Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide
Cisco IOS Release 12.2(40)EX2
April 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface xliii
Audience xliii
Purpose xliii
Conventions xliv
Related Publications xliv
Obtaining Documentation and Submitting a Service Request xlv
CHAPTER 1 Overview 1-1
Features 1-1
Deployment Features 1-3
Performance Features 1-4
Management Options 1-5
Manageability Features 1-6
Availability and Redundancy Features 1-7
VLAN Features 1-8
Security Features 1-9
QoS and CoS Features 1-10
Layer 3 Features 1-12
Monitoring Features 1-13
Default Settings After Initial Switch Configuration
Changing the Command History Buffer Size 2-6
Recalling Commands 2-6
Disabling the Command History Feature 2-7
Using Editing Features 2-7
Enabling and Disabling Editing Features 2-7
Editing Commands through Keystrokes 2-8
Editing Command Lines that Wrap 2-9
Searching and Filtering Output of show and more Commands 2-10
Accessing the CLI 2-10
Accessing the CLI through a Console Connection or through Telnet
CHAPTER 3 Assigning the Switch IP Address and Default Gateway
Understanding the Boot Proce
Default Boot Configuration 3-18
Automatically Downloading a Configuration File 3-18
Specifying the Filename to Read and Write the System Configuration 3-18
Booting Manually 3-19
Booting a Specific Software Image 3-20
Controlling Environment Variables 3-21
Scheduling a Reload of the Software Image 3-23
Configuring a Scheduled Reload 3-23
Displaying Scheduled Reload Information 3-24
CHAPTER 4 Configuring Cisco IOS CNS Agents 4-1
Understanding Cisco Configuration Engine Software 4-1
Configurat
Switch Stack Offline Configuration 5-9
Effects of Adding a Provisioned Switch to a Switch Stack 5-10
Effects of Replacing a Provisioned Switch in a Switch Stack 5-11
Effects of Removing a Provisioned Switch from a Switch Stack 5-11
Hardware Compatibility and SDM Mismatch Mode in Switch Stacks 5-11
Switch Stack Software Compatibility Recommendations 5-12
Stack Protocol Version Compatibility 5-12
Major Version Number Incompatibility Among Switches 5-12
Minor Version Number Incompatibility Among Swit
Configuring NTP Broadcast Service 6-6
Configuring NTP Access Restrictions 6-8
Configuring the Source IP Address for NTP Packets 6-10
Displaying the NTP Configuration 6-11
Configuring Time and Date Manually 6-11
Setting the System Clock 6-11
Displaying the Time and Date Configuration 6-12
Configuring the Time Zone 6-12
Configuring Summer Time (Daylight Saving Time) 6-13
Configuring a System Name and Prompt 6-14
Default System Name and Prompt Configuration
Configuring a System Name 6-15
Understandin
Disabling Password Recovery 7-5
Setting a Telnet Password for a Terminal Line 7-6
Configuring Username and Password Pairs 7-6
Configuring Multiple Privilege Levels 7-7
Setting the Privilege Level for a Command 7-8
Changing the Default Privilege Level for Lines 7-9
Logging into and Exiting a Privilege Level 7-9
Controlling Switch Access with TACACS+ 7-10
Understanding TACACS+ 7-10
TACACS+ Operation 7-12
Configuring TACACS+ 7-12
Default TACACS+ Configuration 7-13
Identifying the TACACS+ Server Host
Configuring the Switch for Secure Shell 7-37
Understanding SSH 7-37
SSH Servers, Integrated Clients, and Supported Versions 7-38
Limitations 7-38
Configuring SSH 7-39
Configuration Guidelines 7-39
Setting Up the Switch to Run SSH 7-39
Configuring the SSH Server 7-40
Displaying the SSH Configuration and Status 7-41
Configuring the Switch for Secure Socket Layer HTTP 7-41
Understanding Secure HTTP Servers and Clients 7-42
Certificate Authority Trustpoints 7-42
CipherSuites 7-43
Configuring Secure
IEEE 802.1x Authentication and Switch Stacks 9-8
IEEE 802.1x Host Mode 9-8
IEEE 802.1x Accounting 9-9
IEEE 802.1x Accounting Attribute-Value Pairs 9-9
Using IEEE 802.1x Authentication with VLAN Assignment 9-10
Using IEEE 802.1x Authentication with Per-User ACLs 9-12
Using IEEE 802.1x Authentication with Guest VLAN 9-13
Using IEEE 802.1x Authentication with Restricted VLAN 9-14
Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass
Using IEEE 802.
Configuring Web Authentication 9-42
Disabling IEEE 802.1x Authentication on the Port 9-44
Resetting the IEEE 802.1x Authentication Configuration to the Default Values
Displaying IEEE 802.
Shutting Down and Restarting the Interface 10-25
CHAPTER 11 Configuring Smartports Macros 11-1
Understanding Smartports Macros 11-1
Configuring Smartports Macros 11-2
Default Smartports Macro Configuration 11-2
Smartports Macro Configuration Guidelines 11-3
Creating Smartports Macros 11-4
Applying Smartports Macros 11-5
Applying Cisco-Default Smartports Macros 11-6
Displaying Smartports Macros 11-8
CHAPTER 12 Configuring VLANs 12-1
Understanding VLANs 12-1
Supported VLANs 12-2
VLAN P
Interaction with Other Features 12-20
Configuring a Trunk Port 12-21
Defining the Allowed VLANs on a Trunk 12-22
Changing the Pruning-Eligible List 12-23
Configuring the Native VLAN for Untagged Traffic 12-24
Configuring Trunk Ports for Load Sharing 12-24
Load Sharing Using STP Port Priorities 12-25
Load Sharing Using STP Path Cost 12-27
Configuring VMPS 12-28
Understanding VMPS 12-28
Dynamic-Access Port VLAN Membership 12-29
Default VMPS Client Configuration 12-30
VMPS Configuration Guidelines
VTP Version 13-9
Configuration Requirements 13-9
Configuring a VTP Server 13-9
Configuring a VTP Client 13-11
Disabling VTP (VTP Transparent Mode) 13-12
Enabling VTP Version 2 13-13
Enabling VTP Pruning 13-14
Adding a VTP Client Switch to a VTP Domain 13-14
Monitoring VTP 13-16
CHAPTER 14 Configuring Voice VLAN 14-1
Understanding Voice VLAN 14-1
Cisco IP Phone Voice Traffic 14-2
Cisco IP Phone Data Traffic 14-2
Configuring Voice VLAN 14-3
Default Voice VLAN Configuration 14-3
Voice VLAN Conf
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port 15-13
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface 15-14
Monitoring Private VLANs 15-15
CHAPTER 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling 16-1
Understanding IEEE 802.1Q Tunneling 16-1
Configuring IEEE 802.1Q Tunneling 16-4
Default IEEE 802.1Q Tunneling Configuration 16-4
IEEE 802.1Q Tunneling Configuration Guidelines 16-4
Native VLANs 16-4
System MTU 16-5
IEEE 802.
Supported Spanning-Tree Instances 17-10
Spanning-Tree Interoperability and Backward Compatibility 17-11
STP and IEEE 802.1Q Trunks 17-11
VLAN-Bridge Spanning Tree 17-11
Spanning Tree and Switch Stacks 17-12
Configuring Spanning-Tree Features 17-12
Default Spanning-Tree Configuration 17-13
Spanning-Tree Configuration Guidelines 17-13
Changing the Spanning-Tree Mode
Rapid Convergence 18-10
Synchronization of Port Roles 18-11
Bridge Protocol Data Unit Format and Processing 18-12
Processing Superior BPDU Information 18-13
Processing Inferior BPDU Information 18-13
Topology Changes 18-13
Configuring MSTP Features 18-14
Default MSTP Configuration 18-15
MSTP Configuration Guidelines 18-15
Specifying the MST Region Configuration and Enabling MSTP
Configuring the Root Switch 18-17
Configuring a Secondary Root Switch 18-19
Configuring Port Priority 18-20
Configuring
Optional Spanning-Tree Configuration Guidelines 19-12
Enabling Port Fast 19-12
Enabling BPDU Guard 19-13
Enabling BPDU Filtering 19-14
Enabling UplinkFast for Use with Redundant Links 19-15
Enabling Cross-Stack UplinkFast 19-16
Enabling BackboneFast 19-16
Enabling EtherChannel Guard 19-17
Enabling Root Guard 19-18
Enabling Loop Guard 19-18
Displaying the Spanning-Tree Status 19-19
CHAPTER 20 Configuring Flex Links and the MAC Address-Table Move Update Feature
Understanding Flex Links and the M
Configuring the DHCP Relay Agent 21-11
Specifying the Packet Forwarding Address 21-11
Enabling DHCP Snooping and Option 82 21-12
Enabling DHCP Snooping on Private VLANs 21-14
Enabling the Cisco IOS DHCP Server Database 21-14
Enabling the DHCP Snooping Binding Database Agent 21-14
Displaying DHCP Snooping Information 21-15
Understanding IP Source Guard 21-16
Source IP Address Filtering 21-16
Source IP and MAC Address Filtering 21-17
Configuring IP Source Guard 21-17
Default IP Source Guard Conf
IGMP Report Suppression 23-6
IGMP Snooping and Switch Stacks 23-7
Configuring IGMP Snooping 23-7
Default IGMP Snooping Configuration 23-7
Enabling or Disabling IGMP Snooping 23-8
Setting the Snooping Method 23-9
Configuring a Multicast Router Port 23-10
Configuring a Blade Server Statically to Join a Group 23-10
Enabling IGMP Immediate Leave 23-11
Configuring the IGMP Leave Timer 23-12
Configuring TCN-Related Commands 23-12
Controlling the Multicast Flooding Time After a TCN Event
Recovering fro
MLD Reports 24-4
MLD Done Messages and Immediate-Leave 24-4
Topology Change Notification Processing 24-5
MLD Snooping in Switch Stacks 24-5
Configuring IPv6 MLD Snooping 24-5
Default MLD Snooping Configuration 24-6
MLD Snooping Configuration Guidelines 24-6
Enabling or Disabling MLD Snooping 24-7
Configuring a Static Multicast Group 24-8
Configuring a Multicast Router Port 24-9
Enabling MLD Immediate Leave 24-9
Configuring MLD Snooping Queries 24-10
Disabling MLD Listener Message Suppression 24-11
CHAPTER 26 Configuring CDP 26-1
Understanding CDP 26-1
CDP and Switch Stacks 26-2
Configuring CDP 26-2
Default CDP Configuration 26-2
Configuring the CDP Characteristics 26-2
Disabling and Enabling CDP 26-3
Disabling and Enabling CDP on an Interface 26-4
Monitoring and Maintaining CDP 26-5
CHAPTER 27 Configuring LLDP and LLDP-MED 27-1
Understanding LLDP and LLDP-MED 27-1
Understanding LLDP 27-1
Understanding LLDP-MED 27-2
Configuring LLDP and LLDP-MED 27-3
Default LLDP Configuration
SPAN and RSPAN Concepts and Terminology 29-4
SPAN Sessions 29-4
Monitored Traffic 29-5
Source Ports 29-6
Source VLANs 29-7
VLAN Filtering 29-7
Destination Port 29-8
RSPAN VLAN 29-9
SPAN and RSPAN Interaction with Other Features 29-9
SPAN and RSPAN and Switch Stacks 29-10
Configuring SPAN and RSPAN 29-10
Default SPAN and RSPAN Configuration 29-11
Configuring Local SPAN 29-11
SPAN Configuration Guidelines 29-11
Creating a Local SPAN Session 29-12
Creating a Local SPAN Session and Configuring Incomin
Default System Message Logging Configuration 31-4
Disabling Message Logging 31-4
Setting the Message Display Destination Device 31-5
Synchronizing Log Messages 31-6
Enabling and Disabling Time Stamps on Log Messages 31-8
Enabling and Disabling Sequence Numbers in Log Messages 31-8
Defining the Message Severity Level 31-9
Limiting Syslog Messages Sent to the History Table and to SNMP 31-10
Enabling the Configuration-Change Logger 31-11
Configuring UNIX Syslog Servers 31-12
Logging Messages to a UNI
Router ACLs 34-4
VLAN Maps 34-5
Handling Fragmented and Unfragmented Traffic 34-5
ACLs and Switch Stacks 34-6
Configuring IPv4 ACLs 34-7
Creating Standard and Extended IPv4 ACLs 34-7
Access List Numbers 34-8
ACL Logging 34-9
Creating a Numbered Standard ACL 34-10
Creating a Numbered Extended ACL 34-11
Resequencing ACEs in an ACL 34-15
Creating Named Standard and Extended ACLs 34-15
Using Time Ranges with ACLs 34-17
Including Comments in ACLs 34-19
Applying an IPv4 ACL to a Terminal Line 34-19
Ap
ACLs and Multicast Packets 34-38
Displaying IPv4 ACL Configuration 34-39
CHAPTER 35 Configuring IPv6 ACLs 35-1
Understanding IPv6 ACLs 35-2
Supported IPv6 ACLs 35-2
Supported ACL Features 35-2
IPv6 ACL Limitations 35-3
IPv6 ACLs and Switch Stacks 35-4
Configuring IPv6 ACLs 35-4
Default IPv6 ACL Configuration 35-5
Interaction with Other Features and Switches 35-5
Creating IPv6 ACLs 35-5
Applying an IPv6 ACL to an Interface 35-8
Displaying IPv6 ACLs 35-9
CHAPTER 36 Configuring QoS 36-1
Configuring Standard QoS 36-29
Default Standard QoS Configuration 36-30
Default Ingress Queue Configuration 36-30
Default Egress Queue Configuration 36-31
Default Mapping Table Configuration 36-32
Standard QoS Configuration Guidelines 36-32
QoS ACL Guidelines 36-32
Applying QoS on Interfaces 36-32
Policing Guidelines 36-33
General QoS Guidelines 36-33
Enabling QoS Globally 36-34
Enabling VLAN-Based QoS on Physical Ports 36-34
Configuring Classification Using Port Trust States 36-35
Configuring the
Configuring SRR Shared Weights on Egress Queues 36-76
Configuring the Egress Expedite Queue 36-76
Limiting the Bandwidth on an Egress Interface 36-77
Displaying Standard QoS Information 36-78
CHAPTER 37 Configuring EtherChannels and Link-State Tracking 37-1
Understanding EtherChannels 37-1
EtherChannel Overview 37-2
Port-Channel Interfaces 37-4
Port Aggregation Protocol 37-5
PAgP Modes 37-5
PAgP Interaction with Other Features 37-6
Link Aggregation Control Protocol 37-6
LACP Modes 37-6
LACP
CHAPTER 38 Configuring IP Unicast Routing 38-1
Supported IPv4 Features 38-2
Understanding IP Routing 38-3
Types of Routing 38-3
IP Routing and Switch Stacks 38-4
Steps for Configuring Routing 38-6
Configuring IP Addressing 38-6
Default Addressing Configuration 38-7
Assigning IP Addresses to Network Interfaces 38-8
Use of Subnet Zero 38-8
Classless Routing 38-9
Configuring Address Resolution Methods 38-10
Define a Static ARP Cache 38-11
Set ARP Encapsulation 38-12
Enable Proxy ARP 38-13
Rou
Configuring OSPF 38-31
Default OSPF Configuration 38-32
OSPF Nonstop Forwarding 38-33
Configuring Basic OSPF Parameters 38-35
Configuring OSPF Interfaces 38-35
Configuring OSPF Area Parameters 38-36
Configuring Other OSPF Parameters 38-38
Changing LSA Group Pacing 38-39
Configuring a Loopback Interface 38-40
Monitoring OSPF 38-40
Configuring EIGRP 38-41
Default EIGRP Configuration 38-43
EIGRP Nonstop Forwarding 38-44
Configuring Basic EIGRP Parameters 38-45
Configuring EIGRP Interfaces 38-46
Confi
User Interface for ARP 38-75
User Interface for PING 38-75
User Interface for SNMP 38-76
User Interface for HSRP 38-76
User Interface for uRPF 38-76
User Interface for Syslog 38-77
User Interface for Traceroute 38-77
User Interface for FTP and TFTP 38-78
Configuring Multicast VRFs 38-78
Configuring a VPN Routing Session 38-79
Configuring BGP PE to CE Routing Sessions 38-80
Multi-VRF CE Configuration Example 38-80
Displaying Multi-VRF CE Status 38-84
Configuring Unicast Reverse Path Forwarding 38-
Neighbor Discovery 39-5
IPv6 Stateless Autoconfiguration and Duplicate Address Detection 39-6
IPv6 Applications 39-7
Dual IPv4 and IPv6 Protocol Stacks 39-7
EIGRP IPv6 39-8
Unsupported IPv6 Host Functions and Unicast Routing Features 39-11
Limitations 39-12
IPv6 and Switch Stacks 39-12
SDM Templates 39-13
Dual IPv4 and IPv6 SDM Templates 39-14
Configuring IPv6 39-15
Default IPv6 Configuration 39-15
Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing 39-16
Configuring IPv4 and
Response Time Computation for IP SLAs 41-4
IP SLAs Operation Scheduling 41-5
IP SLAs Operation Threshold Monitoring 41-5
Configuring IP SLAs Operations 41-6
Default Configuration 41-6
Configuration Guidelines 41-6
Configuring the IP SLAs Responder 41-8
Analyzing IP Service Levels by Using the UDP Jitter Operation 41-8
Analyzing IP Service Levels by Using the ICMP Echo Operation 41-11
Monitoring IP SLAs Operations 41-14
CHAPTER 42 Configuring Enhanced Object Tracking 42-1
Understanding Enh
CHAPTER 44 Configuring IP Multicast Routing 44-1
Understanding Cisco’s Implementation of IP Multicast Routing 44-2
Understanding IGMP 44-3
IGMP Version 1 44-3
IGMP Version 2 44-3
Understanding PIM 44-4
PIM Versions 44-4
PIM Modes 44-4
PIM Stub Routing 44-5
IGMP Helper 44-6
Auto-RP 44-7
Bootstrap Router 44-7
Multicast Forwarding and Reverse Path Check 44-8
Understanding DVMRP 44-9
Understanding CGMP 44-9
Multicast Routing and Switch Stacks 44-10
Configuring IP Multicast Routing 44-10
Default
Modifying the IGMP Host-Query Message Interval 44-32
Changing the IGMP Query Timeout for IGMPv2 44-33
Changing the Maximum Query Response Time for IGMPv2 44-34
Configuring the Switch as a Statically Connected Member 44-34
Configuring Optional Multicast Routing Features 44-35
Enabling CGMP Server Support 44-35
Configuring sdr Listener Support 44-36
Enabling sdr Listener Support 44-37
Limiting How Long an sdr Cache Entry Exists 44-37
Configuring an IP Multicast Boundary 44-37
Configuring Basic DVM
Redistributing Sources 45-9
Filtering Source-Active Request Messages 45-10
Controlling Source Information that Your Switch Forwards 45-11
Using a Filter 45-12
Using TTL to Limit the Multicast Data Sent in SA Messages 45-13
Controlling Source Information that Your Switch Receives 45-13
Configuring an MSDP Mesh Group 45-15
Shutting Down an MSDP Peer 45-15
Including a Bordering PIM Dense-Mode Region in MSDP 45-16
Configuring an Originating Address other than the RP Address 45-17
Monitoring and Mainta
Executing Ping 47-10
Using Layer 2 Traceroute 47-11
Understanding Layer 2 Traceroute 47-11
Usage Guidelines 47-12
Displaying the Physical Path 47-13
Using IP Traceroute 47-13
Understanding IP Traceroute 47-13
Executing IP Traceroute 47-14
Using TDR 47-15
Understanding TDR 47-15
Running TDR and Displaying the Results 47-15
Using Debug Commands 47-16
Enabling Debugging on a Specific Feature 47-16
Enabling All-System Diagnostics 47-17
Redirecting Debug and Error Message Output 47-17
Using the sho
APPENDIX B Working with the Cisco IOS File System, Configuration Files, and Software Images B-1
Working with the Flash File System B-1
Displaying Available File Systems B-2
Setting the Default File System B-3
Displaying Information about Files on a File System B-3
Changing Directories and Displaying the Working Directory B-4
Creating and Removing Directories B-5
Copying Files B-5
Deleting Files B-6
Creating, Displaying, and Extracting Files B-6
Working with Configuration Files B-9
Guidelines
Downloading an Image File By Using TFTP B-27
Uploading an Image File By Using TFTP B-29
Copying Image Files By Using FTP B-29
Preparing to Download or Upload an Image File By Using FTP B-30
Downloading an Image File By Using FTP B-31
Uploading an Image File By Using FTP B-33
Copying Image Files By Using RCP B-34
Preparing to Download or Upload an Image File By Using RCP B-35
Downloading an Image File By Using RCP B-36
Uploading an Image File By Using RCP B-38
Copying an Image File from One Stack M
Unsupported Global Configuration Commands C-6
Interface Commands C-6
Unsupported Privileged EXEC Commands C-6
Unsupported Global Configuration Commands C-6
Unsupported Interface Configuration Commands C-6
IP Multicast Routing C-6
Unsupported Privileged EXEC Commands C-6
Unsupported Global Configuration Commands C-7
Unsupported Interface Configuration Commands C-7
IP Unicast Routing C-8
Unsupported Privileged EXEC or User EXEC Commands C-8
Unsupported Global Configuration Commands C-8
Unsupported
Unsupported Global Configuration Command C-13
Unsupported Interface Configuration Command C-13
VLAN C-13
Unsupported Global Configuration Command C-13
Unsupported User EXEC Commands C-13
VTP C-13
Unsupported Privileged EXEC Command C-13
INDEX
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide OL-12189-01 xli
Preface
Audience
This guide is for the networking professional using the Cisco IOS command-line interface (CLI) to manage the standalone Cisco Catalyst Switch Module 3110 for IBM BladeCenter, the switch stack, or the Cisco Catalyst Switch Module 3012 for IBM BladeCenter, referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS commands and the switch software features.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
• Release Notes for the Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter
• Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide
• Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Command Reference
• Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter System Message Guide
• Cisco Software Activation Document for IBM
• Device manager online help (available on the switch)
• Cisco Catalyst Switch Module 3110G, 31
CHAPTER 1 Overview
This chapter provides these topics about the switch software:
• Features, page 1-1
• Default Settings After Initial Switch Configuration, page 1-14
• Network Configuration Examples, page 1-16
• Where to Go Next, page 1-20
The term switch refers to a standalone switch and to a switch stack. In this document, IP refers to IP Version 4 (IPv4) unless there is a specific reference to IP Version 6 (IPv6).
Note The examples in this document are for a stacking-capable switch.
Features
The switch can support one of these feature sets:
• IP base feature set, which provides Layer 2+ features (enterprise-class intelligent services). These features include access control lists (ACLs), quality of service (QoS), static routing, EIGRP stub routing, PIM stub routing, the Hot Standby Router Protocol (HSRP), Routing Information Protocol (RIP), and basic IPv6 management. Switches with the IP base feature set can be upgraded to the IP services feature set.
Deployment Features
The switch ships with these features:
• Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program only in switch stacks. For more information about Express Setup, see the getting started guide.
– Provisioning a new member for a switch stack with the offline configuration feature. You can configure in advance the interface configuration for a specific stack member number and for a specific switch type of a new switch that is not part of the stack. The switch stack retains this information across stack reloads whether or not the provisioned switch is part of the stack.
• Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network.
Manageability Features
These are the manageability features:
• CNS embedded agents for automating switch management, configuration storage, and delivery
• DHCP for automating configuration of switch information (such as IP address, default gateway, hostname, and Domain Name System [DNS] and TFTP server names)
• DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients
• DHCP server for automatic assignment of IP
Note
• SNMP can be configured over IPv6 transport so that an IPv6 host can send SNMP queries and receive SNMP notifications from a device running IPv6.
• IPv6 supports stateless autoconfiguration to manage link, subnet, and site addressing changes, such as management of host and mobile IP addresses.
For additional descriptions of the management interfaces, see the “Network Configuration Examples” section on page 1-16.
– Root guard for preventing switches outside the network core from becoming the spanning-tree root
– Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link
• Equal-cost routing for link-level and switch-level redundancy
• Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy
• Link-state tracking to mirror the state of the ports that carry
Security Features
The switch ships with these security features:
• Web authentication to allow a supplicant (client) that does not support IEEE 802.1x functionality to be authenticated using a web browser.
– Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port
– IP phone detection enhancement to detect and recognize a Cisco IP phone
– Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users
– Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do not have the credentials to authenticate via the standard IEEE 802.1x processes
– IEEE 802.
• Classification
– IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications
– IP ToS/DSCP and IEEE 802.
Layer 3 Features
These are the Layer 3 features:
Note Some features noted in this section are available only in the IP services feature set.
• IPv6 unicast routing capability for forwarding IPv6 traffic through configured interfaces (only the Catalyst Switch Module 3110 running the advanced IP services feature set)
• Support for EIGRP IPv6, which utilizes IPv6 transport, communicates with IPv6 peers, and advertises IPv6 routes (only the Catalyst Switch Module 3110)
• IP unicast reverse path forwarding (unicast RPF) for confirming source packet IP addresses (only the Catalyst Switch Module 3110)
• Nonstop forw
Default Settings After Initial Switch Configuration
The switch is designed for plug-and-play operation, requiring only that you assign basic IP information to the switch and connect it to the other devices in your network. If you have specific network needs, you can change the interface-specific and system- and stack-wide settings.
– Auto-MDIX is enabled. For more information, see Chapter 10, “Configuring Interface Characteristics.”
– Flow control is off. For more information, see Chapter 10, “Configuring Interface Characteristics.”
• No Smartports macros are defined. For more information, see Chapter 11, “Configuring Smartports Macros.”
• VLANs
– Default VLAN is VLAN 1. For more information, see Chapter 12, “Configuring VLANs.”
– Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.”
– No secure ports are configured. For more information, see Chapter 25, “Configuring Port-Based Traffic Control.”
• CDP is enabled. For more information, see Chapter 26, “Configuring CDP.”
• UDLD is disabled. For more information, see Chapter 28, “Configuring UDLD.”
• SPAN and RSPAN are disabled.
Network Configuration Examples
Table 1-1 describes what can cause network performance to degrade and how you can configure your network to increase the bandwidth available to your network users.
Table 1-2 Providing Network Services (continued)
Network Demands: An evolving demand for IP telephony
Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either high- or low-priority, based on IEEE 802.1p/Q.
QoS and policing on the switches provide preferential treatment for certain data streams. They segment traffic streams into different paths for processing. Security features on the switch ensure rapid handling of packets. Fault tolerance from the server racks to the core is achieved through dual homing of servers connected to dual switch stacks or the switches, which have redundant Gigabit EtherChannels and cross-stack EtherChannels.
When an end station in one VLAN needs to communicate with an end station in another VLAN, a router or Layer 3 switch routes the traffic to the destination VLAN. In this network, the switch stack is providing inter-VLAN routing. VLAN access control lists (VLAN maps) on the switch stack or switch provide intra-VLAN security and prevent unauthorized users from accessing critical areas of the network.
CHAPTER 2 Using the Command-Line Interface
This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your standalone switch or a switch stack, referred to as the switch.
Understanding Command Modes
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the hostname Switch.
Table 2-1 Command Mode Summary
Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
Table 2-1 Command Mode Summary (continued)
Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports.
Table 2-2 Help Summary (continued)
Command: ?
Purpose: List all commands available for a particular command mode. For example: Switch> ?
Command: command ?
Purpose: List the associated keywords for a command. For example: Switch> show ?
Command: command keyword ?
Purpose: List the associated arguments for a keyword.
Understanding CLI Error Messages
Table 2-3 lists some error messages that you might encounter while using the CLI to configure your switch.
Table 2-3 Common CLI Error Messages
Columns: Error Message | Meaning | How to Get Help
Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
Using Command History
The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists.
Disabling the Command History Feature
The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. These procedures are optional.
To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command.
To disable command history for the line, enter the no history line configuration command.
Chapter 2 Using the Command-Line Interface Using Editing Features Editing Commands through Keystrokes Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional. Table 2-5 Editing Commands through Keystrokes Capability Keystroke1 Move around the command line to make changes or corrections. Press Ctrl-B, or press the Move the cursor back one character. left arrow key. Purpose Press Ctrl-F, or press the right arrow key. Move the cursor forward one character.
Chapter 2 Using the Command-Line Interface Using Editing Features Table 2-5 Editing Commands through Keystrokes (continued) Capability Keystroke1 Purpose Scroll down a line or screen on displays that are longer than the terminal screen can display. Press the Return key. Scroll down one line. Press the Space bar. Scroll down one screen. Press Ctrl-L or Ctrl-R. Redisplay the current command line.
Chapter 2 Using the Command-Line Interface Searching and Filtering Output of show and more Commands Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands through Keystrokes” section on page 2-8. Searching and Filtering Output of show and more Commands You can search and filter the output for show and more commands.
Accessing the CLI through a Console Connection or through Telnet
Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch. Telnet carries the login exchange and every command in cleartext; once the switch has an IP address, prefer an SSH session (see the stack connectivity sections in Chapter 5) for routine management.
Chapter 3 Assigning the Switch IP Address and Default Gateway
This chapter describes how to create the initial switch configuration (for example, assigning the IP address and default gateway information) by using a variety of automatic and manual methods. It also describes how to modify the switch startup configuration. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
The normal boot process involves the operation of the boot loader software, which performs these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem.
Note Stack members retain their IP address when you remove them from a switch stack. To avoid a conflict by having two devices with the same IP address in your network, change the IP address of the switch that you removed from the switch stack.
Use a DHCP server for centralized control and automatic assignment of IP information after the server is configured.
During DHCP-based autoconfiguration, your switch (DHCP client) is automatically configured at startup with IP address information and a configuration file. With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your switch. However, you need to configure the DHCP server for various lease options associated with IP addresses.
If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
Depending on the settings of the DHCP server, the switch can receive IP address information, the configuration file, or both. If you do not configure the DHCP server with the lease options described previously, it replies to client requests with only those parameters that are configured. If the IP address and the subnet mask are not in the reply, the switch is not configured.
Configuring the Relay Device
You must configure a relay device, also referred to as a relay agent, when a switch sends broadcast packets that require a response from a host on a different LAN. Examples of broadcast packets that the switch might send are DHCP, DNS, and in some cases, TFTP packets. You must configure this relay device to forward received broadcast packets on an interface to the destination host.
• The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method). The switch receives its IP address, subnet mask, and the configuration filename from the DHCP server.
Table 3-2 shows the configuration of the reserved leases on the DHCP server.
Table 3-2 DHCP Server Configuration
Switch | Binding key (hardware address) | IP address | Subnet mask | Router address
Switch A | 00e0.9f1e.2001 | 10.0.0.21 | 255.255.255.0 | 10.0.0.10
Switch B | 00e0.9f1e.2002 | 10.0.0.22 | 255.255.255.0 | 10.0.0.
Switch C | 00e0.9f1e.2003 | 10.0.0.23 | 255.255.255.0 |
Switch D | 00e0.9f1e.2004 | 10.0.0.24 | 255.255.255.0 |
Switches B through D retrieve their configuration files and IP addresses in the same way.
Understanding DHCP-based Autoconfiguration and Image Update
You can use the DHCP image upgrade features to configure a DHCP server to download both a new image and a new configuration file to one or more switches in a network. This helps ensure that each new switch added to a network receives the same image and configuration.
Note The configuration file that is downloaded from TFTP is merged with the existing configuration in the running configuration but is not saved in the NVRAM unless you enter the write memory or copy running-config startup-config privileged EXEC command. Note that if the downloaded configuration is saved to the startup configuration, the feature is not triggered during subsequent system restarts.
This example shows how to configure a switch as a DHCP server so that it will download a configuration file:
Switch# configure terminal
Switch(config)# ip dhcp pool pool1
Switch(dhcp-config)# network 10.10.10.0 255.255.255.0
Switch(dhcp-config)# bootfile config-boot.text
Switch(dhcp-config)# default-router 10.10.10.1
Switch(dhcp-config)# option 150 10.10.10.
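The following is an added example, not configuration from this guide. It puts together the reserved-lease method of Table 3-2 with the relay agent described under Configuring the Relay Device: the DHCP server is an IOS device on a different subnet from the switch, so the router facing the switch VLAN must relay the switch's broadcasts. The server and TFTP addresses (10.0.1.3 and 10.0.1.4), the pool name and the bootfile name are assumptions; the switch MAC address and lease values are the ones Table 3-2 uses for Switch A.

```cisco
! --- DHCP server (Cisco IOS) ---
! Manual binding for Switch A, keyed on its hardware address exactly as
! Table 3-2 lists it. The pool name and file name are assumptions.
ip dhcp pool switch-a
 host 10.0.0.21 255.255.255.0
 hardware-address 00e0.9f1e.2001
 default-router 10.0.0.10
 option 150 ip 10.0.1.4
 bootfile switch-a-confg
!
! --- Relay agent: the router interface on the switch VLAN ---
! DHCPDISCOVER is a broadcast and never leaves 10.0.0.0/24 on its own;
! ip helper-address turns it into a unicast to the server (assumed 10.0.1.3).
interface Vlan1
 ip address 10.0.0.10 255.255.255.0
 ip helper-address 10.0.1.3
```

Two points a practitioner should keep in mind. First, the switch accepts whatever DHCPOFFER reaches it and then fetches the named file over TFTP with no authentication of either server, so the segment the switch boots on must not be one where an arbitrary host can answer DHCP, and the TFTP server should be reachable only from that management subnet. Second, as the Note above states, the downloaded file lives only in the running configuration; copy running-config startup-config is what makes it permanent and also what stops autoconfiguration from re-running on the next restart.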
Command / Purpose
Step 16 ip address address mask: Specify the IP address and mask for the interface.
Step 17 end: Return to privileged EXEC mode.
Step 18 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Switch(config-vlan)# interface vlan 99
Switch(config-if)# no shutdown
Switch(config-if)# end
Switch# show boot
BOOT path-list:
Config file: flash:/config.text
Private Config file: flash:/private-config.
Configuring Protected Mode
Command / Purpose
Step 7 end: Return to privileged EXEC mode.
Step 8 show interfaces vlan vlan-id: Verify the configured IP address.
Step 9 show ip redirects: Verify the configured default gateway.
Step 10 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove the switch IP address, use the no ip address interface configuration command.
Although you cannot enable protected mode on a stack member, if protected mode is enabled on the stack master, this feature is enabled on all stack members. Before using protected mode on a switch stack, consider the feature interactions.
Checking and Saving the Running Configuration
You can check the configuration settings you entered or changes you made by entering this privileged EXEC command:
Switch# show running-config
Building configuration...
Current configuration: 1363 bytes
!
version 12.
Modifying the Startup Configuration
These sections describe how to modify the switch startup configuration:
• Default Boot Configuration, page 3-18
• Automatically Downloading a Configuration File, page 3-18
• Booting Manually, page 3-19
• Booting a Specific Software Image, page 3-20
• Controlling Environment Variables, page 3-21
See also Appendix B, “Working with the Cisco IOS File System, Configu
Note This command only works properly from a standalone switch.
Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename:
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 boot config-file flash:/file-url: Specify the configuration file to load during the next boot cycle.
Step 4 show boot: Verify your entries.
The boot manual global command changes the setting of the MANUAL_BOOT environment variable. The next time you reboot the system, the switch is in boot loader mode, shown by the switch: prompt. To boot up the system, use the boot filesystem:/file-url boot loader command.
• For filesystem:, use flash: for the system board flash device.
Step 5 show boot: Verify your entries.
The boot system global command changes the setting of the BOOT environment variable. During the next boot cycle, the switch attempts to automatically boot up the system using information in the BOOT environment variable.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Table 3-4 describes the function of the most common environment variables.
Table 3-4 Environment Variables
Variable: BOOT
Boot Loader Command: set BOOT filesystem:/file-url ...
Cisco IOS Global Configuration Command: boot system {filesystem:/file-url ...| switch {number | all}}
Description: A semicolon-separated list of executable files to try to load and execute when automatically booting.
Scheduling a Reload of the Software Image
When the switch is connected to a PC through the internal Ethernet management port, you can download or upload a configuration file to the boot loader by using TFTP. Make sure the environment variables in Table 3-5 are configured.
Table 3-5 Environment Variables for TFTP
Variable: MAC_ADDR
Description: Specifies the MAC address of the switch. Note We recommend that you do not modify this variable.
Note Use the at keyword only if the switch system clock has been set (through Network Time Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured time zone on the switch. To schedule reloads across several switches to occur simultaneously, the time on each switch must be synchronized with NTP. The reload command halts the system.
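An added example (not from this guide) that ties the boot system procedure to a scheduled reload: point the stack at a new image, verify the BOOT variable, save, and then reload in a maintenance window rather than immediately. The image path is an assumption (the .xx in the file name is the guide's own placeholder), and the date and time are arbitrary.

```cisco
! Set the BOOT variable for every stack member. The path is assumed; the
! directory/file layout is what archive download-sw produces.
configure terminal
 boot system switch all flash:/cbs31x0-universal-mz.122-40.xx/cbs31x0-universal-mz.122-40.xx.bin
 end
show boot
!
! Save before reloading: reload discards unsaved running-config changes, and
! a saved startup-config is also what stops DHCP autoconfiguration from
! re-running after the reboot (see the Note earlier in this chapter).
copy running-config startup-config
!
! The at form is only meaningful if the clock is right, so look first. Then
! schedule, confirm what is pending, and keep the cancel command to hand.
show clock
reload at 02:00 15 apr
show reload
! reload cancel
```

If the clock is wrong the reload fires at the wrong time, which is one more reason to authenticate NTP as described in Chapter 6 before relying on scheduled reloads across several switches. Avoid boot manual on a production blade switch unless someone is on the console: it leaves the switch waiting at the switch: prompt, and whoever reaches the console from there chooses which image gets booted.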
Chapter 4 Configuring Cisco IOS CNS Agents
This chapter describes how to configure the Cisco IOS Cisco Network Services (CNS) agents on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete configuration information for the Cisco Configuration Engine, see this URL on Cisco.com http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/tsd_products_support_series_home.
Figure 4-1 Configuration Engine Architectural Overview (figure: a service provider network connected to the Configuration Engine, which contains the data service directory, configuration server, event service and web-based user interface, fed by order entry and configuration management)
These sections contain this conceptual information:
• Configuration Service, page 4-2
• Event Service, page 4-3
• What You Should Know About the CNS IDs and Device Hostnames, p
Event Service
The Configuration Engine uses the Event Service for receipt and generation of configuration events. The event agent is on the switch and facilitates the communication between the switch and the event gateway on the Configuration Engine. The Event Service is a highly capable publish-and-subscribe communication method.
DeviceID
Each configured switch participating on the event bus has a unique DeviceID, which is analogous to the switch source address so that the switch can be targeted as a specific destination on the bus. All switches configured with the cns config partial global configuration command must access the event bus.
Understanding Cisco IOS Agents
The CNS event agent feature allows the switch to publish and subscribe to events on the event bus and works with the Cisco IOS agent.
Incremental (Partial) Configuration
After the network is running, new services can be added by using the Cisco IOS agent. Incremental (partial) configurations can be sent to the switch. The actual configuration can be sent as an event payload by way of the event gateway (push operation) or as a signal event that triggers the switch to initiate a pull operation. The switch can check the syntax of the configuration before applying it.
Table 4-1 Prerequisites for Enabling Automatic Configuration (continued)
Device: DHCP server
Required Configuration:
• IP address assignment
• TFTP server IP address
• Path to bootstrap configuration file on the TFTP server
• Default gateway IP address
Device: TFTP server
Required Configuration:
• A bootstrap configuration file that includes the CNS configuration commands that enable the switch to communicate with the Con
Device: CNS Configuration Engine
Note
Beginning in privileged EXEC mode, follow these steps to enable the CNS event agent on the switch:
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 cns event {hostname | ip-address} [port-number] [backup] [failover-time seconds] [keepalive seconds retry-count] [reconnect time] [source ip-address]: Enable the event agent, and enter the gateway parameters.
Enabling the Cisco IOS CNS Agent
After enabling the CNS event agent, start the Cisco IOS CNS agent on the switch. You can enable the Cisco IOS agent with these commands:
• The cns config initial global configuration command enables the Cisco IOS agent and initiates an initial configuration on the switch.
Step 7 discover {controller controller-type | dlci [subinterface subinterface-number] | interface [interface-type] | line line-type}: Specify the interface parameters in the CNS connect profile.
• For controller controller-type, enter the controller type.
• For dlci, enter the active data-link connection identifiers (DLCIs).
Step 13 cns id interface num {dns-reverse | ipaddress | mac-address} [event] [image]: (Optional) Set the unique EventID or ConfigID used by the Configuration Engine.
• For interface num, enter the type of interface, for example, ethernet, group-async, loopback, or virtual-template. This setting specifies from which interface the IP or MAC address should be retrieved to define the unique ID.
Step 14 cns config initial {hostname | ip-address} [port-number] [event] [no-persist] [page page] [source ip-address] [syntax-check]: Enable the Cisco IOS agent, and initiate an initial configuration.
• For {hostname | ip-address}, enter the hostname or the IP address of the configuration server.
• (Optional) For port-number, enter the port number of the configuration server. The default port number is 80.
This example shows how to configure an initial configuration on a remote switch when the switch IP address is known. The Configuration Engine IP address is 172.28.129.22.
Switch(config)# cns template connect template-dhcp
Switch(config-tmpl-conn)# cli ip address dhcp
Switch(config-tmpl-conn)# exit
Switch(config)# cns template connect ip-route
Switch(config-tmpl-conn)# cli ip route 0.0.0.0 0.0.0.
Displaying CNS Configuration
You can use the privileged EXEC commands in Table 4-2 to display CNS configuration information.
Table 4-2 Displaying CNS Configuration
show cns config connections: Displays the status of the CNS Cisco IOS agent connections.
show cns config outstanding: Displays information about incremental (partial) CNS configurations that have started but are not yet completed.
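An added example, not from this guide, of the two agent commands whose syntax appears in Step 2 and Step 14 above, applied to the Configuration Engine address the guide uses (172.28.129.22). The event gateway port 11011, the keepalive values and the use of syntax-check are assumptions chosen to show the options rather than values the guide prescribes.

```cisco
configure terminal
 ! Event agent: connect to the event gateway on 172.28.129.22. Port 11011,
 ! a 120-second keepalive and 2 retries are assumed values.
 cns event 172.28.129.22 11011 keepalive 120 2
 !
 ! Cisco IOS agent: pull the initial configuration from the configuration
 ! server on the default port 80, publish the result on the event bus, and
 ! apply the configuration only if it parses cleanly.
 cns config initial 172.28.129.22 80 event syntax-check
 end
!
! Confirm the agent connections and whether any partial configuration is
! still in flight.
show cns config connections
show cns config outstanding
```

Note what syntax-check does and does not buy you: it rejects a configuration that does not parse, but it applies anything that does, and the default transport on port 80 is plain HTTP from a server the switch does not authenticate. Keep the Configuration Engine on a management network the switch reaches only through trusted paths, and treat the engine itself as a device that can rewrite every switch configured with cns config initial or cns config partial.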
Chapter 5 Managing Switch Stacks
This chapter provides the concepts and procedures to manage switch stacks.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
All stack members are eligible to be stack masters. If the stack master becomes unavailable, the remaining stack members elect a new stack master from among themselves. The switch with the highest stack member priority value becomes the new stack master. The system-level features supported on the stack master are supported on the entire switch stack.
– Switch Stack Management Connectivity, page 5-17
– Switch Stack Configuration Scenarios, page 5-19
Switch Stack Membership
A switch stack has up to nine stack members connected through their StackWise Plus ports. A switch stack always has one stack master. A standalone switch is a switch stack with one stack member that also operates as the stack master.
For more information about cabling and powering switch stacks, see the “Switch Installation” chapter in the hardware installation guide.
Figure 5-2 Creating a Switch Stack from Two Standalone Switches in the Same Enclosures (figure: two standalone blade switches in one enclosure, each stack member 1 of its own stack, become one stack in which one switch is stack member 1 and the other is stack member 2 and stack master)
Figure 5-3 Adding a Standalone Switch to a Switch Stack (figure: blade switches in Enclosure 1 and Enclosure 2, with stack member 1 as stack master, before and after a standalone switch joins as an additional stack member)
3. The switch that is not using the default interface-level configuration.
4. The switch with the higher priority feature set and software image combination.
Switch Stack Bridge ID and Router MAC Address
The bridge ID and router MAC address identify the switch stack in the network. When the switch stack initializes, the MAC address of the stack master determines the bridge ID and router MAC address. If the stack master changes, the MAC address of the new stack master determines the new bridge ID and router MAC address.
Stack Member Priority Values
A higher priority value for a stack member increases its likelihood of being elected stack master and retaining its stack member number. The priority value can be 1 to 15. The default priority value is 1. You can display the stack member priority value by using the show switch user EXEC command.
Note We recommend assigning the highest priority value to the switch that you prefer to be the stack master.
Effects of Adding a Provisioned Switch to a Switch Stack
When you add a provisioned switch to the switch stack, the stack applies either the provisioned configuration or the default configuration. Table 5-1 lists the events that occur when the switch stack compares the provisioned configuration with the provisioned switch.
Table 5-1 Results of Comparing the Provisioned Configuration with the Provisioned Switch (continued)
Scenario: The stack member number of the provisioned switch is not found in the provisioned configuration.
Result: The switch stack applies the default configuration to the provisioned switch and adds it to the stack.
All stack members use the SDM template configured on the stack master. Version-mismatch (VM) mode has priority over SDM-mismatch mode. If a VM-mode condition and an SDM-mismatch mode exist, the switch stack first attempts to resolve the VM-mode condition. You can use the show switch privileged EXEC command to see if any stack members are in SDM-mismatch mode.
switch stack image or with a tar file image from the switch stack flash memory. The software uses the automatic upgrade (auto-upgrade) and the automatic advise (auto-advise) features. For more information, see the “Understanding Auto-Upgrade and Auto-Advise” section on page 5-13. To see if there are switches in VM mode, use the show switch user EXEC command. The port LEDs on switches in VM mode stay off.
(including the switch in VM mode). If an appropriate image is not found in the stack flash file systems, the auto-advise process tells you to install new software on the switch stack. Auto-advise cannot be disabled, and there is no command to check its status. The auto-advise software does not give suggestions when the switch stack software and the software of the switch in VM mode do not contain the same feature sets.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Image Feature:IP|LAYER_3|PLUS|MIN_DRAM_MEG=128
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:Old image for switch 1:flash1:cbs31x0-universal-mz.122-40.xx
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW: Old image will be deleted after download.
*Mar 11 20:36:15.038:%IMAGEMGR-6-AUTO_COPY_SW:
*Mar 11 20:36:15.
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW: archive download-sw /force-reload /overwrite /dest 1 flash1:cbs31x0-universal-mz.122-40.xx.tar
*Mar 1 00:04:22.537:%IMAGEMGR-6-AUTO_ADVISE_SW:
For information about using the archive download-sw privileged EXEC command, see the “Working with Software Images” section on page B-23.
If a stack member fails and you replace it with an identical model, the replacement switch automatically uses the same interface-specific configuration as the failed switch. Hence, you do not need to reconfigure the interface settings. The replacement switch must have the same stack member number as the failed switch.
These sections provide switch stack connectivity information:
• Connectivity to the Switch Stack Through an IP Address, page 5-18
• Connectivity to the Switch Stack Through an SSH Session, page 5-18
• Connectivity to the Switch Stack Through Console Ports or Ethernet Management Ports, page 5-18
• Connectivity to Specific Stack Members, page 5-18
Connectivity to the Switch Stack Through an IP Address
The switch stack is managed through a
To debug a specific stack member, you can access it from the stack master by using the session stack-member-number privileged EXEC command. The stack member number is appended to the system prompt. For example, Switch-2# is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the stack master is Switch. Only the show and debug commands are available in a CLI session to a specific stack member.
Table 5-2 Switch Stack Configuration Scenarios (continued)
Scenario: Stack master election specifically determined by the cryptographic image. Assuming that all stack members have the same priority value: 1.
Result: The stack member with the cryptographic image and the IP base feature set is elected stack master.
Configuring the Switch Stack
These sections contain this configuration information:
• Default Switch Stack Configuration, page 5-21
• Configuration Guidelines, page 5-21
• Enabling Persistent MAC Address, page 5-22
• Assigning Stack Member Information, page 5-24
Default Switch Stack Configuration
Table 5-3 shows the default switch stack configuration.
Enabling Persistent MAC Address
The switch stack MAC address is determined by the MAC address of the stack master. When a stack master is removed from the stack and a new stack master takes over, the default is for the MAC address of the new stack master to immediately become the new stack MAC router address. However, you can enable the persistent MAC address feature to allow a time delay before the stack MAC address changes.
Beginning in privileged EXEC mode, follow these steps to enable persistent MAC address. This procedure is optional.
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 stack-mac persistent timer [0 | time-value]: Enable a time delay after a stack-master change before the stack MAC address changes to that of the new stack master.
Mac persistency wait time: 7 mins
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 0016.4727.
Setting the Stack Member Priority Value
Note This task is available only from the stack master.
Beginning in privileged EXEC mode, follow these steps to assign a priority value to a stack member. This procedure is optional.
Command / Purpose
Step 1 configure terminal: Enter global configuration mode.
Step 2 switch stack-member-number priority new-priority-number: Specify the stack member number and the new priority for the stack member.
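An added example, not from this guide, covering the two stack procedures above in one pass: make the intended master win every election by priority, and keep the stack bridge ID and router MAC stable across a master change. The member numbers, priority values and the 7-minute timer are assumptions chosen to illustrate the ranges the guide states (priority 1 to 15, default 1).

```cisco
! Run from the stack master (the priority task is only available there).
configure terminal
 ! Highest priority on the switch you want as master, the next value on the
 ! preferred standby, so that the election is deterministic rather than
 ! falling through to MAC address or image comparison.
 switch 1 priority 15
 switch 2 priority 14
 !
 ! After a master change, keep the old master's MAC as the stack bridge ID
 ! and router MAC for 7 minutes, so neighbours' ARP entries and spanning
 ! tree state stay valid while the failed switch is swapped. A value of 0
 ! keeps the old MAC indefinitely.
 stack-mac persistent timer 7
 end
!
! Verify the roles, priorities and the persistency timer, then save.
show switch
copy running-config startup-config
```

The trade-off with persistent MAC is the one the guide's Note about removed stack members hints at for IP addresses: if the former master is powered up elsewhere in the same network while the stack is still advertising its MAC, two devices now share one bridge ID and router MAC. Use a timer long enough to cover a physical swap, not 0, unless the old hardware is guaranteed never to return.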
Command / Purpose
Step 6 show switch stack-member-number: Verify the status of the provisioned switch. For stack-member-number, enter the same number as in Step 1.
Step 7 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove provisioned information and to avoid receiving an error message, remove the specified switch from the stack before you use the no form of this command.
Displaying Switch Stack Information
To display configuration changes that you save after you reset a specific stack member or the switch stack, use the privileged EXEC commands listed in Table 5-4.
Table 5-4 Commands for Displaying Switch Stack Information
show platform stack-manager all: Displays all switch stack information.
Chapter 6 Administering the Switch
This chapter describes how to perform one-time operations to administer the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Managing the System Time and Date
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally in Coordinated Universal Time (UTC), often loosely referred to as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time appears correctly for the local time zone.
Chapter 6 Administering the Switch Managing the System Time and Date Figure 6-1 shows a typical network example using NTP. Switch A is the NTP master, with the Switch E, Switch B, and Switch C configured in NTP server mode, in server association with Switch A. Switch D is configured as an NTP peer to the upstream and downstream switches, Switch E and the blade switch, respectively.
Chapter 6 Administering the Switch Managing the System Time and Date These sections contain this configuration information: • Default NTP Configuration, page 6-4 • Configuring NTP Authentication, page 6-4 • Configuring NTP Associations, page 6-5 • Configuring NTP Broadcast Service, page 6-6 • Configuring NTP Access Restrictions, page 6-8 • Configuring the Source IP Address for NTP Packets, page 6-10 • Displaying the NTP Configuration, page 6-11 Default NTP Configuration Table 6-1 shows the
Chapter 6 Administering the Switch Managing the System Time and Date Step 3 Command Purpose ntp authentication-key number md5 value Define the authentication keys. By default, none are defined. • For number, specify a key number. The range is 1 to 4294967295. • md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5). • For value, enter an arbitrary string of up to eight characters for the key.
Chapter 6 Administering the Switch Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ntp peer ip-address [version number] [key keyid] [source interface] [prefer] Configure the switch system clock to synchronize a peer or to be synchronized by a peer (peer association).
The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock.

Command / Purpose
Step 5 ntp broadcastdelay microseconds
(Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server. The default is 3000 microseconds; the range is 1 to 999999.
Step 6 end
Return to privileged EXEC mode.
Step 7 show running-config
Verify your entries.
Step 8 copy running-config startup-config
(Optional) Save your entries in the configuration file.

Command / Purpose
Step 3 access-list access-list-number permit source [source-wildcard]
Create the access list.
• For access-list-number, enter the number specified in Step 2.
• Enter the permit keyword to permit access if the conditions are matched.
• For source, enter the IP address of the device that is permitted access to the switch.
• (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.

Disabling NTP Services on a Specific Interface
NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface interface-id
Enter interface configuration mode, and specify the interface to disable.

Displaying the NTP Configuration
You can use two privileged EXEC commands to display NTP information:
• show ntp associations [detail]
• show ntp status
For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Displaying the Time and Date Configuration
To display the time and date configuration, use the show clock [detail] privileged EXEC command. The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes.

Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 clock summer-time zone recurring
Configure summer time to start and end on the specified days every year.
Chapter 6 Administering the Switch Configuring a System Name and Prompt

Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm
Configure summer time to start on the first date and end on the second date.

For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

To keep track of domain names, IP defines the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable DNS.
Chapter 6 Administering the Switch Creating a Banner

Command / Purpose
Step 5 end
Return to privileged EXEC mode.
Step 6 show running-config
Verify your entries.
Step 7 copy running-config startup-config
(Optional) Save your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.

Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the switch. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 banner motd c message c
Specify the message of the day.
Chapter 6 Administering the Switch Managing the MAC Address Table

Beginning in privileged EXEC mode, follow these steps to configure a login banner:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 banner login c message c
Specify the login message. For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.

• Removing Dynamic Address Entries, page 6-22
• Configuring MAC Address Notification Traps, page 6-22
• Adding and Removing Static Address Entries, page 6-24
• Configuring Unicast MAC Address Filtering, page 6-25
• Displaying Address Table Entries, page 6-26

Building the Address Table
With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers

receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses learned by the former stack member.

Default MAC Address Table Configuration
Table 6-3 shows the default MAC address table configuration.

Removing Dynamic Address Entries
To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode.

Command / Purpose
Step 5 mac address-table notification [interval value] | [history-size value]
Enter the trap interval time and the history table size.
• (Optional) For interval value, specify the notification trap interval in seconds between each set of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.

Adding and Removing Static Address Entries
A static address has these characteristics:
• It is manually entered in the address table and must be manually removed.
• It can be a unicast or multicast address.
• It does not age and is retained when the switch restarts.
You can add and remove static addresses and define the forwarding behavior for them.

This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified port:
Switch(config)# mac address-table static c2f3.220a.
Chapter 6 Administering the Switch Managing the ARP Table Command Purpose Step 4 show mac address-table static Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable unicast MAC address filtering, use the no mac address-table static mac-addr vlan vlan-id global configuration command.
Chapter 7 Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 7 Configuring Switch-Based Authentication Protecting Access to Privileged EXEC Commands • If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information. For more information, see the “Controlling Switch Access with TACACS+” section on page 7-10.
Setting or Changing a Static Enable Password
The enable password controls access to the privileged EXEC mode. Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 enable password password
Define a new password or change an existing password for access to privileged EXEC mode.

Note that enable password stores the password in a reversible form (type 7 when service password-encryption is on, otherwise cleartext), whereas enable secret stores an MD5 hash (type 5); if both are configured, the enable secret takes precedence, so prefer it.

Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 enable password [level level] {password | encryption-type encrypted-password}
Define a new password or change an existing password for access to privileged EXEC mode.

This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling Password Recovery
By default, any end user with physical access to the switch can recover from a lost password by interrupting the bootup process while the switch is powering on and then by entering a new password.
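The encrypted-password form above (encryption type 5, the "$1$salt$hash" string) is the FreeBSD md5crypt construction: a salted, 1000-round MD5 scheme with a custom base64 alphabet, and IOS itself generates a 4-character salt such as FaD0. The following is an added example written for this edit, not code from the Cisco guide or from Cisco IOS. It lets you produce a type-5 string off the switch, so the cleartext never has to be typed over a Telnet session, and verifies a stored hash the way the switch does. The password and salt values are constructed for illustration; before relying on the generator, compare its output for a known password and salt against a hash produced by one of your own devices.

```python
"""Cisco type 5 (`enable secret 5 ...`) hashes are FreeBSD md5crypt: "$1$<salt>$<22 chars>".

Added example (not from the Cisco guide). Passwords and salts below are constructed.
"""
import hashlib
import hmac
import os

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, n: int) -> bytes:
    """crypt(3)-style base64: n characters, least significant 6 bits first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD md5crypt; the salt is at most 8 bytes."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate digest once per 16 bytes of password length.
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    # One byte per bit of len(password): NUL for a 1 bit, password[0] for a 0 bit.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with the deliberately irregular schedule of the original.
    for i in range(1000):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    # 22 output characters over a permuted byte order.
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + salt + b"$" + out).decode()


def new_type5(password: str) -> str:
    """Random 4-character salt, the length IOS uses (e.g. "$1$FaD0$...")."""
    salt = bytes(ITOA64[b & 0x3F] for b in os.urandom(4))
    return md5crypt(password.encode(), salt)


def check_type5(password: str, hashed: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password.encode(), parts[2].encode()), hashed)


if __name__ == "__main__":
    h = new_type5("constructed-example-password")
    print("enable secret 5", h)            # paste this line into the configuration
    print("verifies:", check_type5("constructed-example-password", h))
```

Generating the string off-box also means the cleartext never lands in a terminal log or a copied running-config, and the same routine is what an auditor would use to test a stored type-5 hash against a weak-password list; 1000 rounds of MD5 is cheap on modern hardware, so treat type 5 as protection against casual disclosure rather than against a determined offline attack.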
Setting a Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.

Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 username name [privilege level] {password encryption-type password}
Enter the username, privilege level, and password for each user.

Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 privilege mode level level command
Set the privilege level for a command.

Changing the Default Privilege Level for Lines
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 line vty line
Select the virtual terminal line on which to restrict access.
Step 3 privilege level level
Change the default privilege level for the line.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with TACACS+ Controlling Switch Access with TACACS+ This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Figure 7-1 Typical TACACS+ Network Configuration (figure: two UNIX workstations acting as TACACS+ server 1 and TACACS+ server 2, a Catalyst 6500 series switch at 171.20.10.7, and the servers behind it)

Configure the blade switches with the TACACS+ server addresses. Set an authentication key (also configure the same key on the TACACS+ servers). Enable AAA. Create a login authentication method list. Apply the list to the terminal lines.

TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a password prompt.
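The "authentication key" shared between the switch and the TACACS+ daemon is what protects that exchange on the wire: every TACACS+ packet has a 12-byte cleartext header, and the body (including the username and password the user types) is XORed with an MD5 keystream derived from the key, the session ID, the version and the sequence number. Without a key the body travels in the clear with the unencrypted flag set. The following is an added example written for this edit, not code from the Cisco guide, from Cisco IOS or from any TACACS+ daemon; it frames an authentication START packet per RFC 8907 and shows what a wrong or missing key does. The session ID, username, port name and key are constructed values.

```python
"""TACACS+ (RFC 8907) framing and body obfuscation behind `tacacs-server key`.

Added example (not from the Cisco guide). Session ID, user, port and key are constructed.
"""
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12                      # version, type, seq_no, flags, session_id(4), length(4)


def pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no); MD5_n appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(b ^ p for b, p in zip(data, pad))


def build_packet(body: bytes, key: Optional[bytes], session_id: int, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Obfuscate the body under `key`; with no key, send it cleartext with the flag set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0
    if key:
        body = _xor(body, pseudo_pad(key, session_id, version, seq_no, len(body)))
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG   # what you get with no tacacs-server key
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + body


def parse_packet(packet: bytes, key: Optional[bytes]):
    """Return (header fields, de-obfuscated body). XOR with the same pad is its own inverse."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("obfuscated body but no key configured")
        body = _xor(body, pseudo_pad(key, session_id, version, seq_no, length))
    hdr = dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id)
    return hdr, body


def authen_start(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"", data: bytes = b"") -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def start_user(body: bytes) -> bytes:
    """Recover the user field from a parsed START body (user_len is byte 4)."""
    return body[8:8 + body[4]]


if __name__ == "__main__":
    body = authen_start(b"admin")
    wire = build_packet(body, b"t4c-key", 0x1234ABCD, 1)
    print("username visible on the wire:", b"admin" in wire)
    print("recovered with the right key:", start_user(parse_packet(wire, b"t4c-key")[1]))
```

The keystream is only as secret as the key, and the construction has no integrity check: a receiver that holds a wrong key simply decodes garbage and fails later parsing, which is why a key mismatch shows up as authentication failures rather than as an explicit error. Use a long random key and, where the platform allows, restrict which addresses may reach the daemon.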
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 7-16
• Starting TACACS+ Accounting, page 7-17

Default TACACS+ Configuration
TACACS+ and AAA are disabled by default. To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Command / Purpose
Step 6 end
Return to privileged EXEC mode.
Step 7 show tacacs
Verify your entries.
Step 8 copy running-config startup-config
(Optional) Save your entries in the configuration file.
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command.

Command / Purpose
Step 3 aaa authentication login {default | list-name} method1 [method2...]
Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

Note: To secure the switch for HTTP access by using AAA methods, you must configure the switch with the ip http authentication aaa global configuration command. Configuring AAA authentication alone does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.2.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS Starting TACACS+ Accounting The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.

Figure 7-2 Transitioning from RADIUS to TACACS+ Services (figure: a remote PC and a workstation reaching RADIUS servers R1 and R2 and TACACS+ servers T1 and T2)

RADIUS Operation
When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2.

A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails.

If two different host entries on the same RADIUS server are configured for the same service, for example, accounting, the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD message appears, and then the switch tries the second host entry configured on the same device for accounting services.

Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.
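The key given with radius-server host (rad1 in the example) is the RADIUS shared secret, and two things depend on it in the login exchange described above: the User-Password attribute in the Access-Request is hidden by XORing it with MD5(secret || Request-Authenticator), chained per 16-byte block, and the switch accepts an Access-Accept or Access-Reject only if its Response-Authenticator equals MD5(Code || ID || Length || Request-Authenticator || Attributes || secret). The following is an added example written for this edit, not code from the Cisco guide, from Cisco IOS or from any RADIUS server; it implements those two RFC 2865 mechanisms for a constructed username, password, secret and authenticator, including a password longer than one block.

```python
"""RADIUS (RFC 2865) Access-Request password hiding and Response-Authenticator check.

Added example (not from the Cisco guide). Secret, password and authenticator are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _avp(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = RA."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse; trailing NUL padding is stripped (passwords are not NUL-terminated)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                   req_auth: Optional[bytes] = None) -> bytes:
    """Code(1) ID(1) Length(2) Request-Authenticator(16) attributes."""
    req_auth = req_auth or os.urandom(16)      # must be unpredictable and unique per request
    attrs = _avp(ATTR_USER_NAME, user) + _avp(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the server sends back: same ID, authenticator bound to the request and the secret."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The client-side check the switch performs before trusting an Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet: bytes) -> dict:
    """Flatten the attribute list (last occurrence wins; enough for this example)."""
    attrs, i = {}, 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        attrs[t] = packet[i + 2:i + l]
        i += l
    return attrs
```

Two practical consequences follow from the construction: the password hiding is a stream cipher keyed by the secret and the per-request authenticator, so a predictable or reused Request-Authenticator leaks keystream, and a short or guessable secret can be brute-forced offline from a single captured exchange because the Response-Authenticator is a plain MD5 over known data plus the secret. Use long random secrets, a different one per server where you can, and keep RADIUS traffic on a management network.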
Command / Purpose
Step 3 aaa authentication login {default | list-name} method1 [method2...]
Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.

Command / Purpose
Step 8 copy running-config startup-config
(Optional) Save your entries in the configuration file.
Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 7-23.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

Command / Purpose
Step 3 aaa authorization exec radius
Configure the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
Step 4 end
Return to privileged EXEC mode.
Step 5 show running-config
Verify your entries.

Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the switch and all RADIUS servers:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Step 2 radius-server key string
Specify the shared secret text string used between the switch and all RADIUS servers.

For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment):
cisco-avpair="ip:addr-pool=first"
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair="shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cis

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
Chapter 7 Configuring Switch-Based Authentication Controlling Switch Access with Kerberos Controlling Switch Access with Kerberos This section describes how to enable and configure the Kerberos security system, which authenticates requests for network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption) versions of the switch software must be installed on your switch. You can download the cryptographic software image from www.ibm.com/support.
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5 to use the same Kerberos authentication database on the KDC that they are already using on their other network hosts (such as UNIX servers and PCs).

Table 7-2 Kerberos Terms (continued)
Term: KEYTAB (3)
Definition: A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos versions, the network service authenticates an encrypted service credential by using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as SRVTAB (4).
Term: Principal
Definition:

• The switch attempts to decrypt the TGT by using the password that the user entered.
• If the decryption is successful, the user is authenticated to the switch.
• If the decryption is not successful, the user repeats Step 2 either by re-entering the username and password (noting if Caps Lock or Num Lock is on or off) or by entering a different username and password.
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Local Authentication and Authorization To set up a Kerberos-authenticated server-client system, follow these steps: • Configure the KDC by using Kerberos commands. • Configure the switch to use the Kerberos protocol. For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL: http://www.cisco.
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Shell Command Purpose Step 8 show running-config Verify your entries. Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
This section consists of these topics:
• SSH Servers, Integrated Clients, and Supported Versions, page 7-38
• Limitations, page 7-38

Note: The SSH connection to the stack can be lost if a stack master running the cryptographic software image and the IP base or the IP services feature set fails and is replaced by a switch that is running a noncryptographic image and the same feature set.

Configuring SSH
This section has this configuration information:
• Configuration Guidelines, page 7-39
• Setting Up the Switch to Run SSH, page 7-39 (required)
• Configuring the SSH Server, page 7-40 (required only if you are configuring the switch as an SSH server)

Configuration Guidelines
Follow these guidelines when configuring the switch as an SSH server or SSH client:
• An RSA key pair generated by a SSHv

Command / Purpose
Step 3 ip domain-name domain_name
Configure a host domain for your switch.
Step 4 crypto key generate rsa
Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair. We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter a modulus length. (1024 bits is the floor this release documents; current practice is 2048 bits or larger, which you can request directly with crypto key generate rsa modulus 2048 where the image supports it.)
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Socket Layer HTTP

Command / Purpose
Step 4 line vty line_number [ending_line_number]
(Optional) Configure the virtual terminal line settings.
• Enter line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15.
• Specify that the switch prevent non-SSH Telnet connections. This limits the switch to only SSH connections.
cryptographic (encrypted) software image must be installed on your switch. You can download the cryptographic software image from www.ibm.com/support. For more information about the cryptographic image, see the release notes for this release.

If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
• If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated.

For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites because it does not offer 128-bit encryption (single DES uses a 56-bit key).

Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you configure an official CA trustpoint. A CA trustpoint is more secure than a self-signed certificate, because clients can validate the server certificate against a CA they already trust instead of having to accept it blindly. Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.

server. After you have configured the server, you can configure options (path, access list to apply, maximum number of connections, or timeout policy) that apply to both standard and secure HTTP servers.

Command / Purpose
Step 12 end
Return to privileged EXEC mode.
Step 13 show ip http server secure status
Display the status of the HTTP secure server to verify the configuration.
Step 14 copy running-config startup-config
(Optional) Save your entries in the configuration file.
Use the no ip http server global configuration command to disable the standard HTTP server.
Chapter 7 Configuring Switch-Based Authentication Configuring the Switch for Secure Copy Protocol

Displaying Secure HTTP Server and Client Status
To display the SSL secure server and client status, use the privileged EXEC commands in Table 7-4:

Table 7-4 Commands for Displaying the SSL Secure Server and Client Status
Command / Purpose
show ip http client secure status
Shows the HTTP secure client configuration.
show ip http server secure status
Shows the HTTP secure server configuration.
Chapter 8 Configuring SDM Templates

This chapter describes how to configure the Switch Database Management (SDM) templates on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 8 Configuring SDM Templates Understanding the SDM Templates

Table 8-1 lists the approximate numbers of each resource supported in each of the four templates.

Table 8-1 Approximate Number of Feature Resources Allowed by Each Template
Resource                              Access   Default   Routing   VLAN
Unicast MAC addresses                 4K       6K        3K        12K
IGMP groups and multicast routes      1K       1K        1K        1K
Unicast routes                        6K       8K        11K       0
• Directly connected hosts            4K       6K        3K        0
• Indirect routes                     2K       2K        8K        0
(next row truncated in source)        0.5K     0         0.

Table 8-2 defines the approximate feature resources allocated by each dual IPv4 and IPv6 template. Template estimations are based on a switch with 8 routed interfaces and 1024 VLANs.

Table 8-2 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates
Resource                   IPv4-and-IPv6 Default   IPv4-and-IPv6 Routing   IPv4-and-IPv6 VLAN
Unicast MAC addresses      2K                      1.
Chapter 8 Configuring SDM Templates Configuring the Switch SDM Template

2d23h:%SDM-6-MISMATCH_ADVISE:System (#2) is incompatible with the SDM
2d23h:%SDM-6-MISMATCH_ADVISE:template currently running on the stack and
2d23h:%SDM-6-MISMATCH_ADVISE:will not function unless the stack is
2d23h:%SDM-6-MISMATCH_ADVISE:downgraded.

Setting the SDM Template
Beginning in privileged EXEC mode, follow these steps to use the SDM template to maximize feature usage:
Command / Purpose
Step 1 configure terminal
Enter global configuration mode.
Chapter 8 Configuring SDM Templates Displaying the SDM Templates

On next reload, template will be "desktop vlan" template.
To return to the default template, use the no sdm prefer global configuration command.

This is an example of output from the show sdm prefer dual-ipv4-and-ipv6 routing command:
Switch# show sdm prefer dual-ipv4-and-ipv6 routing
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide, OL-12189-01
CH A P T E R 9 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • IEEE 802.1x Accounting, page 9-9 • IEEE 802.1x Accounting Attribute-Value Pairs, page 9-9 • Using IEEE 802.1x Authentication with VLAN Assignment, page 9-10 • Using IEEE 802.1x Authentication with Per-User ACLs, page 9-12 • Using IEEE 802.1x Authentication with Guest VLAN, page 9-13 • Using IEEE 802.1x Authentication with Restricted VLAN, page 9-14 • Using IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication If Multi Domain Authentication (MDA) is enabled on a port, this flow can be used with some exceptions that are applicable to voice authorization. For more information on MDA, see the “Using Multidomain Authentication” section on page 9-20. Figure 9-2 Authentication Flowchart Start IEEE 802.1x authentication process times out.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The Termination-Action RADIUS attribute (Attribute [29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication The specific exchange of EAP frames depends on the authentication method being used. Figure 9-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Figure 9-4 Message Exchange During MAC Authentication Bypass Client Authentication server (RADIUS) Switch EAPOL Request/Identity EAPOL Request/Identity EAPOL Request/Identity RADIUS Access/Request RADIUS Access/Accept 201762 Ethernet packet Ports in Authorized and Unauthorized States During IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. Figure 9-5 on page 9-9 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Voice device authentication is supported. When a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN. Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication (MDA)-enabled ports.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: – [64] Tunnel-Type = VLAN – [65] Tunnel-Medium-Type = 802 – [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6).
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication For examples of vendor-specific attributes, see the “Configuring the Switch to Use Vendor-Specific RADIUS Attributes” section on page 7-29. For more information about configuring ACLs, see Chapter 34, “Configuring Network Security with ACLs.” To configure per-user ACLs, you need to perform these tasks: • Enable AAA authentication.
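This example shows the switch-side configuration that the VLAN assignment and per-user ACL features described above depend on, together with the attribute list the RADIUS server must return for one user. It is added here as an illustration and is not taken from the guide; the server address, shared key, VLAN, port and user entries are assumed, and the ip:inacl# entries use the Cisco AV-pair form for per-user ACLs:

```cisco
! Added example, not from the guide. Assumed: RADIUS server 10.1.1.10, the
! shared key shown, data VLAN 20 named ENGINEERING, port gigabitethernet1/0/7.
aaa new-model
aaa authentication dot1x default group radius
! "network" authorization is what allows the switch to act on a VLAN or ACL
! returned in Access-Accept; without it the attributes are ignored.
aaa authorization network default group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key SharedSecretGoesHere
! Send and accept vendor-specific attributes (Cisco AV pairs) in authentication.
radius-server vsa send authentication
dot1x system-auth-control
!
! A VLAN referenced by name in Tunnel-Private-Group-ID must exist on the switch
! under exactly that name; referencing it by ID ("20") also works.
vlan 20
 name ENGINEERING
!
interface gigabitethernet1/0/7
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 ! Per-user ACLs are honoured only in single-host mode (the default, made explicit).
 dot1x host-mode single-host
!
! Attributes the RADIUS server returns in Access-Accept for this user. The user
! and the ACL entries are constructed for this example:
!   [64] Tunnel-Type             = VLAN (13)
!   [65] Tunnel-Medium-Type      = 802 (6)
!   [81] Tunnel-Private-Group-ID = "ENGINEERING"   (or "20")
!   [26] Vendor-Specific, Cisco-AVPair = "ip:inacl#10=permit tcp any host 10.1.1.20 eq 443"
!   [26] Vendor-Specific, Cisco-AVPair = "ip:inacl#20=permit udp any any eq domain"
!   [26] Vendor-Specific, Cisco-AVPair = "ip:inacl#30=deny ip any any"
```

After a client authenticates, show dot1x interface gigabitethernet1/0/7 details shows the VLAN the port was moved to, and show ip access-lists lists the ACL the switch built from the ip:inacl# pairs. If the server returns a VLAN name that does not exist on the switch, authorization fails and the port stays unauthorized, so keep the VLAN names on the server and the switch in step.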
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is configured, the port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted. Guest VLANs are supported on IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication After a port moves to the restricted VLAN, a simulated EAP success message is sent to the client. This prevents clients from indefinitely attempting authentication. Some clients (for example, devices running Windows XP) cannot implement DHCP without EAP success. Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Inaccessible authentication bypass interacts with these features: • Guest VLAN—Inaccessible authentication bypass is compatible with guest VLAN. When a guest VLAN is enabled on IEEE 802.1x
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic entries in the secure host table are cleared, including the entry for the client. Normal authentication then takes place. • If the port is administratively shut down, the port becomes unauthenticated, and all dynamic entries are removed from the secure host table.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication Network Admission Control Layer 2 IEEE 802.1x Validation The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks the antivirus condition or posture of endpoint systems or clients before granting the devices network access. With NAC Layer 2 IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Understanding IEEE 802.1x Port-Based Authentication • If more than one device attempts authorization on either the voice or the data domain of a port, the port is error-disabled. • Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication For example:
proxyacl# 10=permit ip any 10.0.0.0 255.0.0.0
proxyacl# 20=permit ip any 11.1.0.0 255.255.0.0
proxyacl# 30=permit udp any any eq syslog
proxyacl# 40=permit udp any any eq tftp
Note The proxyacl entry determines the type of allowed network access. For more information, see the “Configuring Web Authentication” section on page 9-42.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication • Configuring IEEE 802.1x Authentication with WoL, page 9-39 (optional) • Configuring MAC Authentication Bypass, page 9-40 (optional) • Configuring NAC Layer 2 IEEE 802.1x Validation, page 9-41 (optional) • Configuring Web Authentication, page 9-42 • Disabling IEEE 802.1x Authentication on the Port, page 9-44 (optional) • Resetting the IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Table 9-2 Default IEEE 802.1x Authentication Configuration (continued) Feature Default Setting Client timeout period 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication • The IEEE 802.1x protocol is supported on Layer 2 static-access ports, voice VLAN ports, and Layer 3 routed ports, but it is not supported on these port types: – Trunk port—If you try to enable IEEE 802.1x authentication on a trunk port, an error message appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). The amount to decrease the settings depends on the connected IEEE 802.1x client type. • When configuring the inaccessible authentication bypass feature, follow these guidelines: – The feature is supported on IEEE 802.1x ports in single-host mode and multiple-hosts mode.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 4 The switch sends a start message to an accounting server. Step 5 Re-authentication is performed, as necessary. Step 6 The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. Step 7 The user disconnects from the port. Step 8 The switch sends a stop message to the accounting server.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring the Switch-to-RADIUS-Server Communication RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation. Configuring the Host Mode Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an IEEE 802.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring Periodic Re-Authentication You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do not specify a time period before enabling re-authentication, the number of seconds between attempts is 3600.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Changing the Quiet Period When the switch cannot authenticate the client, the switch remains idle for a set period of time and then tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. A failed authentication of the client might occur because the client provided an invalid password.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 show dot1x interface interface-id Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration command.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Note You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers. Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x accounting after AAA is enabled on your switch. This procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the port to be configured, and enter interface configuration mode.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 5 Command Purpose dot1x guest-vlan vlan-id Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x guest VLAN. Step 6 end Return to privileged EXEC mode. Step 7 show dot1x interface interface-id Verify your entries.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 5 Command Purpose dot1x auth-fail vlan vlan-id Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an internal VLAN (routed port), an RSPAN VLAN, a primary private VLAN, or a voice VLAN as an IEEE 802.1x restricted VLAN. Step 6 end Return to privileged EXEC mode.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:
Switch(config-if)# dot1x auth-fail max-attempts 2
Configuring the Inaccessible Authentication Bypass Feature You can configure the inaccessible authentication bypass feature, also referred to as critical authentication or the AAA fail policy.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 4 Command Purpose radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string] (Optional) Configure the RADIUS server parameters by using these keywords: • acct-port udp-port—Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65535.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 6 interface interface-id Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the “IEEE 802.1x Authentication Configuration Guidelines” section on page 9-24.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Step 3 Command Purpose dot1x control-direction {both | in} Enable IEEE 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional. • both—Sets the port as bidirectional. Until the port is authorized, it cannot receive packets from or send packets to the host. By default, the port is bidirectional. • in—Sets the port as unidirectional.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring NAC Layer 2 IEEE 802.1x Validation You can configure NAC Layer 2 IEEE 802.1x validation, which is also referred to as IEEE 802.1x authentication with a RADIUS server. Beginning in privileged EXEC mode, follow these steps to configure NAC Layer 2 IEEE 802.1x validation. The procedure is optional. Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Configuring Web Authentication Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 aaa new-model Enable AAA.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 ip admission name rule proxy http Define a web authentication rule. Note The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Configuring IEEE 802.1x Authentication Command Purpose Step 9 dot1x port-control auto Enable IEEE 802.1x authentication on the interface. Step 10 dot1x fallback fallback-profile Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface.
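The procedures in this section each configure one piece of IEEE 802.1x. This example puts them together on one switch: the RADIUS server with the test-user probe that inaccessible authentication bypass relies on, accounting, timers, periodic re-authentication, guest, restricted and critical VLANs, MAC authentication bypass, and a second port that falls back to web authentication. It is added here as an illustration and is not part of the guide; the server address, shared key, VLAN IDs, ACL contents and port numbers are assumed.

```cisco
! Added example, not from the guide. Assumed: RADIUS server 10.1.1.10 with the
! shared key shown, data VLAN 20, guest VLAN 100, restricted VLAN 101, critical
! VLAN 102, and ports gigabitethernet1/0/5 and gigabitethernet1/0/6.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! start-stop accounting produces the start, interim-update and stop records.
aaa accounting dot1x default start-stop group radius
! Web authentication authenticates with "login" and authorizes with "auth-proxy".
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
!
! "test username" sends periodic probe requests, so a dead server is detected by
! the dead-criteria before a real client is left waiting (probe idle time in minutes).
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 test username radius-probe idle-time 5 key SharedSecretGoesHere
radius-server dead-criteria time 20 tries 3
dot1x system-auth-control
! When a dead server recovers, re-initialize ports that were put in the critical
! VLAN after this delay (milliseconds).
dot1x critical recovery delay 2000
!
! Pre-login ACL for web-authentication clients: DHCP and DNS only until they log in.
ip access-list extended WEBAUTH-PREAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
! Device tracking learns the client's IP address; the HTTP server serves the login page.
ip device tracking
ip http server
ip admission name WEBAUTH-RULE proxy http
fallback profile WEBAUTH-FALLBACK
 ip access-group WEBAUTH-PREAUTH in
 ip admission WEBAUTH-RULE
!
interface gigabitethernet1/0/5
 description 802.1x access port, one host
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode single-host
 ! Timers: 30 s quiet after a failure, EAP-Request/Identity every 10 s, and at
 ! most 2 restarts before the guest-VLAN decision (defaults: 60 s, 30 s, 2).
 dot1x timeout quiet-period 30
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Periodic re-authentication with the period taken from the RADIUS Session-Timeout
 ! attribute; Termination-Action = RADIUS-Request keeps the session up while it runs.
 dot1x reauthentication
 dot1x timeout reauth-period server
 ! Fallback VLANs: no supplicant seen -> guest; supplicant failed twice ->
 ! restricted; every RADIUS server dead -> critical.
 dot1x guest-vlan 100
 dot1x auth-fail vlan 101
 dot1x auth-fail max-attempts 2
 dot1x critical vlan 102
 ! Supplicant-less devices (printers, for example) authenticate by MAC address.
 dot1x mac-auth-bypass
!
interface gigabitethernet1/0/6
 description 802.1x access port with web-authentication fallback
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 dot1x port-control auto
 dot1x fallback WEBAUTH-FALLBACK
```

Check the result with show dot1x interface gigabitethernet1/0/5 details and show dot1x all. Two points worth keeping in mind when copying this: the guest, restricted and critical VLANs all give a device that has not proved its identity some network access, so they should be isolated VLANs with their own ACLs rather than the normal data VLAN; and the single-host mode shown is the one to keep on user ports, because in multiple-hosts mode one authorized client opens the port for every device behind it.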
Chapter 9 Configuring IEEE 802.1x Port-Based Authentication Displaying IEEE 802.1x Statistics and Status To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, which enables IEEE 802.1x on the port but does not allow clients connected to the port to be authorized, use the dot1x pae authenticator interface configuration command. This example shows how to disable IEEE 802.
CH A P T E R 10 Configuring Interface Characteristics This chapter defines the types of interfaces on the switch and describes how to configure them. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 10 Configuring Interface Characteristics Understanding Interface Types • 10-Gigabit Ethernet Interfaces, page 10-6 • Connecting Interfaces, page 10-6 Port-Based VLANs A VLAN is a switched network that is logically segmented by function, team, or application, without regard to the physical location of the users. For more information about VLANs, see Chapter 12, “Configuring VLANs.” Packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port.
Chapter 10 Configuring Interface Characteristics Understanding Interface Types Note When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information related to the affected interface might be lost, and the interface is returned to its default configuration. For detailed information about configuring access port and trunk port characteristics, see Chapter 12, “Configuring VLANs.” For more information about tunnel ports, see Chapter 16, “Configuring IEEE 802.
Chapter 10 Configuring Interface Characteristics Understanding Interface Types traffic is forwarded to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded to or from the port. For more information about trunk ports, see Chapter 12, “Configuring VLANs.” Tunnel Ports Tunnel ports are used in IEEE 802.
Chapter 10 Configuring Interface Characteristics Understanding Interface Types Switch Virtual Interfaces A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between VLANs, or to provide IP host connectivity to the switch.
Chapter 10 Configuring Interface Characteristics Understanding Interface Types EtherChannel by using the channel-group interface configuration command. For Layer 2 interfaces, use the channel-group interface configuration command to dynamically create the port-channel logical interface. This command binds the physical and logical ports together. For more information, see Chapter 37, “Configuring EtherChannels and Link-State Tracking.
Chapter 10 Configuring Interface Characteristics Using Interface Configuration Mode • Fallback bridging forwards traffic that the switch does not route or traffic belonging to a nonroutable protocol, such as DECnet. Fallback bridging connects multiple VLANs into one bridge domain by bridging between two or more SVIs or routed ports. When configuring fallback bridging, you assign SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group.
Chapter 10 Configuring Interface Characteristics Using Interface Configuration Mode You can identify physical interfaces by physically checking the interface location on the switch. You can also use the show privileged EXEC commands to display information about a specific interface or all the interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration procedures.
Chapter 10 Configuring Interface Characteristics Using Interface Configuration Mode Configuring a Range of Interfaces You can use the interface range global configuration command to configure multiple interfaces with the same configuration parameters. When you enter the interface-range configuration mode, all command parameters that you enter are attributed to all interfaces within that range until you exit this mode.
Chapter 10 Configuring Interface Characteristics Using Interface Configuration Mode • The interface range command only works with VLAN interfaces that have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used with the interface range command.
Chapter 10 Configuring Interface Characteristics Using Interface Configuration Mode Use the no define interface-range macro_name global configuration command to delete a macro.
Chapter 10 Configuring Interface Characteristics Using the Internal Ethernet Management Port Using the Internal Ethernet Management Port This section has this information: • Understanding the Internal Ethernet Management Port, page 10-12 • Supported Features on the Ethernet Management Port, page 10-13 • Layer 3 Routing Configuration Guidelines, page 10-14 • Monitoring the Ethernet Management Port, page 10-14 Understanding the Internal Ethernet Management Port The internal Ethernet management port
Chapter 10 Configuring Interface Characteristics Using the Internal Ethernet Management Port Figure 10-3 Connecting a Switch Stack to a PC (figure: Enclosure 1 and Enclosure 2, each with Blade switch 1 and Blade switch 2; stack members 1 through 7; the Advanced Management Module (AMM); and a PC) Note All of
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces
• TFTP
• Secure Shell (SSH)
• DHCP-based autoconfiguration
• SNMP (only the ENTITY-MIB and the IF-MIB)
• IP ping
• Interface features
– Speed—100 Mb/s (nonconfigurable)
– Duplex mode—Full (nonconfigurable)
– Loopback detection
• IPv4 and IPv6 access control lists (ACLs)
Caution Before enabling a feature on the Ethernet management port, make sure that the feature is supported.
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Default Ethernet Interface Configuration Table 10-1 shows the Ethernet interface default configuration, including some features that apply only to Layer 2 interfaces. For more details on the VLAN parameters listed in the table, see Chapter 12, “Configuring VLANs.” For details on controlling traffic to the port, see Chapter 25, “Configuring Port-Based Traffic Control.
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Table 10-1 Default Layer 2 Ethernet Interface Configuration (continued) Feature Default Setting Port Fast Disabled. See the “Default Optional Spanning-Tree Configuration” section on page 19-12. Auto-MDIX Note Enabled. Configuring Interface Speed and Duplex Mode Ethernet interfaces on the switch operate at 10, 100, 1000, or 10,000 Mb/s and in either full- or half-duplex mode.
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces Setting the Interface Speed and Duplex Parameters Beginning in privileged EXEC mode, follow these steps to set the speed and duplex mode for a physical interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Specify the physical interface to be configured, and enter interface configuration mode.
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces This example shows how to set the interface speed to 100 Mb/s on an external 10/100/1000 Mb/s port:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/17
Switch(config-if)# speed 100
Configuring IEEE 802.3x Flow Control Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end.
Chapter 10 Configuring Interface Characteristics Configuring Ethernet Interfaces
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end
Configuring Auto-MDIX on an Interface When automatic medium-dependent interface crossover (auto-MDIX) is enabled on an interface, the interface automatically detects the required cable connection type (straight through or crossover) and configures the connection appropriately.
Chapter 10 Configuring Interface Characteristics Configuring Layer 3 Interfaces
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Adding a Description for an Interface You can add a description about an interface to help you remember its function. The description appears in the output of these privileged EXEC commands: show configuration, show running-config, and show interfaces.
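The interface range and range-macro commands described earlier in this chapter and the speed, duplex, flow control, auto-MDIX and description settings above are usually applied together to groups of ports rather than one port at a time. This example does that; it is added here as an illustration and is not taken from the guide. Which ports are uplinks, access ports or unused on a given switch module is assumed, as are the VLAN interfaces:

```cisco
! Added example, not from the guide. Assumed: gigabitethernet1/0/15 - 17 are
! external uplink ports, 1/0/1 - 8 are in-use access ports, 1/0/9 - 14 are unused;
! VLAN interfaces 20 and 30 already exist. Adjust the ranges to your chassis.
!
! Named range macros can be reused instead of retyping the port list each time.
define interface-range UPLINKS gigabitethernet1/0/15 - 17
define interface-range UNUSED gigabitethernet1/0/9 - 14
!
! Uplinks: fixed speed and duplex on both ends so that a peer with a fixed
! setting cannot drop the link into half duplex; honour pause frames received
! (the switch can receive flow-control frames but does not send them).
interface range macro UPLINKS
 description Uplink to core (fixed 1000/full)
 speed 1000
 duplex full
 flowcontrol receive on
 no shutdown
!
! Ad hoc range without a macro: access ports stay on autonegotiation with
! auto-MDIX, so either cable type works.
interface range gigabitethernet1/0/1 - 8
 speed auto
 duplex auto
 mdix auto
!
! Unused ports: labelled and administratively down until they are needed.
interface range macro UNUSED
 description UNUSED - shutdown
 shutdown
!
! VLAN interfaces can be ranged only if they were created with "interface vlan"
! first; a comma-separated list avoids naming SVIs that do not exist.
interface range vlan 20 , vlan 30
 description Ranged SVI description
```

show interfaces status lists the resulting speed, duplex and VLAN of every port; show running-config interface gigabitethernet1/0/17 confirms the commands the range applied to a single port. Commands typed in interface-range mode are applied to every port in the range until you leave the mode, so check the range before pasting.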
Chapter 10 Configuring Interface Characteristics Configuring Layer 3 Interfaces • Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport interface configuration command. • Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports. EtherChannel port interfaces are described in Chapter 37, “Configuring EtherChannels and Link-State Tracking.” A Layer 3 switch can have an IP address assigned to each routed port and SVI.
Chapter 10 Configuring Interface Characteristics Configuring the System MTU Step 7 Command Purpose show interfaces [interface-id] Verify the configuration. show ip interface [interface-id] show running-config interface [interface-id] Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To remove an IP address from an interface, use the no ip address interface configuration command.
Chapter 10 Configuring Interface Characteristics Configuring the System MTU The upper limit of the system routing MTU value is based on the switch or switch stack configuration and refers to either the currently applied system MTU or the system jumbo MTU value. For more information about setting the MTU sizes, see the system mtu global configuration command in the command reference for this release.
Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Monitoring and Maintaining the Interfaces These sections contain interface monitoring and maintenance information: • Monitoring Interface Status, page 10-24 • Clearing and Resetting Interfaces and Counters, page 10-25 • Shutting Down and Restarting the Interface, page 10-25 Monitoring Interface Status Commands entered at the privileged EXEC prompt display information about the interface, including the version
Chapter 10 Configuring Interface Characteristics Monitoring and Maintaining the Interfaces Clearing and Resetting Interfaces and Counters Table 10-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset interfaces. Table 10-4 Clear Commands for Interfaces Command Purpose clear counters [interface-id] Clear interface counters. clear interface interface-id Reset the hardware logic on an interface.
CH A P T E R 11 Configuring Smartports Macros This chapter describes how to configure and apply Smartports macros on the switch. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros Table 11-1 Cisco-Default Smartports Macros (continued) Macro Name Description cisco-phone Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros Smartports Macro Configuration Guidelines Follow these guidelines when configuring macros on your switch: • When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode. • When creating a macro, all CLI commands should be in the same configuration mode.
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros Follow these guidelines when you apply a Cisco-default Smartports macro on an interface: • Display all macros on the switch by using the show parser macro user EXEC command. Display the contents of a specific macro by using the show parser macro macro-name user EXEC command. • Keywords that begin with $ mean that a unique parameter value is required.
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros Applying Smartports Macros Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Apply each individual command defined in the macro to the switch by entering macro global apply macro-name.
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros This example shows how to apply the user-created macro called snmp, to set the hostname address to test-server, and to set the IP precedence value to 7: Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7 This example shows how to debug the user-created macro called snmp by using the macro global trace global configuration command to find any syntax or configuration errors in the macro when it is applied to the switch
Chapter 11 Configuring Smartports Macros Configuring Smartports Macros Step 7 Command Purpose macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}] Append the Cisco-default macro with the required values by using the parameter value keywords, and apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is required. You can use the macro apply macro-name ? command to display a list of any required values in the macro.
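The two guidelines above (no exit, end or interface commands inside a macro; every $keyword needs a value) can be checked before a macro is ever pushed to a switch. The following is an added example, not code from the Cisco guide: the macro bodies, the parameter names and the snmp-server lines are constructed for illustration, and only the $keyword convention and the mode-change rule come from the text.

```python
"""Added example, not code from the Cisco guide: a checker that applies the
Smartports macro guidelines to a macro body before it is pushed to a switch.
The macro texts and parameter names below are constructed for illustration;
only the $keyword convention and the exit/end/interface rule come from the guide."""
import re

# Lines that change the parser mode and so must not appear inside a macro.
MODE_CHANGING = re.compile(r"^\s*(exit|end|interface\s+\S+)\s*$")
# A parameter keyword is $ followed by an identifier, e.g. $ADDRESS.
KEYWORD = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def required_parameters(macro_text):
    """Return the set of $keywords in the macro; each needs a unique value
    (the CLI shows the same list with 'macro apply macro-name ?')."""
    return set(KEYWORD.findall(macro_text))


def check_macro(macro_text):
    """Return the guideline violations found in the macro (empty list if none)."""
    problems = []
    for lineno, line in enumerate(macro_text.splitlines(), start=1):
        if MODE_CHANGING.match(line):
            problems.append(f"line {lineno}: '{line.strip()}' changes the command mode")
    return problems


def missing_parameters(macro_text, values):
    """$keywords that have no value in the supplied parameter mapping."""
    return required_parameters(macro_text) - set(values)


def expand_macro(macro_text, **values):
    """Substitute every $keyword; refuse to apply a macro that would run
    commands in the wrong mode or that lacks a required value."""
    problems = check_macro(macro_text)
    if problems:
        raise ValueError("; ".join(problems))
    missing = missing_parameters(macro_text, values)
    if missing:
        raise ValueError("missing values for: " + ", ".join(sorted(missing)))
    return KEYWORD.sub(lambda m: str(values[m.group(1)]), macro_text)


# Constructed macro in the spirit of the user-created 'snmp' macro in the text.
SNMP_MACRO = """\
#macro keywords $ADDRESS $VALUE
snmp-server host $ADDRESS
snmp-server ip precedence $VALUE
"""

# Constructed macro that breaks the guideline by leaving interface mode.
BAD_MACRO = """\
switchport mode access
exit
interface GigabitEthernet1/0/2
"""

if __name__ == "__main__":
    print(expand_macro(SNMP_MACRO, ADDRESS="test-server", VALUE=7))
    for problem in check_macro(BAD_MACRO):
        print(problem)
```

The checker is deliberately strict: a macro that changes mode is rejected outright rather than expanded, because the guide's point is that the commands after exit, end or interface would silently land in a different mode on the switch.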
Displaying Smartports Macros

To display the Smartports macros, use one or more of the privileged EXEC commands in Table 11-2.

Table 11-2 Commands for Displaying Smartports Macros

Command: show parser macro
Purpose: Displays all configured macros.

Command: show parser macro name macro-name
Purpose: Displays a specific macro.

Command: show parser macro brief
Purpose: Displays the configured macro names.
Chapter 12 Configuring VLANs

This chapter describes how to configure normal-range VLANs (VLAN IDs 1 to 1005) and extended-range VLANs (VLAN IDs 1006 to 4094) on the switch. It includes information about VLAN membership modes, VLAN configuration modes, VLAN trunks, and dynamic VLAN assignment from a VLAN Membership Policy Server (VMPS). Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding VLANs

Figure 12-1 shows an example of VLANs segmented into logically defined networks.

[Figure 12-1 VLANs as Logically Defined Networks: an Engineering VLAN, a Marketing VLAN, and an Accounting VLAN spanning Enclosure 1, Enclosure 2, and Enclosure 3, connected over Gigabit Ethernet to a Cisco router]

VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN.

Although the switch or switch stack supports a total of 1005 (normal range and extended range) VLANs, the number of routed ports, SVIs, and other configured features affects the use of the switch hardware. The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.

Configuring Normal-Range VLANs

Table 12-1 Port Membership Modes and Characteristics (continued)

Membership mode: Dynamic access
VLAN membership characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a blade switch. The switch is a VMPS client.
VTP characteristics: VTP is required.

Caution: You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you want to modify the VLAN configuration, use the commands described in these sections and in the command reference for this release. To change the VTP configuration, see Chapter 13, "Configuring VTP."

You use the interface configuration mode to define the port membership mode and to add and remove ports from VLANs.

Token Ring VLANs

Although the switch does not support Token Ring connections, a remote device such as a Catalyst 5000 series switch with Token Ring connections could be managed from one of the supported switches.

VLAN Configuration Mode Options

You can configure normal-range VLANs (with VLAN IDs 1 to 1005) by using these two configuration modes:
• VLAN Configuration in config-vlan Mode, page 12-7. You access config-vlan mode by entering the vlan vlan-id global configuration command.
• VLAN Configuration in VLAN Database Configuration Mode, page 12-7. You access VLAN database configuration mode by entering the vlan database privileged EXEC command.

When you save VLAN and VTP information (including extended-range VLAN configuration information) in the startup configuration file and reboot the switch, the switch configuration is selected as follows:
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and

Creating or Modifying an Ethernet VLAN

Each Ethernet VLAN in the VLAN database has a unique, 4-digit ID that can be a number from 1 to 1001. VLAN IDs 1002 to 1005 are reserved for Token Ring and FDDI VLANs. To create a normal-range VLAN to be added to the VLAN database, assign a number and name to the VLAN.

Note: When the switch is in VTP transparent mode, you can assign VLAN IDs in the extended range (1006 to 4094), but they are not added to the VLAN database.

You can also create or modify Ethernet VLANs by using the VLAN database configuration mode.

Note: VLAN database configuration mode does not support RSPAN VLAN configuration or extended-range VLANs.

Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to create or modify an Ethernet VLAN:

Step 1  vlan database
        Enter VLAN database configuration mode.

Caution: When you delete a VLAN, any ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

Beginning in privileged EXEC mode, follow these steps to delete a VLAN on the switch:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  no vlan vlan-id
        Remove the VLAN by entering the VLAN ID.

To return an interface to its default configuration, use the default interface interface-id global configuration command.

This example shows how to configure a port as an access port in VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Configuring Extended-Range VLANs

Extended-Range VLAN Configuration Guidelines

Follow these guidelines when creating extended-range VLANs:
• To add an extended-range VLAN, you must use the vlan vlan-id global configuration command and access config-vlan mode. You cannot add extended-range VLANs in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command).

Creating an Extended-Range VLAN

You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses the config-vlan mode. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 12-2), and the MTU size, private VLAN, and RSPAN configuration are the only parameters you can change.

This example shows how to create a new extended-range VLAN with all default characteristics, enter config-vlan mode, and save the new VLAN in the switch startup configuration file:
Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config

Creating an Extended-Range VLAN with an Internal VLAN ID

If you enter an extended-range VLAN ID that is already assigned to an internal

Displaying VLANs

Use the show vlan privileged EXEC command to display a list of all VLANs on the switch, including extended-range VLANs. The display includes VLAN status, ports, and configuration information. To view normal-range VLANs in the VLAN database (1 to 1005), use the show command in VLAN database configuration mode (accessed by entering the vlan database privileged EXEC command). Table 12-3 lists the commands for monitoring VLANs.

Configuring VLAN Trunks

Figure 12-2 shows a network of switches that are connected by ISL trunks.

[Figure 12-2 Switches in an ISL Trunking Environment: a Catalyst 6500 series switch connected by ISL trunks to blade switches, with VLAN1, VLAN2, and VLAN3 present on each]

Figure 12-3 shows a network of switches that are connected by IEEE 802.1Q trunks.

Figure 12-3 Switches in an IEEE 802.

Ethernet trunk interfaces support different trunking modes (see Table 12-4). You can set an interface as trunking or nontrunking or to negotiate trunking with the neighboring interface. To autonegotiate trunking, the interfaces must be in the same VTP domain. Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol.

Encapsulation Types

Table 12-5 lists the Ethernet trunk encapsulation types and keywords.

Table 12-5 Ethernet Trunk Encapsulation Types

Encapsulation: switchport trunk encapsulation isl
Function: Specifies ISL encapsulation on the trunk link.

Encapsulation: switchport trunk encapsulation dot1q
Function: Specifies IEEE 802.1Q encapsulation on the trunk link.

Default Layer 2 Ethernet Interface VLAN Configuration

Table 12-6 shows the default Layer 2 Ethernet interface VLAN configuration.

  – STP Port Fast setting.
  – Trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.
• We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk ports in MST mode.
• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not changed.

To return an interface to its default configuration, use the default interface interface-id global configuration command. To reset all trunking characteristics of a trunking interface to the defaults, use the no switchport trunk interface configuration command. To disable trunking, use the switchport mode access interface configuration command to configure the port as a static-access port.

This example shows how to configure a port as an IEEE 802.

Step 4  switchport trunk allowed vlan {add | all | except | remove} vlan-list
        (Optional) Configure the list of VLANs allowed on the trunk. For explanations about using the add, all, except, and remove keywords, see the command reference for this release. The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lower one first, separated by a hyphen.

Step 5  show interfaces interface-id switchport
        Verify your entries in the Pruning VLANs Enabled field of the display.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default pruning-eligible list of all VLANs, use the no switchport trunk pruning vlan interface configuration command.
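Because the allowed-VLAN commands in Step 4 are applied cumulatively (add and remove modify the current list, all and except rebuild it, and a bare list replaces it), the VLANs a trunk actually carries are only visible after folding every such line in order. The following is an added example, not code from the Cisco guide: it parses the vlan-list syntax described in Step 4 (single IDs or low-high ranges, 1 to 4094) and computes the resulting set for a constructed interface configuration. The none keyword and the all-VLANs default are taken from IOS behaviour, not from this page.

```python
"""Added example, not code from the Cisco guide: compute the VLANs a trunk
carries from a sequence of 'switchport trunk allowed vlan' commands, applying
the add/all/except/remove keywords. The interface configuration below is
constructed for illustration."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """Parse a vlan-list: comma-separated single IDs or 'low-high' ranges.
    Raises ValueError for IDs outside 1-4094 or a range written high-low."""
    vlans = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in vlan-list")
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"range {item}: lower VLAN must come first")
        else:
            low = high = int(item)
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"{item}: VLAN IDs must be between 1 and 4094")
        vlans.update(range(low, high + 1))
    return vlans


def is_valid_vlan_list(text):
    """True if the text is a well-formed vlan-list."""
    try:
        parse_vlan_list(text)
    except ValueError:
        return False
    return True


def apply_allowed_vlan(current, argument):
    """Apply one 'switchport trunk allowed vlan <argument>' to the current set.
    ('none' is also accepted by IOS; it is not listed in the step above.)"""
    keyword, _, rest = argument.partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    return parse_vlan_list(argument)      # bare list: replaces the current list


ALLOWED_RE = re.compile(r"^\s*switchport trunk allowed vlan\s+(.+?)\s*$")


def allowed_vlans(interface_config):
    """Fold the allowed-VLAN commands of one interface, in order, into a set.
    A trunk with no such command allows all VLANs (the IOS default)."""
    allowed = set(ALL_VLANS)
    for line in interface_config.splitlines():
        m = ALLOWED_RE.match(line)
        if m:
            allowed = apply_allowed_vlan(allowed, m.group(1))
    return allowed


# Constructed interface configuration, not taken from the guide.
TRUNK_CONFIG = """\
interface GigabitEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-32
 switchport trunk allowed vlan add 100
 switchport trunk allowed vlan remove 31
"""

if __name__ == "__main__":
    print(sorted(allowed_vlans(TRUNK_CONFIG)))
```

Run against a saved running-config, allowed_vlans is a quick way to confirm that a trunk carries only the VLANs you intended before comparing it with the Trunking VLANs Enabled field of show interfaces interface-id switchport.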
You configure load sharing on trunk ports by using STP port priorities or STP path costs. For load sharing using STP port priorities, both load-sharing links must be connected to the same switch. For load sharing using STP path costs, each load-sharing link can be connected to the same switch or to two different switches. For more information about STP, see Chapter 17, "Configuring STP.

Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 12-4.

Step 1  configure terminal
        Enter global configuration mode on Switch A.
Step 2  vtp domain domain-name
        Configure a VTP administrative domain. The domain name can be 1 to 32 characters.
Step 3  vtp mode server
        Configure Switch A as the VTP server.
Step 4  end
        Return to privileged EXEC mode.

Load Sharing Using STP Path Cost

You can configure parallel trunks to share VLAN traffic by setting different path costs on a trunk and associating the path costs with different sets of VLANs, blocking different ports for different VLANs. The VLANs keep the traffic separate and maintain redundancy in the event of a lost link. In Figure 12-5, Trunk ports 1 and 2 are configured as 100BASE-T ports.

Step 12  spanning-tree vlan 2-4 cost 30
         Set the spanning-tree path cost to 30 for VLANs 2 through 4.
Step 13  exit
         Return to global configuration mode.
Step 14  Repeat Steps 9 through 13 on the other configured trunk interface on Switch A, and set the spanning-tree path cost to 30 for VLANs 8, 9, and 10.
Step 15  exit
         Return to privileged EXEC mode.
Step 16  show running-config
         Verify your entries.

Configuring VMPS

If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:
• If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.
• If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.

Default VMPS Client Configuration

Table 12-7 shows the default VMPS and dynamic-access port configuration on client switches.

Entering the IP Address of the VMPS

You must first enter the IP address of the server to configure the switch as a client. Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:

Step 1  configure terminal
        Enter global configuration mode.
Step 2  vmps server ipaddress primary
        Enter the IP address of the switch acting as the primary VMPS server.

To return an interface to its default configuration, use the default interface interface-id global configuration command. To return an interface to its default switchport mode (dynamic auto), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.

To return the switch to its default setting, use the no vmps retry global configuration command.

Monitoring the VMPS

You can display information about the VMPS by using the show vmps privileged EXEC command. The switch displays this information about the VMPS:
• VMPS VQP Version: the version of VQP used to communicate with the VMPS. The switch queries the VMPS that is using VQP Version 1.

VMPS Configuration Example

Figure 12-6 shows a network with a VMPS server switch and VMPS client switches with dynamic-access ports. In this example, these assumptions apply:
• The VMPS server and the VMPS client are separate switches.
• The Catalyst 6500 series Switch A is the primary VMPS server.
• The Catalyst 6500 series Switch C and Switch J are secondary VMPS servers.
• End stations are connected to the clients, Switch B and Switch I.
Chapter 13 Configuring VTP

This chapter describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database for managing VLANs with the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding VTP

The switch supports 1005 VLANs, but the number of routed ports, SVIs, and other configured features affects the usage of the switch hardware. If the switch is notified by VTP of a new VLAN and the switch is already using the maximum available hardware resources, it sends a message that there are not enough hardware resources available and shuts down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a suspended state.

For domain name and password configuration guidelines, see the "VTP Configuration Guidelines" section on page 13-8.

VTP Modes

You can configure a supported switch or switch stack to be in one of the VTP modes listed in Table 13-1.

Table 13-1 VTP Modes

VTP mode: VTP server
Description: In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain.

VTP advertisements distribute this global domain information:
• VTP domain name
• VTP configuration revision number
• Update identity and update timestamp
• MD5 digest of the VLAN configuration, including the maximum transmission unit (MTU) size for each VLAN
• Frame format

VTP advertisements distribute this VLAN information for each configured VLAN:
• VLAN IDs (ISL and IEEE 802.

VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are included in the pruning-eligible list. Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured as pruning-ineligible, the flooding continues. VTP pruning is supported with VTP Version 1 and Version 2. Figure 13-1 shows a switched network without VTP pruning enabled.

Configuring VTP

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). See the "Enabling VTP Pruning" section on page 13-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible.

Default VTP Configuration

Table 13-2 shows the default VTP configuration.

Table 13-2 Default VTP Configuration

Feature: VTP domain name
Default setting: Null.

Feature: VTP mode
Default setting: Server.

Feature: VTP version
Default setting: Version 1 (Version 2 is disabled).

Feature: VTP password
Default setting: None.

Feature: VTP pruning
Default setting: Disabled.

VTP Configuration Options

You can configure VTP by using these configuration modes.

VTP Configuration in VLAN Database Configuration Mode

You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release.

VTP Version

Follow these guidelines when deciding which VTP version to implement:
• All switches in a VTP domain must run the same VTP version.
• A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default).
• Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version-2-capable.

Step 4  vtp password password
        (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters. If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show vtp status
        Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:
Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration.

Use the no vtp mode global configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password global configuration command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.

Note: You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the "Configuring a VTP Server" section on page 13-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode.

Enabling VTP Pruning

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode. Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:

Step 1  configure terminal
        Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:

Step 1  show vtp status
        Check the VTP configuration revision number. If the number is 0, add the switch to the VTP domain. If the number is greater than 0, follow these steps:
        a. Write down the domain name.
        b. Write down the configuration revision number.
        c.
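The reason Step 1 insists on a revision number of 0 is visible when the advertisement fields listed under "Understanding VTP" are put together: a switch in the same domain with the same password and a higher configuration revision number replaces the VLAN database of every server and client that hears it, even if its own VLAN list is nearly empty. The following is an added example, not code from the Cisco guide: it models that acceptance rule with constructed switches, domain name and VLANs, and its digest function is a simplified stand-in for the real MD5 digest (an assumption; the real digest covers a specific advertisement layout together with the password).

```python
"""Added example, not code from the Cisco guide: a model of how a switch in a
VTP domain decides whether an advertisement replaces its VLAN database, using
the advertisement fields listed in 'Understanding VTP' (domain name,
configuration revision number, MD5 digest, VLAN list). The switches, domain
and VLANs are constructed for illustration."""
import hashlib


def config_digest(password, vlans):
    """Simplified stand-in for the VTP MD5 digest (assumption, not the real
    layout): MD5 over the domain password and the VLAN list it summarises."""
    summary = ",".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(f"{password or ''}|{summary}".encode()).hexdigest()


class VtpSwitch:
    """One switch in a VTP domain; mode is 'server', 'client' or 'transparent'."""

    def __init__(self, name, domain, mode="server", password=None, revision=0, vlans=None):
        self.name = name
        self.domain = domain
        self.mode = mode
        self.password = password
        self.revision = revision
        self.vlans = dict(vlans) if vlans else {1: "default"}

    def create_vlan(self, vid, name):
        """Only a server may change VLANs; each change bumps the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VTP {self.mode} cannot change VLANs")
        self.vlans[vid] = name
        self.revision += 1

    def advertisement(self):
        """What this switch sends on its trunk ports."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": config_digest(self.password, self.vlans),
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Return True if the advertisement replaced this switch's VLAN database."""
        if self.mode == "transparent":
            return False            # transparent switches forward but never apply
        if adv["domain"] != self.domain:
            return False            # another management domain
        if config_digest(self.password, adv["vlans"]) != adv["digest"]:
            return False            # password mismatch: the domain does not function
        if adv["revision"] <= self.revision:
            return False            # stale or equal revision is ignored
        self.vlans = dict(adv["vlans"])   # higher revision wins, whoever sends it
        self.revision = adv["revision"]
        return True


def safe_to_add(switch):
    """Step 1 of the procedure: only a revision number of 0 is safe to add."""
    return switch.revision == 0


def scenario(lab_revision):
    """A production server hears a lab switch that joins the same domain with
    the same password but only the default VLAN. Returns (applied, VLAN IDs
    left on the production server)."""
    prod = VtpSwitch("prod", "eng_group", password="mypassword", revision=5,
                     vlans={1: "default", 10: "servers", 20: "users"})
    lab = VtpSwitch("lab", "eng_group", password="mypassword", revision=lab_revision,
                    vlans={1: "default"})
    applied = prod.receive(lab.advertisement())
    return applied, sorted(prod.vlans)


if __name__ == "__main__":
    print(scenario(12))   # the stale lab switch wipes VLANs 10 and 20
    print(scenario(0))    # a switch reset to revision 0 is ignored
```

The password check protects only against switches that do not know the domain password; it does nothing against a decommissioned switch that still carries the right password and a high revision number, which is exactly the case the show vtp status check above is meant to catch.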
Monitoring VTP

You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch. Table 13-3 shows the privileged EXEC commands for monitoring VTP activity.

Table 13-3 VTP Monitoring Commands

Command: show vtp status
Purpose: Display the VTP switch configuration information.
Chapter 14 Configuring Voice VLAN

This chapter describes how to configure the voice VLAN feature on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding Voice VLAN

Figure 14-1 shows one way to connect a Cisco 7960 IP Phone.

[Figure 14-1 Cisco 7960 IP Phone Connected to a Switch: the phone's internal 3-port switch connects port P1 to the switch access port, port P2 to the phone ASIC, and port P3 to the PC]

Cisco IP Phone Voice Traffic

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.

Configuring Voice VLAN

Note: Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.

• If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the same IP subnet. These conditions indicate that they are in the same VLAN:
  – They both use IEEE 802.1p or untagged frames.
  – The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.
  – The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.
  – The Cisco IP Phone uses IEEE 802.

Configuring Cisco IP Phone Voice Traffic

You can configure a port connected to the Cisco IP Phone to send CDP packets to the phone to configure the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give voice traffic a higher priority and forward all voice traffic through the native (access) VLAN.

This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
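The three frame formats the text distinguishes (802.1Q-tagged for a voice VLAN, 802.1p priority-tagged, and untagged) differ only in the 4-byte tag after the source MAC address, and "VLAN 0" in the example above is the priority-tagged case: the tag is present so the CoS bits can be carried, but its VLAN ID field is 0, so the switch forwards the frame in the access port's native VLAN. The following is an added example, not code from the Cisco guide, that builds and decodes those tags; the MAC addresses, payload and VLAN numbers are constructed, and the rule that a frame tagged with some other VLAN ID is dropped by the access port is an assumption of this model.

```python
"""Added example, not code from the Cisco guide: build and decode the IEEE
802.1Q tag for tagged (voice VLAN), 802.1p priority-tagged (VLAN ID 0) and
untagged frames, then decide which VLAN an access port with a voice VLAN
forwards each in. Addresses, payload and VLAN numbers are constructed."""
import struct

TPID_DOT1Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, cos=0):
    """Ethernet II frame (no FCS). A tag is inserted when vlan_id is given;
    vlan_id=0 produces an 802.1p priority-tagged frame."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    header = dst + src
    if vlan_id is not None:
        if not 0 <= cos <= 7 or not 0 <= vlan_id <= 4094:
            raise ValueError("CoS must be 0-7 and VLAN ID 0-4094")
        tci = (cos << 13) | vlan_id             # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_DOT1Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify_frame(frame):
    """Decode the tag, if any: returns (kind, vlan_id, cos)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_DOT1Q:
        return ("untagged", None, None)
    (tci,) = struct.unpack("!H", frame[14:16])
    cos, vid = tci >> 13, tci & 0x0FFF
    if vid == 0:
        return ("priority-tagged", None, cos)   # 802.1p: CoS carried, no VLAN
    return ("tagged", vid, cos)


def place_frame(frame, access_vlan, voice_vlan):
    """VLAN the access port forwards the frame in, or None if it is dropped."""
    kind, vid, _cos = classify_frame(frame)
    if kind in ("untagged", "priority-tagged"):
        return access_vlan                      # native VLAN of the access port
    if vid in (voice_vlan, access_vlan):
        return vid
    return None                                 # assumption: other tags are dropped


# Constructed addresses and payload (a zeroed 20-byte placeholder for IPv4).
PHONE_MAC = bytes.fromhex("0011223344aa")
PC_MAC = bytes.fromhex("0011223344bb")
SWITCH_MAC = bytes.fromhex("000c29000001")
PAYLOAD = bytes(20)

if __name__ == "__main__":
    voice = build_frame(SWITCH_MAC, PHONE_MAC, PAYLOAD, vlan_id=100, cos=5)
    prio = build_frame(SWITCH_MAC, PHONE_MAC, PAYLOAD, vlan_id=0, cos=5)
    data = build_frame(SWITCH_MAC, PC_MAC, PAYLOAD)
    for frame in (voice, prio, data):
        print(classify_frame(frame), "->", place_frame(frame, access_vlan=10, voice_vlan=100))
```

Looking at the raw bytes makes the two tagged cases easy to tell apart in a capture: both start the tag with 0x8100, but the priority-tagged frame has the low 12 bits of the next two bytes set to zero, which is why the guide can describe it as travelling in the native VLAN while still carrying a CoS value.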
Step 3  switchport priority extend {cos value | trust}
        Set the priority of data traffic received from the Cisco IP Phone access port:
        • cos value: Configure the phone to override the priority received from the PC or the attached device with the specified CoS value. The value is a number from 0 to 7, with 7 as the highest priority. The default priority is cos 0.
Chapter 15 Configuring Private VLANs

This chapter describes how to configure private VLANs on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

Understanding Private VLANs

[Figure 15-1 Private-VLAN Domain: one primary VLAN containing two subdomains, a secondary isolated VLAN and a secondary community VLAN]

There are two types of secondary VLANs:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

Primary and secondary VLANs have these characteristics:
• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN—A private VLAN has only one isolated VLAN.

Private VLANs across Multiple Switches

As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B. See Figure 15-2.

You should also see the "Secondary and Primary VLAN Configuration" section on page 15-7 under the "Private-VLAN Configuration Guidelines" section.

Private VLANs and Unicast, Broadcast, and Multicast Traffic

In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level.
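The rules above (promiscuous ports reach the secondary VLANs mapped to them, community ports reach each other and their promiscuous ports, isolated ports reach only promiscuous ports, and isolation holds across a trunk) are easier to reason about as a reachability function than as prose. The following is an added example, not code from the Cisco guide: a Layer 2 reachability model with constructed switch, port and VLAN names, including the check that a primary VLAN has at most one isolated VLAN.

```python
"""Added example, not code from the Cisco guide: a Layer 2 reachability model
for private-VLAN rules (promiscuous, isolated and community ports; one
primary VLAN; secondary VLANs). Switch, port and VLAN names are constructed;
two switches appear only to show that isolation holds across a trunk."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    switch: str
    role: str                                   # isolated, community or promiscuous
    primary: int                                # the single primary VLAN of the domain
    secondary: Optional[int] = None             # host ports: their secondary VLAN
    mapped: FrozenSet[int] = frozenset()        # promiscuous ports: mapped secondaries


def can_forward(src, dst):
    """True if a frame from src can reach dst at Layer 2 under private-VLAN rules."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.role == PROMISCUOUS and dst.role == PROMISCUOUS:
        return True                              # promiscuous ports talk to each other
    if src.role == PROMISCUOUS:
        return dst.secondary in src.mapped       # downstream only to mapped secondaries
    if dst.role == PROMISCUOUS:
        return src.secondary in dst.mapped       # host ports reach their promiscuous port
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.secondary == dst.secondary    # same community, on any switch
    return False                                 # isolated ports never reach host ports


def reachable(port, ports):
    """Names of the ports a given port can reach, computed with can_forward."""
    return {p.name for p in ports if can_forward(port, p)}


def domain_problems(primary, secondaries):
    """Apply the association rules: a secondary VLAN cannot also be the primary,
    and a primary VLAN has at most one isolated VLAN."""
    problems = []
    if primary in secondaries:
        problems.append(f"VLAN {primary} cannot be both primary and secondary")
    isolated = [vid for vid, kind in secondaries.items() if kind == ISOLATED]
    if len(isolated) > 1:
        problems.append(f"only one isolated VLAN allowed, got {sorted(isolated)}")
    return problems


# Constructed private-VLAN domain: primary 100, isolated 101, communities 102 and 103.
PORTS = [
    PvlanPort("P1", "A", PROMISCUOUS, 100, mapped=frozenset({101, 102})),
    PvlanPort("I1", "A", ISOLATED, 100, secondary=101),
    PvlanPort("I2", "B", ISOLATED, 100, secondary=101),
    PvlanPort("C1", "A", COMMUNITY, 100, secondary=102),
    PvlanPort("C2", "B", COMMUNITY, 100, secondary=102),
    PvlanPort("C3", "B", COMMUNITY, 100, secondary=103),  # community not mapped to P1
]

if __name__ == "__main__":
    for port in PORTS:
        print(port.name, "->", sorted(reachable(port, PORTS)))
```

Port C3 is the case worth noticing: it is a valid community port in the domain, but because its secondary VLAN is not mapped on the promiscuous port it cannot reach the gateway at all, which is the private-VLAN equivalent of a missing switchport private-vlan mapping entry.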
Chapter 15 Configuring Private VLANs Configuring Private VLANs • If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Private-VLAN Configuration Guidelines Guidelines for configuring private VLANs fall into these categories: • Secondary and Primary VLAN Configuration, page 15-7 • Private-VLAN Port Configuration, page 15-8 • Limitations with Other Features, page 15-9 Secondary and Primary VLAN Configuration Follow these guidelines when configuring private VLANs: • Set VTP to transparent mode.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Connecting a device with a different MAC address but with the same IP address generates a message, and the ARP entry is not created. You must manually remove private-VLAN port ARP entries if a MAC address changes. – You can remove a private-VLAN ARP entry by using the no arp ip-address global configuration command. – You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type global configuration command.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Limitations with Other Features When configuring private VLANs, remember these limitations with other features: Note In some cases, the configuration is accepted with no error messages, but the commands have no effect. • Do not configure fallback bridging on switches with private VLANs. • When IGMP snooping is enabled on the switch (the default), the switch or switch stack supports no more than 20 private-VLAN domains.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Configuring and Associating VLANs in a Private VLAN Beginning in privileged EXEC mode, follow these steps to configure a private VLAN: Note The private-vlan commands do not take effect until you exit VLAN configuration mode. Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 vtp mode transparent Set VTP mode to transparent (disable VTP).
Chapter 15 Configuring Private VLANs Configuring Private VLANs When you associate secondary VLANs with a primary VLAN, note this syntax information: • The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs. • The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
Chapter 15 Configuring Private VLANs Configuring Private VLANs Command Purpose Step 3 switchport mode private-vlan host Configure the Layer 2 port as a private-VLAN host port. Step 4 switchport private-vlan host-association primary_vlan_id secondary_vlan_id Associate the Layer 2 port with a private VLAN. Step 5 end Return to privileged EXEC mode. Step 6 show interfaces [interface-id] switchport Verify the configuration.
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
Step 1 configure terminal: Enter global configuration mode.
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
Note: Isolated and community VLANs are both secondary VLANs.
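A complete private-VLAN configuration that ties the preceding steps together: VLAN creation and association, isolated and community host ports, a promiscuous port, the SVI mapping, and a static ARP entry. This is an added example, not configuration from the guide; the VLAN IDs, interface names, and IP and MAC addresses are placeholders chosen for illustration.

```cisco
! Added example: primary VLAN 20 with one isolated (501) and one community (502) secondary VLAN.
! VLAN IDs, interface names and addresses are placeholders, not values from the guide.
configure terminal
 vtp mode transparent
!
! Create the secondary VLANs first, then the primary and its association.
! The private-vlan commands only take effect when VLAN configuration mode is exited.
 vlan 501
  private-vlan isolated
 exit
 vlan 502
  private-vlan community
 exit
 vlan 20
  private-vlan primary
  private-vlan association 501,502
 exit
!
! Isolated host ports: blade servers that must not reach each other at Layer 2,
! only the promiscuous port.
 interface range gigabitethernet1/0/1 - 2
  switchport mode private-vlan host
  switchport private-vlan host-association 20 501
 exit
!
! Community host port: members of VLAN 502 reach each other and the promiscuous port.
 interface gigabitethernet1/0/3
  switchport mode private-vlan host
  switchport private-vlan host-association 20 502
 exit
!
! Promiscuous port toward the gateway or firewall; it is mapped to both secondary VLANs.
 interface gigabitethernet1/0/17
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 20 501,502
 exit
!
! Optional inter-VLAN routing: SVI on the primary VLAN, mapped to the secondary VLANs.
 interface vlan 20
  ip address 10.1.20.1 255.255.255.0
  private-vlan mapping 501,502
 exit
!
! Static private-VLAN ARP entry for a server; if its MAC address changes, the entry
! must be removed by hand (no arp 10.1.20.50) and re-added.
 arp 10.1.20.50 0000.0c12.3456 arpa
end
!
! Verify the VLAN roles, the port modes and the associations.
show vlan private-vlan
show interfaces gigabitethernet1/0/1 switchport
show interfaces gigabitethernet1/0/17 switchport
```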
Monitoring Private VLANs
Table 15-1 shows the privileged EXEC commands for monitoring private-VLAN activity.
Table 15-1 Private VLAN Monitoring Commands
show interfaces status: Display the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]: Display the private-VLAN information for the switch.
show interface switchport: Display the private-VLAN configuration on interfaces.
CHAPTER 16 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling
Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the same security, prioritization, reliability, and manageability requirements as private networks.
Customer traffic tagged in the normal way with appropriate VLAN IDs comes from an IEEE 802.1Q trunk port on the customer device and into a tunnel port on the service-provider edge switch. The link between the customer device and the edge switch is asymmetric because one end is configured as an IEEE 802.1Q trunk port, and the other end is configured as a tunnel port.
Figure: Original (Normal), IEEE 802.1Q, and Double-Tagged Ethernet Packet Formats. The figure compares three frame layouts: the original Ethernet frame (DA, SA, Len/Etype, Data, FCS); the IEEE 802.1Q frame, which inserts an EtherType and a tag after the source address (DA, SA, Etype, Tag, Len/Etype, Data, FCS); and the double-tagged frame, which carries two EtherType/tag pairs (DA, SA, Etype, Tag, Etype, Tag, Len/Etype, Data, FCS). DA is the destination address, SA the source address, and FCS the frame check sequence.
Configuring IEEE 802.1Q Tunneling
These sections contain this configuration information:
• Default IEEE 802.1Q Tunneling Configuration, page 16-4
• IEEE 802.1Q Tunneling Configuration Guidelines, page 16-4
• IEEE 802.1Q Tunneling and Other Features, page 16-6
• Configuring an IEEE 802.1Q Tunneling Port, page 16-6
Default IEEE 802.1Q Tunneling Configuration
By default, IEEE 802.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be IEEE 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an IEEE 802.
IEEE 802.1Q Tunneling and Other Features
Although IEEE 802.1Q tunneling works well for Layer 2 packet switching, there are incompatibilities between some Layer 2 features and Layer 3 switching.
• A tunnel port cannot be a routed port.
• IP routing is not supported on a VLAN that includes IEEE 802.1Q ports. Packets received from a tunnel port are forwarded based only on Layer 2 information.
Step 5 exit: Return to global configuration mode.
Step 6 vlan dot1q tag native: (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.
as normal packets. Layer 2 protocol data units (PDUs) for CDP, STP, or VTP cross the service-provider network and are delivered to customer switches on the outbound side of the service-provider network.
For example, in Figure 16-6, Customer A has two switches in the same VLAN that are connected through the SP network. When the network tunnels PDUs, switches on the far ends of the network can negotiate the automatic creation of EtherChannels without needing dedicated lines. See the “Configuring Layer 2 Tunneling for EtherChannels” section on page 16-14 for instructions.
See Figure 16-4, with Customer X and Customer Y in access VLANs 30 and 40, respectively. Asymmetric links connect the customers in Site 1 to edge switches in the service-provider network. The Layer 2 PDUs (for example, BPDUs) coming into Switch B from Customer Y in Site 1 are forwarded to the infrastructure as double-tagged packets with the well-known MAC address as the destination MAC address.
Layer 2 Protocol Tunneling Configuration Guidelines
These are some configuration guidelines and operating characteristics of Layer 2 protocol tunneling:
• The switch supports tunneling of CDP, STP (including multiple STP [MSTP]), and VTP. Protocol tunneling is disabled by default but can be enabled for the individual protocols on IEEE 802.1Q tunnel ports or access ports.
Configuring Layer 2 Protocol Tunneling
Beginning in privileged EXEC mode, follow these steps to configure a port for Layer 2 protocol tunneling:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode, and enter the interface to be configured as a tunnel port.
Use the no l2protocol-tunnel [cdp | stp | vtp] interface configuration command to disable protocol tunneling for one of the Layer 2 protocols or for all three. Use the no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] and the no l2protocol-tunnel drop-threshold [cdp | stp | vtp] commands to return the shutdown and drop thresholds to the default settings.
Step 5 l2protocol-tunnel shutdown-threshold [point-to-point [pagp | lacp | udld]] value: (Optional) Configure the threshold for packets per second accepted for encapsulation. The interface is disabled if the configured threshold is exceeded. If no protocol option is specified, the threshold applies to each of the tunneled Layer 2 protocol types. The range is 1 to 4096.
Configuring the Customer Switch
After configuring the SP edge switch, begin in privileged EXEC mode and follow these steps to configure a customer switch for Layer 2 protocol tunneling for EtherChannels:
Step 1 configure terminal: Enter global configuration mode.
Step 2 interface interface-id: Enter interface configuration mode. This should be the customer switch port.
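The following puts the IEEE 802.1Q tunneling and Layer 2 protocol tunneling procedures above together for one service-provider edge switch and one customer switch, including the native-VLAN tagging, the drop and shutdown thresholds that keep a customer from flooding the core with control traffic, and the point-to-point tunneling that lets the customer's EtherChannel form across the provider network. It is an added example, not configuration from the guide; interface names, VLAN IDs and threshold values are placeholders.

```cisco
! Added example: service-provider edge switch. Customer X enters on gi1/0/15 and is carried
! in metro VLAN 30; Customer Y enters on gi1/0/16 in metro VLAN 40.
! Interface names, VLAN IDs and thresholds are placeholders, not values from the guide.
configure terminal
! The extra 4-byte metro tag needs a larger system MTU.
 system mtu 1504
! Tag the native VLAN on every trunk, so a customer VLAN that happens to equal the
! native VLAN cannot leave the trunk untagged and reach the wrong destination.
 vlan dot1q tag native
!
 interface gigabitethernet1/0/15
  switchport access vlan 30
  switchport mode dot1q-tunnel
  ! Carry the customer's CDP, STP and VTP PDUs across the core...
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  ! ...but rate-limit them: above 200 pps extra PDUs are dropped, above 1000 pps the
  ! port is error-disabled. Without a protocol keyword each threshold applies to all
  ! tunneled protocols; the drop threshold must not exceed the shutdown threshold.
  l2protocol-tunnel drop-threshold 200
  l2protocol-tunnel shutdown-threshold 1000
  ! Let PAgP, LACP and UDLD cross the provider network so the customer's two sites
  ! can negotiate an EtherChannel with each other.
  l2protocol-tunnel point-to-point pagp
  l2protocol-tunnel point-to-point lacp
  l2protocol-tunnel point-to-point udld
  ! The edge switch itself must not take part in the customer's protocols on this port.
  no cdp enable
  spanning-tree bpdufilter enable
 exit
!
 interface gigabitethernet1/0/16
  switchport access vlan 40
  switchport mode dot1q-tunnel
  l2protocol-tunnel cdp
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
  l2protocol-tunnel drop-threshold 200
  l2protocol-tunnel shutdown-threshold 1000
  no cdp enable
  spanning-tree bpdufilter enable
 exit
!
! Trunk toward the provider core: carries only the metro VLANs.
 interface gigabitethernet1/0/19
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 30,40
 exit
end
show dot1q-tunnel
show l2protocol-tunnel summary
show vlan dot1q tag native
!
! ---------------------------------------------------------------------------
! Customer switch (the trunk end of the asymmetric link). Its uplink is an ordinary
! IEEE 802.1Q trunk that joins an EtherChannel with the remote site through the tunnel.
configure terminal
 interface gigabitethernet0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  udld port
  channel-group 1 mode desirable
 exit
! Bounce the port channel so PAgP renegotiates through the tunnel.
 interface port-channel 1
  shutdown
  no shutdown
end
show etherchannel summary
```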
Monitoring and Maintaining Tunneling Status
Table 16-2 shows the privileged EXEC commands for monitoring and maintaining IEEE 802.1Q and Layer 2 protocol tunneling.
Table 16-2 Commands for Monitoring and Maintaining Tunneling
clear l2protocol-tunnel counters: Clear the protocol counters on Layer 2 protocol tunneling ports.
show dot1q-tunnel: Display IEEE 802.
CHAPTER 17 Configuring STP
This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol, based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol, based on the IEEE 802.1w standard. A switch stack appears as a single spanning-tree node to the rest of the network, and all stack members use the same bridge ID.
• Supported Spanning-Tree Instances, page 17-10
• Spanning-Tree Interoperability and Backward Compatibility, page 17-11
• STP and IEEE 802.1Q Trunks, page 17-11
• VLAN-Bridge Spanning Tree, page 17-11 (only the Catalyst Switch Module 3110)
• Spanning Tree and Switch Stacks, page 17-12 (only the Catalyst Switch Module 3110)
For configuration information, see the “Configuring Spanning-Tree Features” section on page 17-12.
Spanning-Tree Topology and BPDUs
The stable, active spanning-tree topology of a switched network is controlled by these elements:
• The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
• The spanning-tree path cost to the root switch.
Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 17-1.
• The shortest distance to the root switch is calculated for each switch based on the path cost.
• A designated switch for each LAN segment is selected.
The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID.
• From learning to forwarding or to disabled
• From forwarding to disabled
Figure 17-2 illustrates how an interface moves through the states.
• Does not learn addresses
• Receives BPDUs
Listening State
The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.
How a Switch or Port Becomes the Root Switch or Root Port
If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 17-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address.
Figure 17-4 Spanning Tree and Redundant Connectivity (active and blocked links between the switches and the blade servers)
You can also create redundant links between switches by using EtherChannel groups. For more information, see Chapter 37, “Configuring EtherChannels and Link-State Tracking.”
Spanning-Tree Address Management
IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to be used by different bridge protocols.
Spanning-Tree Modes and Protocols
The switch supports these spanning-tree modes and protocols:
• PVST+—This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.
Spanning-Tree Interoperability and Backward Compatibility
Table 17-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.
VLAN spanning trees to prevent loops from forming if there are multiple connections among VLANs. It also prevents the individual spanning trees of the bridged VLANs from collapsing into a single spanning tree. To support VLAN-bridge spanning tree, some of the spanning-tree timers are increased. To use the fallback bridging feature, you must have the IP services feature set enabled on your switch.
• Configuring the Switch Priority of a VLAN, page 17-21 (optional)
• Configuring Spanning-Tree Timers, page 17-22 (optional)
Default Spanning-Tree Configuration
Table 17-3 shows the default spanning-tree configuration.
Table 17-3 Default Spanning-Tree Configuration
Enable state: Enabled on VLAN 1. For more information, see the “Supported Spanning-Tree Instances” section on page 17-10.
Spanning-tree mode: PVST+.
Caution: Switches that are not running spanning tree still forward the BPDUs that they receive, so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree.
Changing the Spanning-Tree Mode
The switch supports three spanning-tree modes: PVST+, rapid PVST+, and MSTP. By default, the switch runs the PVST+ protocol. Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Disabling Spanning Tree
Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the “Supported Spanning-Tree Instances” section on page 17-10. Disable spanning tree only if you are sure there are no loops in the network topology.
Note: The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.
Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network).
Configuring a Secondary Root Switch
When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
Note: If your switch is a member of a switch stack, you must use the spanning-tree [vlan vlan-id] cost cost interface configuration command instead of the spanning-tree [vlan vlan-id] port-priority priority interface configuration command to select an interface to put in the forwarding state. Assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the “Configuring Trunk Ports for Load Sharing” section on page 12-24.
Configuring Path Cost
The spanning-tree path cost default value is derived from the media speed of an interface.
Note: The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.
To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command.
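A worked configuration for the root-switch and path-cost procedures above: a distribution switch made primary root for one VLAN and secondary root for another, with path cost (not port priority, which a stack member cannot use for this purpose) deciding which of two uplinks forwards. This is an added example, not configuration from the guide; the VLAN IDs, diameter, cost values and interface names are placeholders.

```cisco
! Added example: deterministic root placement on a distribution switch.
! VLAN IDs, diameter, costs and interface names are placeholders, not values from the guide.
configure terminal
! Primary root for VLAN 10. The diameter keyword (here 4 switch hops end to end) also
! lets the switch derive hello, forward-delay and max-age timers that fit that size.
 spanning-tree vlan 10 root primary diameter 4
!
! Secondary root for VLAN 20: priority drops from 32768 to 28672, so this switch takes
! over only if the primary root (priority 24576 or lower) disappears, while ordinary
! switches left at 32768 never win.
 spanning-tree vlan 20 root secondary
!
! Two uplinks toward the root. On a switch stack, steer the forwarding choice with
! cost: the lower-cost interface becomes the root port, the other one blocks.
 interface gigabitethernet1/0/19
  spanning-tree vlan 10 cost 10
 exit
 interface gigabitethernet1/0/20
  spanning-tree vlan 10 cost 20
 exit
end
!
! Confirm the bridge priority for each VLAN and which uplink is Root (FWD) versus Altn (BLK).
show spanning-tree vlan 10
show spanning-tree vlan 20 root
show spanning-tree interface gigabitethernet1/0/19
```

If the uplink is down, show spanning-tree interface prints nothing for it; use show running-config interface gigabitethernet1/0/19 to confirm the configured cost instead.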
Configuring Spanning-Tree Timers
Table 17-4 describes the timers that affect the entire spanning-tree performance.
Table 17-4 Spanning-Tree Timers
Hello timer: Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer: Controls how long each of the listening and learning states lasts before the interface begins forwarding.
Configuring the Forwarding-Delay Time for a VLAN
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for a VLAN. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 spanning-tree vlan vlan-id forward-time seconds: Configure the forward time of a VLAN.
Configuring the Transmit Hold-Count
You can configure the BPDU burst size by changing the transmit hold count value.
Note: Changing this parameter to a higher value can have a significant impact on CPU utilization, especially in Rapid-PVST mode. Lowering this value can slow down convergence in certain scenarios. We recommend that you maintain the default setting.
CHAPTER 18 Configuring MSTP
This chapter describes how to configure the Cisco implementation of the IEEE 802.1s Multiple STP (MSTP) on the switch.
Note: The multiple spanning-tree (MST) implementation is based on the IEEE 802.1s standard.
The MSTP enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of spanning-tree instances needed to support a large number of VLANs. The MSTP provides for multiple forwarding paths for data traffic and enables load-balancing.
Understanding MSTP
MSTP, which uses RSTP for rapid convergence, enables VLANs to be grouped into a spanning-tree instance, with each instance having a spanning-tree topology independent of other spanning-tree instances. This architecture provides multiple forwarding paths for data traffic, enables load-balancing, and reduces the number of spanning-tree instances required to support a large number of VLANs.
The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other spanning-tree instance information is contained in M-records, which are encapsulated within MSTP BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that need to be processed to support multiple spanning-tree instances is significantly reduced.
The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST region appears as a virtual switch to adjacent STP switches and MST regions. Figure 18-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST regional root for region 1 (A) is also the CIST root.
IEEE 802.1s Terminology
Some MST naming conventions used in Cisco’s prestandard implementation have been changed to identify some internal or regional parameters. These parameters are significant only within an MST region, as opposed to external parameters that are relevant to the whole network.
Boundary Ports
In the Cisco prestandard implementation, a boundary port connects an MST region to a single spanning-tree region running RSTP, to a single spanning-tree region running PVST+ or rapid PVST+, or to another MST region with a different MST configuration. A boundary port also connects to a LAN, the designated switch of which is either a single spanning-tree switch or a switch with a different MST configuration.
• The boundary port is not the root port of the CIST regional root—The MSTI ports follow the state and role of the CIST port. The standard provides less information, and it might be difficult to understand why an MSTI port can be alternately blocking when it receives no BPDUs (MRecords). In this case, although the boundary role no longer exists, the show commands identify a port as boundary in the type column of the output.
Figure 18-3 illustrates a unidirectional link failure that typically creates a bridging loop. Switch A is the root switch, and its BPDUs are lost on the link leading to switch B. RSTP and MST BPDUs include the role and state of the sending port. With this information, switch A can detect that switch B does not react to the superior BPDUs it sends and that switch B is the designated, not the root, switch.
to a port when the switch to which this switch is connected has joined the region. To restart the protocol migration process (force the renegotiation with neighboring switches), use the clear spanning-tree detected-protocols privileged EXEC command. If all the legacy switches on the link are RSTP switches, they can process MSTP BPDUs as if they are RSTP BPDUs.
In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root port and designated port immediately transition to the forwarding state while all alternate and backup ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls the operation of the forwarding and learning processes. Table 18-2 provides a comparison of IEEE 802.1D and RSTP port states.
When Switch C is connected to Switch B, a similar set of handshaking messages are exchanged. Switch C selects the port connected to Switch B as its root port, and both ends immediately transition to the forwarding state. With each iteration of this handshaking process, one more switch joins the active topology. As the network converges, this proposal-agreement handshaking progresses from the root toward the leaves of the spanning tree.
After ensuring that all of the ports are synchronized, the switch sends an agreement message to the designated switch corresponding to its root port. When the switches connected by a point-to-point link are in agreement about their port roles, the RSTP immediately transitions the port states to forwarding. The sequence of events is shown in Figure 18-5.
Figure 18-5 Sequence of Events During Rapid Convergence (numbered proposal and agreement messages exchanged between the switches)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch on that LAN. The port role in the proposal message is always set to the designated port. The sending switch sets the agreement flag in the RSTP BPDU to accept the previous proposal. The port role in the agreement message is always set to the root port. The RSTP does not have a separate topology change notification (TCN) BPDU.
• Propagation—When an RSTP switch receives a TC message from another switch through a designated or root port, it propagates the change to all of its nonedge, designated ports and to the root port (excluding the port on which it is received). The switch starts the TC-while timer for all such ports and flushes the information learned on them.
• Protocol migration—For backward compatibility with IEEE 802.1D switches, RSTP selectively sends IEEE 802.
Table 18-4 Default MSTP Configuration (continued)
Spanning-tree port priority (configurable on a per-CIST port basis): 128.
Spanning-tree port cost (configurable on a per-CIST port basis): 1000 Mb/s: 4; 100 Mb/s: 19; 10 Mb/s: 100.
Hello time: 2 seconds.
Forward-delay time: 15 seconds.
Maximum-aging time: 20 seconds.
Maximum hop count: 20 hops.
• All MST boundary ports must be forwarding for load-balancing between a PVST+ and an MST cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST cloud should also be the root of the CST.
Step 8 spanning-tree mode mst: Enable MSTP. RSTP is also enabled.
Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances are stopped for the previous mode and restarted in the new mode. You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.
Step 9 end: Return to privileged EXEC mode.
Step 10 show running-config: Verify your entries.
If any root switch for the specified instance has a switch priority lower than 24576, the switch sets its own priority to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value, as shown in Table 17-1 on page 17-5.)
Configuring a Secondary Root Switch
When you configure a switch with the extended system ID support as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified instance if the primary root switch fails. This assumes that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.
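An MST region with two instances and the root roles split across them, following the MST region configuration (Steps 8 to 10 above) and the primary and secondary root procedures. This is an added example rather than configuration from the guide; the region name, revision number and VLAN ranges are placeholders.

```cisco
! Added example: one MST region, two instances, load shared by giving each instance a
! different root. Region name, revision and VLAN ranges are placeholders, not values from the guide.
configure terminal
 spanning-tree mst configuration
  ! Every switch in the region must carry exactly this name, revision and VLAN-to-instance
  ! map; a switch that differs in any of the three forms a region of its own.
  name bladecenter-region
  revision 1
  instance 1 vlan 10-19
  instance 2 vlan 20-29
  ! VLANs not listed stay in instance 0, the IST.
 exit
!
! Enabling MSTP stops every PVST+ instance and restarts them under MSTP; expect a brief
! traffic interruption.
 spanning-tree mode mst
!
! This switch: primary root for MSTI 1 and backup root (priority 28672) for MSTI 2.
! Configure its peer the other way around so the two VLAN groups use different uplinks.
 spanning-tree mst 1 root primary
 spanning-tree mst 2 root secondary
end
!
! Check the region parameters and the per-instance roots.
show spanning-tree mst configuration
show spanning-tree mst 1
show spanning-tree mst 2
```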
Note: If your switch is a member of a switch stack, you must use the spanning-tree mst [instance-id] cost cost interface configuration command instead of the spanning-tree mst [instance-id] port-priority priority interface configuration command to select a port to put in the forwarding state. Assign lower cost values to ports that you want selected first and higher cost values to ports that you want selected last.
Configuring Path Cost
The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.
Note: Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.
Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 4 show spanning-tree mst: Verify your entries.
Step 5 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.
Configuring the Forwarding-Delay Time
Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances.
To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
Configuring the Maximum-Hop Count
Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 5 show spanning-tree mst interface interface-id: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
Designating the Neighbor Type
A topology could contain both prestandard and IEEE 802.1s standard-compliant devices.
To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
CHAPTER 19 Configuring Optional Spanning-Tree Features
This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch or switch stack is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.
Understanding Port Fast
Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.
At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service.
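Both ways of enabling BPDU guard described above, global (tied to Port Fast) and per interface, in one added configuration that is not from the guide, together with the commands used to find and recover an error-disabled port. The interface ranges are placeholders for the blade-server-facing and external ports.

```cisco
! Added example: BPDU guard on ports that should only ever see end hosts. A BPDU arriving
! on such a port means a switch was plugged in where a server belongs (by mistake or not);
! the port is error-disabled instead of being allowed to influence the spanning tree.
! Interface ranges are placeholders, not values from the guide.
configure terminal
! Global form: every Port Fast-enabled port also gets BPDU guard.
 spanning-tree portfast bpduguard default
 interface range gigabitethernet1/0/1 - 14
  switchport mode access
  spanning-tree portfast
 exit
!
! Interface form: BPDU guard on a port that is not Port Fast-enabled.
 interface gigabitethernet1/0/15
  spanning-tree bpduguard enable
 exit
!
! Recovery is manual by default (shutdown, then no shutdown on the err-disabled port).
! Timed recovery is optional; the port comes back after 300 seconds and is disabled
! again at once if BPDUs are still arriving.
 errdisable recovery cause bpduguard
 errdisable recovery interval 300
end
!
! Audit: which ports have BPDU guard, and which are currently err-disabled and why.
show spanning-tree summary
show spanning-tree interface gigabitethernet1/0/15 detail
show interfaces status err-disabled
show errdisable recovery
```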
Figure 19-2 Switches in a Hierarchical Network (backbone switches, including the root bridge, distribution switches, and blade switches, with active and blocked links)
If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port.
Figure 19-3 UplinkFast Example Before Direct Link Failure (Switch A is the root; Switch B and Switch C are connected over links L1, L2, and L3, with one port on Switch C blocked)
If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features How CSUF Works CSUF ensures that one link in the stack is elected as the path to the root. As shown in Figure 19-5, the stack-root port on Switch 1 provides the path to the root of the spanning tree. The alternate stack-root ports on Switches 2 and 3 can provide an alternate path to the spanning-tree root if the current stack-root switch fails or if its link to the spanning-tree root fails.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Each switch in the stack decides if the sending switch is a better choice than itself to be the stack root of this spanning-tree instance by comparing the root, cost, and bridge ID. If the sending switch is the best choice as the stack root, each switch in the stack returns an acknowledgement; otherwise, it sends a fast-transition request.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features If link L1 fails as shown in Figure 19-7, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root.
Chapter 19 Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding EtherChannel Guard You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel.
Chapter 19 Configuring Optional Spanning-Tree Features Configuring Optional Spanning-Tree Features Figure 19-9 Root Guard in a Data-Center Network Data-center network Customer network Potential spanning-tree root without root guard enabled Desired root switch 201771 Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.
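The guard features above all hinge on the same BPDU comparison that CSUF and BackboneFast use: root ID, then path cost, then sender bridge ID. The following Python model, an added example and not code from this guide, ranks BPDUs by that tuple, recognises an inferior BPDU as the chapter defines it (a switch announcing itself as both root and designated switch with a worse root than the one currently known), and shows what BPDU guard and root guard do to a port when a BPDU arrives. Bridge IDs, MAC addresses and port names are constructed for the example; the state names err-disabled and root-inconsistent are the ones the switch reports.

```python
from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> int:
    """64-bit STP bridge ID: 16-bit priority in the high bits, 48-bit MAC below."""
    return (priority << 48) | int(mac.replace(":", "").replace(".", ""), 16)


@dataclass(frozen=True)
class Bpdu:
    root_id: int       # bridge ID the sender believes is the root
    root_cost: int     # sender's path cost to that root
    sender_id: int     # bridge ID of the sending switch
    sender_port: int   # port ID on the sender


def bpdu_key(b: Bpdu):
    """The switch compares root ID, then cost, then sender bridge ID, then port ID;
    the numerically lowest tuple wins. CSUF picks the stack root the same way."""
    return (b.root_id, b.root_cost, b.sender_id, b.sender_port)


def is_superior(new: Bpdu, current: Bpdu) -> bool:
    return bpdu_key(new) < bpdu_key(current)


def is_inferior(received: Bpdu, current: Bpdu) -> bool:
    """Inferior BPDU as the chapter defines it: the sender declares itself both
    root and designated switch, and that root is worse than the known root."""
    return received.root_id == received.sender_id and received.root_id > current.root_id


@dataclass
class Port:
    name: str
    bpduguard: bool = False    # spanning-tree bpduguard enable (or Port Fast + global BPDU guard)
    rootguard: bool = False    # spanning-tree guard root
    state: str = "forwarding"

    def receive_bpdu(self, bpdu: Bpdu, current_root: Bpdu) -> str:
        """Apply the guards in the order the switch would and report the outcome."""
        if self.bpduguard:
            # Any BPDU at all err-disables the port; it stays down until an
            # operator (or errdisable recovery) brings it back.
            self.state = "err-disabled"
            return "err-disabled"
        if self.rootguard and is_superior(bpdu, current_root):
            # A BPDU that would make this port the root port is refused. The port
            # goes root-inconsistent and recovers by itself once such BPDUs stop.
            self.state = "root-inconsistent"
            return "root-inconsistent"
        if is_inferior(bpdu, current_root):
            # The designated switch lost its path to the root: BackboneFast trigger.
            return "inferior-bpdu"
        if is_superior(bpdu, current_root):
            return "new-root"
        return "accepted"
```

The difference between the two guards is the recovery path: a BPDU-guard port needs an administrator, while a root-guard port returns to service on its own, which is why root guard is the right tool on links to a customer network and BPDU guard on ports that should never see a switch.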
• Enabling Cross-Stack UplinkFast, page 19-16 (optional and only on the Catalyst Switch Module 3110)
• Enabling BackboneFast, page 19-16 (optional)
• Enabling EtherChannel Guard, page 19-17 (optional)
• Enabling Root Guard, page 19-18 (optional)
• Enabling Loop Guard, page 19-18 (optional)

Default Optional Spanning-Tree Configuration

Table 19-1 shows the default optional spanning-tree configuratio

If you enable the voice VLAN feature, the Port Fast feature is automatically enabled. When you disable voice VLAN, the Port Fast feature is not automatically disabled. For more information, see Chapter 14, “Configuring Voice VLAN.” You can enable this feature if your switch is running PVST+, rapid PVST+, or MSTP. Beginning in privileged EXEC mode, follow these steps to enable Port Fast.

To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred. The BPDU guard feature provides a secure response to invalid configurations because you must manually put the port back in service.

Caution: Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation. You can also use the spanning-tree bpdufilter enable interface configuration command to enable BPDU filtering on any interface without also enabling the Port Fast feature.

Beginning in privileged EXEC mode, follow these steps to enable UplinkFast and CSUF. This procedure is optional.

Step 1: configure terminal. Enter global configuration mode.
Step 2: spanning-tree uplinkfast [max-update-rate pkts-per-second]. Enable UplinkFast. (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.

Note: If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches. You can configure the BackboneFast feature for rapid PVST+ or for the MSTP, but the feature remains disabled (inactive) until you change the spanning-tree mode to PVST+.

Enabling Root Guard

Root guard enabled on an interface applies to all the VLANs to which the interface belongs. Do not enable the root guard on interfaces to be used by the UplinkFast feature. With UplinkFast, the backup interfaces (in the blocked state) replace the root port in the case of a failure.

Step 3: spanning-tree loopguard default. Enable loop guard. By default, loop guard is disabled.
Step 4: end. Return to privileged EXEC mode.
Step 5: show running-config. Verify your entries.
Step 6: copy running-config startup-config. (Optional) Save your entries in the configuration file.

To globally disable loop guard, use the no spanning-tree loopguard default global configuration command.
CHAPTER 20 Configuring Flex Links and the MAC Address-Table Move Update Feature

This chapter describes how to configure Flex Links, a pair of interfaces on the switch that provide a mutual backup. It also describes how to configure the MAC address-table move update feature, also referred to as the Flex Links bidirectional fast convergence feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding Flex Links and the MAC Address-Table Move Update

You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. On stacking-capable switches, the Flex Link can be on the same switch or on another switch in the stack.

Figure 20-2 VLAN Flex Links Load Balancing Configuration Example (Switch A with gi2/0/6 forwarding toward uplink switch B and gi2/0/8 not forwarding toward uplink switch C)

MAC Address-Table Move Update

The MAC address-table move update feature allows the switch to provide rapid bidirectional convergence when a primary (forwarding) link goes down and the standby link begins f

Figure 20-3 MAC Address-Table Move Update Example (a PC attached to Switch A, which has Port 1 and Port 2; Switch B and Switch D; Switch C with Port 3 and Port 4 and a server attached)

Configuring Flex Links and MAC Address-Table Move Update

These sections contain this information:
• Configuration Guidelines, page 20-5
• Default Configuration, page 20-5
• Configuring Flex Links, page 20-6
• Configuring

Configuration Guidelines

Follow these guidelines to configure Flex Links:
• You can configure only one Flex Link backup link for any active link, and it must be a different interface from the active interface.
• An interface can belong to only one Flex Link pair. An interface can be a backup link for only one active link.

Configuring Flex Links

Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:

Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.

Step 4: switchport backup interface interface-id preemption mode [forced | bandwidth | off]
Step 5: switchport backup interface interface-id preemption delay delay-time
Configure a preemption mechanism and delay for a Flex Link interface pair. You can configure the preemption as:
• Forced—the active interface always preempts the backup.

Configuring VLAN Load Balancing on Flex Links

Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:

Step 1: configure terminal. Enter global configuration mode.
Step 2: interface interface-id. Specify the interface, and enter interface configuration mode.

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi2/0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi2/0/8 and forwarded on Gi2/0/6.
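The failover, preemption and VLAN load-balancing behaviour of one Flex Link pair, as an added Python model rather than code from this guide. It tracks which interface forwards which VLANs across link-down and link-up events: a returning interface immediately reclaims its preferred VLANs when load balancing is configured, as the text above describes, and otherwise the preemption mode decides whether the active interface takes back the traffic after the delay. The semantics of the bandwidth and off keywords (higher-bandwidth link wins; no preemption) and the 35-second default delay come from the command's documentation rather than from this excerpt, so treat them as assumptions; interface names, VLAN IDs and bandwidths are constructed.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth: int = 1000    # Mb/s; only used by the bandwidth preemption mode
    up: bool = True


class FlexLinkPair:
    """One Flex Link pair: an active interface and its backup on the same switch."""

    def __init__(self, active: Link, backup: Link, vlans, backup_preferred=(),
                 preemption: str = "off", delay: int = 35):
        self.active, self.backup = active, backup
        self.vlans = set(vlans)
        # VLANs from 'switchport backup interface ... prefer vlan' (load balancing)
        self.backup_preferred = set(backup_preferred) & self.vlans
        self.preemption, self.delay = preemption, delay   # delay default 35 s is assumed
        self.carrier = active.name   # link currently carrying the non-preferred VLANs
        self.pending = None          # (link name, seconds left) for a delayed preemption

    def _link(self, name: str) -> Link:
        return self.active if name == self.active.name else self.backup

    def forwarding(self) -> dict:
        """{interface: set of VLANs it forwards} in the current state."""
        a, b = self.active.name, self.backup.name
        fwd = {a: set(), b: set()}
        if self.active.up and self.backup.up:
            fwd[self.carrier] |= self.vlans - self.backup_preferred
            fwd[b] |= self.backup_preferred
        elif self.active.up:
            fwd[a] |= self.vlans
        elif self.backup.up:
            fwd[b] |= self.vlans
        return fwd

    def link_down(self, name: str) -> None:
        self._link(name).up = False
        self.pending = None
        if self.active.up or self.backup.up:
            # Failover: whichever link survives carries every VLAN.
            self.carrier = self.active.name if self.active.up else self.backup.name

    def link_up(self, name: str) -> None:
        link = self._link(name)
        link.up = True
        other = self.backup if link is self.active else self.active
        if not other.up:
            self.carrier = name
            return
        if self.backup_preferred:
            # With VLAN load balancing the returning interface at once takes back
            # its preferred VLANs, which are blocked on the peer.
            self.carrier = self.active.name
            return
        # Otherwise the preemption mode decides who carries the VLANs after the delay.
        if self.preemption == "forced":
            wanted = self.active.name
        elif self.preemption == "bandwidth":
            wanted = (self.active.name if self.active.bandwidth >= self.backup.bandwidth
                      else self.backup.name)
        else:
            wanted = self.carrier              # off: no preemption
        if wanted != self.carrier:
            self.pending = (wanted, self.delay)

    def tick(self, seconds: int) -> None:
        """Advance the preemption delay timer."""
        if self.pending:
            target, left = self.pending
            left -= seconds
            self.pending = None if left <= 0 else (target, left)
            if left <= 0:
                self.carrier = target
```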
Step 4: exit. Return to global configuration mode.
Step 5: mac address-table move update transmit. Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.
Step 6: end. Return to privileged EXEC mode.

Step 3: end. Return to privileged EXEC mode.
Step 4: show mac address-table move update. Verify the configuration.
Step 5: copy running-config startup-config. (Optional) Save your entries in the switch startup configuration file.
CHAPTER 21 Configuring DHCP Features and IP Source Guard

This chapter describes how to configure DHCP snooping and the option-82 data insertion features on the switch. It also describes how to configure the IP source guard feature. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding DHCP Features

For information about the DHCP client, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.2.

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them.

The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.

Figure 21-1 is an example of a blade switch in an enclosure in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer.

• Remote-ID suboption fields
  – Suboption type
  – Length of the suboption type
  – Remote-ID type
  – Length of the remote-ID type

In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a Catalyst Switch Module 3110X, which has 15 ports, port 1 is the internal Gigabit Ethernet 1/0/1 port, port 2 is the internal Gigabit Ethernet 1/0/2 port, and so on.

The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions:
• Circuit-ID suboption fields
  – The circuit-ID type is 1.
  – The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
  – The remote-ID type is 1.
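The suboption layout described above, as an added Python example (not code from this guide) that builds and parses the option-82 bytes a relay or DHCP server would see. Each suboption is a type byte and a length byte followed by an inner type/length header and the value; the default circuit ID is type 0 with a 4-byte VLAN/module/port value (port numbers starting at 1), the default remote ID is type 0 with the 6-byte switch MAC, and a configured string uses inner type 1 with a variable length. The parser checks every length against what is actually present, because a server that trusts the lengths in a relayed option is trusting data that an untrusted port may have injected. The VLAN, port and MAC values are constructed.

```python
import struct

OPTION_RELAY_AGENT = 82   # RFC 3046 relay agent information option
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def _suboption(subopt_type: int, inner_type: int, value: bytes) -> bytes:
    """suboption type | suboption length | inner type | inner length | value"""
    inner = bytes([inner_type, len(value)]) + value
    return bytes([subopt_type, len(inner)]) + inner


def circuit_id_default(vlan: int, module: int, port: int) -> bytes:
    """Default circuit ID: inner type 0, length 4, VLAN (2 bytes), module, port."""
    if not 1 <= port <= 255:
        raise ValueError("port field numbering starts at 1")
    return _suboption(SUBOPT_CIRCUIT_ID, 0, struct.pack("!HBB", vlan, module, port))


def remote_id_default(switch_mac: str) -> bytes:
    """Default remote ID: inner type 0, length 6, the switch MAC address."""
    mac = bytes.fromhex(switch_mac.replace(":", "").replace(".", ""))
    return _suboption(SUBOPT_REMOTE_ID, 0, mac)


def configured(subopt_type: int, text: str) -> bytes:
    """A configured circuit-ID or remote-ID string: inner type 1, variable length."""
    return _suboption(subopt_type, 1, text.encode("ascii"))


def build_option82(*suboptions: bytes) -> bytes:
    body = b"".join(suboptions)
    if len(body) > 255:
        raise ValueError("option 82 body exceeds one-byte length")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(data: bytes) -> dict:
    """Decode option 82 into a dict, refusing any length that does not match."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    out, body, i = {}, data[2:], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        st, sl = body[i], body[i + 1]
        inner = body[i + 2:i + 2 + sl]
        if len(inner) != sl or sl < 2 or inner[1] != sl - 2:
            raise ValueError("suboption length mismatch")
        itype, value = inner[0], inner[2:]
        if st == SUBOPT_CIRCUIT_ID and itype == 0 and len(value) == 4:
            vlan, module, port = struct.unpack("!HBB", value)
            out["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        elif st == SUBOPT_REMOTE_ID and itype == 0 and len(value) == 6:
            out["remote_id"] = ":".join(f"{b:02x}" for b in value)
        else:
            # inner type 1 (configured string) or an unknown suboption: keep the text
            key = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}.get(
                st, f"suboption_{st}")
            out[key] = value.decode("ascii", "replace")
        i += 2 + sl
    return out
```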
Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location.

DHCP Snooping and Switch Stacks

DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives the DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out. All snooping statistics are generated on the stack master. If a new stack master is elected, the statistics counters reset.

Table 21-1 Default DHCP Configuration (continued)

Feature: Default Setting
DHCP snooping option to accept packets on untrusted input interfaces (see table footnote 3): Disabled
DHCP snooping limit rate: None configured
DHCP snooping trust: Untrusted
DHCP snooping VLAN: Disabled
DHCP snooping MAC address verification: Enabled
Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.
• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

Configuring the DHCP Relay Agent

Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:

Step 1: configure terminal. Enter global configuration mode.
Step 2: service dhcp. Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.
Step 3: end. Return to privileged EXEC mode.
Step 4: show running-config. Verify your entries.

interface range port-range. Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode.
or
interface interface-id. Configure a single physical port that is connected to the DHCP client, and enter interface configuration mode.
Step 7: switchport mode access. Define the VLAN membership mode for the port.

Step 6: ip dhcp snooping information option allow-untrusted. (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.

Note: Enter this command only on aggregation switches that are connected to trusted devices.

Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100

Enabling DHCP Snooping on Private VLANs

You can enable DHCP snooping on private VLANs. If DHCP snooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. If DHCP snooping is enabled on the primary VLAN, it is also configured on the secondary VLANs.
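The drop rules, trust model and rate limit from the sections above, combined in one added Python model (not code from this guide) so the interaction is visible: server messages and option-82 on untrusted ports are dropped (the latter unless allow-untrusted is set), MAC address verification compares the Ethernet source with chaddr, a port that exceeds its ip dhcp snooping limit rate is err-disabled, and a DHCPACK arriving on a trusted port for a client seen on an untrusted port creates a binding of the kind the database section describes. Port names, MAC and IP addresses and the packet sequence are constructed; the one-second sliding window is a simplification of the switch's rate limiter.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    port: str
    vlan: int
    src_mac: str          # Ethernet source address
    chaddr: str           # client hardware address in the DHCP payload
    msg_type: str
    yiaddr: str = ""      # address assigned by the server (server messages)
    lease: int = 0        # lease time in seconds (server messages)
    option82: bool = False


@dataclass
class Snooper:
    trusted: set = field(default_factory=set)        # ip dhcp snooping trust
    rate_limit: dict = field(default_factory=dict)   # port -> ip dhcp snooping limit rate (pps)
    verify_mac: bool = True                          # ip dhcp snooping verify mac-address (default on)
    allow_untrusted_opt82: bool = False              # ip dhcp snooping information option allow-untrusted
    bindings: dict = field(default_factory=dict)     # ip -> (mac, vlan, port, lease)
    errdisabled: set = field(default_factory=set)
    _clients: dict = field(default_factory=dict)     # chaddr -> (port, vlan) seen on untrusted ports
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def _over_rate(self, port: str, now: float) -> bool:
        """Sliding one-second window per port; True once the limit is exceeded."""
        limit = self.rate_limit.get(port)
        if limit is None:
            return False
        window = self._seen[port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > limit

    def handle(self, pkt: DhcpPacket, now: float = 0.0) -> str:
        if pkt.port in self.errdisabled:
            return "drop: port err-disabled"
        if self._over_rate(pkt.port, now):
            self.errdisabled.add(pkt.port)
            return "drop: rate limit exceeded, port err-disabled"
        chaddr = pkt.chaddr.lower()
        if pkt.port in self.trusted:
            # Server side. An ACK for a client seen on an untrusted port creates a binding.
            if pkt.msg_type == "DHCPACK" and pkt.yiaddr and chaddr in self._clients:
                port, vlan = self._clients[chaddr]
                self.bindings[pkt.yiaddr] = (chaddr, vlan, port, pkt.lease)
                return "forward: binding added"
            return "forward: trusted"
        # Untrusted (client-facing) port from here on.
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if self.verify_mac and pkt.src_mac.lower() != chaddr:
            return "drop: source MAC does not match chaddr"
        if pkt.option82 and not self.allow_untrusted_opt82:
            return "drop: option 82 on untrusted port"
        self._clients[chaddr] = (pkt.port, pkt.vlan)
        return "forward: client message"
```

Note the order: the rate limit is evaluated before any content check, so a flood of otherwise valid DISCOVERs still takes the port down, which is the behaviour to expect on a client port with a low configured rate.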
Step 3: ip dhcp snooping database timeout seconds. Specify (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.

Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.

Understanding IP Source Guard

IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings.

Source IP and MAC Address Filtering

When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and non-IP traffic.
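The two filtering modes side by side, as an added Python example (not the guide's code): source-IP filtering checks only the IP address against the bindings learned on that port and VLAN, while source-IP-and-MAC filtering requires both fields to match one entry and also filters non-IP frames by MAC, which is the difference that matters against a host that keeps its assigned IP but forges its MAC. Bindings come either from DHCP snooping or from a static ip source binding entry. DHCP is always let through so that a host with no binding yet can obtain a lease. Port names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    source: str = "dhcp-snooping"   # or "static"


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str
    src_ip: Optional[str]      # None for non-IP traffic
    is_dhcp: bool = False


@dataclass
class IpSourceGuard:
    bindings: set = field(default_factory=set)
    mode: dict = field(default_factory=dict)   # port -> "ip" (ip verify source) | "ip-mac" (port-security)

    def add_static(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """ip source binding <mac> vlan <vlan> <ip> interface <port>"""
        self.bindings.add(Binding(ip, mac.lower(), vlan, port, "static"))

    def add_dhcp(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """An entry learned by DHCP snooping."""
        self.bindings.add(Binding(ip, mac.lower(), vlan, port))

    def _port_bindings(self, port: str, vlan: int):
        return [b for b in self.bindings if b.port == port and b.vlan == vlan]

    def filter(self, f: Frame) -> str:
        mode = self.mode.get(f.port)
        if mode is None:
            return "permit: ip verify source not enabled on this port"
        if f.is_dhcp:
            return "permit: DHCP is always allowed so the client can get a lease"
        entries = self._port_bindings(f.port, f.vlan)
        if mode == "ip":
            if f.src_ip is None:
                return "permit: non-IP traffic is not filtered in ip mode"
            if any(b.ip == f.src_ip for b in entries):
                return "permit"
            return "deny: source IP not bound to this port"
        # ip-mac: both fields must match one entry; non-IP traffic is filtered by MAC
        mac = f.src_mac.lower()
        if f.src_ip is None:
            if any(b.mac == mac for b in entries):
                return "permit"
            return "deny: source MAC not bound to this port"
        if any(b.ip == f.src_ip and b.mac == mac for b in entries):
            return "permit"
        return "deny: source IP/MAC pair not bound to this port"
```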
• When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.
• IP source guard is not supported on EtherChannels.
• You can enable this feature when IEEE 802.1x port-based authentication is enabled.
• If the number of hardware entries exceeds the maximum available, the CPU usage increases.

Step 8: show ip source binding [ip-address] [mac-address] [dhcp-snooping | static] [interface interface-id] [vlan vlan-id]. Display the IP source bindings on the switch, on a specific VLAN, or on a specific interface.
Step 9: copy running-config startup-config. (Optional) Save your entries in the configuration file.
CHAPTER 22 Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.

Understanding Dynamic ARP Inspection

Figure 22-1 ARP Cache Poisoning (Host A (IA, MA) on interface A, Host B (IB, MB) on interface B, and Host C, the man-in-the-middle (IC, MC), on interface C)

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section on page 22-11.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

Table 22-1 Default Dynamic ARP Inspection Configuration (continued)

Feature: Default Setting
Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
Per-VLAN logging: All denied or dropped ARP packets are logged.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports. If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

Step 5: ip arp inspection trust. Configure the connection between the switches as trusted. By default, all interfaces are untrusted. The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets. For untrusted interfaces, the switch intercepts all ARP requests and responses.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.

Step 1: configure terminal. Enter global configuration mode.
Step 2: arp access-list acl-name. Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Step 7: no ip arp inspection trust. Configure the Switch A interface that is connected to Switch B as untrusted. By default, all interfaces are untrusted. For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination.

For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section on page 22-6. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

Step 1: configure terminal. Enter global configuration mode.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

Step 1: configure terminal. Enter global configuration mode.
Step 2: ip arp inspection validate {[src-mac] [dst-mac] [ip]}. Perform a specific check on incoming ARP packets. By default, no checks are performed.
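The whole decision path for one intercepted ARP packet, as an added Python example that is not code from this guide: trusted ports are forwarded without checks; on untrusted ports the optional src-mac, dst-mac and ip validation checks run first, then an ARP ACL (the non-DHCP case from the procedure above, where an explicit permit or deny is final and the static keyword makes the ACL's implicit deny apply), then the DHCP snooping bindings. Every drop is recorded in a 32-entry log buffer carrying the flow information the logging section lists. The poisoning attempt in the test is Host C from Figure 22-1 answering for Host B's address with its own MAC. Addresses, port names and the ACL entry are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class ArpPacket:
    port: str
    vlan: int
    eth_src: str       # Ethernet header source
    eth_dst: str       # Ethernet header destination
    op: str            # "request" or "reply"
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def invalid_ip(ip: str) -> bool:
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and multicast addresses are invalid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def _mac_eq(a: str, b: str) -> bool:
    return a.lower() == b.lower()


@dataclass
class Dai:
    trusted: set = field(default_factory=set)      # ip arp inspection trust
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> mac, from DHCP snooping
    acl: list = field(default_factory=list)        # [(action, ip, mac-or-"any")], in order
    acl_static: bool = False                       # ip arp inspection filter ... static
    validate: set = field(default_factory=set)     # any of "src-mac", "dst-mac", "ip"
    log: deque = field(default_factory=lambda: deque(maxlen=32))   # log-buffer entries 32 (default)

    def _drop(self, pkt: ArpPacket, reason: str) -> str:
        # Same flow information the chapter lists for a log entry.
        self.log.append((pkt.vlan, pkt.port, pkt.sender_ip, pkt.target_ip,
                         pkt.eth_src, pkt.eth_dst, reason))
        return "drop: " + reason

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.port in self.trusted:
            return "forward: trusted"          # not checked, simply forwarded
        # Optional validation checks first (ip arp inspection validate ...).
        if "src-mac" in self.validate and not _mac_eq(pkt.eth_src, pkt.sender_mac):
            return self._drop(pkt, "src-mac mismatch")
        if ("dst-mac" in self.validate and pkt.op == "reply"
                and not _mac_eq(pkt.eth_dst, pkt.target_mac)):
            return self._drop(pkt, "dst-mac mismatch")
        if "ip" in self.validate and (invalid_ip(pkt.sender_ip)
                                      or (pkt.op == "reply" and invalid_ip(pkt.target_ip))):
            return self._drop(pkt, "invalid ip address")
        # ARP ACL next: an explicit permit or deny is final. With 'static' the
        # ACL's implicit deny applies; otherwise fall through to DHCP bindings.
        for action, ip, mac in self.acl:
            if ip == pkt.sender_ip and (mac == "any" or _mac_eq(mac, pkt.sender_mac)):
                if action == "permit":
                    return "forward: acl permit"
                return self._drop(pkt, "acl deny")
        if self.acl and self.acl_static:
            return self._drop(pkt, "no acl match (static)")
        bound = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if bound is not None and _mac_eq(bound, pkt.sender_mac):
            return "forward: dhcp binding"
        return self._drop(pkt, "no valid ip-to-mac binding")
```

Note what the bindings check does and does not cover: it validates the sender pair in every intercepted packet, so a forged reply is caught on the port it enters, but a poisoned reply that arrives over a trusted uplink from elsewhere in the network is forwarded untouched, which is the limitation the Understanding section points out.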
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Step 3: ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}. Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

Displaying Dynamic ARP Inspection Information

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 22-3:

Table 22-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics

clear ip arp inspection statistics: Clears dynamic ARP inspection statistics.
CH A P T E R 23 Configuring IGMP Snooping and MVR This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Understanding IGMP Snooping Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router. Note The switch supports IGMPv3 snooping based only on the destination multicast MAC address.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping the group if it is not already present. The CPU also adds the interface where the join message was received to the forwarding-table entry. The blade server associated with that interface receives multicast traffic for that multicast group. See Figure 23-1. Figure 23-1 Initial IGMP Join Message Router A 19 IGMP report 224.1.2.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping If another blade server (for example, Blade Server 4) sends an unsolicited IGMP join message for the same group (Figure 23-2), the CPU receives that message and adds the port number of Blade Server 4 to the forwarding table as shown in Table 23-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch.
Chapter 23 Configuring IGMP Snooping and MVR Understanding IGMP Snooping Immediate Leave Immediate Leave is only supported on IGMP Version 2 hosts. The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Snooping IGMP Snooping and Switch Stacks IGMP snooping functions across the switch stack; that is, IGMP control information from one switch is distributed to all switches in the stack. (See Chapter 5, “Managing Switch Stacks,” for more information about switch stacks.) Regardless of the stack member through which IGMP multicast data enters the stack, the data reaches the hosts that have registered for that group.
Table 23-3 Default IGMP Snooping Configuration (continued)
Feature | Default Setting
IGMP snooping querier | Disabled
IGMP report suppression | Enabled
1. TCN = Topology Change Notification
Enabling or Disabling IGMP Snooping
By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces.
Setting the Snooping Method
Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry.
Configuring a Multicast Router Port
To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.
Note Static connections to multicast routers are supported only on switch ports.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 ip igmp snooping vlan vlan-id static ip_address interface interface-id | Statically configure a Layer 2 port as a member of a multicast group:
• vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.
Controlling the Multicast Flooding Time After a TCN Event
You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event.
To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.
Disabling Multicast Flooding During a TCN Event
When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries are received.
• When it is administratively enabled, the IGMP snooping querier moves to the operationally disabled state under these conditions:
– IGMP snooping is disabled in the VLAN.
– PIM is enabled on the SVI of the corresponding VLAN.
Beginning in privileged EXEC mode, follow these steps to enable the IGMP snooping querier feature in a VLAN:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Snooping Information
This example shows how to set the IGMP snooping querier feature to Version 2 (the no form of the command would return the querier to its default version, so the command is entered without no):
Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end
Disabling IGMP Report Suppression
Note IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.
To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 23-4.
Table 23-4 Commands for Displaying IGMP Snooping Information
Command | Purpose
show ip igmp snooping [vlan vlan-id] | Display the snooping configuration information for all VLANs on the switch or for a specified VLAN. (Optional) Enter vlan vlan-id to display information for a single VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Understanding Multicast VLAN Registration
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service-provider network (for example, the broadcast of multiple television channels over a service-provider network).
switch to join the appropriate multicast. If the IGMP report matches one of the configured IP multicast group addresses, the switch CPU modifies the hardware address table to include this receiver port and VLAN as a forwarding destination of the specified multicast stream when it is received from the multicast VLAN.
Chapter 23 Configuring IGMP Snooping and MVR Configuring MVR
dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device. The access layer blade switch modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs. IGMP reports are sent to the same IP multicast group address as the multicast data.
• Do not configure MVR on private VLAN ports.
• MVR is not supported when multicast routing is enabled on a switch. If you enable multicast routing and a multicast routing protocol while MVR is enabled, MVR is disabled, and you receive a warning message. If you try to enable MVR while multicast routing and a multicast routing protocol are enabled, the operation to enable MVR is cancelled, and you receive an error message.
Command | Purpose
Step 8 show mvr or show mvr members | Verify the configuration.
Step 9 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.
Command | Purpose
Step 5 mvr vlan vlan-id group [ip-address] | (Optional) Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed.
Note In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.
Chapter 23 Configuring IGMP Snooping and MVR Displaying MVR Information
You can display MVR information for the switch or for a specified interface.
Chapter 23 Configuring IGMP Snooping and MVR Configuring IGMP Filtering and Throttling
IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static configuration. With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2 interface can join.
• permit: Specifies that matching addresses are permitted.
• range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range with a start and an end address.
The default is for the switch to have no IGMP profiles configured. When a profile is configured, if neither the permit nor deny keyword is included, the default is to deny access to the range of IP addresses.
Applying IGMP Profiles
To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access ports; you cannot apply IGMP profiles to routed ports or SVIs. You cannot apply profiles to ports that belong to an EtherChannel port group.
Command | Purpose
Step 3 ip igmp max-groups number | Set the maximum number of IGMP groups that the interface can join. The range is 0 to 4294967294. The default is to have no maximum set.
Step 4 end | Return to privileged EXEC mode.
Step 5 show running-config interface interface-id | Verify the configuration.
Step 6 copy running-config startup-config | (Optional) Save your entries in the configuration file.
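The following session is an added example and is not taken from this guide: it combines an IGMP profile, its application to a Layer 2 access port, and a group limit on the same port, then verifies the result. Profile number 10, the 239.10.1.0 group range, and port gigabitethernet 1/0/5 are constructed values.

```ios
! Added example, not from the guide. Profile 10, the 239.10.1.x range and
! port gigabitethernet 1/0/5 are constructed values.
Switch# configure terminal
! A profile whose range carries neither permit nor deny denies that range,
! so state permit explicitly when the intent is to allow only these groups.
Switch(config)# ip igmp profile 10
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 239.10.1.1 239.10.1.50
Switch(config-igmp-profile)# exit
! Profiles apply only to Layer 2 access ports: not routed ports, SVIs or
! EtherChannel members. Joins for groups outside the range are ignored.
Switch(config)# interface gigabitethernet 1/0/5
Switch(config-if)# switchport mode access
Switch(config-if)# ip igmp filter 10
! Throttling: the port may hold at most 8 dynamically learned groups;
! with the deny action, a ninth join is dropped rather than replacing one.
Switch(config-if)# ip igmp max-groups 8
Switch(config-if)# ip igmp max-groups action deny
Switch(config-if)# end
! Verification: the profile contents and the interface settings.
Switch# show ip igmp profile 10
Switch# show running-config interface gigabitethernet 1/0/5
```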
Chapter 23 Configuring IGMP Snooping and MVR Displaying IGMP Filtering and Throttling Configuration
Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the maximum number of entries is in the forwarding table:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the physical interface to be configured, and enter interface configuration mode.
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide 23-30 OL-12189-01
Chapter 24 Configuring IPv6 MLD Snooping
You can use Multicast Listener Discovery (MLD) snooping to enable efficient distribution of IP Version 6 (IPv6) multicast data to clients and routers in a switched network on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note To use IPv6, you must configure the dual IPv4 and IPv6 Switch Database Management (SDM) template on the switch.
Chapter 24 Configuring IPv6 MLD Snooping Understanding MLD Snooping
MLD Version 1 (MLDv1) is equivalent to IGMPv2, and MLD Version 2 (MLDv2) is equivalent to IGMPv3. MLD is a subprotocol of Internet Control Message Protocol Version 6 (ICMPv6), and MLD messages are a subset of ICMPv6 messages, identified in IPv6 packets by a preceding Next Header value of 58.
MLDv2 supports MLDv2 queries and reports, as well as MLDv1 Report and Done messages. Message timers and state transitions resulting from messages being sent or received are the same as those of IGMPv2 messages. MLD messages that do not have valid link-local IPv6 source addresses are ignored by MLD routers and switches.
Multicast Router Discovery
Like IGMP snooping, MLD snooping performs multicast router discovery, with these characteristics:
• Ports configured by a user never age out.
• Dynamic port learning results from MLDv1 snooping queries and IPv6 PIMv2 packets.
• If there are multiple routers on the same Layer 2 interface, MLD snooping tracks a single multicast router on the port (the router that most recently sent a router control packet).
Chapter 24 Configuring IPv6 MLD Snooping Configuring IPv6 MLD Snooping
The number of MASQs generated is configured by using the ipv6 mld snooping last-listener-query count global configuration command. The default number is 2. The MASQ is sent to the IPv6 multicast address for which the Done message was sent.
Default MLD Snooping Configuration
Table 24-1 shows the default MLD snooping configuration.
Table 24-1 Default MLD Snooping Configuration
Feature | Default Setting
MLD snooping (Global) | Disabled.
MLD snooping (per VLAN) | Enabled. MLD snooping must be globally enabled for VLAN MLD snooping to take place.
IPv6 Multicast addresses | None configured.
IPv6 Multicast router ports | None configured.
• The maximum number of multicast entries allowed on the switch or switch stack is determined by the configured SDM template.
• The maximum number of address entries allowed for the switch or switch stack is 1000.
Enabling or Disabling MLD Snooping
By default, IPv6 MLD snooping is globally disabled on the switch and enabled on all VLANs. When MLD snooping is globally disabled, it is also disabled on all VLANs.
Command | Purpose
Step 3 ipv6 mld snooping vlan vlan-id | Enable MLD snooping on the VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
Note MLD snooping must be globally enabled for VLAN snooping to be enabled.
Step 4 end | Return to privileged EXEC mode.
Step 5 copy running-config startup-config | (Optional) Save your entries in the configuration file.
Configuring a Multicast Router Port
Although MLD snooping learns about router ports through MLD queries and PIMv6 queries, you can also use the command-line interface (CLI) to add a multicast router port to a VLAN. To add a multicast router port (add a static connection to a multicast router), use the ipv6 mld snooping vlan mrouter global configuration command on the switch.
Command | Purpose
Step 4 show ipv6 mld snooping vlan vlan-id | Verify that Immediate Leave is enabled on the VLAN interface.
Step 5 copy running-config startup-config | (Optional) Save your entries in the configuration file.
To disable MLD Immediate Leave on a VLAN, use the no ipv6 mld snooping vlan vlan-id immediate-leave global configuration command.
Command | Purpose
Step 8 ipv6 mld snooping tcn query solicit | (Optional) Enable topology change notification (TCN) solicitation, which means that VLANs flood all IPv6 multicast traffic for the configured number of queries before sending multicast data to only those ports requesting to receive it. The default is for TCN to be disabled.
Chapter 24 Configuring IPv6 MLD Snooping Displaying MLD Snooping Information
To re-enable MLD message suppression, use the ipv6 mld snooping listener-message-suppression global configuration command.
Displaying MLD Snooping Information
You can display MLD snooping information for dynamically learned and statically configured router ports and VLAN interfaces. You can also display MAC address multicast entries for a VLAN configured for MLD snooping.
Chapter 25 Configuring Port-Based Traffic Control
This chapter describes how to configure the port-based traffic control features on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 25 Configuring Port-Based Traffic Control Configuring Storm Control
Storm control uses one of these methods to measure traffic activity:
• Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
• Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
• Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the p
You use the storm-control interface configuration commands to set the threshold value for each traffic type.
Default Storm Control Configuration
By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is, the suppression level is 100 percent.
Command | Purpose
Step 3 storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]} | Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled. The keywords have these meanings:
• For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth.
Chapter 25 Configuring Port-Based Traffic Control Configuring Protected Ports
Command | Purpose
Step 6 show storm-control [interface-id] [broadcast | multicast | unicast] | Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed.
Step 7 copy running-config startup-config | (Optional) Save your entries in the configuration file.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Blocking
Protected Port Configuration Guidelines
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group. Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port.
Chapter 25 Configuring Port-Based Traffic Control Configuring Port Security
Default Port Blocking Configuration
The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports.
Blocking Flooded Traffic on an Interface
Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
These sections contain this conceptual and configuration information:
• Understanding Port Security, page 25-8
• Default Port Security Configuration, page 25-10
• Port Security Configuration Guidelines, page 25-10
• Enabling and Configuring Port Security, page 25-12
• Enabling and Configuring Port Security Aging, page 25-16
• Port Security and Switch Stacks, page 25-17
• Port Security and Private VLANs, page 25-17
U
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template.
Table 25-1 shows the violation mode and the actions taken when you configure an interface for port security.
• A secure port cannot be a private-VLAN port.
• When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN.
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface to be configured, and enter interface configuration mode.
Command | Purpose
Step 7 switchport port-security violation {protect | restrict | shutdown | shutdown vlan} | (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC
Command | Purpose
Step 8 switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.
To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.
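The following session is an added example and is not taken from this guide: it pulls the port security guidelines above together on one access port that also carries a voice VLAN, using the restrict violation mode, sticky learning and inactivity aging. Port gigabitethernet 1/0/3 and VLANs 21 and 22 are constructed values.

```ios
! Added example, not from the guide. Port gigabitethernet 1/0/3 and
! VLANs 21 (data) and 22 (voice) are constructed values.
Switch# configure terminal
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
! A port with a voice VLAN needs two secure addresses: the PC on the access
! VLAN and the IP phone, whose address is learned on the voice VLAN only.
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security maximum 1 vlan voice
! restrict drops frames from unknown source addresses and records the
! violation instead of error-disabling the port, so the phone stays up
! while the event is still visible in the counters.
Switch(config-if)# switchport port-security violation restrict
! Sticky learning keeps the learned addresses in the running configuration
! (save it with copy running-config startup-config to survive a reload).
Switch(config-if)# switchport port-security mac-address sticky
! Inactivity aging removes a secure address idle for 10 minutes, so a PC
! that is moved does not leave a stale entry that blocks its replacement.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# end
! Verification: mode, maximum, current count, violation counter, and the
! secure addresses with the VLAN each was learned on.
Switch# show port-security interface gigabitethernet 1/0/3
Switch# show port-security address
```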
Chapter 25 Configuring Port-Based Traffic Control Displaying Port-Based Traffic Control Settings
This example shows how to configure port security on a PVLAN host and promiscuous ports:
Switch(config)# interface gigabitethernet 1/0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security v
Chapter 26 Configuring CDP
This chapter describes how to configure Cisco Discovery Protocol (CDP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the “System Management Commands” section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Chapter 26 Configuring CDP Configuring CDP
CDP and Switch Stacks
A switch stack appears as a single switch in the network. Therefore, CDP discovers the switch stack, not the individual stack members. The switch stack sends CDP messages to neighboring network devices when there are changes to the switch stack membership, such as stack members being added or removed.
Command | Purpose
Step 3 cdp holdtime seconds | (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.
Step 4 cdp advertise-v2 | (Optional) Configure CDP to send Version-2 advertisements. This is the default state.
Step 5 end | Return to privileged EXEC mode.
Step 6 show cdp | Verify your settings.
Disabling and Enabling CDP on an Interface
CDP is enabled by default on all supported interfaces to send and to receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface on which you are disabling CDP, and enter interface configuration mode.
Chapter 26 Configuring CDP Monitoring and Maintaining CDP
To monitor and maintain CDP on your device, use one or more of the privileged EXEC commands in Table 26-2.
Table 26-2 Commands for Displaying CDP Information
Command | Description
clear cdp counters | Reset the traffic counters to zero.
clear cdp table | Delete the CDP table of information about neighbors.
Chapter 27 Configuring LLDP and LLDP-MED
This chapter describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Carrier Ethernet Command Reference at this URL: http://www.cisco.
Chapter 27 Configuring LLDP and LLDP-MED Understanding LLDP and LLDP-MED
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP supported devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol. The switch supports these basic management TLVs.
Chapter 27 Configuring LLDP and LLDP-MED Configuring LLDP and LLDP-MED
• Location TLV: Provides location information from the switch to the endpoint device. The location TLV can send this information:
– Civic location information: Provides the civic address information and postal information. Examples of civic location information are street address, road name, and postal community name information.
– ELIN location information: Provides the location information of a caller.
Table 27-1 Default LLDP Configuration (continued)
Feature | Default Setting
LLDP transmit | Enabled
LLDP med-tlv-select | Enabled to send all LLDP-MED TLVs
Configuring LLDP Characteristics
You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to be sent and received.
Beginning in privileged EXEC mode, follow these steps to globally disable LLDP:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 no lldp run | Disable LLDP.
Step 3 end | Return to privileged EXEC mode.
Beginning in privileged EXEC mode, follow these steps to globally enable LLDP-MED when it has been disabled:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to enable LLDP on an interface when it has been disabled:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface on which you are enabling LLDP-MED, and enter interface configuration mode.
Step 3 lldp transmit | LLDP packets are sent on the interface.
Chapter 27 Configuring LLDP and LLDP-MED Monitoring and Maintaining LLDP and LLDP-MED
Beginning in privileged EXEC mode, follow these steps to enable a TLV on an interface:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.
Step 3 lldp med-tlv-select tlv | Specify the TLV to enable.
Step 4 end | Return to privileged EXEC mode.
Chapter 28 Configuring UDLD
This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 28 Configuring UDLD Understanding UDLD
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so.
Chapter 28 Configuring UDLD Configuring UDLD
If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.
Default UDLD Configuration
Table 28-1 shows the default UDLD configuration.
Enabling UDLD Globally
Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch and all members in the switch stack:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Enabling UDLD on an Interface
Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port:
Command | Purpose
Step 1 configure terminal | Enter global configuration mode.
Step 2 interface interface-id | Specify the port to be enabled for UDLD, and enter interface configuration mode.
Step 3 udld port [aggressive] | UDLD is disabled by default.
Chapter 28 Configuring UDLD Displaying UDLD Status
To display the UDLD status for the specified port or for all ports, use the show udld [interface-id] privileged EXEC command. For detailed information about the fields in the command output, see the command reference for this release.
CH A P T E R 29 Configuring SPAN and RSPAN This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN These sections contain this conceptual information: • Local SPAN, page 29-2 • Remote SPAN, page 29-3 • SPAN and RSPAN Concepts and Terminology, page 29-4 • SPAN and RSPAN Interaction with Other Features, page 29-9 • SPAN and RSPAN and Switch Stacks, page 29-10 Local SPAN Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 29-2 Example of Local SPAN Configuration on a Switch Stack Blade switch stack Switch 1 1/0/4 Port 4 on switch 1 in the stack mirrored on port 15 on switch 2 2/0/15 Network analyzer Switch 2 Switch 3 202310 Stackwise Plus port connections Remote SPAN RSPAN supports source ports, source VLANs, and destination ports on different switches (or different switch stacks), enabling remote monitoring of multiple switches across your
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Figure 29-3 Example of RSPAN Configuration RSPAN destination ports RSPAN destination session Switch C Intermediate switches must support RSPAN VLAN RSPAN VLAN RSPAN source session A RSPAN source ports Switch B RSPAN source session B RSPAN source ports 101366 Switch A SPAN and RSPAN Concepts and Terminology This section describes concepts and terminology associated with SPAN and RSPAN configuration.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN An RSPAN source session is very similar to a local SPAN session, except for where the packet stream is directed. In an RSPAN source session, SPAN packets are relabeled with the RSPAN VLAN ID and directed over normal trunk ports to the destination switch. An RSPAN destination session takes all packets received on the RSPAN VLAN, strips off the VLAN tagging, and presents them on the destination port.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN Features that can cause a packet to be dropped during receive processing have no effect on ingress SPAN; the destination port receives a copy of the packet even if the actual incoming packet is dropped. These features include IP standard and extended input access control lists (ACLs), ingress QoS policing, VLAN ACLs, and egress QoS policing.
Chapter 29 Configuring SPAN and RSPAN Understanding SPAN and RSPAN A source port has these characteristics: • It can be monitored in multiple SPAN sessions. • Each source port can be configured with a direction (ingress, egress, or both) to monitor. • It can be any port type (for example, EtherChannel, Gigabit Ethernet, and so forth). • For EtherChannel sources, you can monitor traffic for the entire EtherChannel or individually on a physical port as it participates in the port channel.
Destination Port
Each local SPAN session or RSPAN destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets to the user, usually a network analyzer. A destination port has these characteristics:
• For a local SPAN session, the destination port must reside on the same switch or switch stack as the source port.
RSPAN VLAN
The RSPAN VLAN carries SPAN traffic between RSPAN source and destination sessions. It has these special characteristics:
• All traffic in the RSPAN VLAN is always flooded.
• No MAC address learning occurs on the RSPAN VLAN.
• RSPAN VLAN traffic only flows on trunk ports.
• RSPAN VLANs must be configured in VLAN configuration mode by using the remote-span VLAN configuration mode command.
Configuring SPAN and RSPAN
A physical port that belongs to an EtherChannel group can be configured as a SPAN source port and still be a part of the EtherChannel. In this case, data from the physical port is monitored as it participates in the EtherChannel. However, if a physical port that belongs to an EtherChannel group is configured as a SPAN destination, it is removed from the group.
Default SPAN and RSPAN Configuration
Table 29-1 shows the default SPAN and RSPAN configuration.
Table 29-1 Default SPAN and RSPAN Configuration
Feature                                  Default Setting
SPAN state (SPAN and RSPAN)              Disabled.
Source port traffic to monitor           Both received and sent traffic (both).
Encapsulation type (destination port)    Native form (untagged packets).
• You can limit SPAN traffic to specific VLANs by using the filter vlan keyword. If a trunk port is being monitored, only traffic on the VLANs specified with this keyword is monitored. By default, all VLANs are monitored on a trunk port.
• You cannot mix source VLANs and filter VLANs within a single SPAN session.
Step 4  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
        Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3.
        Note: For local SPAN, you must use the same session number for the source and destination interfaces.
        For interface-id, specify the destination port.
This example shows how to remove any existing configuration on SPAN session 2, configure SPAN session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all ports belonging to VLAN 10.
Step 5  end
        Return to privileged EXEC mode.
Step 6  show monitor [session session_number]
        show running-config
        Verify the configuration.
Step 7  copy running-config startup-config
        (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
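The local SPAN scenario described above (clear session 2, mirror received traffic from VLANs 1 through 3, then add VLAN 10), written out as an added configuration example that is not the guide's own text. The analyzer port GigabitEthernet1/0/2 is an assumption.

```cisco
! Added example: local SPAN session 2 for the scenario described above.
! Assumes the network analyzer is attached to GigabitEthernet1/0/2.
Switch# configure terminal
! Clear any existing configuration for session 2 first: source and destination
! commands are additive, so stale entries would otherwise stay in the session.
Switch(config)# no monitor session 2
! Mirror only received (rx) traffic on every port that belongs to VLANs 1 through 3.
Switch(config)# monitor session 2 source vlan 1 - 3 rx
! The destination must be a physical port, never an EtherChannel or a VLAN;
! a port that is an EtherChannel member is removed from its group when used here.
Switch(config)# monitor session 2 destination interface GigabitEthernet1/0/2
! Add VLAN 10 in both directions (the default when no direction is given).
Switch(config)# monitor session 2 source vlan 10
Switch(config)# end
! Verify the session. Ingress copies are made before input ACLs and QoS policing
! act, so the analyzer also sees frames the switch itself later drops.
Switch# show monitor session 2
Switch# copy running-config startup-config
```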
Step 5  monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
        Specify the SPAN session and the destination port (monitoring port). For session_number, specify the session number entered in Step 3. For interface-id, specify the destination port. The destination interface must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN.
• You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets. Specify these ACLs on the RSPAN VLAN in the RSPAN source switches.
• For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.
• RSPAN does not support BPDU packet monitoring or other Layer 2 switch protocols.
To remove the remote SPAN characteristic from a VLAN and convert it back to a normal VLAN, use the no remote-span VLAN configuration command. This example shows how to create RSPAN VLAN 901.
Step 6  show monitor [session session_number]
        show running-config
        Verify the configuration.
Step 7  copy running-config startup-config
        (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
Step 5  monitor session session_number destination remote vlan vlan-id
        Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN). For session_number, enter the session number specified in Step 3. For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show monitor [session session_number]
        Verify the configuration.
Step 6  monitor session session_number source remote vlan vlan-id
        Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
Step 7  monitor session session_number destination interface interface-id
        Specify the RSPAN session and the destination interface. For session_number, enter the number defined in Step 6.
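The RSPAN VLAN, source-session and destination-session procedures above, combined into one end-to-end example. This is an added example, not configuration from the guide; the switch names, interface numbers and RSPAN VLAN 901 (the VLAN the guide's own example creates) are assumptions.

```cisco
! Added example (not from the guide): RSPAN session carrying traffic from port
! Gi1/0/4 on SwitchA to an analyzer on Gi1/0/2 of SwitchC over RSPAN VLAN 901.
! Switch names, interfaces and the VLAN number are assumed values.

! --- SwitchA: RSPAN source switch ---
SwitchA(config)# vlan 901
! Marks the VLAN as RSPAN: all of its traffic is flooded and no MAC addresses are learned.
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit
SwitchA(config)# no monitor session 1
SwitchA(config)# monitor session 1 source interface GigabitEthernet1/0/4 both
SwitchA(config)# monitor session 1 destination remote vlan 901
! RSPAN traffic only flows on trunk ports; the uplink toward SwitchC must carry VLAN 901.
SwitchA(config)# interface GigabitEthernet1/0/17
SwitchA(config-if)# switchport trunk encapsulation dot1q
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# end
SwitchA# show monitor session 1

! --- Each intermediate switch (unless VTP already propagates the VLAN) ---
! Because the RSPAN VLAN is flooded, every trunk that carries 901 exposes the mirrored
! traffic; prune it from trunks that are not on the path (switchport trunk allowed vlan).
SwitchB(config)# vlan 901
SwitchB(config-vlan)# remote-span
SwitchB(config-vlan)# exit

! --- SwitchC: RSPAN destination switch ---
SwitchC(config)# vlan 901
SwitchC(config-vlan)# remote-span
SwitchC(config-vlan)# exit
! Session numbers are local to a switch; session 2 here is unrelated to session 1 on SwitchA.
SwitchC(config)# monitor session 2 source remote vlan 901
! The destination must be a physical port; an EtherChannel member placed here leaves its group.
SwitchC(config)# monitor session 2 destination interface GigabitEthernet1/0/2
SwitchC(config)# end
SwitchC# show monitor session 2
```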
Step 3  monitor session session_number source remote vlan vlan-id
        Specify the RSPAN session and the source RSPAN VLAN. For session_number, the range is 1 to 66. For vlan-id, specify the source RSPAN VLAN to monitor.
Step 4  monitor session session_number
        Specify the SPAN session, the destination port, the packet encapsulation, and the incoming VLAN and encapsulation.
Displaying SPAN and RSPAN Status
To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide, OL-12189-01
Chapter 30 Configuring RMON
This chapter describes how to configure Remote Network Monitoring (RMON) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. RMON is a standard monitoring specification that defines a set of statistics and functions that can be exchanged between RMON-compliant console systems and network probes. RMON provides you with comprehensive network-fault diagnosis, planning, and performance-tuning information.
Figure 30-1 Remote Monitoring Example (a network management station running a generic RMON console application, with SNMP configured, manages the blade servers and a switch on which RMON history and statistic collection are enabled and RMON alarms and events are configured)
Default RMON Configuration
RMON is disabled by default; no alarms or events are configured.
Configuring RMON Alarms and Events
You can configure your switch for RMON by using the command-line interface (CLI) or an SNMP-compatible network management station. We recommend that you use a generic RMON console application on the network management station (NMS) to take advantage of the RMON network management capabilities.
Step 3  rmon event number [description string] [log] [owner string] [trap community]
        Add an event in the RMON event table that is associated with an RMON event number.
        • For number, assign an event number. The range is 1 to 65535.
        • (Optional) For description string, specify a description of the event.
        • (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.
Collecting Group History Statistics on an Interface
You must first configure RMON alarms and events to display collection information. Beginning in privileged EXEC mode, follow these steps to collect group history statistics on an interface. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 3  rmon collection stats index [owner ownername]
        Enable RMON statistic collection on the interface.
        • For index, specify the RMON group of statistics. The range is from 1 to 65535.
        • (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
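The event, alarm and collection steps above, combined into one added example that is not part of the guide. The interface, ifIndex 1, the owner string, the thresholds and the community rmon-trap are assumptions; the trap community must correspond to an SNMP community and notification host configured as described in Chapter 32.

```cisco
! Added example (not from the guide): an RMON event pair, an alarm on the interface
! error counter, and statistics/history collection on one port.
! Assumes ifIndex 1 is the monitored port and that SNMP community "rmon-trap" and a
! trap host are configured separately.
Switch(config)# rmon event 1 log trap rmon-trap description "ifInErrors rising" owner netops
Switch(config)# rmon event 2 log description "ifInErrors falling" owner netops
! Sample ifInErrors (ifEntry.14) of ifIndex 1 every 30 seconds and compare the change
! between samples; 50 or more new errors fires event 1, a return to 0 fires event 2.
Switch(config)# rmon alarm 10 ifEntry.14.1 30 delta rising-threshold 50 1 falling-threshold 0 2 owner netops
! Collect per-port statistics and a 50-bucket history at one-minute intervals so the
! NMS can see the counters that drove the alarm.
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# rmon collection stats 1 owner netops
Switch(config-if)# rmon collection history 1 buckets 50 interval 60 owner netops
Switch(config-if)# end
Switch# show rmon alarms
Switch# show rmon events
Switch# show rmon statistics
Switch# show rmon history
```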
Chapter 31 Configuring System Message Logging
This chapter describes how to configure system message logging on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command References.
You can set the severity level of the messages to control the type of messages displayed on the consoles and each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time debugging and management. For information on possible messages, see the system message guide for this release.
Table 31-1 describes the elements of syslog messages.
Table 31-1 System Log Message Elements
Element    Description
seq no:    Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 31-8.
           Date and time of the message or event.
Default System Message Logging Configuration
Table 31-2 shows the default system message logging configuration.
Table 31-2 Default System Message Logging Configuration
Feature                                    Default Setting
System message logging to the console      Enabled.
Console severity                           Debugging (and numerically lower levels; see Table 31-3 on page 31-10).
Logging file configuration                 No filename specified.
Logging buffer size                        4096 bytes.
The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Synchronizing Log Messages” section on page 31-6. To re-enable message logging after it has been disabled, use the logging on global configuration command.
Step 5  end
        Return to privileged EXEC mode.
Step 6  terminal monitor
        Log messages to a nonconsole terminal during the current session. Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.
Step 7  show running-config
        Verify your entries.
Beginning in privileged EXEC mode, follow these steps to configure synchronous logging. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number [ending-line-number]
        Specify the line to be configured for synchronous logging of messages.
Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time-stamped. Beginning in privileged EXEC mode, follow these steps to enable time-stamping of log messages. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  service timestamps log uptime
        Enable log time stamps.
Step 4  show running-config
        Verify your entries.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable sequence numbers, use the no service sequence-numbers global configuration command. This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.
Table 31-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional.
Step 1  configure terminal
        Enter global configuration mode.
Step 2  logging history level
        Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 31-3 on page 31-10 for a list of level keywords.
Beginning in privileged EXEC mode, follow these steps to enable configuration logging:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  archive
        Enter archive configuration mode.
Step 3  log config
        Enter configuration-change logger configuration mode.
Step 4  logging enable
        Enable configuration change logging.
Log in as root, and perform these steps:
Note: Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages.
Step 1  Add a line such as the following to the file /etc/syslog.conf:
local7.
Step 6  show running-config
        Verify your entries.
Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.
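The logging procedures of this chapter (time stamps, sequence numbers, buffer size, syslog server and trap level, source address, console synchronization, configuration-change logging) combined into one added example that is not the guide's own configuration. The collector address 172.16.10.50, interface Vlan10 and the buffer size are assumptions, and the hidekeys and notify syslog commands under log config are assumed to be present in this image (the guide's step list shows only logging enable).

```cisco
! Added example (not from the guide): forward timestamped, sequence-numbered
! messages to a syslog collector and record configuration changes.
! 172.16.10.50 and Vlan10 are assumed values.
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service sequence-numbers
! Keep more than the 4096-byte default locally so messages survive a collector
! outage long enough to be reviewed.
Switch(config)# logging buffered 32768 informational
Switch(config)# logging host 172.16.10.50
! Send informational (level 6) and more severe messages to the collector;
! debugging (level 7) output stays on the switch.
Switch(config)# logging trap informational
! Fix the source address so the collector attributes messages to this switch
! no matter which interface forwards the datagram.
Switch(config)# logging source-interface Vlan10
! Quieter console: warnings and above, not interleaved with typed input.
Switch(config)# logging console warnings
Switch(config)# line console 0
Switch(config-line)# logging synchronous
Switch(config-line)# exit
! Log every configuration change, mask passwords and keys in the record, and
! copy each entry to syslog so the collector also receives it.
Switch(config)# archive
Switch(config-archive)# log config
Switch(config-archive-log-cfg)# logging enable
Switch(config-archive-log-cfg)# hidekeys
Switch(config-archive-log-cfg)# notify syslog
Switch(config-archive-log-cfg)# end
Switch# show logging
Switch# show archive log config all
```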
Chapter 32 Configuring SNMP
This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.
These sections contain this conceptual information:
• SNMP Versions, page 32-2
• SNMP Manager Functions, page 32-3
• SNMP Agent Functions, page 32-4
• SNMP Community Strings, page 32-4
• Using SNMP to Access MIB Variables, page 32-4
• SNMP Notifications, page 32-5
• SNMP ifIndex MIB Object Values, page 32-5
SNMP Versions
This software release supports these SNMP versions:
• SNMPv1—The Simple Network Management Protocol, a Full Internet Standar
Table 32-1 identifies the characteristics of the different combinations of security models and levels.
Table 32-1 SNMP Security Models and Levels
Model     Level         Authentication    Encryption   Result
SNMPv1    noAuthNoPriv  Community string  No           Uses a community string match for authentication.
SNMPv2C   noAuthNoPriv  Community string  No           Uses a community string match for authentication.
SNMP Agent Functions
The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
SNMP Notifications
SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.
Configuring SNMP
These sections contain this configuration information:
• Default SNMP Configuration, page 32-6
• SNMP Configuration Guidelines, page 32-6
• Disabling the SNMP Agent, page 32-7
• Configuring Community Strings, page 32-8
• Configuring SNMP Groups and Users, page 32-9
• Configuring SNMP Notifications, page 32-11
• Setting the Agent Contact and Location Information, page 32-15
• Limiting TFTP Servers Used Through SNMP, page 32-15
When configuring SNMP, follow these guidelines:
• When configuring an SNMP group, do not specify a notify view. The snmp-server host global configuration command autogenerates a notify view for the user and then adds it to the group associated with that user. Modifying the group's notify view affects all users associated with that group. See the Cisco IOS Configuration Fundamentals Command Reference, Release 12.
Configuring Community Strings
You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the switch.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Note: To disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string).
To remove a specific community string, use the no snmp-server community string global configuration command.
Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure a new SNMP group on the remote device.
        • For groupname, specify the name of the group.
        • Specify a security model:
          – v1 is the least secure of the possible security models.
          – v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Add a new user for an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.
Table 32-5 Switch Notification Types (continued)
Notification Type Keyword   Description
cluster                     Generates a trap when the cluster configuration changes.
config                      Generates a trap for SNMP configuration changes.
copy-config                 Generates a trap for SNMP copy configuration changes.
entity                      Generates a trap for SNMP entity changes.
envmon                      Generates environmental monitor traps.
Table 32-5 Switch Notification Types (continued)
Notification Type Keyword   Description
syslog                      Generates SNMP syslog traps.
tty                         Generates a trap for TCP connections. This trap is enabled by default.
vlan-membership             Generates a trap for SNMP VLAN membership changes.
vlancreate                  Generates SNMP VLAN created traps.
vlandelete                  Generates SNMP VLAN deleted traps.
vtp                         Generates a trap for VLAN Trunking Protocol (VTP) changes.
Step 5  snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type]
        Specify the recipient of an SNMP trap operation.
        • For host-addr, specify the name or Internet address of the host (the targeted recipient).
        • (Optional) Enter informs to send SNMP informs to the host.
        • (Optional) Enter traps (the default) to send SNMP traps to the host.
To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. The no snmp-server host command with no keywords disables traps, but not informs, to the host. To disable informs, use the no snmp-server host informs global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
This example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the switch to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.
Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.
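The community-string, group/user, notification and access-list steps of this chapter combined into one added example (not the guide's own configuration) that replaces community-string access with SNMPv3 authPriv restricted to a single management station. The NMS address 172.16.10.50, ACL 10, the view, group and user names, the contact and location text, and the placeholder passwords are assumptions; AES privacy requires the cryptographic software image.

```cisco
! Added example (not from the guide): SNMPv3 authPriv access for one NMS only,
! v3 traps to that NMS, and no v1/v2c communities left behind.
! 172.16.10.50, ACL 10, and all names and passwords are assumed or placeholders.
! Only the management station may reach the agent; log anything else that tries.
Switch(config)# access-list 10 permit 172.16.10.50
Switch(config)# access-list 10 deny any log
! Remove a legacy read-only community (a null string would also disable it).
Switch(config)# no snmp-server community public
! Read-only view over the standard tree.
Switch(config)# snmp-server view MGMT-RO iso included
! Group that requires authentication and encryption, bound to the same ACL.
Switch(config)# snmp-server group NETMON v3 priv read MGMT-RO access 10
! User in that group: SHA authentication, AES-128 privacy (cryptographic image).
Switch(config)# snmp-server user monitor1 NETMON v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
! Notification types of interest, delivered as v3 authPriv traps to the NMS.
! (v3 informs would additionally need the user defined with the remote engine ID.)
Switch(config)# snmp-server enable traps config
Switch(config)# snmp-server enable traps syslog
Switch(config)# snmp-server enable traps vlan-membership
Switch(config)# snmp-server host 172.16.10.50 traps version 3 priv monitor1 config syslog vlan-membership
Switch(config)# snmp-server contact netops@example.com
Switch(config)# snmp-server location Blade chassis 1 bay 7
! Limit SNMP-triggered copy operations to the same TFTP server list.
Switch(config)# snmp-server tftp-server-list 10
Switch(config)# end
Switch# show snmp group
Switch# show snmp user
Switch# show snmp host
```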
Chapter 34 Configuring Network Security with ACLs
This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Note: Information in this chapter about IP ACLs is specific to IP Version 4 (IPv4). For information about IPv6 ACLs, see Chapter 35, “Configuring IPv6 ACLs.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces.
• When an output router ACL and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are filtered by the port ACL. Outgoing routed IP packets are filtered by the router ACL. Other packets are not filtered.
• When a VLAN map, input router ACL, and input port ACL exist in an SVI, incoming packets received on the ports to which a port ACL is applied are only filtered by the port ACL.
Figure 34-1 Using ACLs to Control Traffic to a Network (packets from Blade Server A and Blade Server B reach the Research & Development network, where an ACL denies traffic from Blade Server B and permits traffic from Blade Server A; a Human Resources network is also shown)
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port.
As with port ACLs, the switch examines ACLs associated with features configured on a given interface. However, router ACLs are supported in both directions. As packets enter the switch on an interface, ACLs associated with all inbound features configured on that interface are examined.
• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information. Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)# access-list 102 deny tcp any host 10.1.1.
Stack members perform these ACL functions:
• They receive the ACL information from the master switch and program their hardware.
• They act as standby switches, ready to take over the role of the stack master if the existing master were to fail and they were to be elected as the new stack master. When a stack master fails and a new stack master is elected, the newly elected master reparses the backed up running configuration.
The software supports these types of ACLs or access lists for IPv4:
• Standard IP access lists use source addresses for matching operations.
• Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.
Note: In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
Creating a Numbered Standard ACL
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard] [log]
        Define a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL:
Step 1  configure terminal
        Enter global configuration mode.
or
Step 2b access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
        In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.
Step 2d access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [log] [log-input] [time-range time-range-name] [dscp dscp]
        (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol.
After creating a numbered extended ACL, you can apply it to terminal lines (see the “Applying an IPv4 ACL to a Terminal Line” section on page 34-19), to interfaces (see the “Applying an IPv4 ACL to an Interface” section on page 34-20), or to VLANs (see the “Configuring VLAN Maps” section on page 34-29).
Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip access-list standard name
        Define a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99.
When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask. After you create an ACL, any additions are placed at the end of the list.
Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  time-range time-range-name
        Assign a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
This example uses named ACLs to permit and deny the same traffic.
Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:
Step 1  configure terminal
        Enter global configuration mode.
Step 2  line [console | vty] line-number
        Identify a specific line to configure, and enter in-line configuration mode.
        • console—Specify the console terminal line. The console port is DCE.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Beginning in privileged EXEC mode, follow these steps to control access to an interface: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface interface-id Identify a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL).
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Hardware and Software Treatment of IP ACLs ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. If the hardware reaches its capacity to store ACL configurations, packets are sent to the CPU for forwarding. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic.
Chapter 34 Configuring Network Security with ACLs Configuring IPv4 ACLs Use router ACLs to do this in one of two ways: • Create a standard ACL, and filter traffic coming to the server from port 1. • Create an extended ACL, and filter traffic coming from the server into port 1. Figure 34-3 Using Router ACLs to Control Traffic Blade server B Port 2 Port 1 Accounting 172.20.128.64-95 201775 Human Resources 172.20.128.
Numbered ACLs
In this example, network 36.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and rejects all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 36.0.0.
Named ACLs
This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.
Switch(config)# ip access-list standard Internet_filter
Switch(config-std-nacl)# permit 1.2.3.4
Switch(config-std-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.
Switch(config)# access-list 1 remark Do not allow Smith server through
Switch(config)# access-list 1 deny 171.69.3.13
In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web:
Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.
Switch(config)# access-list 100 remark Do
Switch(config)# access-list 100 deny host
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# ip access-group ext1 in
This is an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1. packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp packets
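Parsing and summarising these %SEC-6-IPACCESSLOG messages is how an operator turns ACL logging into detection. The following is an added example, not part of the guide; its sample lines are constructed in the guide's format, and it relies on two IOS behaviours not shown on this page: the first hit produces a message and a summary every five minutes carries the packet count for that interval, and standard ACLs log as IPACCESSLOGS without a destination.

```python
"""Parser and summariser for %SEC-6-IPACCESSLOG* messages (added example,
not from the Cisco guide).  IOS logs the first packet that hits a logging
ACE and then a summary every five minutes with the number of packets seen
in that interval, so adding the counts gives a per-source total.  Variants
handled: IPACCESSLOGP (TCP/UDP, with ports), IPACCESSLOGDP (ICMP, with
type/code), IPACCESSLOGS (standard ACL, source only), IPACCESSLOGNP (other
protocols).  The sample lines are constructed, not real switch output.
"""
import re
from collections import defaultdict

MSG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|S|NP):\s*list (?P<acl>\S+) "
    r"(?P<verdict>permitted|denied) (?P<body>.*?),?\s*(?P<count>\d+) packets?$"
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_line(line):
    """Return a dict for an ACL log line, or None for any other syslog line."""
    m = MSG.search(line)
    if not m:
        return None
    body = m.group("body")
    ips = IPV4.findall(body)
    # LOGS lines carry only the source address; the others start with proto
    proto = None if m.group("kind") == "S" else body.split()[0]
    ports = re.findall(r"\((\d+)\)", body) if m.group("kind") == "P" else []
    return {
        "acl": m.group("acl"), "verdict": m.group("verdict"), "proto": proto,
        "src": ips[0], "dst": ips[1] if len(ips) > 1 else None,
        "sport": int(ports[0]) if ports else None,
        "dport": int(ports[1]) if len(ports) > 1 else None,
        "count": int(m.group("count")),
    }


def denied_per_source(lines):
    """Sum denied packets per (acl, src) over first-hit and summary lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


def noisy_sources(lines, threshold):
    """(acl, src) pairs whose denied total reaches threshold, busiest first."""
    totals = denied_per_source(lines)
    return sorted(((k, n) for k, n in totals.items() if n >= threshold),
                  key=lambda kv: -kv[1])


# Constructed sample log in the guide's format (not real switch output).
SAMPLE = """\
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.15(0) -> 10.1.1.61(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 10.1.1.15(0) -> 10.1.1.61(0), 8 packets
01:31:40:%SEC-6-IPACCESSLOGS:list 1 denied 10.1.1.99 1 packet
01:36:41:%SEC-6-IPACCESSLOGS:list 1 denied 10.1.1.99 120 packets
01:37:02:%SYS-5-CONFIG_I: Configured from console by console
""".splitlines()

if __name__ == "__main__":
    for (acl, src), n in noisy_sources(SAMPLE, threshold=5):
        print(f"list {acl}: {src} had {n} packets denied")
```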
Step 3. Command: {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]. Purpose: In extended MAC acce
• You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
To create a VLAN map and apply it to one or more VLANs, perform these steps:
Step 1. Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN. See the “Creating Standard and Extended IPv4 ACLs” section on page 34-7 and the “Creating a VLAN Map” section on page 34-31.
Step 2. Enter the vlan access-map global configuration command to create a VLAN ACL map entry.
• On a Catalyst Switch Module 3012, if VLAN map configuration cannot be applied in hardware, all packets in that VLAN must be routed by software.
• You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
Use the no action access-map configuration command to enforce the default action, which is to forward. VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Example 3
In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets.
Applying a VLAN Map to a VLAN
Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Step 2. Command: vlan filter mapname vlan-list list. Purpose: Apply the VLAN map to one or more VLAN IDs. The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30).
This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
Step 1. Define the IP ACL that will match the correct packets.
Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip 10.1.2.
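The wildcard-mask and first-match rules of the numbered access-list 2 example above, and the VLAN-map semantics just described (a permit in the ACL is a match, a deny is a non-match, an entry with no match clause matches everything), can be checked against a small evaluator. This is an added example, not code from the guide: the three ACEs of access-list 2 are reconstructed from the prose, the server address 10.1.1.100 and the second map entry are assumed, and the end-of-map rule (drop when the map has a match clause for the packet type, forward otherwise) is IOS behaviour I rely on rather than text from this page.

```python
"""IPv4 ACL and VLAN-map evaluator (added example, not from the Cisco guide).

Rules modelled, as the guide states them: ACEs are tested in order and the
first match wins; a packet matching no ACE hits the implicit deny at the end
of every ACL; a standard ACE with no wildcard uses 0.0.0.0; in a VLAN map a
permit in the referenced ACL *matches* the packet (the entry's action runs),
a deny means "no match, try the next entry", and an entry with no match
clause matches everything.  End-of-map behaviour follows the IOS rule: a
packet matching no entry is dropped if the map has a match clause for its
packet type and forwarded otherwise.  Addresses and lists are constructed.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard="0.0.0.0"):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _addr_spec(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of toks."""
    if toks[0] == "any":
        toks.pop(0)
        return "0.0.0.0", "255.255.255.255"
    if toks[0] == "host":
        toks.pop(0)
        return toks.pop(0), "0.0.0.0"
    return toks.pop(0), toks.pop(0)


def parse_ace(line):
    """Parse one ACE in the guide's syntax.
    Standard:  permit 36.48.0.3 [wildcard]        (source only)
    Extended:  permit ip <src-spec> <dst-spec>     (spec: any | host A | A WC)
    """
    toks = line.split()
    permit = toks.pop(0) == "permit"
    if toks[0] in ("ip", "tcp", "udp", "icmp"):
        proto = toks.pop(0)
        src, src_wc = _addr_spec(toks)
        dst, dst_wc = _addr_spec(toks)
    else:  # standard ACL: an omitted mask means 0.0.0.0, i.e. exact host
        proto = "ip"
        src, src_wc = toks[0], (toks[1] if len(toks) > 1 else "0.0.0.0")
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    return dict(permit=permit, proto=proto, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc)


def acl_lookup(acl, pkt):
    """First-match lookup; 'deny' when nothing matches (implicit deny)."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if (wildcard_match(pkt["src"], ace["src"], ace["src_wc"]) and
                wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"])):
            return "permit" if ace["permit"] else "deny"
    return "deny"


def vlan_map_action(vlan_map, acls, pkt):
    """vlan_map is an ordered list of (acl_name or None, action)."""
    for acl_name, action in vlan_map:
        # permit in the ACL == VLAN-map match; deny == fall through
        if acl_name is None or acl_lookup(acls[acl_name], pkt) == "permit":
            return action
    has_match_clause = any(name is not None for name, _ in vlan_map)
    return "drop" if has_match_clause else "forward"


# Constructed reconstruction of the guide's access-list 2 for network 36.0.0.0
# (second octet = subnet): one host on subnet 48 allowed, rest of 48 denied.
ACL_2 = [parse_ace(l) for l in ("permit 36.48.0.3",
                                "deny 36.48.0.0 0.0.255.255",
                                "permit 36.0.0.0 0.255.255.255")]

# Constructed map in the spirit of SERVER1: the listed hosts may not reach the
# (assumed) server 10.1.1.100; entry 20 has no match clause, so it forwards
# everything else.  A deny ACE could not do this: deny just means no match.
ACLS = {"SERVER1_ACL": [parse_ace(l) for l in (
    "permit ip 10.1.2.0 0.0.0.255 host 10.1.1.100",
    "permit ip host 10.1.1.4 host 10.1.1.100",
    "permit ip host 10.1.1.8 host 10.1.1.100")]}
SERVER1_MAP = [("SERVER1_ACL", "drop"), (None, "forward")]


def std_decision(src):
    return acl_lookup(ACL_2, dict(src=src, dst="10.0.0.1", proto="ip"))


def server1_decision(src, dst="10.1.1.100"):
    return vlan_map_action(SERVER1_MAP, ACLS, dict(src=src, dst=dst, proto="ip"))


if __name__ == "__main__":
    for h in ("36.48.0.3", "36.48.7.9", "36.5.1.1", "10.9.9.9"):
        print(f"access-list 2 {h:>10}: {std_decision(h)}")
    for h in ("10.1.2.77", "10.1.1.4", "10.1.1.9"):
        print(f"SERVER1 map   {h:>10}: {server1_decision(h)}")
```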
The switch hardware provides one lookup for security ACLs for each direction (input and output); therefore, you must merge a router ACL and a VLAN map when they are configured on the same VLAN. Merging the router ACL with the VLAN map might significantly increase the number of ACEs.
[Figure 34-5 Applying ACLs on Switched Packets: VLAN 10 map, Input router ACL, Output router ACL, VLAN 20 map; Blade server A (VLAN 10), Routing function or fallback bridge, Blade server B (VLAN 10)]
ACLs and Bridged Packets
Figure 34-6 shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN.
ACLs and Routed Packets
Figure 34-7 shows how ACLs are applied on routed packets. For routed packets, the ACLs are applied in this order:
1. VLAN map for input VLAN
2. Input router ACL
3. Output router ACL
4.
[Figure 34-8 Applying ACLs on Multicast Packets: VLAN 10 map, Input router ACL, Output router ACL, VLAN 20 map; Blade server A (VLAN 10), Blade server B (VLAN 20), Routing function, Blade server C (VLAN 10)]
Displaying IPv4 ACL Configuration
You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.
You can also display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 34-3 to display VLAN map information.
Table 34-3 Commands for Displaying VLAN Map Information
Command: show vlan access-map [mapname]. Purpose: Show information about all VLAN access maps or the specified access map.
CHAPTER 35 Configuring IPv6 ACLs
When the switch is running the advanced IP services feature set, you can filter IP Version 6 (IPv6) traffic by creating IPv6 access control lists (ACLs) and applying them to interfaces as you would create and apply IP Version 4 (IPv4) named ACLs. You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP services or IP base feature set.
Supported IPv6 ACLs
Table 35-1 shows the supported IPv6 ACLs on each switch.
• If you create or apply an output router ACL or an input port ACL on a switch running the IP base or IP services feature set, the ACL is added to the switch configuration but does not take effect; an error message appears. If you want to use the output router ACL or input port ACL, save the switch configuration and enable the advanced IP services feature set, which supports the ACL.
• The switch does not apply MAC-based ACLs on IPv6 frames.
• You cannot apply IPv6 port ACLs to Layer 2 EtherChannels.
• Output router ACLs and input port ACLs for IPv6 are supported only when the Catalyst Switch Module 3110 is running the advanced IP services feature set. A switch running the IP services or IP base feature set supports only input router ACLs for IPv6 management traffic.
Default IPv6 ACL Configuration
No IPv6 ACLs are configured or applied.
Interaction with Other Features and Switches
Configuring IPv6 ACLs causes these interactions with other features or switch characteristics:
• If an IPv6 router ACL is configured to deny a packet, the packet is not routed. A copy of the packet is sent to the Internet Control Message Protocol (ICMP) queue to generate an ICMP unreachable message for the frame.
Step 3a. Command: {deny | permit} protocol {source-ipv6-prefix/prefix-length |
Purpose: Enter deny or permit to specify whether to deny or permit the packet if conditions are matched.
Step 3b. Command: {deny | permit} tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]]
Purpose: (Optional) Define a TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters:
• ack—Acknowledgment bit set.
Use the no {deny | permit} IPv6 access-list configuration commands with keywords to remove the deny or permit conditions from the specified access list. This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
This example shows how to apply the access list CISCO to outbound traffic on a Layer 3 interface:
Switch(config)# interface gigabitethernet 1/0/3
Switch(config-if)# no switchport
Switch(config-if)# ipv6 address 2001::/64 eui-64
Switch(config-if)# ipv6 traffic-filter CISCO out
Displaying IPv6 ACLs
You can display information about all configured access lists, all IPv6 access lists, or a specific access list by using either or both of the privileged EXE
CHAPTER 36 Configuring QoS
This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
[Figure 36-1 QoS Classification Layers in Frames and Packets: Encapsulated Packet (Layer 2 header, IP header, Data); Layer 2 ISL Frame (ISL header (26 bytes), Encapsulated frame, FCS (4 bytes)), 3 bits used for CoS; Layer 2 802.1Q]
Figure 36-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:
• Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs. During classification, the switch performs a lookup and assigns a QoS label to the packet.
After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.
[Figure 36-3 Classification Flowchart: Start; Read ingress interface configuration for classification; Trust CoS (IP and non-IP traffic); Trust DSCP (IP traffic); Trust DSCP or IP precedence (non-IP traffic); Trust IP precedence (IP traffic); Assign DSCP identical to DSCP in packet]
Classification Based on QoS ACLs
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.
The policy map can contain the police and police aggregate policy-map class configuration commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the limits are exceeded. To enable the policy map, you attach it to a port by using the service-policy interface configuration command. You can apply a nonhierarchical policy map to a physical port or an SVI.
Policing on Physical Ports
In policy maps on physical ports, you can create these types of policers:
• Individual—QoS applies the bandwidth limits specified in the policer separately to each matched traffic class. You configure this type of policer within a policy map by using the police policy-map class configuration command.
• Aggregate—QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all matched traffic flows.
[Figure 36-4 Policing and Marking Flowchart on Physical Ports: Start; Get the classification result for the packet; Is a policer configured for this packet? (No: Done); Check if the packet is in profile by querying the policer (Yes: Pass through); Check out-of-profile action configured for this policer; Drop: Drop packet; Mark: Modify DSCP according to the policed-DSCP map, Generate a new QoS label; Done]
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these two levels:
• VLAN level—Create this primary level by configuring class maps and classes that specify the port trust state or set a new DSCP or IP precedence value in the packet. The VLAN-level policy map applies only to the VLAN in an SVI and does not support policers.
Mapping Tables
During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a QoS label based on the DSCP or CoS value from the classification stage:
• During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or CoS value from a received CoS, DSCP, or IP precedence value. These maps include the CoS-to-DSCP map and the IP-precedence-to-DSCP map.
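The ingress path described above (classification by port trust state through the mapping tables, the policer's in-profile decision, drop or markdown through the policed-DSCP map, and the DSCP-to-CoS map for queueing) can be modelled end to end. The following is an added example, not the switch's or the guide's code; the mapping tables hold the IOS default values (CoS and IP precedence times 8, DSCP divided by 8, policed-DSCP as the identity), while the policer parameters, the 46-to-8 markdown entry and the packets are constructed.

```python
"""Ingress QoS model: classification, policing and marking (added example,
not from the Cisco guide).  A packet is walked through the stages the guide
describes: the port trust state and the CoS-to-DSCP / IP-precedence-to-DSCP
maps give the internal DSCP of the QoS label; a policer (token bucket with
the rate in bits/s and burst in bytes that the police command takes) decides
whether the packet is in profile; an out-of-profile packet is dropped or
marked down through the policed-DSCP map; the DSCP-to-CoS map then gives
the CoS used for queueing decisions.  Map contents are the IOS defaults;
policer settings and packets are constructed.
"""

COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
IPPREC_TO_DSCP = {prec: prec * 8 for prec in range(8)}
DSCP_TO_COS = {dscp: dscp // 8 for dscp in range(64)}
POLICED_DSCP = {dscp: dscp for dscp in range(64)}   # default: no markdown


def classify(pkt, trust):
    """Internal DSCP for the QoS label.  pkt: cos, dscp, prec, is_ip.
    trust: None (untrusted), 'cos', 'dscp' or 'ip-precedence'."""
    if trust is None:
        return 0                               # untrusted port: DSCP 0
    if trust == "cos" or not pkt["is_ip"]:
        # trust cos, or trust dscp/ip-precedence on non-IP traffic: use CoS
        return COS_TO_DSCP[pkt.get("cos", 0)]  # untagged frame: port CoS 0
    if trust == "dscp":
        return pkt["dscp"]
    return IPPREC_TO_DSCP[pkt["prec"]]


class Policer:
    """Single token bucket for `police rate-bps burst-byte exceed-action ...`."""

    def __init__(self, rate_bps, burst_bytes, exceed="drop", policed_map=None):
        self.rate = rate_bps / 8.0            # bucket refills in bytes/second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = 0.0
        self.exceed = exceed                  # 'drop' or 'policed-dscp-transmit'
        self.policed_map = policed_map or POLICED_DSCP

    def police(self, size, now, dscp):
        """Return (action, dscp); action is transmit, markdown or drop."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:               # in profile
            self.tokens -= size
            return "transmit", dscp
        if self.exceed == "policed-dscp-transmit":
            return "markdown", self.policed_map[dscp]
        return "drop", dscp


def ingress(pkt, trust, policer, now):
    """Classification -> policing/marking -> CoS for the queueing stage."""
    dscp = classify(pkt, trust)
    action, dscp = policer.police(pkt["size"], now, dscp)
    return action, dscp, DSCP_TO_COS[dscp]


def run_burst(n, size, trust, exceed, markdown=None):
    """Send n packets of `size` bytes at t=0 through a constructed policer of
    8000 bps (1000 bytes/s) with a 1500-byte burst; optional markdown entries
    override the policed-DSCP map (what `mls qos map policed-dscp` sets)."""
    pmap = dict(POLICED_DSCP)
    pmap.update(markdown or {})
    pol = Policer(8000, 1500, exceed, pmap)
    pkt = {"cos": 5, "dscp": 46, "prec": 5, "is_ip": True, "size": size}
    return [ingress(pkt, trust, pol, now=0.0) for _ in range(n)]


if __name__ == "__main__":
    for res in run_burst(4, 500, "dscp", "policed-dscp-transmit", {46: 8}):
        print(res)   # three in-profile packets, then one marked 46 -> 8 (CoS 1)
```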
Queueing and Scheduling Overview
The switch has queues at specific points to help prevent congestion as shown in Figure 36-6.
[Figure 36-7 WTD and Queue Operation: queue of 1000; thresholds 100% (1000) for CoS 6-7, 60% (600) for CoS 4-5, 40% (400) for CoS 0-3]
For more information, see the “Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds” section on page 36-67, the “Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set” section on page 36-71, and the “Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID” section on page 36-73.
Queueing and Scheduling on Ingress Queues
Figure 36-8 shows the queueing and scheduling flowchart for ingress ports.
[Figure 36-8 Queueing and Scheduling Flowchart for Ingress Ports: Start; Read QoS label (DSCP or CoS value); Determine ingress queue number, buffer allocation, and WTD thresholds; Are thresholds being exceeded? (Yes: Drop packet; No: Queue the packet); Service the queue according to the SRR weights; Send packet to the stack ring]
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
Queueing and Scheduling on Egress Queues
Figure 36-9 shows the queueing and scheduling flowchart for egress ports.
Note If the expedite queue is enabled, SRR services it until it is empty before servicing the other three queues.
[Figure 36-9 Queueing and Scheduling Flowchart for Egress Ports: Start; Receive packet from the stack ring; Read QoS label (DSCP or CoS value); Determine egress queue number and threshold based on the label]
Figure 36-10 shows the egress queue buffer. The buffer space is divided between the common pool and the reserved pool. The switch uses a buffer allocation scheme to reserve a minimum amount of buffers for each egress queue, to prevent any queue or port from consuming all the buffers and depriving other queues, and to control whether to grant buffer space to a requesting queue.
WTD Thresholds
You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold threshold-id cos1...cos8} global configuration command.
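The WTD behaviour of Figure 36-7 and the CoS-to-threshold mapping described here are easy to reproduce in a small simulation. This is an added example, not the guide's code: the queue size of 1000, the 40/60/100 percent thresholds and the CoS 0-3, 4-5, 6-7 mapping are taken from the figure, while the offered traffic is constructed.

```python
"""Weighted tail-drop (WTD) queue model (added example, not from the Cisco
guide).  It reproduces Figure 36-7: one queue of 1000 units with thresholds
at 40%, 60% and 100%; CoS 0-3 maps to threshold 1, CoS 4-5 to threshold 2
and CoS 6-7 to threshold 3 (the mapping that `mls qos srr-queue output
cos-map queue ... threshold ...` configures).  A packet whose threshold is
already reached is dropped, so under congestion low-priority traffic is shed
first while high-priority traffic still gets the remaining buffer.  Queue
size and offered traffic are constructed.
"""


class WtdQueue:
    def __init__(self, size, thresholds=(40, 60, 100), cos_to_tid=None):
        self.size = size
        # threshold IDs 1..3 -> occupancy limit in packets
        self.limits = {tid: size * pct // 100
                       for tid, pct in enumerate(thresholds, 1)}
        # default map matches Figure 36-7
        self.cos_to_tid = cos_to_tid or {
            c: 1 if c <= 3 else 2 if c <= 5 else 3 for c in range(8)}
        self.occupancy = 0
        self.dropped = {tid: 0 for tid in self.limits}

    def enqueue(self, cos):
        """Return True if the packet is queued, False if WTD dropped it."""
        tid = self.cos_to_tid[cos]
        if self.occupancy >= self.limits[tid]:
            self.dropped[tid] += 1
            return False
        self.occupancy += 1
        return True

    def dequeue(self, n):
        """The scheduler (SRR) removes up to n packets; returns how many."""
        served = min(n, self.occupancy)
        self.occupancy -= served
        return served


def offer(queue, cos, count):
    """Offer `count` packets of class `cos`; return how many were accepted."""
    return sum(queue.enqueue(cos) for _ in range(count))


def congestion_demo():
    """Constructed scenario: best-effort CoS 0 floods the queue first, then
    CoS 5 and CoS 7 traffic arrive.  Returns the queue and accepted counts."""
    q = WtdQueue(1000)
    accepted = {0: offer(q, 0, 450), 5: offer(q, 5, 300), 7: offer(q, 7, 500)}
    return q, accepted


if __name__ == "__main__":
    q, accepted = congestion_demo()
    print("accepted per CoS:", accepted)
    print("dropped per threshold:", q.dropped, "occupancy:", q.occupancy)
```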
• During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of profile and the policer specifies a markdown DSCP). Once again, the DSCP in the packet is not modified, but an indication of the marked-down value is carried along. For IP packets, the packet modification occurs at a later stage; for non-IP packets the DSCP is converted to CoS and used for queueing and scheduling decisions.
Generated Auto-QoS Configuration
By default, auto-QoS is disabled on all ports. When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 36-2.
If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 36-3 and Table 36-4.
Table 36-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically maps DSCP values to an ingress queue and to a threshold ID.
Table 36-5 Generated Auto-QoS Configuration (continued)
Description: The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.
Effects of Auto-QoS on the Configuration
When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration. The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning.
Enabling Auto-QoS for VoIP
Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Auto-QoS Configuration Example
This section describes how you could implement auto-QoS in a network, as shown in Figure 36-11. For optimum QoS performance, enable auto-QoS on all the devices in the network.
[Figure 36-11 Auto-QoS Configuration Example Network: Cisco router, To Internet, Trunk link, Trunk link, Video server]
Note You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.
Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:
Step 1. Command: debug auto qos. Purpose: Enable debugging for auto-QoS.
Displaying Auto-QoS Information
To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.
Default Standard QoS Configuration
QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).
Default Egress Queue Configuration
Table 36-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.
Default Mapping Table Configuration
The default CoS-to-DSCP map is shown in Table 36-12 on page 36-60. The default IP-precedence-to-DSCP map is shown in Table 36-13 on page 36-61. The default DSCP-to-CoS map is shown in Table 36-14 on page 36-63. The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
• Follow these guidelines when configuring policy maps on physical ports or SVIs:
  – You cannot apply the same policy map to a physical port and to an SVI.
  – If VLAN-based QoS is configured on a physical port, the switch removes all the port-based policy maps on the port. The traffic on this physical port is now affected by the policy map attached to the SVI to which the physical port belongs.
• A switch that is running the IP services feature set supports QoS DSCP and IP precedence matching in policy-based routing (PBR) route maps with these limitations:
  – You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
  – You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.
Enabling QoS Globally
By default, QoS is disabled on the switch.
Use the no mls qos vlan-based interface configuration command to disable VLAN-based QoS on the physical port.
Configuring Classification Using Port Trust States
These sections describe how to classify incoming traffic by using port trust states.
[Figure 36-12 Port Trusted States within the QoS Domain: Trusted interface, Trunk, Traffic classification performed here, P1, P3, Trusted boundary]
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Step 3. Command: mls qos trust [cos | dscp | ip-precedence]. Purpose: Configure the port trust state. By default, the port is not trusted. If no keyword is specified, the default is dscp. The keywords have these meanings:
• cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0.
• dscp—Classifies an ingress packet by using the packet DSCP value.
Step 3. Command: mls qos cos {default-cos | override}. Purpose: Configure the default CoS value for the port.
• For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting).
If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.
Note Enabling DSCP transparency does not affect the port trust settings on IEEE 802.1Q tunneling ports.
[Figure 36-13 DSCP-Trusted State on a Port Bordering Another QoS Domain: QoS Domain 1, QoS Domain 2, IP traffic; Set interface to the DSCP-trusted state; Configure the DSCP-to-DSCP-mutation map]
Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map.
To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.
Classifying Traffic by Using ACLs
You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs. Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Step 2. Command: access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard. Purpose: Create an IP extended ACL, repeating the command as many times as necessary.
• For access-list-number, enter the access list number.
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Step 2. Command: mac access-list extended name. Purpose: Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.
Classifying Traffic by Using Class Maps
You use the class-map global configuration command to name and to isolate a specific traffic flow (or class) from all other traffic. The class map defines the criteria to use to match against a specific traffic flow to further classify it. Match statements can include criteria such as an ACL, IP precedence values, or DSCP values.
Chapter 36 Configuring QoS Configuring Standard QoS Command Step 4 Purpose match {access-group acl-index-or-name | Define the match criterion to classify traffic. ip dscp dscp-list | ip precedence By default, no match criterion is defined. ip-precedence-list} Only one match criterion per class map is supported, and only one ACL per class map is supported. • For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.
Chapter 36 Configuring QoS Configuring Standard QoS Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Chapter 36 Configuring QoS Configuring Standard QoS Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 class-map [match-all | match-any] class-map-name Create a class map, and enter class-map configuration mode. By default, no class maps are defined. • (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map.
Step 5
  Command: trust [cos | dscp | ip-precedence]
  Purpose: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
  Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, go to Step 6.
  By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 8
  Command: exit
  Purpose: Return to policy map configuration mode.
Step 9
  Command: exit
  Purpose: Return to global configuration mode.
Step 10
  Command: interface interface-id
  Purpose: Specify the port to attach to the policy map, and enter interface configuration mode. Valid interfaces include physical ports.
Step 11
  Command: service-policy input policy-map-name
  Purpose: Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.

Switch(config-ext-mac)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet1/0

• When configuring a hierarchical policy map on trunk ports, the VLAN ranges must not overlap. If the ranges overlap, the actions specified in the policy map affect the incoming and outgoing traffic on the overlapped VLANs.
• Aggregate policers are not supported in hierarchical policy maps.
• When VLAN-based QoS is enabled, the switch supports VLAN-based features, such as the VLAN map.

Step 3
  Command: match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
  Purpose: Define the match criterion to classify traffic. By default, no match criterion is defined. Only one match criterion per class map is supported, and only one ACL per class map is supported.
  • For access-group acl-index-or-name, specify the number or name of the ACL.

Step 10
  Command: policy-map policy-map-name
  Purpose: Create an interface-level policy map by entering the policy-map name, and enter policy-map configuration mode. By default, no policy maps are defined, and no policing is performed.
Step 11
  Command: class-map class-map-name
  Purpose: Define an interface-level traffic classification, and enter policy-map configuration mode. By default, no policy-map class-maps are defined.
Step 17
  Command: trust [cos | dscp | ip-precedence]
  Purpose: Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.
  Note: This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 18.
  By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.

Step 23
  Command: service-policy input policy-map-name
  Purpose: Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs. If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.

Switch(config-pmap-c)# exit
Switch(config-pmap)# class-map cm-2
Switch(config-pmap-c)# match ip dscp 2
Switch(config-pmap-c)# service-policy port-plcmap-1
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-3
Switch(config-pmap-c)# match ip dscp 3
Switch(config-pmap-c)# service-policy port-plcmap-2
Switch(config-pmap)# exit
Switch(config-pmap)# class-map cm-4
Switch(config-pmap-c)# trust dscp
Switch(config-pmap)# exit
Switch(config)# interface v

Step 4
  Command: policy-map policy-map-name
  Purpose: Create a policy map by entering the policy map name, and enter policy-map configuration mode. For more information, see the “Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps” section on page 36-48.
Step 5
  Command: class class-map-name
  Purpose: Define a traffic classification, and enter policy-map class configuration mode.

Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit

Configuring DSCP Maps

These sections contain this
Beginning in privileged EXEC mode, follow these steps to modify the CoS-to-DSCP map. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos map cos-dscp dscp1...dscp8
  Purpose: Modify the CoS-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.
Step 3
  Command: end
  Purpose: Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to modify the IP-precedence-to-DSCP map. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos map ip-prec-dscp dscp1...dscp8
  Purpose: Modify the IP-precedence-to-DSCP map. For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space. The DSCP range is 0 to 63.

To return to the default map, use the no mls qos policed-dscp global configuration command.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-CoS map. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos map dscp-cos dscp-list to cos
  Purpose: Modify the DSCP-to-CoS map.
  • For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
  • For cos, enter the CoS value to which the DSCP values correspond.

Beginning in privileged EXEC mode, follow these steps to modify the DSCP-to-DSCP-mutation map. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
  Purpose: Modify the DSCP-to-DSCP-mutation map.
  • For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.

Note In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
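The four mls qos map commands above (CoS-to-DSCP, IP-precedence-to-DSCP, DSCP-to-CoS and DSCP-to-DSCP-mutation) all fill fixed-size lookup tables, and the Note explains how the mutation table is printed as a d1/d2 matrix. The following is an added example, not code from this guide or from Cisco: it parses those commands into tables with the range checks the text states (eight values for cos-dscp and ip-prec-dscp, up to eight values before the to keyword for dscp-cos, DSCP 0 to 63) and renders a mutation map in the matrix layout. The initial table contents, the sample commands in demo(), and the acceptance of several in-dscp values on one dscp-mutation command are constructed assumptions of this model; the guide's real default maps are not reproduced.

```python
"""Model of the 'mls qos map' tables described in this section.

Added example, not code from the guide or from Cisco. The placeholder
defaults and the sample commands in demo() are constructed.
"""

DSCP_MAX = 63


def _dscp(value) -> int:
    """Validate one DSCP value (the guide gives the range as 0 to 63)."""
    n = int(value)
    if not 0 <= n <= DSCP_MAX:
        raise ValueError(f"DSCP {n} outside 0..{DSCP_MAX}")
    return n


class QosMaps:
    def __init__(self) -> None:
        self.cos_dscp = [0] * 8    # index: CoS 0..7 (constructed placeholder default)
        self.prec_dscp = [0] * 8   # index: IP precedence 0..7 (constructed placeholder)
        self.dscp_cos = [0] * 64   # index: DSCP 0..63 (constructed placeholder)
        self.mutation = {}         # map name -> 64-entry table, identity until changed

    def apply(self, line: str) -> None:
        """Apply one 'mls qos map ...' global configuration command."""
        tokens = line.split()
        if tokens[:3] != ["mls", "qos", "map"] or len(tokens) < 5:
            raise ValueError(f"not an mls qos map command: {line!r}")
        kind, args = tokens[3], tokens[4:]
        if kind in ("cos-dscp", "ip-prec-dscp"):
            # dscp1...dscp8: exactly eight values, one per CoS / precedence value 0..7
            if len(args) != 8:
                raise ValueError(f"{kind} needs eight DSCP values, got {len(args)}")
            table = [_dscp(a) for a in args]
            if kind == "cos-dscp":
                self.cos_dscp = table
            else:
                self.prec_dscp = table
        elif kind == "dscp-cos":
            # dscp-list (up to eight values) to cos
            ins, cos = self._split_to(args, limit=8)
            if not 0 <= cos <= 7:
                raise ValueError(f"CoS {cos} outside 0..7")
            for d in ins:
                self.dscp_cos[d] = cos
        elif kind == "dscp-mutation":
            # dscp-mutation-name in-dscp to out-dscp; accepting several in-dscp
            # values here is an assumption of this model, not the guide's text
            name = args[0]
            ins, out = self._split_to(args[1:], limit=8)
            table = self.mutation.setdefault(name, list(range(64)))
            for d in ins:
                table[d] = _dscp(out)
        else:
            raise ValueError(f"unsupported map type {kind}")

    @staticmethod
    def _split_to(args, limit):
        """Split '<values> to <value>' and check the left-hand list length."""
        if "to" not in args:
            raise ValueError("expected 'to' keyword")
        i = args.index("to")
        if not 1 <= i <= limit or len(args) != i + 2:
            raise ValueError(f"expected 1..{limit} values, 'to', then one value")
        return [_dscp(a) for a in args[:i]], int(args[i + 1])

    def mutate(self, name: str, dscp: int) -> int:
        """Look up the mutated value of an original DSCP in a named map."""
        return self.mutation[name][_dscp(dscp)]

    def matrix(self, name: str) -> str:
        """Render a mutation map as the guide's matrix: row d1 is the tens digit
        of the original DSCP, column d2 the units digit, cell the mutated value."""
        table = self.mutation[name]
        lines = ["d1 : d2 " + " ".join(f"{d2:2d}" for d2 in range(10))]
        for d1 in range(7):
            cells = []
            for d2 in range(10):
                dscp = d1 * 10 + d2
                cells.append(f"{table[dscp]:2d}" if dscp <= DSCP_MAX else "  ")
            lines.append(f" {d1} :    " + " ".join(cells))
        return "\n".join(lines)


def demo() -> QosMaps:
    """Constructed sample commands; DSCP 12 mutates to 10 as in the Note."""
    maps = QosMaps()
    maps.apply("mls qos map cos-dscp 0 8 16 24 32 40 48 56")
    maps.apply("mls qos map dscp-cos 16 18 24 26 to 1")
    maps.apply("mls qos map dscp-mutation mut-example 12 13 to 10")
    return maps


if __name__ == "__main__":
    print(demo().matrix("mut-example"))
```

Reading the printed matrix the way the Note describes, the row for d1 = 1 and the column for d2 = 2 hold the mutated value of DSCP 12; the untouched entries stay at their identity value because the model starts every mutation map as an identity table.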
Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD Thresholds

You can prioritize traffic by placing packets with particular DSCPs or CoSs into certain queues and adjusting the queue thresholds so that packets with lower priorities are dropped. Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an ingress queue and to set WTD thresholds. This procedure is optional.

This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent.

Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos srr-queue input bandwidth weight1 weight2
  Purpose: Assign shared round robin weights to the ingress queues. The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).

Beginning in privileged EXEC mode, follow these steps to configure the priority queue. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos srr-queue input priority-queue queue-id bandwidth weight
  Purpose: Assign a queue as the priority queue and guarantee bandwidth on the stack or internal ring if the ring is congested.

These sections contain this configuration information:
• Configuration Guidelines, page 36-71
• Allocating Buffer Space to and Setting WTD Thresholds for an Egress Queue-Set, page 36-71 (optional)
• Mapping DSCP or CoS Values to an Egress Queue and to a Threshold ID, page 36-73 (optional)
• Configuring SRR Shaped Weights on Egress Queues, page 36-75 (optional)
• Configuring SRR Shared Weights on Egress Queues, page 36-76 (optional)
• Configuri
Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop thresholds for a queue-set. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos queue-set output qset-id buffers allocation1 ... allocation4
  Purpose: Allocate buffers to a queue-set. By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25).

Step 7
  Command: show mls qos interface [interface-id] buffers
  Purpose: Verify your entries.
Step 8
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos queue-set output qset-id buffers global configuration command. To return to the default WTD threshold percentages, use the no mls qos queue-set output qset-id threshold [queue-id] global configuration command.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue and to a threshold ID. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
  Purpose: Map DSCP or CoS values to an egress queue and to a threshold ID.

Configuring SRR Shaped Weights on Egress Queues

You can specify how much of the available bandwidth is allocated to each queue. The ratio of the weights is the ratio of frequency in which the SRR scheduler sends packets from each queue. You can configure the egress queues for shaped or shared weights, or both. Use shaping to smooth bursty traffic or to provide a smoother output over time.

Configuring SRR Shared Weights on Egress Queues

In shared mode, the queues share the bandwidth among them according to the configured weights. The bandwidth is guaranteed at this level but not limited to it. For example, if a queue empties and does not require a share of the link, the remaining queues can expand into the unused bandwidth and share it among them.
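The two SRR sections above make two claims that are easy to check numerically: the scheduler visits queues at frequencies in the ratio of their weights, and in shared mode a queue's weighted share is a floor rather than a ceiling, so an idle queue's bandwidth is redistributed to the others. The following is an added example, not code from this guide or from Cisco. srr_order() is a smooth weighted round-robin sequence used here to illustrate the ratio property; shared_allocation() is an iterative water-filling of the link among the queues that still have demand; shaped_allocation() models only the "limited to" behaviour of shaping by capping each queue at its weighted share. The weights, demands and link rate are constructed, and the exact semantics of the guide's shaped-weight command are not reproduced.

```python
"""Model of SRR egress scheduling in shared and (simplified) shaped mode.

Added example, not code from the guide or from Cisco. All inputs are
constructed; the shaped model is a simplification (see the lead-in).
"""


def srr_order(weights, n):
    """Emit n queue indices using smooth weighted round-robin: every pass adds
    each queue's weight to its credit, the queue with the most credit is served
    and pays back the total. Service counts come out in the ratio of the weights."""
    total = sum(weights)
    credit = [0] * len(weights)
    order = []
    while len(order) < n:
        for i, w in enumerate(weights):
            credit[i] += w
        pick = max(range(len(weights)), key=lambda i: credit[i])
        credit[pick] -= total
        order.append(pick)
    return order


def service_counts(order, queues):
    """How many times each queue index appears in a service order."""
    counts = [0] * queues
    for q in order:
        counts[q] += 1
    return counts


def shared_allocation(weights, demands, link):
    """Shared mode: each queue with demand is guaranteed weight/sum(weights) of
    the link; whatever a queue does not need is reshared among the remaining
    queues in proportion to their weights (iterative water-filling)."""
    n = len(weights)
    alloc = [0.0] * n
    active = [i for i in range(n) if demands[i] > 0 and weights[i] > 0]
    remaining = float(link)
    while active and remaining > 0:
        total_w = sum(weights[i] for i in active)
        offer = {i: remaining * weights[i] / total_w for i in active}
        done = [i for i in active if demands[i] - alloc[i] <= offer[i]]
        if not done:                      # every active queue can use its whole offer
            for i in active:
                alloc[i] += offer[i]
            break
        for i in done:                    # satisfy the small queues, reshare the rest
            remaining -= demands[i] - alloc[i]
            alloc[i] = demands[i]
        active = [i for i in active if i not in done]
    return alloc


def shaped_allocation(weights, demands, link):
    """Simplified shaped behaviour: a queue never exceeds its weighted share,
    even when the other queues are idle (the bandwidth is 'limited to' it)."""
    total_w = sum(weights)
    return [min(d, link * w / total_w) for w, d in zip(weights, demands)]


if __name__ == "__main__":
    weights = [25, 25, 25, 25]            # constructed: four equally weighted queues
    demands = [100, 1000, 1000, 1000]     # constructed offered load per queue
    print("service order :", srr_order([2, 1, 1], 8))
    print("shared        :", shared_allocation(weights, demands, 1000))
    print("shaped (cap)  :", shaped_allocation(weights, demands, 1000))
```

With equal weights on a 1000-unit link, a queue offering only 100 units keeps those 100 in shared mode while the other three grow from their 250-unit guarantee to 300 each; under the shaped cap the same three queues stay at 250 and the link goes partly unused, which is the smoothing trade-off the shaped-weights section describes.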
Beginning in privileged EXEC mode, follow these steps to enable the egress expedite queue. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: mls qos
  Purpose: Enable QoS on a switch.
Step 3
  Command: interface interface-id
  Purpose: Specify the egress port, and enter interface configuration mode.
Step 4
  Command: priority-queue out
  Purpose: Enable the egress expedite queue, which is disabled by default.

Chapter 36 Configuring QoS: Displaying Standard QoS Information

Step 5
  Command: show mls qos interface [interface-id] queueing
  Purpose: Verify your entries.
Step 6
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To return to the default setting, use the no srr-queue bandwidth limit interface configuration command.

Chapter 37 Configuring EtherChannels and Link-State Tracking

This chapter describes how to configure EtherChannels on Layer 2 and Layer 3 ports on the switch. EtherChannel provides fault-tolerant high-speed links between switches, routers, and servers. You can use it to increase the bandwidth between the wiring closets and the data center, and you can deploy it anywhere in the network where bottlenecks are likely to occur.

Understanding EtherChannels

EtherChannel Overview

An EtherChannel consists of individual Gigabit Ethernet links bundled into a single logical link as shown in Figure 37-1.

Figure 37-2 Single-Switch EtherChannel (figure not reproduced; labels: Blade switch stack, Switch 1, Switch 2, Switch 3, StackWise Plus port connections, Switch A, Channel group 1, Channel group 2)

Figure 37-3 Cross-Stack EtherChannel (figure not reproduced; labels: Blade switch stack, Switch 1, Switch 2, Switch 3, StackWise Plus port connections, Switch A, Channel group 1)
Port-Channel Interfaces

When you create an EtherChannel, a port-channel logical interface is involved:
• With Layer 2 ports, use the channel-group interface configuration command to dynamically create the port-channel logical interface.

Port Aggregation Protocol

The Port Aggregation Protocol (PAgP) is a Cisco-proprietary protocol that can be run only on Cisco switches and on those switches licensed by vendors to support PAgP. PAgP facilitates the automatic creation of EtherChannels by exchanging PAgP packets between Ethernet ports. You can use PAgP only in single-switch EtherChannel configurations; PAgP cannot be enabled on cross-stack EtherChannels.

Use the silent mode when the switch is connected to a device that is not PAgP-capable and seldom, if ever, sends packets. An example of a silent partner is a file server or a packet analyzer that is not generating traffic. In this case, running PAgP on a physical port connected to a silent partner prevents that switch port from ever becoming operational.

Ports can form an EtherChannel when they are in different LACP modes as long as the modes are compatible. For example:
• A port in the active mode can form an EtherChannel with another port that is in the active or passive mode.
• A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation.

With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are distributed across the ports in the channel based on the destination host’s MAC address of the incoming packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a different destination are sent on a different port in the channel.
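The forwarding method decides whether a channel actually spreads load or collapses onto one member link, which is the availability point Figure 37-5 makes: a switch using source-based forwarding in front of a single server that answers many clients sends every reply over the same port. The following simulation is an added example, not code from this guide or from Cisco. The member-selection hash (the selected MAC address taken modulo the number of member links) is constructed for the illustration and is not the switch's real algorithm, which the guide does not document; the server, client addresses and frames are constructed as well.

```python
"""Simulation of EtherChannel load distribution by source or destination MAC.

Added example, not code from the guide or from Cisco. The hash, the MAC
addresses and the frames are constructed for the illustration.
"""
from collections import Counter


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dotted) notation into an integer."""
    return int(mac.replace(":", "").replace(".", ""), 16)


def select_member(frame: dict, method: str, members: int) -> int:
    """Return the index (0..members-1) of the member link a frame is sent on.
    'src-mac' keys on the source address, 'dst-mac' on the destination; the
    same key always maps to the same member, as the text requires."""
    if method == "src-mac":
        key = mac_to_int(frame["src"])
    elif method == "dst-mac":
        key = mac_to_int(frame["dst"])
    else:
        raise ValueError(f"unknown load-balancing method {method!r}")
    return key % members   # constructed hash, not the switch's real algorithm


def distribution(frames, method: str, members: int):
    """Frames per member link; a single non-zero entry means the channel is
    carrying all the traffic on one link."""
    counts = Counter(select_member(f, method, members) for f in frames)
    return [counts.get(i, 0) for i in range(members)]


# Constructed topology: one server replying to sixteen clients (the direction
# blade server -> switch -> router in Figure 37-5).
SERVER = "00:11:22:33:44:01"
CLIENTS = [f"00:aa:bb:cc:dd:{i:02x}" for i in range(1, 17)]
SERVER_REPLIES = [{"src": SERVER, "dst": client} for client in CLIENTS]


def compare_methods(frames, members: int) -> dict:
    """Distribution of the same frames under both forwarding methods."""
    return {m: distribution(frames, m, members) for m in ("src-mac", "dst-mac")}


if __name__ == "__main__":
    for method, counts in compare_methods(SERVER_REPLIES, 4).items():
        print(f"{method}: frames per member link = {counts}")
```

Running the comparison for a four-link channel puts all sixteen replies on one link under src-mac and four per link under dst-mac, which is why the section later notes that the default source-MAC distribution suits the client-to-server direction while the opposite direction benefits from destination-based forwarding.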
Figure 37-5 Load Distribution and Forwarding Methods (figure not reproduced; labels: Blade Server 1 through Blade Server 16, Blade Switch with source-based forwarding enabled, EtherChannel, Cisco router with destination-based forwarding enabled, Client, Client)

EtherChannel and Switch Stacks

If a stack member that has ports participating in an EtherChannel fails or leaves the stack, the stack master removes the failed stack member switch ports fro

Chapter 37 Configuring EtherChannels and Link-State Tracking: Configuring EtherChannels

With LACP, the system-id uses the stack MAC address from the stack master, and if the stack master changes, the LACP system-id can change. If the LACP system-id changes, the entire EtherChannel will flap, and there will be an STP reconvergence. Use the stack-mac persistent timer command to control whether or not the stack MAC address changes during a master failover.

Table 37-3 Default EtherChannel Configuration (continued)
LACP system ID: LACP system priority and the switch MAC address.
Load-balancing: Load distribution on the switch is based on the source-MAC address of the incoming packet.

EtherChannel Configuration Guidelines

If improperly configured, some EtherChannel ports are automatically disabled to avoid network loops and other problems.

• For Layer 2 EtherChannels:
  – Assign all ports in the EtherChannel to the same VLAN, or configure them as trunks. Ports with different native VLANs cannot form an EtherChannel.
  – If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or IEEE 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can have unexpected results.

Step 3
  Command: switchport mode {access | trunk}
  Purpose: Assign all ports as static-access ports in the same VLAN, or configure them as trunks.
  Command: switchport access vlan vlan-id
  Purpose: If you configure the port as a static-access port, assign it to only one VLAN. The range is 1 to 4094.

To remove a port from the EtherChannel group, use the no channel-group interface configuration command.

This example shows how to configure an EtherChannel on a single switch in the stack.
Beginning in privileged EXEC mode, follow these steps to create a port-channel interface for a Layer 3 EtherChannel. This procedure is required.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface port-channel port-channel-number
  Purpose: Specify the port-channel logical interface, and enter interface configuration mode. For port-channel-number, the range is 1 to 48.

Step 5
  Command: channel-group channel-group-number mode {auto [non-silent] | desirable [non-silent] | on} | {active | passive}
  Purpose: Assign the port to a channel group, and specify the PAgP or the LACP mode. For channel-group-number, the range is 1 to 48. This number must be the same as the port-channel-number (logical port) configured in the “Creating Port-Channel Logical Interfaces” section on page 37-14.

This example shows how to configure an EtherChannel. It assigns two ports to channel 5 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end

This example shows how to configure a cross-stack EtherChannel.

Step 3
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 4
  Command: show etherchannel load-balance
  Purpose: Verify your entries.
Step 5
  Command: copy running-config startup-config
  Purpose: (Optional) Save your entries in the configuration file.

To return EtherChannel load-balancing to the default configuration, use the no port-channel load-balance global configuration command.

Beginning in privileged EXEC mode, follow these steps to configure your switch as a PAgP physical-port learner and to adjust the priority so that the same port in the bundle is selected for sending packets. This procedure is optional.

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Specify the port for transmission, and enter interface configuration mode.

If you configure more than eight links for an EtherChannel group, the software automatically decides which of the hot-standby ports to make active based on the LACP priority.

Configuring the LACP Port Priority

By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default.

Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 37-4:

Table 37-4 Commands for Displaying EtherChannel, PAgP, and LACP Status
Command: show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | p
Understanding Link-State Tracking

Figure 37-6 Typical Link-State Tracking Configuration (figure not reproduced; labels: Distribution switch 1, Distribution switch 2, Layer 3 link, Link-state group 1 (Port-channel 1), Link-state group 2 (Port-channel 2), Enclosure, Blade switch 1, Blade switch 2, Blade server 1, Blade server 2, Blade server n–1, Blade server n)

The configuration in Figure 37-6 ensures that when server NIC adapte

Configuring Link-State Tracking

In a link-state group, the upstream ports can become unavailable or lose connectivity because the distribution switch or router fails, the cables are disconnected, or the link is lost.

• Do not configure an EtherChannel as a downstream interface.
• Only interfaces gigabitethernetn/0/1 through gigabitethernetn/0/14, where n is the stack member number from 1 to 9, can be configured as downstream ports in a specific link-state group.

Displaying Link-State Tracking Status

Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.
Chapter 38 Configuring IP Unicast Routing

This chapter describes how to configure IP Version 4 (IPv4) unicast routing on the switch. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack. A switch stack operates and appears as a single router to the rest of the routers in the network. Basic routing functions, including static routing and the Routing Information Protocol (RIP), are available with both the IP base feature set and the IP services feature set.

Supported IPv4 Features

• Configuring Multi-VRF CE, page 38-70 (only the Catalyst Switch Module 3110)
• Configuring Protocol-Independent Features, page 38-85
• Monitoring and Maintaining the IP Network, page 38-101

Note When configuring routing parameters on the switch and to allocate system resources to maximize the number of unicast routes allowed, you can use the sdm prefer routing global configuration command to set the Switch Database Management (SDM)

6. BGP = Border Gateway Protocol.
7. VRF = Virtual Private Networks routing/forwarding.
8. CE = customer edge.
9. CEF = Cisco Express Forwarding.
10. dCEF = distributed CEF.
11. PBR = policy-based routing.

Understanding IP Routing

In some network environments, VLANs are associated with individual networks or subnetworks. In an IP network, each subnetwork is mapped to an individual VLAN.

Default routing refers to sending traffic with a destination unknown to the router to a default outlet or destination. Static unicast routing forwards packets from predetermined ports through a single path into and out of a network. Static routing is secure and uses little bandwidth, but it does not automatically respond to changes in the network, such as link failures. Therefore, network changes might result in unreachable destinations.

Stack members perform these functions:
• They act as routing standby switches, ready to take over in case they are elected as the new stack master if the stack master fails.
• They program the routes into hardware. The routes programmed by the stack members are the same that are downloaded by the stack master as part of the dCEF database.
Steps for Configuring Routing

By default, IP routing is disabled on the switch, and you must enable it before routing can take place. For detailed IP routing configuration information, see the Cisco IOS IP Configuration Guide, Release 12.2 from the Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Configuration Guides.

Configuring IP Addressing

• Configuring Address Resolution Methods, page 38-10
• Routing Assistance When IP Routing is Disabled, page 38-13
• Configuring Broadcast Packet Handling, page 38-15
• Monitoring and Maintaining IP Addressing, page 38-19

Default Addressing Configuration

Table 38-2 shows the default addressing configuration.

Table 38-2 Default Addressing Configuration
IP address: None defined.

Assigning IP Addresses to Network Interfaces

An IP address identifies a location to which IP packets can be sent. Some IP addresses are reserved for special uses and cannot be used for host, subnet, or network addresses. RFC 1166, “Internet Numbers,” contains the official description of IP addresses. An interface can have one primary IP address. A mask identifies the bits that denote the network number in an IP address.

Classless Routing

By default, classless routing is enabled when the switch is configured to route. With classless routing, if a router receives packets for a subnet of a network with no default route, the router forwards the packet to the best supernet route.

Figure 38-3 No IP Classless Routing (figure not reproduced; labels: 128.0.0.0/8, 128.20.4.1, 128.20.0.0, Bit bucket, 128.20.1.0, 128.20.3.0, 128.20.2.0, Host)

To prevent the switch from forwarding packets destined for unrecognized subnets to the best supernet route possible, you can disable classless routing behavior.
The switch uses these types of address resolution:
• Address Resolution Protocol (ARP) associates IP addresses with MAC addresses. Using an IP address as input, ARP learns the associated MAC address and then stores the IP address/MAC address association in an ARP cache for rapid retrieval. Then the IP datagram is encapsulated in a link-layer frame and sent over the network.

Step 3
  Command: arp ip-address hardware-address type [alias]
  Purpose: (Optional) Specify that the switch respond to ARP requests as if it were the owner of the specified IP address.
Step 4
  Command: interface interface-id
  Purpose: Enter interface configuration mode, and specify the interface to configure.
Step 5
  Command: arp timeout seconds
  Purpose: (Optional) Set the length of time that an ARP cache entry stays in the cache. The range is 0 to 2147483 seconds.

Enable Proxy ARP

By default, the switch uses proxy ARP to help hosts learn MAC addresses of hosts on other networks or subnets. Beginning in privileged EXEC mode, follow these steps to enable proxy ARP if it has been disabled:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: interface interface-id
  Purpose: Enter interface configuration mode, and specify the Layer 3 interface to configure.

Beginning in privileged EXEC mode, follow these steps to define a default gateway (router) when IP routing is disabled:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: ip default-gateway ip-address
  Purpose: Set up a default gateway (router).
Step 3
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 4
  Command: show ip redirects
  Purpose: Display the address of the default gateway router to verify the setting.

Step 6
  Command: ip irdp maxadvertinterval seconds
  Purpose: (Optional) Set the IRDP maximum interval between advertisements. The default is 600 seconds.
Step 7
  Command: ip irdp minadvertinterval seconds
  Purpose: (Optional) Set the IRDP minimum interval between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval, this value changes to the new default (0.75 of maxadvertinterval).

Enabling Directed Broadcast-to-Physical Broadcast Translation

By default, IP directed broadcasts are dropped; they are not forwarded. Dropping IP-directed broadcasts makes routers less susceptible to denial-of-service attacks. You can enable forwarding of IP-directed broadcasts on an interface when the broadcast becomes a physical (MAC-layer) broadcast.
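The decision the paragraph above describes is a per-interface one: a packet addressed to the broadcast address of a directly attached subnet is a directed broadcast, and the switch drops it at that interface unless forwarding has been enabled there, in which case it leaves as a MAC-layer broadcast. The following classifier is an added example, not code from this guide or from Cisco; it makes that decision explicit using the standard-library ipaddress module. The interface prefix and destination addresses are constructed, and the function names are this example's own. The handling of the limited broadcast 255.255.255.255 (never forwarded across a router) is a general IP fact, not something this section states.

```python
"""Classifier for the directed-broadcast handling described in this section.

Added example, not code from the guide or from Cisco. The interface
prefixes and destinations in demo() are constructed.
"""
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(dst: str, interface_prefix: str) -> str:
    """Classify a destination relative to one interface's subnet.
    interface_prefix is the interface address with its mask, e.g. '10.1.2.1/24'."""
    dst_ip = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(interface_prefix, strict=False)
    if dst_ip == LIMITED_BROADCAST:
        return "limited-broadcast"
    if dst_ip == net.broadcast_address:
        return "directed-broadcast"       # broadcast address of this subnet
    if dst_ip in net:
        return "local-unicast"
    return "remote"


def egress_decision(dst: str, interface_prefix: str,
                    directed_broadcast_enabled: bool = False) -> str:
    """What the egress interface does with the packet: the default drops a
    directed broadcast; with forwarding enabled it becomes a MAC-layer broadcast."""
    kind = classify(dst, interface_prefix)
    if kind == "directed-broadcast":
        return "mac-broadcast" if directed_broadcast_enabled else "drop"
    if kind == "limited-broadcast":
        return "not-forwarded"            # limited broadcasts never cross a router
    return "forward"


def demo() -> dict:
    """Constructed cases on an interface numbered 10.1.2.1/24."""
    iface = "10.1.2.1/24"
    return {
        "subnet broadcast, default": egress_decision("10.1.2.255", iface),
        "subnet broadcast, enabled": egress_decision("10.1.2.255", iface, True),
        "host in subnet": egress_decision("10.1.2.7", iface),
        "limited broadcast": egress_decision("255.255.255.255", iface),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The only input that changes the outcome for the subnet broadcast is the per-interface enable flag, which is what makes the default (dropped) the safe setting: an interface that does not need to turn directed broadcasts into physical broadcasts simply never gets the flag.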
Chapter 38 Configuring IP Unicast Routing Configuring IP Addressing Forwarding UDP Broadcast Packets and Protocols User Datagram Protocol (UDP) is an IP host-to-host layer protocol. UDP provides a connectionless session between two end systems and does not acknowledge received datagrams. Network hosts can use UDP broadcasts to find address, configuration, and name information. If such a host is on a network segment that does not include a server, UDP broadcasts might not be forwarded.
Beginning in privileged EXEC mode, follow these steps to set the IP broadcast address on an interface:

Step 1   configure terminal
         Enter global configuration mode.
Step 2   interface interface-id
         Enter interface configuration mode, and specify the interface to configure.
Step 3   ip broadcast-address ip-address
         Enter a broadcast address different from the default, for example 128.1.255.255.
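The drop-versus-forward decision for directed broadcasts described above, together with a non-default ip broadcast-address, as an added Python model. This is illustration code, not part of the Cisco guide; the interface fields (network, directed_broadcast, broadcast_address), the helper make_interface, and the verdict strings are assumptions of this example. It also covers the limited broadcast 255.255.255.255, which a router never forwards:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass
class L3Interface:
    """Hypothetical model of one routed interface and its broadcast settings."""
    name: str
    network: IPv4Network                              # the connected subnet
    directed_broadcast: bool = False                  # 'ip directed-broadcast' is off by default
    broadcast_address: Optional[IPv4Address] = None   # 'ip broadcast-address'; all-ones if unset

    def broadcast(self) -> IPv4Address:
        # The default broadcast address is the subnet's all-ones address.
        if self.broadcast_address is not None:
            return self.broadcast_address
        return self.network.broadcast_address


def make_interface(name: str, cidr: str, directed: bool = False,
                   broadcast: Optional[str] = None) -> L3Interface:
    """Convenience constructor taking plain strings (assumed helper)."""
    return L3Interface(name, IPv4Network(cidr), directed,
                       IPv4Address(broadcast) if broadcast else None)


def classify(dst: str, intf: L3Interface) -> str:
    """What the router does with a packet to dst whose outbound interface is intf."""
    addr = IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast-never-routed"
    if addr == intf.broadcast():
        # Directed broadcast for the attached subnet: dropped by default,
        # turned into a MAC-layer broadcast only if the interface allows it.
        if intf.directed_broadcast:
            return "forward-as-physical-broadcast"
        return "drop-directed-broadcast"
    if addr in intf.network:
        return "forward-unicast"
    return "not-on-this-subnet"


def classify_many(dsts: List[str], intf: L3Interface) -> Dict[str, str]:
    return {d: classify(d, intf) for d in dsts}


if __name__ == "__main__":
    # Constructed sample: a /16 with default settings, then with
    # 'ip directed-broadcast' enabled on the same interface.
    lan = make_interface("Vlan10", "128.1.0.0/16")
    for d, verdict in classify_many(["128.1.255.255", "128.1.0.7", "255.255.255.255"], lan).items():
        print(d, verdict)
    lan.directed_broadcast = True
    print("128.1.255.255", classify("128.1.255.255", lan))
```

The second constructed interface in the checks below uses a /24 with ip broadcast-address set to 128.1.255.255, so a packet to that address is treated as the interface's directed broadcast even though it lies outside the /24.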
Beginning in privileged EXEC mode, follow these steps to use the bridging spanning-tree database to flood UDP datagrams:

Step 1   configure terminal
         Enter global configuration mode.
Step 2   ip forward-protocol spanning-tree
         Use the bridging spanning-tree database to flood UDP datagrams.
Step 3   end
         Return to privileged EXEC mode.
Step 4   show running-config
         Verify your entry.
Enabling IP Unicast Routing

You can display specific statistics, such as the contents of IP routing tables, caches, and databases; the reachability of nodes; and the routing path that packets are taking through the network. Table 38-4 lists the privileged EXEC commands for displaying IP statistics.

Table 38-4 Commands to Display Caches, Tables, and Databases

Command    Purpose
show arp   Display the entries in the ARP table.
Configuring RIP

This example shows how to enable IP routing by using RIP as the routing protocol:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0
Switch(config-router)# end
• Configuring RIP Authentication, page 38-24
• Configuring Summary Addresses and Split Horizon, page 38-24

Default RIP Configuration

Table 38-5 shows the default RIP configuration.

Table 38-5 Default RIP Configuration

Feature                          Default Setting
Auto summary                     Enabled.
Default-information originate    Disabled.
Default metric                   Built-in; automatic metric translations.
IP RIP authentication key-chain  No authentication.
Step 4   network network-number
         Associate a network with a RIP routing process. You can specify multiple network commands. RIP routing updates are sent and received through interfaces only on these networks.
         Note: You must configure a network number for RIP commands to take effect.
Step 5   neighbor ip-address
         (Optional) Define a neighboring router with which to exchange routing information.
Step 13  show ip protocols
         Verify your entries.
Step 14  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To turn off the RIP routing process, use the no router rip global configuration command. To display the parameters and current state of the active routing protocol process, use the show ip protocols privileged EXEC command.
Note: In general, we do not recommend disabling split horizon unless you are certain that your application requires it to properly advertise routes.

If you want to configure an interface running RIP to advertise a summarized local IP address pool on a network access server for dial-up clients, use the ip summary-address rip interface configuration command.
Configuring Split Horizon

Routers connected to broadcast-type IP networks and using distance-vector routing protocols normally use the split-horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router on any interface from which that information originated. This feature can optimize communication among multiple routers, especially when links are broken.
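Split horizon as a small added Python model (illustration code, not from the Cisco guide). It builds the update a distance-vector router sends out of one interface, applies the receiver's hop increment capped at RIP's infinity of 16, and replays a link-loss scenario with and without split horizon to show the count-to-infinity loop that the mechanism prevents. The interface names, the sample table and the two-router scenario are constructed; RIP's timers, which would eventually age out the stale route in the split-horizon case, are deliberately left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16          # 16 hops means unreachable; 15 is the largest usable width


@dataclass
class Route:
    prefix: str
    metric: int                  # hop count
    learned_on: Optional[str]    # interface the update arrived on; None = connected


def build_update(routes: List[Route], out_iface: str, split_horizon: bool = True) -> Dict[str, int]:
    """Routes advertised out of out_iface. With split horizon, a route is never
    advertised back onto the interface it was learned from."""
    update: Dict[str, int] = {}
    for r in routes:
        if split_horizon and r.learned_on == out_iface:
            continue
        update[r.prefix] = r.metric
    return update


def learn(table: List[Route], update: Dict[str, int], in_iface: str) -> List[Route]:
    """Receiver side: add one hop, cap at infinity, and install the route if it is
    new, better, or a refresh from the same neighbor interface (even if worse)."""
    by_prefix = {r.prefix: r for r in table}
    for prefix, metric in update.items():
        new_metric = min(metric + 1, RIP_INFINITY)
        current = by_prefix.get(prefix)
        if current is None or new_metric < current.metric or current.learned_on == in_iface:
            by_prefix[prefix] = Route(prefix, new_metric, in_iface)
    return list(by_prefix.values())


def sample_routes() -> List[Route]:
    # Constructed routing table: one connected network and two learned routes.
    return [Route("10.0.0.0/8", 1, None),
            Route("172.16.0.0/16", 2, "Gi1"),
            Route("192.168.1.0/24", 3, "Gi2")]


def simulate_link_loss(split_horizon: bool, max_rounds: int = 50) -> Optional[int]:
    """Router A just lost its connected 10.0.0.0/8; Router B had learned that prefix
    from A over the A-B link (called 'Gi1' on both ends). Returns the round in which
    both routers hold the prefix at RIP_INFINITY, or None if the prefix is never fed
    back to A. With split horizon B does not re-advertise the route toward A, so the
    stale entry at B is left for RIP's timers to expire (not modelled here)."""
    table_a: List[Route] = []
    table_b = [Route("10.0.0.0/8", 1, "Gi1")]
    for rnd in range(1, max_rounds + 1):
        table_b = learn(table_b, build_update(table_a, "Gi1", split_horizon), "Gi1")
        table_a = learn(table_a, build_update(table_b, "Gi1", split_horizon), "Gi1")
        if table_a and all(r.metric >= RIP_INFINITY for r in table_a + table_b):
            return rnd
    return None


if __name__ == "__main__":
    print(build_update(sample_routes(), "Gi1"))
    print("rounds to infinity without split horizon:", simulate_link_loss(False))
    print("rounds to infinity with split horizon:", simulate_link_loss(True))
```

Without split horizon the two routers bounce the dead prefix back and forth, each pass adding a hop, until both reach 16 in round nine; with it enabled the prefix is never advertised back onto the link it came from.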
Configuring Stub Routing

When using PIM stub routing, you should configure the distribution and remote routers to use IP multicast routing and configure only the switch as a PIM stub router. The switch does not route transit traffic between distribution routers. You also need to configure a routed uplink port on the switch. The switch uplink port cannot be used with SVIs. You must also configure EIGRP stub routing when configuring PIM stub routing on the switch.
PIM Stub Routing Configuration Guidelines

Follow these guidelines when enabling PIM stub routing on an interface:

• Before configuring PIM stub routing, you must have IP multicast routing configured on both the stub router and the central router. You must also have PIM mode (dense-mode, sparse-mode, or dense-sparse-mode) configured on the uplink interface of the stub router.
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.1.1.1 255.255.255.0
Switch(config-if)# ip pim passive
Switch(config-if)# end

To verify that PIM stub is enabled, use the show ip pim interface privileged EXEC command:

Switch# show ip pim interface
Address    Interface              Ver/   Nbr    Query  DR     DR
                                  Mode   Count  Intvl  Prior
3.1.1.2    GigabitEthernet1/0/25  v2/SD  1      30     1      3.1.1.2
100.1.1.1  Vlan100                v2/P   0      30     1      100.1.1.1
10.1.1.
Figure 38-5 EIGRP Stub Router Configuration
[Figure: Switch A, Switch B, and Switch C, with Host A, Host B, and Host C; one link is routed to the WAN.]

When configuring the distribution router to send only a default route to the remote router, you must use the ip classless global configuration command on the remote router. By default, the ip classless command is enabled in all Cisco IOS images that support the EIGRP stub routing feature.
Step 4   eigrp stub [receive-only | connected | static | summary]
         Configure a remote router as an EIGRP stub router. The keywords have these meanings:
         • receive-only to set the router as a receive-only neighbor.
         • connected to advertise connected routes.
         • static to advertise static routes.
         • summary to advertise summary routes.
Step 5   end
         Return to privileged EXEC mode.
Configuring OSPF

OSPF typically requires coordination among many internal routers, area border routers (ABRs) connected to multiple areas, and autonomous system boundary routers (ASBRs). The minimum configuration would use all default parameter values, no authentication, and interfaces assigned to areas. If you customize your environment, you must ensure coordinated configuration of all routers.
Table 38-6 Default OSPF Configuration (continued)

Feature               Default Setting
Default metric        Built-in, automatic metric translation, as appropriate for each routing protocol.
Distance OSPF         dist1 (all routes within an area): 110.
                      dist2 (all routes from one area to another): 110.
                      dist3 (routes from other routing domains): 110.
OSPF database filter  Disabled. All outgoing link-state advertisements (LSAs) are flooded to the interface.
OSPF NSF Awareness

The IP-services feature set supports OSPF NSF awareness for IPv4. When the neighboring router is NSF-capable, the Layer 3 switch continues to forward packets from the neighboring router during the interval between the failure of the primary route processor in that router and the takeover by the backup route processor, or while the primary route processor is manually reloaded for a nondisruptive software upgrade.
Configuring Basic OSPF Parameters

Enabling OSPF requires that you create an OSPF routing process, specify the range of IP addresses to be associated with the routing process, and assign area IDs to be associated with that range. Beginning in privileged EXEC mode, follow these steps to enable OSPF:

Step 1   configure terminal
         Enter global configuration mode.
Step 5   ip ospf transmit-delay seconds
         (Optional) Set the estimated number of seconds to wait before sending a link state update packet. The range is 1 to 65535 seconds. The default is 1 second.
Step 6   ip ospf priority number
         (Optional) Set priority to help find the OSPF designated router for a network. The range is from 0 to 255. The default is 1.
border router (ABR) generates a default external route into the stub area for destinations outside the autonomous system. An NSSA does not flood all LSAs from the core into the area, but can import autonomous-system external routes within the area by redistribution. Route summarization consolidates advertised addresses into a single summary route to be advertised by other areas.
Configuring Other OSPF Parameters

You can optionally configure other OSPF parameters from router configuration mode.

• Route summarization: When redistributing routes from other protocols, as described in the “Using Route Maps to Redistribute Routing Information” section on page 38-89, each route is advertised individually in an external LSA.
Step 4   area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [trans] [[authentication-key key] | message-digest-key keyid md5 key]]
         (Optional) Establish a virtual link, and set its parameters. See the “Configuring OSPF Interfaces” section on page 38-35 for parameter definitions and Table 38-6 on page 38-32 for virtual link defaults.
Step 3   timers lsa-group-pacing seconds
         Change the group pacing of LSAs.
Step 4   end
         Return to privileged EXEC mode.
Step 5   show running-config
         Verify your entries.
Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the default value, use the no timers lsa-group-pacing router configuration command.
Table 38-7 lists some of the privileged EXEC commands for displaying statistics. For more show ip ospf database privileged EXEC command options and for explanations of fields in the resulting display, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

Table 38-7 Show IP OSPF Statistics Commands

Command                    Purpose
show ip ospf [process-id]  Display general information about OSPF routing processes.
Configuring EIGRP

IP EIGRP provides increased network width. With RIP, the largest possible width of your network is 15 hops. Because the EIGRP metric is large enough to support thousands of hops, the only barrier to network expansion is the transport-layer hop counter. EIGRP increments the transport control field only when an IP packet has traversed 15 routers and the next hop to the destination was learned through EIGRP.
These sections contain this configuration information:

• Default EIGRP Configuration, page 38-43
• Configuring Basic EIGRP Parameters, page 38-45
• Configuring EIGRP Interfaces, page 38-46
• Configuring EIGRP Route Authentication, page 38-47
• Monitoring and Maintaining EIGRP, page 38-48

For information about EIGRP stub routing, see the “Understanding EIGRP Stub Routing” section on page 38-29 and the “Configuring EIGRP Stub Routing” sec
Table 38-8 Default EIGRP Configuration (continued)

Feature             Default Setting
IP hold-time        For low-speed NBMA networks: 180 seconds; all other networks: 15 seconds.
IP split-horizon    Enabled.
IP summary address  No summary aggregate addresses are predefined.
Metric weights      tos: 0; k1 and k3: 1; k2, k4, and k5: 0
Network             None specified.
NSF(1) awareness    Enabled.(2)
This feature cannot be disabled. For more information on this feature, see the “EIGRP Nonstop Forwarding (NSF) Awareness” section of the Cisco IOS IP Routing Protocols Configuration Guide, Release 12.4 at this URL: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080452972.
Step 5   eigrp log-neighbor-changes
         (Optional) Enable logging of EIGRP neighbor changes to monitor routing system stability.
Step 6   metric weights tos k1 k2 k3 k4 k5
         (Optional) Adjust the EIGRP metric. Although the defaults have been carefully set to provide excellent operation in most networks, you can adjust them.
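The composite metric that the k1 through k5 weights in Step 6 control, as an added Python function. This is illustration code, not from the Cisco guide; the formula is the standard EIGRP composite metric rather than anything quoted on this page, and the defaults match the Metric weights row of Table 38-8 (tos is always 0 and is omitted). Bandwidth is the slowest link on the path in kb/s and delay is the cumulative delay in tens of microseconds, the same units the set metric clause uses later in this chapter. The path_metric and neighbors_agree helpers are assumptions of this example.

```python
from typing import Iterable, Tuple


def eigrp_metric(min_bandwidth_kbps: int, total_delay_tens_us: int,
                 reliability: int = 255, load: int = 1,
                 k1: int = 1, k2: int = 0, k3: int = 1, k4: int = 0, k5: int = 0) -> int:
    """Classic EIGRP composite metric. K defaults are the guide's defaults
    (k1 = k3 = 1, k2 = k4 = k5 = 0). reliability and load are 1..255."""
    if min_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    if not 0 <= load < 256:
        raise ValueError("load must be 0..255")
    bw = 10_000_000 // min_bandwidth_kbps                 # scaled inverse bandwidth
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * total_delay_tens_us
    if k5 != 0:                                           # reliability term only when k5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links: Iterable[Tuple[int, int]], **weights) -> int:
    """links: (bandwidth_kbps, delay_tens_us) per hop. The composite uses the
    minimum bandwidth and the sum of the delays along the whole path."""
    links = list(links)
    return eigrp_metric(min(b for b, _ in links), sum(d for _, d in links), **weights)


def neighbors_agree(*weight_sets: Tuple[int, int, int, int, int]) -> bool:
    """EIGRP neighbors must run identical K values to form an adjacency; this
    checks a set of routers' (k1, k2, k3, k4, k5) tuples for agreement."""
    return len({tuple(w) for w in weight_sets}) == 1


if __name__ == "__main__":
    print("FastEthernet   :", eigrp_metric(100_000, 10))    # 28160
    print("GigabitEthernet:", eigrp_metric(1_000_000, 1))   # 2816
    print("GE then FE path:", path_metric([(1_000_000, 1), (100_000, 10)]))
    print("K values agree :", neighbors_agree((1, 0, 1, 0, 0), (1, 0, 1, 0, 0)))
```

Changing a weight on one router only, as the guide warns is rarely needed, is caught by neighbors_agree: adjacencies do not form across mismatched K values, so any change must be made on every router in the autonomous system.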
Step 5   ip hello-interval eigrp autonomous-system-number seconds
         (Optional) Change the hello-time interval for an EIGRP routing process. The range is 1 to 65535 seconds. The default is 60 seconds for low-speed NBMA networks and 5 seconds for all other networks.
Step 6   ip hold-time eigrp autonomous-system-number seconds
         (Optional) Change the hold-time interval for an EIGRP routing process. The range is 1 to 65535 seconds.
Step 9   accept-lifetime start-time {infinite | end-time | duration seconds}
         (Optional) Specify the time period during which the key can be received. The start-time and end-time syntax can be either hh:mm:ss Month date year or hh:mm:ss date Month year. The default is forever, with the default start-time and the earliest acceptable date as January 1, 1993. The default end-time and duration is infinite.
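The accept window that Step 9 defines, as an added Python model (illustration code, not from the Cisco guide). It parses both IOS time syntaxes given above, applies the defaults (start January 1, 1993; end infinite), and reports which keys of a key chain are acceptable at a given moment, which is what matters when rotating route-authentication keys. The Key class, the helper names and the sample key chain are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DEFAULT_START = datetime(1993, 1, 1)    # earliest acceptable date, per the guide


def _month(token: str) -> Optional[int]:
    """Month number for a full or abbreviated (3+ letter) month name."""
    t = token.lower()
    if len(t) < 3:
        return None
    for i, name in enumerate(MONTHS, start=1):
        if name.startswith(t):
            return i
    return None


def parse_ios_time(text: str) -> datetime:
    """Parse 'hh:mm:ss Month date year' or 'hh:mm:ss date Month year'."""
    clock, a, b, year = text.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    if _month(a) is not None and b.isdigit():
        month, day = _month(a), int(b)
    elif _month(b) is not None and a.isdigit():
        month, day = _month(b), int(a)
    else:
        raise ValueError("unrecognised IOS time: %r" % text)
    return datetime(int(year), month, day, hh, mm, ss)


@dataclass
class Key:
    key_id: int
    key_string: str
    start: datetime
    end: Optional[datetime]     # None = infinite


def accept_lifetime(key_id: int, key_string: str, start: Optional[str] = None,
                    end: Optional[str] = None, duration: Optional[int] = None) -> Key:
    """Build a key from 'accept-lifetime start-time {infinite | end-time | duration seconds}'.
    No start means the default start; neither end nor duration means infinite."""
    s = parse_ios_time(start) if start else DEFAULT_START
    if duration is not None:
        e: Optional[datetime] = s + timedelta(seconds=duration)
    elif end is not None:
        e = parse_ios_time(end)
    else:
        e = None
    return Key(key_id, key_string, s, e)


def is_acceptable(key: Key, now: datetime) -> bool:
    return key.start <= now and (key.end is None or now <= key.end)


def acceptable_key_ids(chain: List[Key], now_text: str) -> List[int]:
    """IDs of the keys whose accept window covers now_text (IOS time format)."""
    now = parse_ios_time(now_text)
    return [k.key_id for k in chain if is_acceptable(k, now)]


def sample_chain() -> List[Key]:
    # Constructed key chain for a rotation: key 1 accepted for two hours, key 2
    # from a fixed time onward, key 3 for March 1996 only, key 4 always.
    return [accept_lifetime(1, "old-secret", "13:30:00 Jan 25 1996", duration=7200),
            accept_lifetime(2, "new-secret", "14:00:00 Jan 25 1996"),
            accept_lifetime(3, "march-secret", "00:00:00 1 March 1996", end="00:00:00 1 April 1996"),
            accept_lifetime(4, "fallback-secret")]


if __name__ == "__main__":
    for when in ("14:30:00 Jan 25 1996", "16:00:00 Jan 25 1996", "12:00:00 15 March 1996"):
        print(when, "->", acceptable_key_ids(sample_chain(), when))
```

Overlapping accept windows, as between keys 1 and 2 at 14:30 in the sample, are what let neighbors that have not yet switched to the new key keep authenticating during a rotation; a key with no lifetime at all (key 4) is accepted forever, which is worth spotting in an audit.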
Configuring BGP

This section applies only to the Catalyst Switch Module 3110. The Border Gateway Protocol (BGP) is an exterior gateway protocol for an interdomain routing system that guarantees the loop-free exchange of routing information between autonomous systems.
The network has these characteristics:

• Routers A and B are running EBGP, and Routers B and C are running IBGP. Note that the EBGP peers are directly connected and that the IBGP peers are not. As long as an IGP allows the two neighbors to reach one another, IBGP peers do not have to be directly connected.
• All BGP speakers within an autonomous system must establish a peer relationship.
For detailed descriptions of BGP configuration, see the “Configuring BGP” chapter in the “IP Routing Protocols” part of the Cisco IOS IP Configuration Guide, Release 12.2. For details about specific commands, see the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2. For a list of BGP commands that are visible but not supported by the switch, see Appendix C, “Unsupported Commands in Cisco IOS Release 12.2(40)EX2.”
Table 38-10 Default BGP Configuration (continued)

Feature                         Default Setting
Distribute list                 • In (filter networks received in updates): Disabled.
                                • Out (suppress networks from being advertised in updates): Disabled.
Internal route redistribution   Disabled.
IP prefix list                  None defined.
Multi-exit discriminator (MED)  • Always compare: Disabled. Does not compare MEDs for paths from neighbors in different autonomous systems.
Neighbor
Table 38-10 Default BGP Configuration (continued)

Feature           Default Setting
Table map update  Disabled.
Timers            Keepalive: 60 seconds; holdtime: 180 seconds.

1. NSF = nonstop forwarding.
2. NSF awareness can be enabled for IPv4 on switches with the IP services feature set by enabling graceful restart.

Nonstop Forwarding Awareness

The BGP NSF awareness feature is supported for IPv4 in the IP services feature set.
Beginning in privileged EXEC mode, follow these steps to enable BGP routing, establish a BGP routing process, and specify a neighbor:

Step 1   configure terminal
         Enter global configuration mode.
Step 2   ip routing
         Enable IP routing (required only if IP routing is disabled).
Step 3   router bgp autonomous-system
         Enable a BGP routing process, assign it an autonomous-system number, and enter router configuration mode.
Step 12  show ip bgp network network-number
         Verify the configuration.
         or
         show ip bgp neighbor
         Verify that NSF awareness (graceful restart) is enabled on the neighbor.
  Sent 2826 messages, 0 notifications, 0 in queue
Connections established 11; dropped 10

Anything other than BGP state = established means that the peers are not running. The remote router ID is the highest IP address on that router (or the highest loopback interface). Each time the table is updated with new information, the table version number increments.
Beginning in privileged EXEC mode, follow these steps to learn if a BGP peer supports the route-refresh capability and to reset the BGP session:

Step 1   show ip bgp neighbors
         Display whether a neighbor supports the route-refresh capability. When supported, this message appears for the router:
         Received route refresh capability from peer.
3. Prefer the route with the highest local preference. Local preference is part of the routing update and is exchanged among routers in the same autonomous system. The default value of the local preference attribute is 100. You can set local preference by using the bgp default local-preference router configuration command or by using a route map.
4. Prefer the route that was originated by BGP running on the local router.
5.
Step 7   bgp bestpath med missing-as-worst
         (Optional) Configure the switch to consider a missing MED as having a value of infinity, making the path without a MED value the least desirable path.
Step 8   bgp always-compare-med
         (Optional) Configure the switch to compare MEDs for paths from neighbors in different autonomous systems. By default, MED comparison is only done among paths in the same autonomous system.
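The BGP decision process that the local-preference step above and the two MED knobs in Steps 7 and 8 feed into, as an added Python model (illustration code, not from the Cisco guide). It applies the standard best-path order (unreachable next hop dropped, then weight, local preference, local origination, AS-path length, origin, MED, external over internal, IGP metric, lowest router ID) and shows how bgp bestpath med missing-as-worst and bgp always-compare-med change the outcome. The Path class, its field names and the demo scenarios are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

MAX_MED = 2 ** 32 - 1      # the 'infinity' used for a missing MED under missing-as-worst


@dataclass
class Path:
    next_hop: str
    neighbor_as: int                    # AS of the peer this path came from
    as_path: Tuple[int, ...] = ()
    weight: int = 0
    local_pref: int = 100               # default local preference per the guide
    locally_originated: bool = False
    origin: int = 0                     # 0 IGP, 1 EGP, 2 incomplete; lower wins
    med: Optional[int] = None           # None = MED attribute missing
    ebgp: bool = True
    igp_metric: int = 0                 # IGP cost to reach the next hop
    router_id: str = "0.0.0.0"
    next_hop_reachable: bool = True


def effective_med(p: Path, missing_as_worst: bool) -> int:
    if p.med is not None:
        return p.med
    return MAX_MED if missing_as_worst else 0


def prefer(a: Path, b: Path, always_compare_med: bool, missing_as_worst: bool) -> bool:
    """True if a beats b under the BGP decision order."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if a.locally_originated != b.locally_originated:
        return a.locally_originated
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return a.origin < b.origin
    # MED is compared only between paths from the same neighbor AS unless
    # 'bgp always-compare-med' is configured.
    if always_compare_med or a.neighbor_as == b.neighbor_as:
        ma, mb = effective_med(a, missing_as_worst), effective_med(b, missing_as_worst)
        if ma != mb:
            return ma < mb
    if a.ebgp != b.ebgp:
        return a.ebgp
    if a.igp_metric != b.igp_metric:
        return a.igp_metric < b.igp_metric
    return IPv4Address(a.router_id) < IPv4Address(b.router_id)


def best_path(paths: List[Path], always_compare_med: bool = False,
              missing_as_worst: bool = False) -> Optional[Path]:
    best = None
    for p in paths:
        if not p.next_hop_reachable:       # a path with an inaccessible next hop is dropped
            continue
        if best is None or prefer(p, best, always_compare_med, missing_as_worst):
            best = p
    return best


def demo() -> Dict[str, str]:
    """Constructed scenarios; each value is the next hop of the chosen path."""
    a = Path("10.0.0.1", 65001, (65001,), router_id="1.1.1.1")
    b = Path("10.0.0.2", 65002, (65002,), router_id="2.2.2.2")
    out: Dict[str, str] = {}
    out["local_pref"] = best_path([a, Path("10.0.0.2", 65002, (65002,), local_pref=200)]).next_hop
    same_as = [Path("10.0.0.1", 65001, (65001,), med=None, router_id="1.1.1.1"),
               Path("10.0.0.2", 65001, (65001,), med=50, router_id="2.2.2.2")]
    out["med_missing_default"] = best_path(same_as).next_hop
    out["med_missing_as_worst"] = best_path(same_as, missing_as_worst=True).next_hop
    diff_as = [Path("10.0.0.1", 65001, (65001,), med=10, router_id="1.1.1.1"),
               Path("10.0.0.2", 65002, (65002,), med=5, router_id="2.2.2.2")]
    out["med_diff_as_default"] = best_path(diff_as).next_hop
    out["med_always_compare"] = best_path(diff_as, always_compare_med=True).next_hop
    unreachable = Path("10.0.0.1", 65001, (65001,), next_hop_reachable=False)
    out["unreachable_skipped"] = best_path([unreachable, b]).next_hop
    out["tie_lowest_router_id"] = best_path([b, a]).next_hop
    return out


if __name__ == "__main__":
    for scenario, chosen in demo().items():
        print(scenario, "->", chosen)
```

With the defaults a path carrying no MED is treated as MED 0 and therefore wins against any path that does carry one; missing-as-worst reverses that, which is usually the safer reading of a peer that omits the attribute.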
Step 3   set ip next-hop ip-address [...ip-address] [peer-address]
         (Optional) Set a route map to disable next-hop processing.
         • In an inbound route map, set the next hop of matching routes as the neighbor peering address, overriding third-party next hops.
         • In an outbound route map of a BGP peer, set the next hop to the peering address of the local router, disabling the next-hop calculation.
Step 6   show ip bgp neighbors
         Verify the configuration.
Step 7   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Use the no neighbor distribute-list command to remove the access list from the neighbor. Use the no neighbor route-map map-tag router configuration command to remove the route map from the neighbor.
By default, sequence numbers are generated automatically and incremented in units of five. If you disable the automatic generation of sequence numbers, you must specify the sequence number for each entry. You can specify sequence values in any increment. If you specify increments of one, you cannot insert additional entries into the list. If you choose very large increments, you might run out of values.
A community is a group of destinations that share some common attribute. Each destination can belong to multiple communities. Autonomous-system administrators can define to which communities a destination belongs. By default, all destinations belong to the general Internet community. The community is identified by the COMMUNITIES attribute, an optional, transitive, global attribute in the numerical range from 1 to 4294967200.
Step 9   show ip bgp community
         Verify the configuration.
Step 10  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Configuring BGP Neighbors and Peer Groups

Often many BGP neighbors are configured with the same update policies (that is, the same outbound route maps, distribute lists, filter lists, update source, and so on).
Step 11  neighbor {ip-address | peer-group-name} local-as number
         (Optional) Specify an autonomous-system number to use as the local autonomous system. The range is 1 to 65535.
Step 12  neighbor {ip-address | peer-group-name} advertisement-interval seconds
         (Optional) Set the minimum interval between sending BGP routing updates.
Configuring Aggregate Addresses

Classless interdomain routing (CIDR) creates aggregate routes (or supernets) to minimize the size of routing tables. You can configure aggregate routes in BGP either by redistributing an aggregate route into BGP or by creating an aggregate entry in the BGP routing table. An aggregate address is added to the BGP table when there is at least one more specific entry in the BGP table.
To configure a BGP confederation, you must specify a confederation identifier that acts as the autonomous-system number for the autonomous-system group. Beginning in privileged EXEC mode, use these commands to configure a BGP confederation:

Step 1   configure terminal
         Enter global configuration mode.
Step 2   router bgp autonomous-system
         Enter BGP router configuration mode.
Beginning in privileged EXEC mode, use these commands to configure a route reflector and clients:

Step 1   configure terminal
         Enter global configuration mode.
Step 2   router bgp autonomous-system
         Enter BGP router configuration mode.
Step 3   neighbor {ip-address | peer-group-name} route-reflector-client
         Configure the local router as a BGP route reflector and the specified neighbor as a client.
Step 8   clear ip bgp flap-statistics [{regexp regexp} | {filter-list list} | {address mask [longer-prefix]}]
         (Optional) Clear BGP flap statistics to make it less likely that a route is dampened.
Step 9   clear ip bgp dampening
         (Optional) Clear route dampening information, and unsuppress the suppressed routes.
Step 10  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
Table 38-12 IP BGP Clear and Show Commands (continued)

Command                          Purpose
show ip bgp neighbors [address]  Display detailed information on the BGP and TCP connections to individual neighbors.
show ip bgp neighbors [address] [advertised-routes | dampened-routes | flap-statistics | paths regular-expression | received-routes | routes]
                                 Display routes learned from a particular BGP neighbor.
Configuring Multi-VRF CE

Understanding Multi-VRF CE

Multi-VRF CE is a feature that allows a service provider to support two or more VPNs with overlapping IP addresses among the VPNs. Multi-VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF.
Figure 38-7 Switches Acting as Multiple Virtual CEs
[Figure: VPN 1 and VPN 2 at each end, connected through CE1, PE1, PE2, and CE2 across the service provider network. CE = Customer-edge device; PE = Provider-edge device.]

When the CE switch receives a command to add a Layer 3 interface to a VRF, it sets up the mapping between the VLAN ID and the policy label (PL) in multi-VRF-CE-related data structures and adds the VLAN ID and PL to the VLAN database.
• VPN forwarding: transports all traffic between all VPN community members across a VPN service-provider network.

Default Multi-VRF CE Configuration

Table 38-13 shows the default multi-VRF CE configuration.

Table 38-13 Default Multi-VRF CE Configuration

Feature  Default Setting
VRF      Disabled. No VRFs are defined.
Maps     No import maps, export maps, or route maps are defined.
• Multi-VRF CE does not affect the packet switching rate.
• VPN multicast is not supported.
• You can configure 104 policies whether or not VRFs are configured on the switch or the switch stack.
• You can enable VRF on a private VLAN and the reverse.
• You cannot enable VRF when policy-based routing (PBR) is enabled on an interface and the reverse.
Configuring VRF-Aware Services

IP services can be configured on global interfaces that run within the global routing instance. IP services are enhanced to run on multiple routing instances; they are VRF-aware. Any configured VRF in the system can be specified for a VRF-aware service. VRF-aware services are implemented in platform-independent modules. VRF means multiple routing instances in Cisco IOS.
User Interface for SNMP

Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for SNMP. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.

Step 1   configure terminal
         Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to configure VRF-aware services for uRPF. For complete syntax and usage information for the commands, refer to the switch command reference for this release and the Cisco IOS Switching Services Command Reference, Release 12.2.

Step 1   configure terminal
         Enter global configuration mode.
User Interface for FTP and TFTP

So that FTP and TFTP are VRF-aware, you must configure command-line interface (CLI) commands for FTP/TFTP. For example, if you want to use a VRF table that is attached to an interface, say E1/0, you need to configure the CLI ip [t]ftp source-interface E1/0 to inform [t]ftp to use a specific routing table. In this example, the VRF table looks up the destination IP address.
Step 5   route-target {export | import | both} route-target-ext-community
         Create a list of import, export, or import and export route target communities for the specified VRF. Enter either an autonomous-system number and an arbitrary number (nnn:y) or an IP address and an arbitrary number (A.B.C.D:y). The route-target-ext-community should be the same as the route-distinguisher entered in Step 4.
Use the no router ospf process-id vrf vrf-name global configuration command to disassociate the VPN forwarding table from the OSPF routing process.

Configuring BGP PE to CE Routing Sessions

Beginning in privileged EXEC mode, follow these steps to configure a BGP PE to CE routing session:

Step 1   configure terminal
         Enter global configuration mode.
Figure 38-8 Multi-VRF CE Configuration Example
[Figure: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F, Switch H, Switch J, and Switch K; VPN1, VPN2, CE1, CE2, PE, and the global network; Fast Ethernet 7, Fast Ethernet 8, Fast Ethernet 11, Gigabit Ethernet 1; networks 208.0.0.0, 108.0.0.0, 118.0.0.0, and 168.0.0.]
Switch(config)# interface gigabitethernet1/0/5
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# no ip address
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/8
Switch(config-if)# switchport access vlan 208
Switch(config-if)# no ip address
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/11
Switch(config-if)# switchport trunk encapsu
Switch(config-router-af)# neighbor 38.0.0.3 remote-as 100
Switch(config-router-af)# neighbor 38.0.0.3 activate
Switch(config-router-af)# network 8.8.1.0 mask 255.255.255.0
Switch(config-router-af)# end

Configuring Switch D

Switch D belongs to VPN 1. Configure the connection to Switch A by using these commands.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip address 3.3.1.3 255.255.255.0
Router(config-if)# exit
Router(config)# interface loopback2
Router(config-if)# ip vrf forwarding v2
Router(config-if)# ip address 3.3.2.3 255.255.255.0
Router(config-if)# exit
Router(config)# interface gigabitethernet1/1/0.10
Router(config-if)# encapsulation dot1q 10
Router(config-if)# ip vrf forwarding v1
Router(config-if)# ip address 38.0.0.
Configuring Unicast Reverse Path Forwarding

The unicast reverse path forwarding (uRPF) feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network. uRPF discards IP packets without a verifiable IP source address.
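The source-address check that uRPF performs, and the per-VRF lookup it relies on when a VRF-aware uRPF is configured as in the Multi-VRF CE section above, as one added Python model serving both passages (illustration code, not from the Cisco guide). The Fib class, the interface names and the sample prefixes are constructed; strict mode requires the route back to the source to leave through the ingress interface, loose mode accepts any route, and a bare default route is ignored unless allow_default is set, which is an assumption of this model about the common uRPF behaviour rather than a command shown on this page.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

GLOBAL = "global"


class Fib:
    """Per-VRF forwarding tables plus the interface-to-VRF bindings."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Tuple]] = {GLOBAL: []}
        self.iface_vrf: Dict[str, str] = {}

    def bind(self, iface: str, vrf: str) -> None:
        """Like 'ip vrf forwarding <vrf>' on an interface."""
        self.iface_vrf[iface] = vrf
        self.tables.setdefault(vrf, [])

    def add(self, vrf: str, prefix: str, out_iface: str) -> None:
        self.tables.setdefault(vrf, []).append((ip_network(prefix), out_iface))

    def vrf_of(self, iface: str) -> str:
        return self.iface_vrf.get(iface, GLOBAL)

    def lookup(self, vrf: str, addr: str, allow_default: bool = True) -> Optional[str]:
        """Longest-prefix match in one VRF's table; returns the outgoing interface."""
        ip = ip_address(addr)
        best = None
        for net, out in self.tables.get(vrf, []):
            if ip not in net:
                continue
            if net.prefixlen == 0 and not allow_default:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, out)
        return best[1] if best else None


def urpf_check(fib: Fib, in_iface: str, src: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """uRPF verdict for a packet with source src arriving on in_iface: True = pass.
    The reverse lookup runs in the VRF of the ingress interface, so overlapping
    addresses in different VPNs are checked against their own tables."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    out = fib.lookup(fib.vrf_of(in_iface), src, allow_default=allow_default)
    if out is None:
        return False          # no verifiable route to the source: drop
    return mode == "loose" or out == in_iface


def build_sample_fib() -> Fib:
    # Constructed tables: global routing plus VRF v1 reusing the 10.1.0.0/16 prefix.
    fib = Fib()
    fib.add(GLOBAL, "10.1.0.0/16", "Gi1")
    fib.add(GLOBAL, "10.2.0.0/16", "Gi2")
    fib.add(GLOBAL, "0.0.0.0/0", "Gi3")
    fib.bind("Gi5", "v1")
    fib.add("v1", "10.1.0.0/16", "Gi5")
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for iface, src, mode in [("Gi2", "10.2.5.5", "strict"), ("Gi1", "10.2.5.5", "strict"),
                             ("Gi1", "10.2.5.5", "loose"), ("Gi1", "192.0.2.1", "loose"),
                             ("Gi5", "10.1.0.9", "strict"), ("Gi5", "10.2.0.9", "loose")]:
        print(iface, src, mode, "->", "pass" if urpf_check(fib, iface, src, mode) else "drop")
```

The last constructed case shows the VRF boundary: 10.2.0.9 is routable in the global table, but a packet with that source arriving on Gi5 is checked against VRF v1, which has no route to it, so even loose mode drops it.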
Configuring Protocol-Independent Features

causes traffic to be process-switched using the routing table, instead of fast-switched using the route cache. CEF and dCEF use the Forwarding Information Base (FIB) lookup table for destination-based switching of IP packets. The two main components in CEF and dCEF are the distributed FIB and the distributed adjacency tables.
Step 7   show cef linecard [detail]
         or
         show cef linecard [stack-member-number] [detail]
         Display CEF-related interface information on a standalone switch, or display dCEF-related interface information for all switches in the stack or for the specified stack member. (Optional) For stack-member-number, specify the stack member.
Configuring Static Unicast Routes

Static unicast routes are user-defined routes that cause packets moving between a source and a destination to take a specified path. Static routes can be important if the router cannot dynamically build a route to a particular destination and are useful for specifying a gateway of last resort to which all unroutable packets are sent.
When an interface goes down, all static routes through that interface are removed from the IP routing table. When the software can no longer find a valid next hop for the address specified as the forwarding-router address in a static route, the static route is also removed from the IP routing table.

Specifying Default Routes and Networks

A router might not be able to learn the routes to all other networks.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features a criterion must be matched. The set command specifies an action to be taken if the routing update meets the conditions defined by the match command. Although redistribution is a protocol-independent feature, some of the match and set route-map configuration commands are specific to a particular protocol. One or more match commands and one or more set commands follow a route-map command.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 5 match ip address {access-list-number | access-list-name} [...access-list-number | ...access-list-name] Match a standard access list by specifying the name or number. It can be an integer from 1 to 199. Step 6 match metric metric-value Match the specified route metric. The metric-value can be an EIGRP metric with a specified value from 0 to 4294967295.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features Step 18 Command Purpose set metric bandwidth delay reliability loading mtu Set the metric value to give the redistributed routes (only for EIGRP) only on a Catalyst Switch Module 3110: • bandwidth—Metric value or IGRP bandwidth of the route in Kb/s in the range 0 to 4294967295 • delay—Route delay in tens of microseconds in the range 0 to 4294967295.
Chapter 38 Configuring IP Unicast Routing Configuring Protocol-Independent Features Command Purpose Step 3 redistribute protocol [process-id] {level-1 | level-1-2 | level-2} [metric metric-value] [metric-type type-value] [match internal | external type-value] [tag tag-value] [route-map map-tag] [weight weight] [subnets] Redistribute routes from one routing protocol to another routing protocol. If no route maps are specified, all routes are redistributed.
With PBR, you classify traffic using access control lists (ACLs) and then make traffic go through a different path. PBR is applied to incoming packets. All packets received on an interface with PBR enabled are passed through route maps. Based on the criteria defined in the route maps, packets are forwarded (routed) to the appropriate next hop.
• To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN and default templates. For more information on the SDM templates, see Chapter 8, “Configuring SDM Templates.”
• VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface.
Beginning in privileged EXEC mode, follow these steps to configure PBR:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: route-map map-tag [permit] [sequence number]
    Define any route maps used to control from where packets are sent, and enter route-map configuration mode.
    • map-tag—A meaningful name for the route map.
Step 11: end
    Return to privileged EXEC mode.
Step 12: show route-map [map-name]
    (Optional) Display all configured route maps or only the one specified to verify configuration.
Step 13: show ip policy
    (Optional) Display policy route maps attached to interfaces.
Step 14: show ip local policy
    (Optional) Display whether or not local policy routing is enabled and, if so, the route map being used.
Step 5: no passive-interface interface type
    (Optional) Activate only those interfaces that need to have adjacencies sent.
Step 6: network network-address
    (Optional) Specify the list of networks for the routing process. The network-address is an IP address.
Step 7: end
    Return to privileged EXEC mode.
Step 8: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Filtering Sources of Routing Information
Because some routing information might be more accurate than others, you can use filtering to prioritize information coming from different sources. An administrative distance is a rating of the trustworthiness of a routing information source, such as a router or group of routers. In a large network, some routing protocols can be more reliable than others.
You can configure multiple keys with lifetimes. Only one authentication packet is sent, regardless of how many valid keys exist. The software examines the key numbers in order from lowest to highest and uses the first valid key it encounters. The lifetimes allow for overlap during key changes. Note that the router must know these lifetimes.
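The key-selection rule above (lowest key number first, first valid key wins) and the effect of overlapping versus non-overlapping lifetimes, as an added example in Python that is not part of the Cisco guide. Key numbers, key strings and lifetimes are constructed sample data; the clock is the router's own, which is why the text insists the router must know the lifetimes.

```python
"""Key selection from a routing-protocol authentication key chain.

Added example, not from the Cisco guide: models the rule the text states. The
sender examines key numbers from lowest to highest and uses the first key whose
send lifetime covers the current time for its single authentication packet.
coverage_gaps() finds periods in which no key is valid, which is what an
overlap between the old and new key lifetimes is meant to prevent. Key numbers,
key strings and lifetimes below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

T0 = datetime(2008, 4, 1, 0, 0, 0)   # constructed reference time


def at(days: float = 0, hours: float = 0) -> datetime:
    """Time `days` and `hours` after T0 (for readable sample data and tests)."""
    return T0 + timedelta(days=days, hours=hours)


@dataclass(frozen=True)
class Key:
    number: int
    key_string: str
    start: datetime
    end: Optional[datetime]   # None models an infinite lifetime

    def valid_at(self, now: datetime) -> bool:
        return self.start <= now and (self.end is None or now < self.end)


def select_send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """First valid key in ascending key-number order, or None when none is valid."""
    for key in sorted(chain, key=lambda k: k.number):
        if key.valid_at(now):
            return key
    return None


def send_key_number(chain: List[Key], now: datetime) -> Optional[int]:
    key = select_send_key(chain, now)
    return None if key is None else key.number


def coverage_gaps(chain: List[Key], window_start: datetime,
                  window_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Intervals inside [window_start, window_end) during which no key is valid."""
    gaps = []
    cursor = window_start
    for key in sorted(chain, key=lambda k: k.start):
        key_end = window_end if key.end is None else key.end
        if key_end <= cursor:
            continue
        if key.start > cursor:
            gaps.append((cursor, min(key.start, window_end)))
        cursor = max(cursor, key_end)
        if cursor >= window_end:
            break
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return gaps


# Rollover with a one-day overlap: both keys are valid between day 9 and day 10,
# and the lower-numbered key 1 keeps being sent until its lifetime ends.
OVERLAP_CHAIN = [
    Key(1, "old-secret", at(0), at(10)),
    Key(2, "new-secret", at(9), None),
]

# Misconfigured rollover: key 1 expires a day before key 2 becomes valid, so
# for one day the router has no key to authenticate its updates with.
NO_OVERLAP_CHAIN = [
    Key(1, "old-secret", at(0), at(10)),
    Key(2, "new-secret", at(11), None),
]
```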
Chapter 38 Configuring IP Unicast Routing Monitoring and Maintaining the IP Network
You can remove all contents of a particular cache, table, or database. You can also display specific statistics. Use the privileged EXEC commands in Table 38-16 to clear routes or display status:
Table 38-16 Commands to Clear IP Routes or Display Route Status
clear ip route {network [mask | *]}
    Clear one or more routes from the IP routing table.
CH A P T E R 39 Configuring IPv6 Host Functions and Unicast Routing Internet Protocol Version 6 (IPv6) is the network-layer Internet Protocol intended to replace Version 4 (IPv4) in the TCP/IP suite of protocols. This chapter describes how to configure IPv6 host functions and unicast routing on the switch. For information about configuring IPv4 unicast routing, see Chapter 38, “Configuring IP Unicast Routing.
Chapter 39 Configuring IPv6 Host Functions and Unicast Routing Supported IPv6 Host Functions and Unicast Routing Features
Table 39-1 shows the supported IPv6 features on each switch.
Chapter 39 Configuring IPv6 Host Functions and Unicast Routing Understanding IPv6 IPv6 also provides these advantages over IPv4: • Address management and delegation • Address autoconfiguration with stateless autoconfiguration, which is similar to DHCP but does not require a specified DHCP application or server • Embedded IPsec (encrypted security) • Routing optimized for mobile devices • Duplicate Address Detection (DAD) feature For information about how Cisco Systems implements IPv6, go to this
• IPv6 Address Output Display
• Simplified IPv6 Packet Header
Supported IPv6 Host Functions and Unicast Routing Features
These sections describe the IPv6 protocol features supported by the switch:
• 128-Bit Wide Unicast Addresses, page 39-4
• DNS for IPv6, page 39-5
• Path MTU Discovery for IPv6 Unicast, page 39-5 (only the Catalyst Switch Module 3110)
• ICMPv6, page 39-5
• Neighbor Discovery, page 39-5
• IPv
See the section on IPv6 Unicast Addresses in the “Implementing Addressing and Basic Connectivity for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00807fcf4b.
Neighbor discovery throttling ensures that the switch CPU is not unnecessarily burdened while it is in the process of obtaining the next-hop forwarding information to route an IPv6 packet. The switch drops any additional IPv6 packets whose next hop is the same neighbor the CPU is actively resolving. This drop avoids adding further load on the CPU.
IPv6 nodes with a 48-bit MAC address generate an identifier for the autoconfigured address by inserting 0xFF and 0xFE in the MAC address and reversing the universal/local bit. For example, if an interface MAC address is 000b.462e.9047, the identifier would be 020b:46ff:fe2e:9047, and the autogenerated IPv6 link-local address would be FE80::20B:46FF:FE2E:9047.
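The EUI-64 derivation just described, as an added Python example that is not part of the Cisco guide. It builds the identifier, the link-local address, an EUI-64 global address and the solicited-node multicast group from a MAC address, and also does the reverse, recovering the MAC from the address, which is the property that makes EUI-64 addresses predictable and device-identifying. The MAC addresses and prefixes used are the ones printed in this chapter.

```python
"""EUI-64 interface identifier and the addresses derived from it.

Added example, not from the Cisco guide: reproduces the derivation the text
describes (insert 0xFF 0xFE into the 48-bit MAC and invert the universal/local
bit) and the link-local, global and solicited-node addresses built from it.
The sample MAC addresses are the ones printed in the guide.
"""
import ipaddress
import re
from typing import Optional

LINK_LOCAL_PREFIX = "FE80::/64"


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (000b.462e.9047), colon or dash notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_identifier(mac: str) -> str:
    """Return the 64-bit interface identifier as four 16-bit hex groups.

    The OUI (first 3 bytes) and device part (last 3 bytes) are split by
    0xFFFE, and the 0x02 bit of the first byte (universal/local) is inverted.
    """
    mac_bytes = mac_to_bytes(mac)
    iid = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    iid[0] ^= 0x02
    hex_iid = iid.hex()
    return ":".join(hex_iid[i:i + 4] for i in range(0, 16, 4))


def address_from_prefix(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier (compressed text, upper case)."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid_bytes = bytes.fromhex(eui64_identifier(mac).replace(":", ""))
    addr = ipaddress.IPv6Address(network.network_address.packed[:8] + iid_bytes)
    return str(addr).upper()


def link_local(mac: str) -> str:
    """Autogenerated link-local address: FE80::/64 plus the EUI-64 identifier."""
    return address_from_prefix(LINK_LOCAL_PREFIX, mac)


def solicited_node(address: str) -> str:
    """Solicited-node multicast group FF02::1:FFxx:xxxx (low-order 24 bits of the address)."""
    packed = ipaddress.IPv6Address(address).packed
    group = b"\xff\x02" + bytes(9) + b"\x01\xff" + packed[13:]
    return str(ipaddress.IPv6Address(group)).upper()


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, in Cisco dotted form.

    Returns None when the identifier lacks the 0xFFFE marker, i.e. the address
    was not built from a MAC (for example, a manually assigned address).
    """
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    mac = (iid[:3] + iid[5:]).hex()
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def same_address(a: str, b: str) -> bool:
    """Compare two IPv6 address strings regardless of case or leading zeros."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    mac = "000b.462e.9047"
    print(eui64_identifier(mac), link_local(mac), solicited_node(link_local(mac)))
```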
[Figure 39-1: Dual IPv4 and IPv6 Support on an Interface. One interface carries both the IPv4 address 10.1.1.1 and the IPv6 address 3ffe:yyyy::1.]
The switch uses hardware memory to store unicast routes, MAC addresses, access control lists (ACLs), and other features, and provides the switch database management (SDM) templates to allocate memory resources depending on how the switch is used.
Prefix Lists
Use the distribute-list prefix-list command to define which networks running EIGRP IPv6 are to receive routing updates. The route-map command is not supported for route filtering with a distributed list.
Router ID
An instance of EIGRP IPv6 requires that you have a router ID before it can run. As with IPv4, EIGRP IPv6 supports implicit and explicit router IDs.
Table 39-3 shows the supported EIGRP IPv6 router configuration commands.
Table 39-3 EIGRP IPv6 Router-mode Commands
ipv6 router eigrp as-number
    Specifies the EIGRP IPv6 routing process to be configured.
default-metric bandwidth delay reliability loading mtu
    Sets metrics for EIGRP IPv6.
Table 39-4 EIGRP IPv6 Show and Debug Commands (continued)
show ipv6 eigrp topology [as-number | ipv6-address] [active | all-links | detail-links | pending | summary | zero-successors]
    Displays EIGRP entries in the IPv6 topology table.
debug ipv6 eigrp [as-number] [neighbor ipv6-address
    Displays information about EIGRP IPv6.
Limitations
This section applies only to the Catalyst Switch Module 3110. Because IPv6 is implemented in hardware in the switch, some limitations occur due to the use of IPv6 compressed addresses in the hardware memory. These hardware limitations result in some loss of functionality and limit some features. These are the feature limitations:
ipv6-prefix/prefix length eui-64 interface configuration command, the address is based on the interface MAC address. Changing the MAC address also changes the IPv6 address. See the “Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing” section on page 39-16.
If you try to configure IPv6 without first selecting a dual IPv4 and IPv6 template, a warning message appears.
Note: Using the dual stack templates allows less hardware memory capacity for each resource, so do not use them if you plan to forward only IPv4 traffic.
Chapter 39 Configuring IPv6 Host Functions and Unicast Routing Configuring IPv6
Table 39-5 Approximate Feature Resources Allowed by Dual IPv4-IPv6 Templates (continued)
Resource | IPv4-and-IPv6 Default | IPv4-and-IPv6 Routing | IPv4-and-IPv6 VLAN
IPv4 or MAC QoS ACEs (total) | 0.5 K | 0.5 K | 0.5 K
IPv4 or MAC security ACEs (total) | 1 K | 0.5 K | 1 K
IPv6 security ACEs | 1 K | 1 K | 1 K
1. IPv6 policy-based routing is not supported on the Catalyst Switch Module 3012.
Configuring IPv6 Addressing and Enabling IPv6 Host Functions or Routing
This section describes how to assign IPv6 addresses to a Layer 3 interface and to enable the forwarding of IPv6 traffic globally on the switch.
Note: In the ipv6 address interface configuration command, you must enter the ipv6-address and ipv6-prefix variables with the address specified in hexadecimal using 16-bit values between colons.
Step 6: interface interface-id
    Enter interface configuration mode, and specify the Layer 3 interface to configure. The interface can be a physical interface, a switch virtual interface (SVI), or a Layer 3 EtherChannel.
Step 7: no switchport
    Remove the interface from Layer 2 configuration mode (if it is a physical interface).
Switch(config-if)# ipv6 address 2001:0DB8:c18:1::/64 eui-64
Switch(config-if)# end
Switch# show ipv6 interface gigabitethernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    2001:0DB8:c18:1:20B:46FF:FE2F:D940, subnet is 2001:0DB8:c18:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP e
Step 7: ipv6 address ipv6-prefix/prefix length eui-64
    Specify a global IPv6 address with an interface identifier in the low-order 64 bits of the IPv6 address. Specify only the network prefix; the last 64 bits are automatically computed from the switch MAC address. This enables IPv6 processing on the interface.
empty. When the bucket is empty, IPv6 ICMP error messages are not sent until a new token is placed in the bucket. This method does not increase the average rate-limiting time interval, but it provides more flexibility than fixed-time intervals. ICMP rate limiting is enabled by default with a default interval between error messages of 100 milliseconds and a bucket size (maximum number of tokens to be stored in a bucket) of 10.
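The token-bucket behaviour described above, as an added Python simulation that is not part of the Cisco guide. It uses the stated defaults (one token per 100 ms, bucket of 10) and runs the same constructed arrival pattern through a fixed-interval limiter, showing that the bucket absorbs a burst of error-triggering packets while the long-run rate stays at one message per interval; the limiter classes are models, not IOS code.

```python
"""ICMPv6 error-message rate limiting as a token bucket.

Added example, not from the Cisco guide: simulates the behaviour the text
describes with the stated defaults (one token every 100 ms, bucket of 10) and
compares it with a fixed-interval limiter over the same constructed sequence
of error-triggering packets. Both limiters are models, not IOS code.
"""
from typing import List, Optional, Tuple


class TokenBucketLimiter:
    """One token is added every `interval_ms`; at most `bucket_size` are stored."""

    def __init__(self, interval_ms: int = 100, bucket_size: int = 10) -> None:
        if interval_ms <= 0 or bucket_size <= 0:
            raise ValueError("interval and bucket size must be positive")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size       # the bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms: int) -> None:
        new_tokens = (now_ms - self.last_refill_ms) // self.interval_ms
        if new_tokens > 0:
            self.tokens = min(self.bucket_size, self.tokens + new_tokens)
            # advance only by whole intervals so partial credit is not lost
            self.last_refill_ms += new_tokens * self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """True if an ICMPv6 error may be sent at now_ms (consumes one token)."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False       # bucket empty: error message suppressed
        self.tokens -= 1
        return True


class FixedIntervalLimiter:
    """At most one error message per `interval_ms`, with no burst allowance."""

    def __init__(self, interval_ms: int = 100) -> None:
        self.interval_ms = interval_ms
        self.last_sent_ms: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        if self.last_sent_ms is None or now_ms - self.last_sent_ms >= self.interval_ms:
            self.last_sent_ms = now_ms
            return True
        return False


def run(limiter, arrival_times_ms: List[int]) -> Tuple[int, int]:
    """Feed error-triggering packet arrival times in order; return (sent, suppressed)."""
    sent = sum(1 for t in arrival_times_ms if limiter.allow(t))
    return sent, len(arrival_times_ms) - sent


# Constructed traffic: a burst of 15 bad packets at t=0 (e.g. unreachable
# destinations), and a sustained stream of one bad packet every 10 ms for 2 s.
BURST = [0] * 15
SUSTAINED = list(range(0, 2000, 10))


def compare(arrivals: List[int]) -> dict:
    """Run both limiters on the same arrivals with the default 100 ms / 10 tokens.

    The bucket lets the burst through (10 of 15) where the fixed interval sends 1;
    on the sustained stream both settle at one message per 100 ms, the bucket
    being ahead only by the tokens it held when the stream began.
    """
    return {
        "token_bucket": run(TokenBucketLimiter(100, 10), arrivals),
        "fixed_interval": run(FixedIntervalLimiter(100), arrivals),
    }


if __name__ == "__main__":
    print("burst:", compare(BURST))
    print("sustained:", compare(SUSTAINED))
```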
Configuring Static Routes for IPv6
Static routes are manually configured and define an explicit route between two networking devices. The benefits of static routes include security and resource efficiency. Static routes use less bandwidth than dynamic routing protocols because routes are not calculated and communicated.
Beginning in privileged EXEC mode, follow these steps to configure an IPv6 static route:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ipv6 route ipv6-prefix/prefix length {ipv6-address | interface-id [ipv6-address]} [administrative distance]
    Configure a static IPv6 route.
    • ipv6-prefix—The IPv6 network that is the destination of the static route.
Step 4: show ipv6 static [ipv6-address | ipv6-prefix/prefix length] [interface interface-id] [recursive] [detail]
    Verify your entries by displaying the contents of the IPv6 routing table.
    • interface interface-id—(Optional) Display only those static routes with the specified interface as an egress interface.
    • recursive—(Optional) Display only recursive static routes.
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 RIP:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ipv6 router rip name
    Configure an IPv6 RIP routing process, and enter router configuration mode for the process.
Step 3: maximum-paths number-paths
    (Optional) Define the maximum number of equal-cost routes that IPv6 RIP can support.
Configuring OSPF for IPv6
This section applies only to the Catalyst Switch Module 3110. Open Shortest Path First (OSPF) is a link-state protocol for IP, which means that routing decisions are based on the states of the links that connect the source and destination devices. The state of a link is a description of the interface and its relationship to its neighboring networking devices.
Beginning in privileged EXEC mode, follow these required and optional steps to configure IPv6 OSPF:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ipv6 router ospf process-id
    Enable OSPF router configuration mode for the process. The process ID is the number administratively assigned when enabling the OSPF for IPv6 routing process.
Chapter 39 Configuring IPv6 Host Functions and Unicast Routing Displaying IPv6 To disable an OSPF routing process, use the no ipv6 router ospf process-id global configuration command. To disable the OSPF routing process for an interface, use the no ipv6 ospf process-id area area-id interface configuration command. For more information about configuring OSPF routing for IPv6, see the “Implementing OSPF for IPv6” chapter in the Cisco IOS IPv6 Configuration Library at this URL: http://www.cisco.
This is an example of the output from the show ipv6 interface privileged EXEC command:
Switch# show ipv6 interface
Vlan1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:46FF:FE2F:D940
  Global unicast address(es):
    3FFE:C000:0:1:20B:46FF:FE2F:D940, subnet is 3FFE:C000:0:1::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF2F:D940
  MTU is 1500 bytes
  ICMP error messages limited to one every 10
Redistribution: None
This is an example of the output from the show ipv6 rip privileged EXEC command on a Catalyst Switch Module 3110:
Switch# show ipv6 rip
RIP process "fer", port 521, multicast-group FF02::9, pid 190
     Administrative distance is 120.
     via ::, Loopback10
L   3FFE:C000:16A:1:20B:46FF:FE2F:D900/128 [0/0]
     via ::, Loopback10
CH A P T E R 40 Configuring HSRP This chapter describes how to use Hot Standby Router Protocol (HSRP) on the switch to provide routing redundancy for routing IP traffic without being dependent on the availability of any single router. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 40 Configuring HSRP Understanding HSRP HSRP is useful for hosts that do not support a router discovery protocol and cannot switch to a new router when their selected router reloads or loses power. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among router interfaces in a group of router interfaces running HSRP.
[Figure 40-1: Typical HSRP Configuration. Router A (active router) and Router B (standby router) share the virtual router address 172.20.128.1; blade servers A, B, and C are attached to the same segment.]
Multiple HSRP
The switch supports Multiple HSRP (MHSRP), an extension of HSRP that allows load sharing between two or more HSRP groups.
Chapter 40 Configuring HSRP Configuring HSRP
[Figure 40-2: MHSRP Load Sharing. Router A and Router B (10.0.0.1 and 10.0.0.2) are each the active router for one HSRP group and the standby router for the other; each blade switch enclosure with a management module has an active link to one router and a standby link to the other.]
HSRP and Switch Stacks
HSRP hello messages are generated by the stack master.
• Configuring HSRP Authentication and Timers, page 40-10
• Enabling HSRP Support for ICMP Redirect Messages, page 40-11
Default HSRP Configuration
Table 40-1 shows the default HSRP configuration.
Table 40-1 Default HSRP Configuration
Feature | Default Setting
HSRP groups | None configured
Standby group number | 0
Standby MAC address | System assigned as: 0000.0c07.
When the standby ip command is enabled on an interface and proxy ARP is enabled, if the interface’s Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group MAC address. If the interface is in a different state, proxy ARP responses are suppressed.
Beginning in privileged EXEC mode, follow these steps to create or enable HSRP on a Layer 3 interface:
Step 1: configure terminal
    Enter global configuration mode.
Configuring HSRP Priority
The standby priority, standby preempt, and standby track interface configuration commands are all used to set characteristics for finding active and standby routers and behavior regarding when a new active router takes over. When configuring HSRP priority, follow these guidelines:
• Assigning a priority allows you to select the active and standby routers.
Step 3: standby [group-number] priority priority [preempt [delay delay]]
    Set a priority value used in choosing the active router. The range is 1 to 255; the default priority is 100. The highest number represents the highest priority.
    • (Optional) group-number—The group number to which the command applies.
This example activates a port, sets an IP address and a priority of 120 (higher than the default value), and waits for 300 seconds (5 minutes) before attempting to become the active router:
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# no switchport
Switch(config-if)# standby ip 172.20.128.
Configuring HSRP Authentication and Timers
You can optionally configure an HSRP authentication string or change the hello-time interval and holdtime. When configuring these attributes, follow these guidelines:
• The authentication string is sent unencrypted in all HSRP messages. You must configure the same authentication string on all routers and access servers on a cable to ensure interoperation.
Chapter 40 Configuring HSRP Displaying HSRP Configurations This example shows how to configure word as the authentication string required to allow Hot Standby routers in group 1 to interoperate: Switch# configure terminal Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# no switchport Switch(config-if)# standby 1 authentication word Switch(config-if)# end This example shows how to set the timers on standby group 1 with the time between hello packets at 5 seconds and the time after which a
  Standby router is unknown expired
  Standby virtual mac address is 0000.0c07.
CH A P T E R 41 Configuring Cisco IOS IP SLAs Operations This chapter describes how to use Cisco IOS IP Service Level Agreements (SLAs) on the switch. Cisco IP SLAs is a part of Cisco IOS software that allows Cisco customers to analyze IP service levels for IP applications and services by using active traffic monitoring—the generation of traffic in a continuous, reliable, and predictable manner—for measuring network performance.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Understanding Cisco IOS IP SLAs options such as source and destination IP address, User Datagram Protocol (UDP)/TCP port numbers, a type of service (ToS) byte (including Differentiated Services Code Point [DSCP] and IP Prefix bits), Virtual Private Network (VPN) routing/forwarding instance (VRF), and URL web address.
Using Cisco IOS IP SLAs to Measure Network Performance
You can use IP SLAs to monitor the performance between any area in the network—core, distribution, and edge—without deploying a physical probe. It uses generated traffic to measure network performance between two networking devices. Figure 41-1 shows how IP SLAs begins when the source device sends a generated packet to the destination device.
IP SLAs Responder and IP SLAs Control Protocol
The IP SLAs responder is a component embedded in the destination Cisco device that allows the system to anticipate and respond to IP SLAs request packets. The responder provides accurate measurements without the need for dedicated probes.
[Figure 41-2: Cisco IOS IP SLAs Responder Time Stamping. The source router records time stamp T1 when it sends the probe and T4 when the reply arrives; the responder on the target router records T2 on receipt and T3 on transmission. Responder processing time = T3 - T2, and RTT (round-trip time) = T4 (time stamp 4) - T1 (time stamp 1) - (T3 - T2).]
An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Configuring IP SLAs Operations • One-way mean opinion score (MOS) • One-way latency An IP SLAs threshold violation can also trigger another IP SLAs operation for further analysis. For example, the frequency could be increased or an ICMP path echo or ICMP path jitter operation could be initiated for troubleshooting. Determining the type of threshold and the level to set can be complex, and depends on the type of IP service being used in the network.
Note that not all of the IP SLAs commands or operations described in this guide are supported on the switch. The switch supports IP service level analysis by using UDP jitter, UDP echo, HTTP, TCP connect, ICMP echo, ICMP path echo, ICMP path jitter, FTP, DNS, and DHCP, as well as multiple operation scheduling and proactive threshold monitoring.
Configuring the IP SLAs Responder
The IP SLAs responder is available only on Cisco IOS software-based devices, including some Layer 2 switches that do not support full IP SLAs functionality, such as the Catalyst 2960 switch, the Cisco ME 2400 switch, or the Catalyst Switch Module 3012.
• Per-direction delay (one-way delay)
• Round-trip delay (average round-trip time)
Because the paths for the sending and receiving of data can be different (asymmetric), you can use the per-direction data to more readily identify where congestion or other problems are occurring in the network.
Step 3: udp-jitter {destination-ip-address | destination-hostname} destination-port [source-ip {ip-address | hostname}]
    Configure the IP SLAs operation as a UDP jitter operation, and enter UDP jitter configuration mode.
    • destination-ip-address | destination-hostname—Specify the destination IP address or hostname.
Step 7: end
    Return to privileged EXEC mode.
Step 8: show ip sla configuration [operation-number]
    (Optional) Display configuration values, including all defaults for all IP SLAs operations or a specified operation.
Step 9: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Note: This operation does not require the IP SLAs responder to be enabled.
Beginning in privileged EXEC mode, follow these steps to configure an ICMP echo operation on the source device:
Step 1: configure terminal
    Enter global configuration mode.
Step 2: ip sla operation-number
    Create an IP SLAs operation and enter IP SLAs configuration mode.
Step 8: show ip sla configuration [operation-number]
    (Optional) Display configuration values including all defaults for all IP SLAs operations or a specified operation.
Step 9: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To disable the IP SLAs operation, enter the no ip sla operation-number global configuration command.
Chapter 41 Configuring Cisco IOS IP SLAs Operations Monitoring IP SLAs Operations
Use the user EXEC or privileged EXEC commands in Table 41-1 to display IP SLAs operations configuration and results.
Table 41-1 Monitoring IP SLAs Operations
show ip sla application
    Display global information about Cisco IOS IP SLAs.
show ip sla authentication
    Display IP SLAs authentication information.
CH A P T E R 42 Configuring Enhanced Object Tracking This chapter describes how to configure enhanced object tracking on the Catalyst Switch Module 3110. This feature provides a more complete alternative to the Hot Standby Routing Protocol (HSRP) tracking mechanism, which allows you to track the line-protocol state of an interface. If the line protocol state of an interface goes down, the HSRP priority of the interface is reduced and another HSRP device with a higher priority becomes active.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features
These sections describe configuring enhanced object tracking:
• Default Configuration, page 42-2
• Tracking Interface Line-Protocol or IP Routing State, page 42-2
• Configuring a Tracked List, page 42-3
• Configuring HSRP Object Tracking, page 42-7
• Configuring Other Tracking Characteristics, page 42-8
• Configuring IP SLAs Object Tracking, page 42-9
Def
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Command Purpose Step 6 delay {up seconds [down seconds] (Optional) Specify a period of time in seconds to delay communicating state | [up seconds] down seconds} changes of a tracked object. The range is from 1 to 180 seconds. Step 7 end Return to privileged EXEC mode. Step 8 show track object-number Verify that the specified objects are being tracked.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects with a Boolean expression: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list boolean {and | or} Configure a tracked list object, and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a weight threshold and to configure a weight for each object: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold weight Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Chapter 42 Configuring Enhanced Object Tracking Configuring Enhanced Object Tracking Features Beginning in privileged EXEC mode, follow these steps to configure a tracked list of objects by using a percentage threshold: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 track track-number list threshold percentage Configure a tracked list object and enter tracking configuration mode. The track-number can be from 1 to 500.
Configuring HSRP Object Tracking

Beginning in privileged EXEC mode, follow these steps to configure a standby HSRP group to track an object and change the HSRP priority based on the object state:

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
Command Purpose
Step 6  standby [group-number] track object-number [decrement [priority-decrement]]
        Configure HSRP to track an object and change the hot standby priority based on the state of the object.
        • (Optional) group-number: Enter the group number to which the tracking applies.
        • object-number: Enter a number representing the object to be tracked. The range is from 1 to 500; the default is 1.
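The three tracked-list rules from the preceding procedures (Boolean and/or, weight threshold, percentage threshold) and the HSRP priority decrement above, modelled in Python as an added example; this is not Cisco code. The threshold semantics (a list comes up once the aggregate reaches the up value, goes down once it falls to the down value, and keeps its previous state in between) are assumed from IOS behaviour, and all class and function names are hypothetical.

```python
"""Model of the enhanced object tracking list rules (added illustration).

Assumed threshold semantics: a threshold list is up when the aggregate
(sum of weights, or percentage of objects that are up) reaches the up
value, down when it falls to the down value, and unchanged in between.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TrackedObject:
    """One tracked object, e.g. an interface line-protocol state."""
    number: int          # track-number, 1 to 500
    up: bool
    weight: int = 10     # only used by weight-threshold lists


@dataclass
class TrackedList:
    """A 'track <n> list ...' object built from other tracked objects."""
    number: int
    kind: str                               # 'boolean' | 'weight' | 'percentage'
    objects: Dict[int, TrackedObject] = field(default_factory=dict)
    operator: str = "and"                   # boolean lists only: 'and' | 'or'
    threshold_up: int = 100                 # weight or percentage
    threshold_down: int = 0
    state: Optional[bool] = None            # last evaluated state (hysteresis)

    def __post_init__(self) -> None:
        if not 1 <= self.number <= 500:
            raise ValueError("track-number must be 1 to 500")
        if self.kind not in ("boolean", "weight", "percentage"):
            raise ValueError("list type must be boolean, weight or percentage")
        if self.threshold_down > self.threshold_up:
            raise ValueError("down threshold must not exceed up threshold")

    def evaluate(self) -> bool:
        """Return the list state after applying this list's rule."""
        if not self.objects:
            return False
        if self.kind == "boolean":
            states = [o.up for o in self.objects.values()]
            self.state = all(states) if self.operator == "and" else any(states)
            return self.state
        if self.kind == "weight":
            value = sum(o.weight for o in self.objects.values() if o.up)
        else:
            up_count = sum(1 for o in self.objects.values() if o.up)
            value = 100 * up_count // len(self.objects)
        # Threshold lists: reach the up value to come up, fall to the down
        # value to go down; between the two, keep the previous state.
        if value >= self.threshold_up:
            self.state = True
        elif value <= self.threshold_down:
            self.state = False
        elif self.state is None:
            self.state = False
        return self.state


def hsrp_priority(base_priority: int, tracked: TrackedList,
                  decrement: int = 10) -> int:
    """Effective HSRP priority under 'standby track <obj> decrement <n>'.

    The decrement is subtracted only while the tracked object is down and
    is restored as soon as the object comes back up.
    """
    return base_priority if tracked.evaluate() else base_priority - decrement
```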
Configuring IP SLAs Object Tracking

Cisco IOS IP Service Level Agreements (IP SLAs) is a network performance measurement and diagnostics tool that uses active monitoring by generating traffic to measure network performance. Cisco IP SLAs operations collect real-time metrics that you can use for network troubleshooting, design, and analysis.
Monitoring Enhanced Object Tracking

  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    HSRP Ethernet0/1 3

This example output shows whether a route is reachable:

Switch(config)# track 3 rtr 500 reachability
Switch(config)# end
Switch# show track 3
Track 3
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 00:00:47
  Latest operation return code: over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    HSRP Et
Chapter 43 Configuring Web Cache Services By Using WCCP

This chapter describes how to configure your Catalyst Switch Module 3110 to redirect traffic to wide-area application engines (such as the Cisco Cache Engine 550) by using the Web Cache Communication Protocol (WCCP). This software release supports only WCCP version 2 (WCCPv2).

Note The Catalyst Switch Module 3012 does not support WCCP.
Understanding WCCP

WCCP enables supported Cisco routers and switches to transparently redirect content requests. With transparent redirection, users do not have to configure their browsers to use a web proxy. Instead, they can use the target URL to request content, and their requests are automatically redirected to an application engine.
WCCP Negotiation

In the exchange of WCCP protocol messages, the designated application engine and the WCCP-enabled switch negotiate these items:
• Forwarding method (the method by which the switch forwards packets to the application engine). The switch rewrites the Layer 2 header by replacing the packet destination MAC address with the target application engine MAC address. It then forwards the packet to the application engine.
You can configure up to 8 service groups on a switch and up to 32 clients per service group. WCCP maintains the priority of the service group in the group definition. WCCP uses the priority to configure the service groups in the switch hardware.
Configuring WCCP

Unsupported WCCP Features

These WCCP features are not supported in this software release:
• Packet redirection on an outbound interface that is configured by using the ip wccp redirect out interface configuration command. This command is not supported.
• The GRE forwarding method for packet redirection is not supported.
• The hash assignment method for load balancing is not supported.
• There is no SNMP support for WCCP.
• The number of available policy-based routing (PBR) labels is reduced as more interfaces are enabled for WCCP ingress redirection. For every interface that supports service groups, one label is consumed. The WCCP labels are taken from the PBR labels. You need to monitor and manage the labels that are available between PBR and WCCP. When labels are not available, the switch cannot add service groups.
Beginning in privileged EXEC mode, follow these steps to enable the web cache service, to set a multicast group address or group list, to configure routed interfaces, to redirect inbound packets received from a client to the application engine, to enable an interface to listen for a multicast address, and to set a password. This procedure is required.
Command Purpose
Step 12  ip wccp {web-cache | service-number} redirect in
         Redirect packets received from the client to the application engine. Enable this on the interface connected to the client.
Step 13  ip wccp {web-cache | service-number} group-listen
         (Optional) When using a multicast group address, group-listen enables the interface to listen for the multicast address.
Switch(config-if)# ip address 175.20.50.40 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
Switch(config-if)# exit
Switch(config)# interface gigabitethernet1/0/6
Switch(config-if)# no switchport
Switch(config-if)# ip address 175.20.60.50 255.255.255.
Monitoring and Maintaining WCCP

To monitor and maintain WCCP, use one or more of the privileged EXEC commands in Table 43-2:

Table 43-2 Commands for Monitoring and Maintaining WCCP
Command                    Purpose
clear ip wccp web-cache    Removes statistics for the web-cache service.
show ip wccp web-cache     Displays global information related to WCCP.
Chapter 44 Configuring IP Multicast Routing

This chapter describes how to configure IP multicast routing on the Catalyst Switch Module 3110. IP multicasting is a more efficient way to use network resources, especially for bandwidth-intensive services such as audio and video. IP multicast routing enables a host (source) to send packets to a group of hosts (receivers) anywhere within the IP network by using a special form of IP address called the IP multicast group address.
Understanding Cisco’s Implementation of IP Multicast Routing

The Cisco IOS software supports these protocols to implement IP multicast routing:
• Internet Group Management Protocol (IGMP) is used among hosts on a LAN and the routers (and multilayer switches) on that LAN to track the multicast groups of which hosts are members.
Understanding IGMP

To participate in IP multicasting, multicast hosts, routers, and multilayer switches must have IGMP operating. This protocol defines the querier and host roles:
• A querier is a network device that sends query messages to discover which network devices are members of a given multicast group.
Understanding PIM

PIM is called protocol-independent: regardless of the unicast routing protocols used to populate the unicast routing table, PIM uses this information to perform multicast forwarding instead of maintaining a separate multicast routing table. PIM is defined in RFC 2362, Protocol-Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification.
When a new receiver on a previously pruned branch of the tree joins a multicast group, the PIM DM device detects the new receiver and immediately sends a graft message up the distribution tree toward the source.
The redundant PIM stub router topology is not supported. The redundant topology exists when there is more than one PIM router forwarding multicast traffic to a single access domain. PIM messages are blocked, and the PIM assert and designated router election mechanisms are not supported on the PIM passive interfaces. Only the nonredundant access router topology is supported by the PIM stub feature.
Auto-RP

This proprietary feature eliminates the need to manually configure the RP information in every router and multilayer switch in the network. For auto-RP to work, you configure a Cisco router or multilayer switch as the mapping agent. It uses IP multicast to learn which routers or switches in the network are possible candidate RPs to receive candidate RP announcements.
Multicast Forwarding and Reverse Path Check

With unicast routing, routers and multilayer switches forward traffic through the network along a single path from the source to the destination host whose IP address appears in the destination address field of the IP packet.
PIM uses both source trees and RP-rooted shared trees to forward datagrams (described in the “PIM DM” section on page 44-4 and the “PIM-SM” section on page 44-5).
CGMP is necessary because the Layer 2 switch cannot distinguish between IP multicast data packets and IGMP report messages, which are both at the MAC-level and are addressed to the same group address.

Multicast Routing and Switch Stacks

For all multicast routing protocols, the entire stack appears as a single router to the network and operates as a single multicast router.
Configuring IP Multicast Routing

Default Multicast Routing Configuration

Table 44-2 shows the default multicast routing configuration.

Table 44-2 Default Multicast Routing Configuration
Feature                   Default Setting
Multicast routing         Disabled on all interfaces.
PIM version               Version 2.
PIM mode                  No mode is defined.
PIM stub routing          None configured.
PIM RP address            None configured.
PIM domain border         Disabled.
PIM multicast boundary    None.
Dense-mode groups in a mixed PIMv1 and PIMv2 region need no special configuration; they automatically interoperate. Sparse-mode groups in a mixed PIMv1 and PIMv2 region are possible because the Auto-RP feature in PIMv1 interoperates with the PIMv2 RP feature. Although all PIMv2 devices can also use PIMv1, we recommend that the RPs be upgraded to PIMv2.
In populating the multicast routing table, dense-mode interfaces are always added to the table. Sparse-mode interfaces are added to the table only when periodic join messages are received from downstream devices or when there is a directly connected member on the interface. When forwarding from a LAN, sparse-mode operation occurs if there is an RP known for the group. If so, the packets are encapsulated and sent toward the RP.
Command Purpose
Step 5  ip pim {dense-mode | sparse-mode | sparse-dense-mode}
        Enable a PIM mode on the interface. By default, no mode is configured. The keywords have these meanings:
        • dense-mode: Enables dense mode of operation.
        • sparse-mode: Enables sparse mode of operation. If you configure sparse mode, you must also configure an RP. For more information, see the “Configuring a Rendezvous Point” section on page 44-15.
In this example, IP multicast routing is enabled, and Switch A PIM uplink port 25 is configured as a routed uplink port with sparse-dense mode enabled. PIM stub routing is enabled on the VLAN 100 interfaces and on Gigabit Ethernet port 20 in Figure 44-2:

Switch(config)# ip multicast-routing distributed
Switch(config)# interface GigabitEthernet3/0/25
Switch(config-if)# no switchport
Switch(config-if)# ip address 3.1.1.2 255.255.255.
Manually Assigning an RP to Multicast Groups

This section explains how to manually configure an RP. If the RP for a group is learned through a dynamic mechanism (such as auto-RP or BSR), you need not perform this task for that RP. Senders of multicast traffic announce their existence through register messages received from the source first-hop router (designated router) and forwarded to the RP.
Command Purpose
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove an RP address, use the no ip pim rp-address ip-address [access-list-number] [override] global configuration command.

This example shows how to configure the address of the RP to 147.106.6.22 for multicast group 225.2.2.
Adding Auto-RP to an Existing Sparse-Mode Cloud

This section contains some suggestions for the initial deployment of Auto-RP into an existing sparse-mode cloud to minimize disruption of the existing multicast infrastructure.

Beginning in privileged EXEC mode, follow these steps to deploy Auto-RP in an existing sparse-mode cloud. This procedure is optional.
Command Purpose
Step 5  ip pim send-rp-discovery scope ttl
        Find a switch whose connectivity is not likely to be interrupted, and assign it the role of RP-mapping agent. For scope ttl, specify the time-to-live value in hops to limit the RP discovery packets. All devices within the hop count from the source device receive the Auto-RP discovery messages.
Beginning in privileged EXEC mode, follow these steps to filter incoming RP announcement messages. This procedure is optional.

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  ip pim rp-announce-filter rp-list access-list-number group-list access-list-number
        Filter incoming RP announcement messages. Enter this command on each mapping agent in the network.
Switch(config)# access-list 20 deny 239.0.0.0 0.0.255.255
Switch(config)# access-list 20 permit 224.0.0.0 15.255.255.255

In this example, the mapping agent accepts candidate RP announcements from only two devices, 172.16.5.1 and 172.16.2.1. The mapping agent accepts candidate RP announcements from these two devices only for multicast groups that fall in the group range of 224.0.0.0 to 239.255.255.255.
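How the two access lists behind this rp-announce-filter decide which announcements a mapping agent accepts, worked through in Python as an added example; this is not Cisco code. access-list 20 is taken from the example above; access-list 10 is constructed here to match the two RP addresses the text names, and the parser, function names and the wildcard-mask evaluation rule (a wildcard bit set to 1 is "don't care", first match wins, unmatched addresses are denied) are this example's own.

```python
"""Evaluate IOS standard access lists with wildcard masks (added illustration).

Models the mapping-agent decision under
'ip pim rp-announce-filter rp-list 10 group-list 20': the announcing RP
must pass the rp-list and the announced group must pass the group-list.
"""
import ipaddress
from typing import Dict, List, Tuple

AclEntry = Tuple[str, int, int]   # (action, address, wildcard) as integers


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(config_lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list <n> {permit|deny} <addr> [wildcard]' lines.

    'any' becomes 0.0.0.0 255.255.255.255; a missing wildcard means a
    single host (wildcard 0.0.0.0), as IOS interprets it.
    """
    acls: Dict[int, List[AclEntry]] = {}
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line}")
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if parts[3] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        else:
            address = _addr(parts[3])
            wildcard = _addr(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, address, wildcard))
    return acls


def matches(entry: AclEntry, addr: str) -> bool:
    """An entry matches when every bit NOT set in the wildcard agrees."""
    _, base, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return (_addr(addr) & care) == (base & care)


def permits(acl: List[AclEntry], addr: str) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for entry in acl:
        if matches(entry, addr):
            return entry[0] == "permit"
    return False


def announcement_accepted(acls: Dict[int, List[AclEntry]], rp_list: int,
                          group_list: int, rp_address: str, group: str) -> bool:
    """Mapping-agent decision for one candidate RP announcement."""
    return permits(acls[rp_list], rp_address) and permits(acls[group_list], group)


# Constructed sample configuration: access-list 20 as in the example above,
# access-list 10 built to permit only the two RPs named in the text.
SAMPLE_CONFIG = [
    "access-list 10 permit 172.16.5.1",
    "access-list 10 permit 172.16.2.1",
    "access-list 20 deny 239.0.0.0 0.0.255.255",
    "access-list 20 permit 224.0.0.0 15.255.255.255",
]
ACLS = parse_acl(SAMPLE_CONFIG)
```

Note that the deny entry's wildcard 0.0.0.255.255 covers only 239.0.0.0/16, so 239.0.5.5 is rejected while 239.1.1.1 still passes the permit entry; widening the deny would need wildcard 0.255.255.255.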
Figure 44-4 Constraining PIMv2 BSR Messages
(Figure: a PIMv2 sparse-mode network containing the BSR, with two Layer 3 switches each bordering a neighboring PIMv2 domain. BSR messages flow within the sparse-mode network; the ip pim bsr-border command is configured on each Layer 3 switch interface that faces a neighboring PIMv2 domain.)
This example shows a portion of an IP multicast boundary configuration that denies Auto-RP information:

Switch(config)# access-list 1 deny 224.0.1.39
Switch(config)# access-list 1 deny 224.0.1.40
Switch(config)# access-list 1 permit any
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# ip multicast boundary 1

Configuring Candidate BSRs

You can configure one or more candidate BSRs.
Configuring Candidate RPs

You can configure one or more candidate RPs. Similar to BSRs, the RPs should also have good connectivity to other devices and be in the backbone portion of the network. An RP can serve the entire IP multicast address space or a portion of it. Candidate RPs send candidate RP advertisements to the BSR.
This example shows how to configure the switch to advertise itself as a candidate RP to the BSR in its PIM domain. Standard access list number 4 specifies the group prefix associated with the RP whose address is that of the specified port. That RP is responsible for the groups with the prefix 239.

Switch(config)# ip pim rp-candidate gigabitethernet1/0/2 group-list 4
Switch(config)# access-list 4 permit 239.0.0.0 0.255.255.
Configuring Advanced PIM Features

Monitoring the RP Mapping Information

To monitor the RP mapping information, use these commands in privileged EXEC mode:
• show ip pim bsr displays information about the elected BSR.
• show ip pim rp-hash group displays the RP that was selected for the specified group.
• show ip pim rp [group-name | group-address | mapping] displays how the switch learns of the RP (through the BSR or the Auto-RP mechanism).
Figure 44-5 Shared Tree and Source Tree (Shortest-Path Tree)
(Figure: a Source connected through Router A and Router B to a Receiver behind Router C; the source tree (shortest-path tree) runs from the Source directly toward the Receiver, while the shared tree runs from the RP.)

If the data rate warrants, leaf routers (routers without any downstream connections) on the shared tree can use the data distribution tree rooted at the source. This type of distribution tree is called a shortest-path tree or source tree.
Delaying the Use of PIM Shortest-Path Tree

The change from shared to source tree happens when the first data packet arrives at the last-hop router (Router C in Figure 44-5). This change occurs because the ip pim spt-threshold global configuration command controls that timing. The shortest-path tree requires more memory than the shared tree but reduces delay. You might want to postpone its use.
Configuring Optional IGMP Features

Command Purpose
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip pim spt-threshold {kbps | infinity} global configuration command.
• Modifying the IGMP Host-Query Message Interval, page 44-32 (optional)
• Changing the IGMP Query Timeout for IGMPv2, page 44-33 (optional)
• Changing the Maximum Query Response Time for IGMPv2, page 44-34 (optional)
• Configuring the Switch as a Statically Connected Member, page 44-34 (optional)

Default IGMP Configuration

Table 44-3 shows the default IGMP configuration.
Command Purpose
Step 4  end
        Return to privileged EXEC mode.
Step 5  show ip igmp interface [interface-id]
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To cancel membership in a group, use the no ip igmp join-group group-address interface configuration command.

This example shows how to enable the switch to join multicast group 255.2.2.
Command Purpose
Step 7  show ip igmp interface [interface-id]
        Verify your entries.
Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable groups on an interface, use the no ip igmp access-group interface configuration command.

This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:

Switch(config)# access-list 1 255.2.2.2 0.
The switch elects a PIM designated router (DR) for the LAN (subnet). The DR is the router or multilayer switch with the highest IP address for IGMPv2. For IGMPv1, the DR is elected according to the multicast routing protocol that runs on the LAN. The designated router is responsible for sending IGMP host-query messages to all hosts on the LAN.
Command Purpose
Step 5  show ip igmp interface [interface-id]
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no ip igmp querier-timeout interface configuration command.
Configuring Optional Multicast Routing Features

Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional.

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.
Command Purpose
Step 3  ip cgmp [proxy]
        Enable CGMP on the interface. By default, CGMP is disabled on all interfaces. Enabling CGMP triggers a CGMP join message. Enable CGMP only on Layer 3 interfaces connected to Layer 2 Catalyst switches.
        (Optional) When you enter the proxy keyword, the CGMP proxy function is enabled.
Enabling sdr Listener Support

By default, the switch does not listen to session directory advertisements.

Beginning in privileged EXEC mode, follow these steps to enable the switch to join the default session directory group (224.2.127.254) on the interface and listen to session directory advertisements. This procedure is optional.

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
administratively-scoped boundary on a routed interface, multicast traffic whose multicast group addresses fall in this range cannot enter or exit this interface, thereby providing a firewall for multicast traffic in this address range.

Note Multicast boundaries and TTL thresholds control the scoping of multicast domains; however, TTL thresholds are not supported by the switch.
Configuring Basic DVMRP Interoperability Features

Beginning in privileged EXEC mode, follow these steps to set up an administratively-scoped boundary. This procedure is optional.

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list, repeating the command as many times as necessary.
Configuring DVMRP Interoperability

Cisco multicast routers and multilayer switches using PIM can interoperate with non-Cisco multicast routers that use the DVMRP. PIM devices dynamically discover DVMRP multicast routers on attached networks by listening to DVMRP probe messages.
Command Purpose
Step 4  ip dvmrp metric metric [list access-list-number] [[protocol process-id] | [dvmrp]]
        Configure the metric associated with a set of destinations for DVMRP reports.
        • For metric, the range is 0 to 32. A value of 0 means that the route is not advertised. A value of 32 is equivalent to infinity (unreachable).
Configuring a DVMRP Tunnel

The software supports DVMRP tunnels to the MBONE. You can configure a DVMRP tunnel on a router or multilayer switch if the other end is running DVMRP. The software then sends and receives multicast packets through the tunnel. This strategy enables a PIM domain to connect to the DVMRP router when all routers on the path do not support multicast routing.
Command Purpose
Step 9  ip dvmrp accept-filter access-list-number [distance] neighbor-list access-list-number
        Configure an acceptance filter for incoming DVMRP reports. By default, all destination reports are accepted with a distance of 0. Reports from all neighbors are accepted.
        • For access-list-number, specify the access list number created in Step 2.
Configuring Advanced DVMRP Interoperability Features

Beginning in privileged EXEC mode, follow these steps to advertise network 0.0.0.0 to DVMRP neighbors on an interface. This procedure is optional.

Command Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface interface-id
        Specify the interface that is connected to the DVMRP router, and enter interface configuration mode.
These sections contain this configuration information:
• Enabling DVMRP Unicast Routing, page 44-45 (optional)
• Rejecting a DVMRP Nonpruning Neighbor, page 44-46 (optional)
• Controlling Route Exchanges, page 44-47 (optional)

For information on basic DVMRP features, see the “Configuring Basic DVMRP Interoperability Features” section on page 44-39.
Rejecting a DVMRP Nonpruning Neighbor

By default, Cisco devices accept all DVMRP neighbors as peers, regardless of their DVMRP capability. However, some non-Cisco devices run old versions of DVMRP that cannot prune, so they continuously receive forwarded packets, wasting bandwidth. Figure 44-7 shows this scenario.
Figure 44-8 Router Rejects Nonpruning DVMRP Neighbor
(Figure: a source router or RP feeds Router A and Router B; a Layer 3 switch connects a Receiver and a leaf nonpruning DVMRP device. Multicast traffic gets to the receiver, not to the leaf DVMRP device, because the ip dvmrp reject-non-pruners command is configured on the Layer 3 switch interface facing the leaf device.)

Note that the ip dvmrp reject-non-pruners interface configuration command prevents peering with neighbors only.
• Configuring a DVMRP Summary Address, page 44-49 (optional)
• Disabling DVMRP Autosummarization, page 44-51 (optional)
• Adding a Metric Offset to the DVMRP Route, page 44-51 (optional)

Limiting the Number of DVMRP Routes Advertised

By default, only 7000 DVMRP routes are advertised over an interface enabled to run DVMRP (that is, a DVMRP tunnel, an interface where a DVMRP neighbor has been discovered,
To return to the default setting, use the no ip dvmrp routehog-notification global configuration command.

Use the show ip igmp interface privileged EXEC command to display a running count of routes. When the count is exceeded, *** ALERT *** is appended to the line.
Figure 44-9 Only Connected Unicast Routes Are Advertised by Default
(Figure: a Layer 3 switch connected through a DVMRP tunnel to a DVMRP router. The switch configuration shown in the figure is:
interface tunnel 0
 ip unnumbered gigabitethernet1/0/1
interface gigabitethernet1/0/1
 ip addr 176.32.10.1 255.255.255.0
 ip pim dense-mode
interface gigabitethernet1/0/2
 ip addr 176.32.15.1 255.255.255.
The DVMRP Report in the figure lists 151.16.0.0/16 m = 39, 172.34.15.0/24 m = 42, 202.13.3.0/24 m = 40, 176.32.10.0/24 m = 1, and 176.32.15.0/24 m = 1.)
Disabling DVMRP Autosummarization

By default, the software automatically performs some level of DVMRP summarization. Disable this function if you want to advertise all routes, not just a summary. In some special cases, you can use the neighboring DVMRP router with all subnet information to better control the flow of multicast traffic in the DVMRP network.
Monitoring and Maintaining IP Multicast Routing

Command Purpose
Step 3  ip dvmrp metric-offset [in | out] increment
        Change the metric added to DVMRP routes advertised in incoming reports. The keywords have these meanings:
        • (Optional) in: Specifies that the increment value is added to incoming DVMRP reports and is reported in mrinfo replies.
Table 44-4 Commands for Clearing Caches, Tables, and Databases (continued)
Command                                                     Purpose
clear ip igmp group [group-name | group-address | interface]  Delete entries from the IGMP cache.
clear ip mroute {* | group [source]}                        Delete entries from the IP multicast routing table.
clear ip pim auto-rp rp-address                             Clear the auto-RP cache.
Table 44-5 Commands for Displaying System and Network Statistics (continued)
Command                                        Purpose
show ip pim rp [group-name | group-address]    Display the RP routers associated with a sparse-mode multicast group. This command is available in all software images.
Chapter 45 Configuring MSDP

This chapter describes how to configure the Multicast Source Discovery Protocol (MSDP) on the Catalyst Switch Module 3110. The MSDP connects multiple Protocol-Independent Multicast sparse-mode (PIM-SM) domains. MSDP is not fully supported in this software release because of a lack of support for Multicast Border Gateway Protocol (MBGP), which works closely with MSDP. However, it is possible to create default peers that MSDP can operate with if MBGP is not running.
Understanding MSDP

The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal, source-tree building mechanism in PIM-SM. MSDP is also used to announce sources sending to a group. These announcements must originate at the domain’s RP. MSDP depends heavily on the Border Gateway Protocol (BGP) or MBGP for interdomain operation.
Configuring MSDP

Figure 45-1 MSDP Running Between RP Peers
(Figure: a PIM sparse-mode domain in which a Source registers with the PIM DR, which sends a Register to the RP; the RP, also an MSDP peer, floods MSDP SA messages over TCP connections to its MSDP peers using peer-RPF flooding, with BGP between the peers; a Receiver's Multicast (S,G) Join follows.)

MSDP Benefits

MSDP has these benefits:
• It breaks up the shared multicast distribution tree. You can make the shared tree local to your domain.
• Controlling Source Information that Your Switch Originates, page 45-8 (optional)
• Controlling Source Information that Your Switch Forwards, page 45-11 (optional)
• Controlling Source Information that Your Switch Receives, page 45-13 (optional)
• Configuring an MSDP Mesh Group, page 45-15 (optional)
• Shutting Down an MSDP Peer, page 45-15 (optional)
• Including a Bordering PIM Dense-Mode Region in MSDP, page 45-16 (optional)
• Configuring an Or
Figure 45-2 Default MSDP Peer Network (figure not reproduced; labels: Router C, Default MSDP peer, ISP C PIM domain, SA, 10.1.1.1, ISP A PIM domain, Customer PIM domain, Switch B, Router A)
Beginning in privileged EXEC mode, follow these steps to specify a default MSDP peer. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 3 ip prefix-list name [description string] | seq number {permit | deny} network length: (Optional) Create a prefix list using the name specified in Step 2.
• (Optional) For description string, enter a description of up to 80 characters to describe this prefix list.
• For seq number, enter the sequence number of the entry. The range is 1 to 4294967294.
Step 4 ip msdp description {peer-name | peer-address} text
Beginning in privileged EXEC mode, follow these steps to enable the caching of source/group pairs. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip msdp cache-sa-state [list access-list-number]: Enable the caching of source/group pairs (create an SA state). Those pairs that pass the access list are cached. For list access-list-number, the range is 100 to 199.
Requesting Source Information from an MSDP Peer
Local RPs can send SA requests and get immediate responses for all active sources for a given group. By default, the switch does not send any SA request messages to its MSDP peers when a new member joins a group and wants to receive multicast traffic. The new member waits to receive the next periodic SA message.
Redistributing Sources
SA messages originate on RPs to which sources have registered. By default, any source that registers with an RP is advertised. The A flag is set in the RP when a source is registered, which means the source is advertised in an SA unless it is filtered. Beginning in privileged EXEC mode, follow these steps to further restrict which registered sources are advertised. This procedure is optional.
Step 3 access-list access-list-number {deny | permit} source [source-wildcard]: Create an IP standard access list, repeating the command as many times as necessary.
or
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard: Create an IP extended access list, repeating the command as many times as necessary.
Beginning in privileged EXEC mode, follow these steps to configure one of these options. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip msdp filter-sa-request {ip-address | name}: Filter all SA request messages from the specified MSDP peer.
Using a Filter
By creating a filter, you can perform one of these actions:
• Filter all source/group pairs
• Specify an IP extended access list to pass only certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 5 show running-config: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
To remove the filter, use the no ip msdp sa-filter out {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to allow only (S,G) pairs that pass access list 100 to be forwarded in an SA message to the peer named switch.cisco.
You can perform one of these actions:
• Filter all incoming SA messages from an MSDP peer
• Specify an IP extended access list to pass certain source/group pairs
• Filter based on match criteria in a route map
Beginning in privileged EXEC mode, follow these steps to apply a filter. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
To remove the filter, use the no ip msdp sa-filter in {ip-address | name} [list access-list-number] [route-map map-tag] global configuration command. This example shows how to filter all SA messages from the peer named switch.cisco.com:
Switch(config)# ip msdp peer switch.cisco.com connect-source gigabitethernet1/0/1
Switch(config)# ip msdp sa-filter in switch.cisco.
Beginning in privileged EXEC mode, follow these steps to shut down a peer. This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 ip msdp shutdown {peer-name | peer-address}: Administratively shut down the specified MSDP peer without losing configuration information. For peer-name | peer-address, enter the IP address or name of the MSDP peer to shut down.
Step 3 end: Return to privileged EXEC mode.
Step 5 show running-config: Verify your entries.
Step 6 copy running-config startup-config: (Optional) Save your entries in the configuration file.
Note that the ip msdp originator-id global configuration command also identifies an interface to be used as the RP address.
Monitoring and Maintaining MSDP
To monitor MSDP SA messages, peers, state, or peer status, use one or more of the privileged EXEC commands in Table 45-1:
Table 45-1 Commands for Monitoring and Maintaining MSDP
debug ip msdp [peer-address | name] [detail] [routes]: Debugs an MSDP activity.
debug ip msdp resets: Debugs MSDP peer reset reasons.
Chapter 46 Configuring Fallback Bridging
This chapter describes how to configure fallback bridging (VLAN bridging) on the Catalyst Switch Module 3110. With fallback bridging, you can forward non-IP packets that the switch does not route between VLAN bridge domains and routed ports. To use this feature, the switch or stack master must be running the IP services feature set. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 46 Configuring Fallback Bridging: Understanding Fallback Bridging
acts like a port on a router, but it is not connected to a router. A routed port is not associated with a particular VLAN, does not support VLAN subinterfaces, but behaves like a normal routed port. For more information about SVIs and routed ports, see Chapter 10, “Configuring Interface Characteristics.” A bridge group is an internal organization of network interfaces on a switch.
Fallback Bridging and Switch Stacks
When the stack master fails, a stack member becomes the new stack master by using the election process described in Chapter 5, “Managing Switch Stacks.” The new stack master creates a new VLAN-bridge spanning-tree instance, which temporarily puts the spanning-tree ports used for fallback bridging into a nonforwarding state.
Default Fallback Bridging Configuration
Table 46-1 shows the default fallback bridging configuration.
Table 46-1 Default Fallback Bridging Configuration (Feature: Default Setting)
Bridge groups: None are defined or assigned to a port. No VLAN-bridge STP is defined.
Switch forwards frames for stations that it has dynamically learned: Enabled.
Spanning tree parameters:
• Switch priority: 32768.
• Port priority: 128.
Beginning in privileged EXEC mode, follow these steps to create a bridge group and to assign an interface to it. This procedure is required.
Step 1 configure terminal: Enter global configuration mode.
Step 2 bridge bridge-group protocol vlan-bridge: Assign a bridge group number, and specify the VLAN-bridge spanning-tree protocol to run in the bridge group. The ibm and dec keywords are not supported.
Switch(config-if)# bridge-group 10
Switch(config-if)# exit
Adjusting Spanning-Tree Parameters
You might need to adjust certain spanning-tree parameters if the default values are not suitable. You configure parameters affecting the entire spanning tree by using variations of the bridge global configuration command. You configure interface-specific parameters by using variations of the bridge-group interface configuration command.
To return to the default setting, use the no bridge bridge-group priority global configuration command. To change the priority on a port, use the bridge-group priority interface configuration command (described in the next section). This example shows how to set the switch priority to 100 for bridge group 10:
Switch(config)# bridge 10 priority 100
Changing the Interface Priority
You can change the priority for a port.
Step 3 bridge-group bridge-group path-cost cost: Assign the path cost of a port.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
• For cost, enter a number from 0 to 65535. The higher the value, the higher the cost.
– For 10 Mb/s, the default path cost is 100.
– For 100 Mb/s, the default path cost is 19.
– For 1000 Mb/s, the default path cost is 4.
Step 4 show running-config: Verify your entry.
Step 5 copy running-config startup-config: (Optional) Save your entry in the configuration file.
To return to the default setting, use the no bridge bridge-group hello-time global configuration command.
Beginning in privileged EXEC mode, follow these steps to change the maximum-idle interval (maximum aging time). This procedure is optional.
Step 1 configure terminal: Enter global configuration mode.
Step 2 bridge bridge-group max-age seconds: Specify the interval that the switch waits to hear BPDUs from the root switch.
• For bridge-group, specify the bridge group number. The range is 1 to 255.
Monitoring and Maintaining Fallback Bridging
To monitor and maintain the network, use one or more of the privileged EXEC commands in Table 46-2:
Table 46-2 Commands for Monitoring and Maintaining Fallback Bridging
clear bridge bridge-group: Removes any learned entries from the forwarding database.
show bridge [bridge-group] group: Displays details about the bridge group.
Chapter 47 Troubleshooting
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), the device manager, or Network Assistant to identify and solve problems. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Chapter 47 Troubleshooting: Recovering from a Software Failure
Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity. This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file.
Step 6 Press the Mode button, and at the same time, power on the switch by using one of these methods:
• If you powered off the switch by using the AMM GUI, use the GUI to power on the switch or the stack.
• If you powered off the switch by removing the switch or stack members from the enclosure, re-insert the standalone switch or the stack members in the enclosure.
These sections describe how to recover a forgotten or lost switch password:
• Procedure with Password Recovery Enabled, page 47-5
• Procedure with Password Recovery Disabled, page 47-6
You enable or disable password recovery by using the service password-recovery global configuration command.
On a stacking-capable switch:
Switch> reload slot
Proceed with reload? [confirm] y
Step 6 For stacking-capable switches, power on the rest of the switch stack.
Procedure with Password Recovery Enabled
If the password-recovery mechanism is enabled, this message appears:
The system has been interrupted prior to initializing the flash file system.
Step 8 Rename the configuration file to its original name:
Switch# rename flash:config.text.old flash:config.text
Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Failure to follow this step can result in a lost configuration depending on how your switch is set up.
Step 9 Copy the configuration file into memory:
Switch# copy flash:config.
this point. However, if you agree to let the system be reset back to the default system configuration, access to the boot loader prompt can still be allowed.
Would you like to reset the system back to the default configuration (y/n)?
Caution: Returning the switch to the default configuration results in the loss of all existing configurations.
Note: Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized.
Step 9 Write the running configuration to the startup configuration file:
Switch# copy running-config startup-config
The new password is now in the startup configuration.
Note: This procedure is likely to leave your switch virtual interface in a shutdown state.
If you replace a stack member with an identical model, the new switch functions with the exact same configuration as the replaced switch, provided that the new switch uses the same member number as the replaced switch. Removing powered-on stack members causes the switch stack to divide (partition) into two or more switch stacks, each with the same configuration.
Using Ping
These sections contain this information:
• Understanding Ping, page 47-10
• Executing Ping, page 47-10
Understanding Ping
The switch supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on network traffic.
Switch#
Table 47-1 describes the possible ping character output.
Table 47-1 Ping Output Display Characters (Character: Description)
!  Each exclamation point means receipt of a reply.
.  Each period means the network server timed out while waiting for a reply.
U  A destination unreachable error PDU was received.
C  A congestion experienced packet was received.
I  User interrupted test.
?  Unknown packet type.
&  Packet lifetime exceeded.
Usage Guidelines
These are the Layer 2 traceroute usage guidelines:
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute to function properly, do not disable CDP. For a list of switches that support Layer 2 traceroute, see the “Usage Guidelines” section on page 47-12. If any devices in the physical path are transparent to CDP, the switch cannot identify the path through these devices.
Displaying the Physical Path
You can display the physical path that a packet takes from a source device to a destination device by using one of these privileged EXEC commands:
• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]
For more information, see the com
Executing IP Traceroute
Beginning in privileged EXEC mode, follow this step to trace the path that packets take through the network:
traceroute ip host: Trace the path that packets take through the network.
Note: Though other protocol keywords are available with the traceroute privileged EXEC command, they are not supported in this release.
This example shows how to perform a traceroute to an IP host:
Switch# traceroute ip 171.9.15.
Using TDR
These sections contain this information:
• Understanding TDR, page 47-15
• Running TDR and Displaying the Results, page 47-15
Understanding TDR
You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial signal. TDR is supported only on 10/100/1000 copper Ethernet ports.
Using Debug Commands
These sections explain how you use debug commands to diagnose and resolve internetworking problems:
• Enabling Debugging on a Specific Feature, page 47-16
• Enabling All-System Diagnostics, page 47-17
• Redirecting Debug and Error Message Output, page 47-17
Caution: Because debugging output is assigned high priority in the CPU process, it can render the system unusable.
Enabling All-System Diagnostics
Beginning in privileged EXEC mode, enter this command to enable all-system diagnostics:
Switch# debug all
Caution: Because debugging output takes priority over other network traffic, and because the debug all privileged EXEC command generates more output than any other debug command, it can severely diminish switch performance or even render it unusable.
Note: For more syntax and usage information for the show platform forward command, see the switch command reference for this release.
Most of the information in the output from the command is useful mainly for technical support personnel, who have access to detailed information about the switch application-specific integrated circuits (ASICs). However, packet forwarding information can also be helpful in troubleshooting.
InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000 L2Local 80_00050009_43A80145-00_00000000_00000000 00086 02010197 Station Descriptor:F0050003, DestIndex:F005, RewriteIndex:0003 ========================================== Egress:Asic 3, switch 1 Output Packets: -----------------------------------------Packet 1 Lookup Key-Used OutptACL 50_0D020202_0D010101-00_40000014_000A0000 Port Gi1/0/2 Vlan SrcMac 0005 0001.0001.
Using the crashinfo Files
The crashinfo files save information that helps Cisco technical support representatives to debug problems that caused the Cisco IOS image to fail (crash). The switch writes the crash information to the console at the time of the failure. The switch creates two types of crashinfo files:
• Basic crashinfo file—The switch automatically creates this file the next time you boot up the Cisco IOS image after the failure.
Using On-Board Failure Logging
You can use the on-board-failure logging (OBFL) feature to collect information about the switch. The information includes uptime, temperature, and voltage information and helps Cisco technical support representatives to troubleshoot switch problems. We recommend that you keep OBFL enabled and do not erase the data stored in the flash memory.
To disable OBFL, use the no hw-module module [switch-number] logging onboard [message level] global configuration command. To clear all the OBFL data in the flash memory except for the uptime and CLI command information, use the clear logging onboard privileged EXEC command.
Chapter 48 Configuring Online Diagnostics
This chapter describes how to configure the online diagnostics on the switch.
Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.
Chapter 48 Configuring Online Diagnostics: Configuring Online Diagnostics
You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring. This section has this information:
• Scheduling Online Diagnostics, page 48-2
• Configuring Health-Monitoring Diagnostics, page 48-3
Scheduling Online Diagnostics
You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis for a switch.
This example shows how to schedule diagnostic testing to occur weekly at a specific time on member switch 6 when this command is entered on a stack master:
Switch(config)# diagnostic schedule switch 6 test 1-4,7 weekly saturday 10:30
For more examples, see the “Examples” section of the diagnostic schedule command in the command reference for this release.
Step 4 diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count: (Optional) Set the failure threshold for the health-monitoring tests. The switch number keyword is supported only on stacking-capable switches. The range is from 1 to 9.
• To configure the switch to not generate a syslog message when the health-monitoring test fails, use the no diagnostic monitor syslog global configuration command.
• To return to the default failure threshold, use the no diagnostic monitor threshold switch number test {name | test-id | test-id-range | all} failure count count global configuration command.
This example shows how to start a diagnostic test by using the test name:
Switch# diagnostic start switch 2 test TestInlinePwrCtlr
This example shows how to start all of the basic diagnostic tests:
Switch# diagnostic start switch 1 test all
Displaying Online Diagnostic Tests and Test Results
You can display the online diagnostic tests that are configured for the switch or switch stack and check the test results by using the privi
Appendix A Supported MIBs
This appendix lists the supported management information bases (MIBs) for this release on the switch. It contains these sections:
• MIB List, page A-1
• Using FTP to Access the MIB Files, page A-4
MIB List
Note: The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages using the configured community string always provide information for VLAN 1.
• BRIDGE-MIB
• CISCO-IETF-ISIS-MIB (Only with the IP services and advanced IP services feature sets)
• CISCO-IF-EXTENSIONS-MIB
• CISCO-IGMP-FILTER-MIB
• CISCO-IMAGE-MIB (Only stack master feature set details are shown.)
• CISCO-IP-STAT-MIB
• CISCO-L2L3-INTERFACE-CONFIG-MIB
• CISCO-LAG-MIB
• CISCO-MAC-NOTIFICATION-MIB
• CISCO-MEMORY-POOL-MIB (Only stack master feature set details are shown.
• IEEE8023-LAG-MIB
• IF-MIB (In and out counters for VLANs are not supported.)
• IGMP-MIB
• INET-ADDRESS-MIB
• IPMROUTE-MIB
• OLD-CISCO-CHASSIS-MIB (Partial support on stacking-capable switches; some objects reflect only the stack master.)
• OLD-CISCO-CPU-MIB
• OLD-CISCO-FLASH-MIB (Supports only the stack master in a switch stack. Use CISCO-FLASH-MIB.
Using FTP to Access the MIB Files
You can get each MIB file by using this procedure:
Step 1 Make sure that your FTP client is in passive mode.
Note: Some FTP clients do not support passive mode.
Step 2 Use FTP to access the server ftp.cisco.com.
Step 3 Log in with the username anonymous.
Step 4 Enter your e-mail username when prompted for the password.
Step 5 At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images
This appendix describes how to manipulate the switch flash file system, how to copy configuration files, and how to archive (upload and download) software images to a switch or to a switch stack. Unless otherwise noted, the term switch refers to a standalone switch and to a switch stack.
Appendix B Working with the Cisco IOS File System, Configuration Files, and Software Images: Working with the Flash File System
No more than one user at a time can manage the software images and configuration files for a switch stack.
Table B-1 show file systems Field Descriptions (continued)
Type: Type of file system.
flash—The file system is for a flash memory device.
nvram—The file system is for an NVRAM device.
opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.
unknown—The file system is an unknown type.
To display information about files on a file system, use one of the privileged EXEC commands in Table B-2:
Table B-2 Commands for Displaying Information About Files
dir [/all] [filesystem:][filename]: Display a list of files on a file system.
show file systems: Display more information about each of the files on a file system.
Creating and Removing Directories
Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1 dir filesystem:: Display the directories on the specified file system. For filesystem:, use flash: for the system board flash device.
Step 2 mkdir old_configs: Create a new directory.
Some invalid combinations of source and destination exist.
Beginning in privileged EXEC mode, follow these steps to create a file, display the contents, and extract it.
Step 1 archive /create destination-url flash:/file-url: Create a file and add files to it. For destination-url, specify the destination URL alias for the local or network file system and the name of the file to create. The -filename.
Step 3 archive /xtract source-url flash:/file-url [dir/file...]: Extract a file into a directory on the flash file system. For source-url, specify the source URL alias for the local file system. The -filename. is the file from which to extract files.
Guidelines for Creating and Using Configuration Files
Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.
Creating a Configuration File By Using a Text Editor
When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:
Step 1 Copy an existing configuration from a switch to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
Step 3 Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename.
These sections contain this configuration information:
• Preparing to Download or Upload a Configuration File By Using FTP, page B-14
• Downloading a Configuration File By Using FTP, page B-14
• Uploading a Configuration File By Using FTP, page B-15
Preparing to Download or Upload a Configuration File By Using FTP
Before you begin downloading or uploading a configuration file
Step 6 end: Return to privileged EXEC mode.
Step 7 copy ftp:[[[//[username[:password]@]location]/directory]: Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Step 3 configure terminal: Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 ip ftp username username: (Optional) Change the default remote username.
Step 5 ip ftp password password: (Optional) Change the default password.
The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:
• The username specified in the copy command if a username is specified.
Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:

Step 1  Verify that the RCP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using RCP" section on page B-17.
Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:

Step 1  Verify that the RCP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using RCP" section on page B-17.
Clearing the Startup Configuration File

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command.

Caution: You cannot restore the startup configuration file after it has been deleted.
You use the archive config privileged EXEC command to save configurations in the configuration archive by using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved. You can specify how many versions of the running configuration are kept in the archive.
• Make sure that the switch also has sufficient free memory to execute the configuration replacement or rollback configuration commands.
• Certain configuration commands, such as those pertaining to physical components of a networking device (for example, physical interfaces), cannot be added to or removed from the running configuration.
Performing a Configuration Replacement or Rollback Operation

Starting in privileged EXEC mode, follow these steps to replace the running configuration file with a saved configuration file:

Step 1  archive config
        (Optional) Save the running configuration file to the configuration archive.
Working with Software Images

Note: Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we recommend using the archive download-sw and archive upload-sw privileged EXEC commands to download and upload software image files. For switch stacks, the archive download-sw and archive upload-sw privileged EXEC commands can only be used through the stack master.
Image Location on the Switch

The Cisco IOS image is stored as a .bin file in a directory that shows the version number. A subdirectory contains the files needed for web management. The image is stored on the system board flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your switch.
Table B-3  info File Description (continued)

Field: total_image_file_size
Description: Specifies the size of all the images (the Cisco IOS image and the web management files) in the file, which is an approximate measure of the flash memory needed.
Note: You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation. A TFTP daemon started this way answers any host that can reach UDP port 69, so restrict it to the management network and to the directory that holds the image files.
Steps 3 to 5

Command:  archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload tftp:[[//location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose:  (Optional) Download the image files from the TFTP server to the switch, and overwrite the current image.
The algorithm installs the downloaded image on the system board flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.
You upload a switch image file to a server for backup purposes. You can use this uploaded image for future downloads to the switch or to another switch of the same type.
Before you begin downloading or uploading an image file by using FTP, do these tasks:
• Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Steps 7 to 9

Command:  archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload ftp:[[//[username[:password]@]location]/directory]/image-name1.tar [image-name2.tar image-name3.tar image-name4.tar]
Purpose:  (Optional) Download the image files from the FTP server to the switch, and overwrite the current image. (The URL uses the ftp: scheme; the tftp: form belongs to the TFTP procedure.)
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present; otherwise it aborts the process and reports an error. These are fitness checks only: none of the transfer methods in this appendix (TFTP, FTP, RCP) authenticates the server or protects the image in transit, so confirm the file's published digest before you stage it on the server. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.
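The checks just described establish that an image fits the switch, not that it is the image the vendor shipped. The following Python script is an added example and is not part of the original guide or of Cisco IOS. It runs on the staging host before the tar file is copied into the TFTP or FTP directory: it compares the file's SHA-256 digest with a value obtained out of band (from the vendor download page over an authenticated channel), then reads total_image_file_size from the tar's info file (the field in Table B-3) to confirm the image fits in free flash. The tar produced by build_sample_tar is a constructed stand-in with a dummy .bin, the key: value layout of the info file is assumed, and the free-flash figure is a made-up input.

```python
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    """Digest of the whole tar file exactly as it will be served to the switch."""
    return hashlib.sha256(data).hexdigest()


def parse_info(text: str) -> dict:
    """Parse the tar's info file as 'key: value' lines (layout assumed; field name from Table B-3)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields


def check_image(tar_bytes: bytes, expected_sha256: str, free_flash_bytes: int):
    """Return (ok, reasons). Refuse a file whose digest does not match the out-of-band
    value, and report it if the declared image size exceeds the free flash."""
    if sha256_hex(tar_bytes) != expected_sha256.lower():
        # Stop here: an unverified file must not reach the TFTP/FTP directory at all.
        return False, ["digest mismatch: do not stage this file"]
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
            info = parse_info(tar.extractfile(tar.getmember("info")).read().decode())
    except (KeyError, tarfile.TarError) as exc:
        return False, [f"cannot read info file: {exc}"]
    reasons = []
    declared = int(info.get("total_image_file_size", "0") or 0)
    if declared <= 0:
        reasons.append("info file lacks total_image_file_size")
    elif declared > free_flash_bytes:
        reasons.append(f"insufficient flash: needs {declared} bytes, {free_flash_bytes} free")
    return not reasons, reasons


def build_sample_tar(total_size: int = 4_000_000) -> bytes:
    """Constructed stand-in for an image tar: an info file plus a dummy .bin, not a real image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        members = (
            ("info", f"total_image_file_size: {total_size}\n".encode()),
            ("sample-image/sample.bin", b"\x00" * 64),
        )
        for name, payload in members:
            entry = tarfile.TarInfo(name)
            entry.size = len(payload)
            tar.addfile(entry, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    image = build_sample_tar()
    published = sha256_hex(image)  # stands in for the digest read from the vendor site
    print(check_image(image, published, free_flash_bytes=8_000_000))   # (True, [])
    print(check_image(image, "00" * 32, free_flash_bytes=8_000_000))   # digest mismatch
```

The digest comparison runs first and short-circuits on failure, so a tampered file is never parsed: tar parsing is exactly the kind of code you do not want to run on untrusted input. The same digest can be re-checked on the switch after the transfer with the IOS verify /md5 command against the vendor-published MD5, which catches corruption or substitution in transit.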
Step 6  end
        Return to privileged EXEC mode.

Step 7  archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
        Upload the currently running switch image to the FTP server.
        • For //username:password, specify the username and password. These must be associated with an account on the FTP server.
Preparing to Download or Upload an Image File By Using RCP

RCP provides another method of downloading and uploading image files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP.
If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:

Switch1.company.com Switch1

For more information, see the documentation for your RCP server. Because the RCP server grants access on the strength of the client's hostname and the remote username in .rhosts, with no password, any host that can present that source address or subvert the name lookup is trusted as User0; keep the RCP server reachable from the management network only.

Downloading an Image File By Using RCP

You can download a new image file and replace or keep the current image.
Steps 6 to 8

Command:  archive download-sw /allow-feature-upgrade [/directory] /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name1.tar] [image-name2.tar image-name3.tar image-name4.tar]
Purpose:  Download the image files from the RCP server to the switch, and overwrite the current image. (The URL uses the rcp: scheme, as in the upload step that follows; the tftp: form belongs to the TFTP procedure.)
The download algorithm verifies that the image is appropriate for the switch model and that enough DRAM is present; otherwise it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.
Step 5  end
        Return to privileged EXEC mode.

Step 6  archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]
        Upload the currently running switch image to the RCP server.
        • For //username, specify the username; for the RCP copy request to execute, define an account on the network server for the remote username.
Beginning in privileged EXEC mode from the stack member that you want to upgrade, follow these steps to copy the running image file from the flash memory of a different stack member:

Step 1  archive copy-sw /destination-system destination-stack-member-number /force-reload source-stack-member-number
        Copy the running image file from a stack member, and then unconditio
Appendix C  Unsupported Commands in Cisco IOS Release 12.2(40)EX2

This appendix lists some of the command-line interface (CLI) commands that appear when you enter the question mark (?) at the switch prompt but are not supported in this release, either because they are not tested or because of switch hardware limitations. This is not a complete list. The unsupported commands are listed by software feature and command mode.
Unsupported Privileged EXEC Commands
debug platform cli-redirection main
debug platform configuration

Embedded Event Manager

Note: This section applies only to the Catalyst Switch Module 3110.
IP Multicast Routing

The show ip mcache command displays entries in the cache for those packets that are sent to the switch CPU. Because most multicast packets are switched in hardware without CPU involvement, you can use this command, but multicast packet information is not displayed. The show ip mpacket commands are supported but are only useful for packets received at the switch CPU.
Unsupported Global Configuration Commands
errdisable recovery cause unicast flood
l2protocol-tunnel global drop-threshold
service compress-config
stack-mac persistent timer (only on the Catalyst Switch Module 3110)
track object-number rtr

MSDP

Note: This section applies only to the Catalyst Switch Module 3110.
Network Address Translation (NAT) Commands

Unsupported Privileged EXEC Commands
show ip nat statistics
show ip nat translations

QoS

Unsupported Global Configuration Command
priority-list

Unsupported Interface Configuration Commands
priority-group
rate-limit

Unsupported Policy-Map Configuration Command
class class-default (where class-default is the class-map-name)
Index uploading (continued) VLAN database image files and startup configuration file preparing and VTP B-26, B-30, B-35 reasons for B-33 using RCP B-38 using TFTP 13-1 VLAN configuration saved in B-24 using FTP VLANs saved in 12-7 vlan dot1q tag native command B-29 VLAN filtering and SPAN See UDP VLAN ID, discovering 2-2 username-based authentication described version-dependent transparent mode 13-2 VLAN Management Policy Server 13-4 See VMPS version-mismatch (VM) mode automa
Index VLANs adding VLANs (continued) traffic between 12-9 adding to VLAN database allowed on trunk VLAN-bridge STP 12-9 aging dynamic addresses VTP modes 17-9 and spanning-tree instances configuration guidelines, normal-range VLANs 12-7 12-13 default configuration 12-32 12-33 voice-over-IP 12-28 12-33 12-32 12-32 12-32 14-1 voice VLAN in the switch stack Cisco 7960 phone, port connections 12-6 limiting source traffic with RSPAN limiting source traffic with SPAN 29-19 29-15 IEEE 80
Index VPN VTP (continued) configuring routing in forwarding configuration revision number 38-79 guideline 38-73 in service provider networks routes 38-70 resetting 13-15 configuring 38-71 VPN routing and forwarding table See VRF VQP 13-14 client mode 13-11 server mode 13-9 transparent mode 1-8, 12-28 VRF consistency checks defining tables VRF-aware services ftp ping 13-1 disabling 13-12 domains 38-75 38-75 client 13-3, 13-11 13-3, 13-9 38-76 server syslog 38-77 transit
Index VTP (continued) WTD Version 2 described configuration guidelines 36-13 setting thresholds 13-9 disabling 13-13 egress queue-sets enabling 13-13 ingress queues overview 13-4 support for X WCCP Xmodem protocol default configuration 43-5 43-5 43-1 displaying 43-10 dynamic service groups enabling 47-2 43-3 configuration guidelines described 36-67 1-11 W authentication 36-71 43-3 43-6 features unsupported 43-5 forwarding method 43-3 Layer-2 header rewrite MD5 secur
Index Cisco Catalyst Switch Module 3110 and 3012 for IBM BladeCenter Software Configuration Guide IN-54 OL-12189-01