 vlan global configuration command VLAN ID, discovering 17-12, 17-20 number supported 17-4 VLAN filtering and SPAN supported 7-8 17-2 VLAN-bridge STP 23-6 20-10 VLAN Trunking Pro
Index Cisco 7960 phone, port connections configuration guidelines pruning 19-1 19-3 configuring IP phones for data traffic override CoS of incoming frame 19-4 trust CoS priority of incoming frame 802.
Index setting thresholds egress queue-sets ingress queues support for 38-31, 38-52 38-49 1-10, 1-11 X Xmodem protocol 46-7 Cisco IE 2000 Switch Software Configuration Guide IN-36 OL-25866-01